Detecting drive-by-downloads using human

Alex Crowell, Rutgers University
Computer Science and Mathematics
Advisor: Prof. Danfeng Yao,
Computer Science Department



Drive-by-download: visiting a URL causes malware to be installed on the computer.
Most approaches to detecting drive-by-downloads focus only on server-side solutions or browser security.
We can use the user's input to validate each download when it occurs.

Implemented on Windows
- Popular; most drive-by-downloads occur on Windows
- Has a convenient tool for monitoring file system events (Process Monitor)
- Closed source; parts of the API are unavailable


We used the Firefox extension tlogger to handle user input.
Wrote a program that takes the file system data from ProcMon and the user action data from tlogger and flags any 'suspicious' downloads.

ProcMon doesn't save its data in real time
- minispy is a sample program supplied with the Windows Driver Kit that works just like ProcMon


Some websites redirect through a chain of pages before reaching the download (e.g. download.com)
In practice, there is a long lag time between a link click and file creation
- It may not be possible to track the user clicking the 'Save File' button
[Architecture diagrams: a generic layout with the Web Browser, Input Monitor, File System Monitor and DBD Analyzer placed across the User/Kernel boundary of the Operating System, and the concrete instance with Firefox, tlogger, modified minispy and the DBD Analyzer on Windows.]

Tracks, using ProcMon/minispy, the creation of files by Firefox.

When a file is created by Firefox, the analyzer searches through the entries in the tlogger data file for a corresponding user input.

As long as the input occurred within a time limit of the file creation, it is a valid download.
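The correlation the analyzer performs, written out as an added example for this page (it is not the project's own DBD Analyzer code). It uses constructed, simplified event records, an assumed 10 s window, and shows the trade-off the limitations slide points at: a window short enough to flag an unexplained file also flags a legitimate download delayed by a redirect chain.

```python
# Constructed sample of file-creation events, reduced to the fields the
# analysis needs: (seconds, process image name, path created). The real
# ProcMon / minispy records carry many more columns than this.
FILE_EVENTS = [
    (100.0, "firefox.exe", r"C:\Users\alice\Downloads\report.pdf"),
    (250.0, "firefox.exe", r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
    (300.0, "explorer.exe", r"C:\Users\alice\Desktop\notes.txt"),
    (400.0, "firefox.exe", r"C:\Users\alice\Downloads\setup.zip"),
]

# Constructed sample of user-input events as an input logger (tlogger in
# the poster) might record them: (seconds, kind, target URL).
INPUT_EVENTS = [
    (97.5, "click", "http://example.com/report.pdf"),   # direct download
    (230.0, "click", "http://example.com/news"),        # plain navigation
    (370.0, "click", "http://example.com/get/setup"),   # redirect chain
]

WINDOW_SECONDS = 10.0  # assumed bound between a click and the file creation


def find_matching_input(ts, inputs, window=WINDOW_SECONDS):
    """Most recent click at most `window` seconds before `ts`, or None."""
    recent = [e for e in inputs if e[1] == "click" and 0 <= ts - e[0] <= window]
    return max(recent, key=lambda e: e[0]) if recent else None


def analyze(file_events, input_events, browser="firefox.exe",
            window=WINDOW_SECONDS):
    """Return (seconds, path) for each browser file creation that no
    sufficiently recent user click accounts for."""
    suspicious = []
    for ts, proc, path in file_events:
        if proc.lower() != browser:
            continue  # only the browser's own file creations matter here
        if find_matching_input(ts, input_events, window) is None:
            suspicious.append((ts, path))
    return suspicious


if __name__ == "__main__":
    # A 10 s window flags upd.exe (no click at all) but also setup.zip,
    # whose click came 30 s earlier because of redirects; a 60 s window
    # clears setup.zip but lets upd.exe hide behind the unrelated click.
    for w in (10.0, 60.0):
        print(f"window={w:>4}s ->", analyze(FILE_EVENTS, INPUT_EVENTS, window=w))
```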




Windows is not compromised
Firefox and tlogger are not compromised
No file overwrites occur in any file downloads
File creation occurs in legitimate downloads within a short time of the user input that initiated it

Want to test:
- Effectiveness of solution
  ▪ Particularly false positive/negative rates
- Performance and usability
  ▪ Overhead on system
  ▪ Whether it is obtrusive to the user

Will do both:
- User study
- Partially automated testing

Authenticating the user input
- Trusted Platform Module (TPM) can be used



Making the input logger platform independent
Test on both real-world techniques and synthesized ones
Find better input to track
- Find some way to track the user's clicking the 'Save File' button

Thanks to:
- Mentor Danfeng Yao
- Qiang Ma
- DIMACS Faculty