JShield-ACSAC14.pptxVIP

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 2/24 Introduction and Background Drive-by download Attack Unintended download of malicious computer software from the Internet, which is usually due to a browser vulnerability, such as buffer and heap overflow. Approximately 1.3% of the incoming search queries (millions per day) to Google returned at least one URL with a drive-by download attack. 3/24 4/24 Overview A reactive vulnerability-based approach to match malicious JavaScript samples targeting drive-by download attacks. JShield ( 4,000 additional lines of code integrated into WebKit) has been adopted by Huawei, the world’s largest telecommunication equipment maker. I spent two months at Huawei in 2012 and 2013 respectively to help them test JShield with millions of real-world samples. JShield is filed under a U.S. patent (14/207,665). 5/24 Deployment Server Side The Web Application Firewalls (WAF) or Web IDS/IPS Web malware scanning services Client Side Part of Anti-virus Software 6/24 Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 7/24 Motivation Attackers will change existing malicious JavaScript code to evade detection, called sample pollution: Embedded inside DOM events, such as mouse moves. Injected and interleaved with benign JavaScript code. 8/24 Motivation Cont’d 9/24 Anti-virus Software Original Samples Polluted Samples Avira Antivirus Premium 2013 98.00% (1176/1200) 0.58% (7/1200) AVG Internet Security 2013 89.33% (1072/1200) 3.58% (43/1200) Kaspersky Internet Security 2012 92.41% (1109/1200) 2.00% (24/1200) Norton Internet Security 2013 20.67% (248/1200) 0.08% (1/1200) Trend Micro Titanium Internet Security 2013 87.58% (1051/1200) 2.00% (24/1200) Top Vendors in Industry: Motivation Cont’d 10/24 Original Samples Polluted Samples True Positive 93.1% 36.7% False Positive 0.5% 0.5%