Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Extensions provide useful additional functionality for web browsers, but are
also an increasingly popular vector for attacks. Due to the high degree of
privilege extensions can hold, extensions have been abused to inject
advertisements into web pages that divert revenue from content publishers and
potentially expose users to malware. Users are often unaware of such practices,
believing the modifications to the page originate from publishers.
Additionally, automated identification of unwanted third-party modifications is
fundamentally difficult, as users are the ultimate arbiters of whether content
is undesired in the absence of outright malice.
To resolve this dilemma, we present a fine-grained approach to tracking the
provenance of web content at the level of individual DOM elements. In
conjunction with visual indicators, provenance information can be used to
reliably determine the source of content modifications, distinguishing
publisher content from content that originates from third parties such as
extensions. We describe a prototype implementation of the approach called
OriginTracer for Chromium, and evaluate its effectiveness, usability, and
performance overhead through a user study and automated experiments. The
results demonstrate a statistically significant improvement in the ability of
users to identify unwanted third-party content such as injected ads with modest
performance overhead.
Comment: International Symposium on Research in Attacks, Intrusions and Defenses (RAID), Paris, France, September 201
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Modern websites include various types of third-party content such as
JavaScript, images, stylesheets, and Flash objects in order to create
interactive user interfaces. In addition to explicit inclusion of third-party
content by website publishers, ISPs and browser extensions are hijacking web
browsing sessions with increasing frequency to inject third-party content
(e.g., ads). However, third-party content can also introduce security risks to
users of these websites, unbeknownst to both website operators and users.
Because of the often highly dynamic nature of these inclusions as well as the
use of advanced cloaking techniques in contemporary malware, it is exceedingly
difficult to preemptively recognize and block inclusions of malicious
third-party content before it has the chance to attack the user's system. In
this paper, we propose a novel approach to achieving the goal of preemptive
blocking of malicious third-party content inclusion through an analysis of
inclusion sequences on the Web. We implemented our approach, called Excision,
as a set of modifications to the Chromium browser that protects users from
malicious inclusions while web pages load. Our analysis suggests that by
adopting our in-browser approach, users can avoid a significant portion of
malicious third-party content on the Web. Our evaluation shows that Excision
effectively identifies malicious content while introducing a low false positive
rate. Our experiments also demonstrate that our approach does not negatively
impact a user's browsing experience when browsing popular websites drawn from
the Alexa Top 500.
Comment: International Conference on Financial Cryptography and Data Security (FC), Barbados, February 201
Alert Correlation Algorithms: A Survey and Taxonomy
Alert correlation is a system that receives alerts from heterogeneous
Intrusion Detection Systems and reduces false alerts, detects high-level
attack patterns, enriches the meaning of observed incidents, predicts the
future states of attacks, and detects the root cause of attacks. To reach these
goals, many algorithms have been proposed, each with its own advantages
and disadvantages. In this paper, we present a comprehensive survey of
previously proposed alert correlation algorithms. The survey focuses mainly
on algorithms in correlation engines that can operate in enterprise and
practical networks. With this aim in mind, we introduce features related to
accuracy, functionality, and computational cost, and assess every category of
algorithms against these features. The result of this survey shows that each
category of algorithms has its own strengths, and that an ideal correlation
framework should combine the strengths of each category.
Comment: Symposium on Cyberspace Safety and Security (CSS), Lecture Notes in Computer Science, Springer International Publishing, vol 8300, pp 183-197, Zhangjiajie, China, November 201
Performance Evaluation of Shared Hosting Security Methods
Shared hosting is a kind of web hosting in which multiple websites reside on
one webserver. It is cost-effective and makes administration easier for
website owners. However, shared hosting has some performance and security
issues. In the default shared hosting configuration, all websites' scripts are
executed under the webserver's user account regardless of their owners.
Therefore, a website is able to access other websites' resources. This security
problem arises from the lack of proper isolation between different websites hosted
on the same webserver. In this survey, we examine different methods for
handling this security issue and evaluate the performance of each method.
Finally, we evaluate the performance of these methods under various
configurations.
Comment: IEEE Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Liverpool, UK, June 201
An Anomaly-based Botnet Detection Approach for Identifying Stealthy Botnets
Botnets (networks of compromised computers) are often used for malicious
activities such as spam, click fraud, identity theft, phishing, and distributed
denial of service (DDoS) attacks. Most previous research has introduced
fully or partially signature-based botnet detection approaches. In this paper,
we propose a fully anomaly-based approach that requires no a priori knowledge
of bot signatures, botnet C&C protocols, or C&C server addresses. We start
from the inherent characteristics of botnets. Bots connect to the C&C channel and
execute the received commands. Bots belonging to the same botnet receive the
same commands, which causes them to have similar netflow characteristics and
to perform the same attacks. Our method clusters bots with similar netflows and
attacks in different time windows and performs correlation to identify
bot-infected hosts. We have developed a prototype system and evaluated it with
real-world traces including normal traffic and several real-world botnet
traces. The results show that our approach has high detection accuracy and a low
false positive rate.
Comment: IEEE Conference on Computer Applications and Industrial Electronics (ICCAIE), Penang, Malaysia, December 201
A Comprehensive Approach to Abusing Locality in Shared Web Hosting Servers
With the growth of network technology and the human need for social
interaction, websites have become critically important, which has led to an
increasing number of websites and servers. One popular solution for managing
these large numbers of websites is to use shared web hosting servers in order
to decrease the overall cost of server maintenance. Despite its affordability,
this solution is insecure and risky, as evidenced by the large number of
reported defacements and attacks in recent years. In this paper, we introduce
the ten most common attacks on shared web hosting servers, which can occur
because of the nature and misconfiguration of these servers. Moreover, we
present several simple scenarios that are capable of penetrating these kinds of
servers even in the presence of several security mechanisms. Finally, we
provide a comprehensive secure configuration for confronting these attacks.
Comment: IEEE Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Melbourne, Australia, July 201
Two Novel Server-Side Attacks against Log File in Shared Web Hosting Servers
Shared Web Hosting service enables hosting a multitude of websites on a single
powerful server. It is a well-known solution, as many people share the overall
cost of server maintenance and website owners do not need to deal with
administration issues. In this paper, we illustrate how shared web hosting
service works and demonstrate the security weaknesses that arise due to the
lack of proper isolation between different websites hosted on the same server.
We exhibit two new server-side attacks against the log file whose objectives
are revealing information about other hosted websites that is considered to be
private and staging other complex attacks. In the absence of isolated log files
among websites, an attacker controlling a website can inspect and manipulate
the contents of the log file. These attacks enable an attacker to disclose the
file and directory structure of other websites and launch other sorts of
attacks. Finally, we propose several countermeasures to secure shared web
hosting servers against the two attacks, beyond the separation of log files for
each website.
Comment: IEEE Conference for Internet Technology and Secured Transactions (ICITST), London, UK, December 201
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
Numerous surveys have shown that Web users are concerned about the loss of
privacy associated with online tracking. Alarmingly, these surveys also reveal
that people are also unaware of the amount of data sharing that occurs between
ad exchanges, and thus underestimate the privacy risks associated with online
tracking.
In reality, the modern ad ecosystem is fueled by a flow of user data between
trackers and ad exchanges. Although recent work has shown that ad exchanges
routinely perform cookie matching with other exchanges, these studies are based
on brittle heuristics that cannot detect all forms of information sharing,
especially under adversarial conditions.
In this study, we develop a methodology that is able to detect client- and
server-side flows of information between arbitrary ad exchanges. Our key
insight is to leverage retargeted ads as a tool for identifying information
flows. Intuitively, our methodology works because it relies on the semantics of
how exchanges serve ads, rather than focusing on specific cookie matching
mechanisms. Using crawled data on 35,448 ad impressions, we show that our
methodology can successfully categorize four different kinds of information
sharing behavior between ad exchanges, including cases where existing heuristic
methods fail.
We conclude with a discussion of how our findings and methodologies can be
leveraged to give users more control over what kind of ads they see and how
their information is shared between ad exchanges.
Comment: USENIX Security Symposium, Austin, TX, USA, August 201
Understanding and Mitigating the Security Risks of Content Inclusion in Web Browsers
Thanks to the wide range of features offered by web browsers, modern websites
include various types of content such as JavaScript and CSS in order to create
interactive user interfaces. Browser vendors also provide extensions to
enhance web browsers with additional useful capabilities that are not
necessarily maintained or supported by default.
However, included content can introduce security risks to users of these
websites, unbeknownst to both website operators and users. In addition, the
browser's interpretation of a resource URL may be very different from how
the web server resolves the URL to determine which resource should be returned
to the browser. The URL may not correspond to an actual server-side file system
structure at all, or the web server may internally rewrite parts of the URL.
This semantic disconnect between web browsers and web servers in interpreting
relative paths (path confusion) can be exploited by Relative Path Overwrite
(RPO). On the other hand, even though extensions provide useful additional
functionality for web browsers, they are also an increasingly popular vector
for attacks. Due to the high degree of privilege extensions can hold,
extensions have been abused to inject advertisements into web pages that divert
revenue from content publishers and potentially expose users to malware.
In this thesis, I propose novel research into understanding and mitigating
the security risks of content inclusion in web browsers to protect website
publishers as well as their users.
Comment: Doctor of Philosophy (PhD) Thesis, Khoury College of Computer Sciences, Northeastern University, Boston, MA, USA, April 201
Large-Scale Analysis of Style Injection by Relative Path Overwrite
Relative Path Overwrite (RPO) is a recent technique to inject style
directives into sites even when no style sink or markup injection vulnerability
is present. It exploits differences in how browsers and web servers interpret
relative paths (i.e., path confusion) to make an HTML page reference itself as a
stylesheet; a simple text injection vulnerability, along with browsers' leniency
in parsing CSS resources, gives an attacker the ability to inject style
directives that will be interpreted by the browser. Even though style injection
may appear a less serious threat than script injection, it has been shown that
it enables a range of attacks, including secret exfiltration.
In this paper, we present the first large-scale study of the Web to measure
the prevalence and significance of style injection using RPO. Our work shows
that around 9% of the sites in the Alexa Top 10,000 contain at least one
vulnerable page, out of which more than one third can be exploited. We analyze
in detail various impediments to successful exploitation, and make
recommendations for remediation. In contrast to script injection, relatively
simple countermeasures exist to mitigate style injection. However, there
appears to be little awareness of this attack vector, as evidenced by a range of
popular Content Management Systems (CMSes) that we found to be exploitable.
Comment: The Web Conference (WWW), Lyon, France, April 201