Real-Time Detection of Polluted Drive-by Download Attacks with JShield


JShield is a real-time, vulnerability-based detection system that identifies malicious JavaScript samples used in drive-by download attacks, with a focus on resisting sample pollution and other evasive tactics. The system has been implemented by a leading telecommunications equipment manufacturer and holds a U.S. patent. Deployment covers both server-side and client-side defenses to strengthen web security against such attacks.


Uploaded on Sep 24, 2024



Presentation Transcript


  1. JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks. Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***. * Columbia University, ** Northwestern University, *** Tsinghua University

  2. Outline: Introduction, Background and Overview; Motivation; Design; Evaluation; Conclusion

  3. Introduction and Background. Drive-by download attack: an unintended download of malicious software from the Internet, usually caused by a browser vulnerability such as a buffer or heap overflow. Approximately 1.3% of the incoming search queries (millions per day) to Google returned at least one URL with a drive-by download attack.

  4. (figure)

  5. Overview. A reactive, vulnerability-based approach that matches malicious JavaScript samples targeting drive-by download attacks. JShield (more than 4,000 additional lines of code integrated into WebKit) has been adopted by Huawei, the world's largest telecommunication equipment maker. I spent two months at Huawei in 2012 and 2013 respectively to help them test JShield with millions of real-world samples. JShield is filed under a U.S. patent (14/207,665).

  6. Deployment. Server side: Web Application Firewalls (WAF) or web IDS/IPS; web malware scanning services. Client side: part of anti-virus software.

  7. Outline: Introduction, Background and Overview; Motivation; Design; Evaluation; Conclusion

  8. Motivation. Attackers change existing malicious JavaScript code to evade detection, a practice called sample pollution: the malicious code is embedded inside DOM events, such as mouse moves, or injected and interleaved with benign JavaScript code.

  9. Motivation (cont'd). Top vendors in industry: detection rate of anti-virus software on original and polluted samples.

     Anti-virus software                           Original samples     Polluted samples
     Avira Antivirus Premium 2013                  98.00% (1176/1200)   0.58% (7/1200)
     AVG Internet Security 2013                    89.33% (1072/1200)   3.58% (43/1200)
     Kaspersky Internet Security 2012              92.41% (1109/1200)   2.00% (24/1200)
     Norton Internet Security 2013                 20.67% (248/1200)    0.08% (1/1200)
     Trend Micro Titanium Internet Security 2013   87.58% (1051/1200)   2.00% (24/1200)

  10. Motivation (cont'd). State-of-the-art research work: detection rate of Zozzle [1] on original and polluted samples.

     Zozzle [1]        Original samples   Polluted samples
     True positive     93.1%              36.7%
     False positive    0.5%               0.5%

     [1] Curtsinger, Charlie, Benjamin Livshits, Benjamin G. Zorn, and Christian Seifert. "ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection." In USENIX Security Symposium, pp. 33-48. 2011.

  11. Outline: Introduction, Background and Overview; Motivation; Design; Evaluation; Conclusion

  12. Solution Space (figure: signature types plotted by accuracy against speed). Points as they appear on the slide, from the high-accuracy end toward the high-speed end: Turing machine signature, ideal signature, JShield signature, symbolic constraint signature, regular expression.

  13. System Architecture (figure)

  14. Opcode Signature Example (figure; labels: Signature, Sentence, Clause)

  15. Example Exploit:

     var obj = new Object();
     obj.__proto__.__defineGetter__("a", function () { this.__proto__ = null; return 0; });
     obj.a;

     Output opcodes: (figure)

  16. Matching Process (figure: the opcodes of the exploit are matched against the signature, advancing through State 1, State 2 and State 3)
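To make slides 14 to 16 concrete, and to show why opcode-level state matching resists the interleaving form of sample pollution from slide 8, here is an added, simplified matcher written for this page; it is not JShield's code. It assumes a signature is an ordered list of clauses (each a predicate on one opcode) consumed by a state machine that tolerates unrelated opcodes between clauses; the opcode names, the execution-order trace for the slide 15 exploit, the signature and the benign filler are all constructed for the example and only approximate JavaScriptCore bytecode.

```python
"""Simplified opcode-signature matching, in the spirit of slides 14-16.

Added illustration, not JShield's code. Opcode tokens, the signature and the
benign filler are constructed for this example and approximate, rather than
reproduce, the JavaScriptCore bytecode and signature format of the slides.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Opcode:
    """One executed bytecode instruction: a name plus an optional operand."""
    name: str
    operand: Optional[str] = None


# A clause is a predicate on a single opcode. A signature ("sentence") is an
# ordered list of clauses; each must match in turn, and any number of
# unrelated opcodes may sit between two matched clauses.
Clause = Callable[[Opcode], bool]


def op(name: str, operand: Optional[str] = None) -> Clause:
    """Clause matching an opcode by name and, if given, by operand."""
    def pred(o: Opcode) -> bool:
        return o.name == name and (operand is None or o.operand == operand)
    return pred


def match_signature(trace: List[Opcode], signature: List[Clause]) -> bool:
    """State-machine match: state i waits for clause i; all clauses consumed => match."""
    state = 0
    for o in trace:
        if state < len(signature) and signature[state](o):
            state += 1
    return state == len(signature)


def match_exact(trace: List[Opcode], signature: List[Clause]) -> bool:
    """Baseline: clauses must appear as one contiguous run, like a literal pattern."""
    n = len(signature)
    return any(
        all(signature[j](trace[i + j]) for j in range(n))
        for i in range(len(trace) - n + 1)
    )


def pollute(trace: List[Opcode], filler: List[Opcode]) -> List[Opcode]:
    """Model interleaving pollution: benign opcodes are inserted before every exploit opcode."""
    polluted: List[Opcode] = []
    for o in trace:
        polluted.extend(filler)
        polluted.append(o)
    return polluted


# Constructed execution trace approximating slide 15's exploit: install a getter
# on obj.__proto__, then read obj.a so the getter runs and nulls this.__proto__.
EXPLOIT_TRACE = [
    Opcode("new_object"),
    Opcode("get_by_id", "__proto__"),
    Opcode("get_by_id", "__defineGetter__"),
    Opcode("call"),
    Opcode("get_by_id", "a"),           # property read that triggers the getter
    Opcode("put_by_id", "__proto__"),   # this.__proto__ = null, inside the getter
    Opcode("ret"),
]

# Constructed signature: a getter installed through the prototype chain, then a
# property read that leads to a write of __proto__.
PROTO_GETTER_SIGNATURE = [
    op("get_by_id", "__proto__"),
    op("get_by_id", "__defineGetter__"),
    op("call"),
    op("get_by_id"),
    op("put_by_id", "__proto__"),
]

# Constructed benign filler and a constructed benign trace (ordinary DOM work).
BENIGN_FILLER = [Opcode("mov"), Opcode("add"), Opcode("get_by_id", "length")]
BENIGN_TRACE = [
    Opcode("get_by_id", "document"),
    Opcode("get_by_id", "getElementById"),
    Opcode("call"),
    Opcode("get_by_id", "innerHTML"),
    Opcode("put_by_id", "innerHTML"),
]
POLLUTED_TRACE = pollute(EXPLOIT_TRACE, BENIGN_FILLER)


if __name__ == "__main__":
    for label, trace in [("original", EXPLOIT_TRACE), ("polluted", POLLUTED_TRACE), ("benign", BENIGN_TRACE)]:
        print(f"{label:9s} state-machine={match_signature(trace, PROTO_GETTER_SIGNATURE)} "
              f"exact={match_exact(trace, PROTO_GETTER_SIGNATURE)}")
```

The state-machine matcher flags both the original and the interleaved trace and stays silent on the benign trace, while the contiguous baseline loses the polluted sample as soon as a single benign opcode separates two clauses. Embedding the exploit in a DOM event handler (the other pollution on slide 8) changes when the opcodes execute, not their order, so a matcher that observes executed opcodes is unaffected by it as well.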

  17. Outline: Introduction, Background and Overview; Motivation; Design; Evaluation; Conclusion

  18. Evaluation: vulnerability coverage rate; robustness to sample pollution; performance.

  19. Evaluation: Vulnerability Coverage. Vulnerabilities covered, by vulnerability position.

     Vulnerability position   BrowserShield   Song et al.   JShield
     JS engine                3/22            0/22          22/22
     PDF JS engine            4/18            0/18          18/18
     Plug-in                  20/21           21/21         21/21

     Reis et al., BrowserShield: vulnerability-driven filtering of dynamic HTML. In OSDI (2006).
     Song et al., Preventing drive-by download via inter-module communication monitoring. In ASIACCS (2010).

  20. Evaluation: Accuracy. JShield compared with anti-virus software and Zozzle on original and polluted samples.

     Accuracy                 Original samples   Polluted samples
     TP for web pages         100%               100%
     FP for web pages         0%                 0%

     Anti-virus software                           Original samples     Polluted samples
     Avira Antivirus Premium 2013                  98.00% (1176/1200)   0.58% (7/1200)
     AVG Internet Security 2013                    89.33% (1072/1200)   3.58% (43/1200)
     Kaspersky Internet Security 2012              92.41% (1109/1200)   2.00% (24/1200)
     Norton Internet Security 2013                 20.67% (248/1200)    0.08% (1/1200)
     Trend Micro Titanium Internet Security 2013   87.58% (1051/1200)   2.00% (24/1200)

     Zozzle            Original samples   Polluted samples
     True positive     93.1%              36.7%
     False positive    0.5%               0.5%

  21. Evaluation: Performance (figure)

  22. Outline: Introduction, Background and Overview; Motivation; Design; Evaluation; Conclusion

  23. Conclusion. In this talk, I presented JShield, a vulnerability-based detection engine for drive-by download attacks. JShield represents the semantics of each vulnerability and is robust to sample pollution. In evaluation, we show that JShield incurs affordable overhead.

  24. Thank you! Questions? yzcao@cs.columbia.edu http://www.yinzhicao.org
