With the growing importance of the Internet in our lives, attempts to exploit software vulnerabilities in our PCs for personal gain are increasing. One way to do this is to infect the victim’s PC with malicious code injected through a website. In fact, it is common to come across websites that have been hacked and repurposed to distribute viruses or redirect visitors to other web pages that contain malicious code.
Fortunately, modern web browsers implement security measures to detect malicious code hidden in websites before it is executed. These methods can be categorized into “signature-based detection” and “behavior-based detection”. Signature-based methods detect threats by referring to a previously established list of “indicators of compromise” and checking whether a web page displays any of these indicators. Although this approach is fast, it cannot detect new, unknown attacks, also known as zero-day attacks. Behavior-based methods, on the other hand, compare the state of an unprotected virtual machine before and after visiting a website to detect any suspicious changes that may have occurred. Although this approach is slower, it detects zero-day attacks much more effectively.
In a recent study published in the Journal of Electronic Imaging, researchers Yong-joon Lee from Far East University and Won-shik Na from Namseoul University, both in the Republic of Korea, reported a new approach to detecting malicious code hidden in websites. Unlike existing techniques, their method revolves around identifying and analyzing common attack patterns used when spreading malicious code on websites.
In their work, the researchers first collected the data needed to find attack patterns by “crawling” 500 harmful websites. They analyzed the most common approaches used on these websites to spread malicious code. They then focused on the programming techniques and scripts used in this malicious code, such as running shell scripts, executable files (.exe) or suspicious string manipulation, to exploit the vulnerabilities.
The researchers counted the number of times each of these techniques was used on malicious websites and developed an equation to determine the “risk score” for a given website. To do this, they quantified the reliability of each of these techniques as an indicator of suspicion by focusing on their false positive detection rates, that is, how often a benign website using these techniques has been (incorrectly) flagged as “malicious”.
With this information, the equation they developed could identify so-called distribution models that hackers use to spread malicious code. “While previous detection methods focused on the actual execution of malicious code, our proposed detection method can identify malicious distribution patterns by analyzing user-side scripts while considering website characteristics,” said Na.
Based on the 500 harmful websites previously identified by Google and Microsoft, the researchers were able to establish the relative importance (and weight) of each individual aspect of malicious distribution schemes. The performance of their approach was exceptional, both in terms of accuracy and speed. “The proposed method can effectively detect malicious websites based on script patterns. The complexity of the algorithm and its memory load are therefore low,” Na said. Moreover, the new approach could also successfully detect zero-day attacks.
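The article describes the scoring idea only in outline: count how often each scripting technique (shell execution, references to executable files, suspicious string manipulation) appears in a page's scripts, weight each technique by how reliable it is as an indicator, judged by its false positive rate on benign sites, and combine the weighted counts into a risk score. The following is an added illustration of that idea in Python; it is not the researchers' code and does not reproduce their equation. The indicator patterns, the tiny benign calibration corpus, the weight formula (weight = 1 - false positive rate), the sample scripts and the decision threshold are all constructed assumptions for this example.

```python
"""Toy script-pattern risk scorer (added example, not the paper's method).

Everything below is constructed for illustration: the indicator patterns,
the benign calibration corpus used to estimate false positive rates, the
weighting rule (weight = 1 - FPR), the sample scripts and the threshold.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: re.Pattern


# Hypothetical indicators covering the technique families named in the article
# (shell execution, executable references, string manipulation) plus redirection.
INDICATORS = (
    Indicator("shell_invocation", re.compile(r"\bWScript\.Shell\b")),
    Indicator("executable_reference", re.compile(r"\.exe\b", re.IGNORECASE)),
    Indicator("string_obfuscation",
              re.compile(r"\b(?:unescape|eval|String\.fromCharCode)\s*\(")),
    Indicator("redirect",
              re.compile(r"\b(?:window|document)\.location\b|\blocation\.(?:href|replace)\b")),
)

# Constructed benign calibration scripts: ordinary page code that happens to
# use some of the same APIs, so that some indicators fire on harmless pages.
BENIGN_CORPUS: Sequence[str] = (
    'document.getElementById("gallery").innerHTML = "<img src=\'a.jpg\'>";\n'
    'location.href = "/album/1";',
    'var s = String.fromCharCode(72, 105);\ndocument.title = s;',
    'window.location = "/login?next=" + encodeURIComponent(path);',
    'var f = "setup.exe";\nshowDownloadLink(f);',
)

# Constructed samples to score: one drive-by style script, one gallery script.
MALICIOUS_SAMPLE = (
    'var p = unescape("%77%73%63%72%69%70%74");\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'sh.Run("cmd.exe /c dropper.exe", 0, false);\n'
    'window.location = "http://example.invalid/landing";\n'
)
BENIGN_SAMPLE = (
    'var img = new Image();\n'
    'img.src = "/thumbs/photo_" + String.fromCharCode(65) + ".jpg";\n'
    'document.getElementById("gallery").appendChild(img);\n'
)


def count_indicators(script: str) -> Dict[str, int]:
    """Number of times each indicator occurs in the script."""
    return {ind.name: len(ind.pattern.findall(script)) for ind in INDICATORS}


def estimate_false_positive_rates(benign_scripts: Sequence[str]) -> Dict[str, float]:
    """Share of benign scripts in which each indicator fires at least once."""
    rates = {}
    for ind in INDICATORS:
        hits = sum(1 for s in benign_scripts if ind.pattern.search(s))
        rates[ind.name] = hits / len(benign_scripts)
    return rates


def indicator_weights(benign_scripts: Sequence[str] = BENIGN_CORPUS) -> Dict[str, float]:
    """Assumed weighting rule: an indicator that never fires on benign pages
    counts fully (weight 1.0); one that fires on half of them counts half."""
    return {name: 1.0 - fpr
            for name, fpr in estimate_false_positive_rates(benign_scripts).items()}


def risk_score(script: str, weights: Dict[str, float] | None = None) -> float:
    """Weighted sum of indicator counts (assumed form of the risk equation)."""
    weights = weights or indicator_weights()
    counts = count_indicators(script)
    return sum(weights[name] * counts[name] for name in counts)


def is_malicious(script: str, threshold: float = 1.0) -> bool:
    """Assumed decision rule: flag the page when the score reaches the threshold."""
    return risk_score(script) >= threshold


if __name__ == "__main__":
    print("weights:", indicator_weights())
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, count_indicators(sample), round(risk_score(sample), 2), is_malicious(sample))
```

The point of the calibration step is visible in the numbers: the benign gallery script does use `String.fromCharCode`, but because that call also appears in harmless code its weight is reduced, and a single occurrence stays below the threshold, whereas the drive-by sample accumulates several reliable indicators and scores well above it. A real deployment would calibrate on a large labelled corpus rather than four scripts, and would tune the threshold against the accepted false positive rate.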
The researchers expect the new method to help bolster web user security while contributing to cybersecurity science and education by gathering information about malicious code distribution patterns. Let’s hope their approach catches on in the field!
Read Yong-joon Lee and Won-shik Na’s Gold Open Access article, “Technique for detecting malicious script distribution patterns for image search websites”, J. Electronic Imaging 31(3), 033046 (2022), doi: 10.1117/1.JEI.31.3.033046.
Journal: Journal of Electronic Imaging
Article title: Technique for detecting malicious script distribution patterns for image search websites
Article publication date: June 28, 2022