ELPA: Emulation-Based Linked Page Map Analysis for the Detection of Drive-by Download Attacks

Sang-Yong Choi, Daehyeok Kim and Yong-Min Kim
Volume: 12, No: 3, Page: 422 ~ 435, Year: 2016
10.3745/JIPS.03.0045
Keywords: Drive-by Download, Malware Distribution Network, Webpage Link Analysis, Web Security
Full Text:

Abstract
Despite the convenience brought by the advances in web and Internet technology, users are increasingly being exposed to the danger of various types of cyber attacks. In particular, recent studies have shown that today’s cyber attacks usually occur on the web via malware distribution and the stealing of personal information. A drive-by download is a kind of web-based attack for malware distribution. Researchers have proposed various methods for detecting a drive-by download attack effectively. However, existing methods have limitations against recent evasion techniques, including JavaScript obfuscation, hiding, and dynamic code evaluation. In this paper, we propose an emulation-based malicious webpage detection method. Based on our study on the limitations of the existing methods and the state-of-the-art evasion techniques, we will introduce four features that can detect malware distribution networks and we applied them to the proposed method. Our performance evaluation using a URL scan engine provided by VirusTotal shows that the proposed method detects malicious webpages more precisely than existing solutions.

Article Statistics
Multiple requests among the same broswer session are counted as one view (or download).
If you mouse over a chart, a box will show the data point's value.


Cite this article
IEEE Style
Sang-Yong Choi, Daehyeok Kim, and Yong-Min Kim, "ELPA: Emulation-Based Linked Page Map Analysis for the Detection of Drive-by Download Attacks," Journal of Information Processing Systems, vol. 12, no. 3, pp. 422~435, 2016. DOI: 10.3745/JIPS.03.0045.

ACM Style
Sang-Yong Choi, Daehyeok Kim, and Yong-Min Kim, "ELPA: Emulation-Based Linked Page Map Analysis for the Detection of Drive-by Download Attacks," Journal of Information Processing Systems, 12, 3, (2016), 422~435. DOI: 10.3745/JIPS.03.0045.