ADAM: Automated detection and attribution of malicious webpages

Ahmed E. Kosba, Aziz Mohaisen, Andrew West, Trevor Tonn, Huy Kang Kim

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

Malicious webpages are a prevalent and severe threat in the Internet security landscape. This fact has motivated numerous static and dynamic techniques to alleviate the threat. Building on this existing literature, this work introduces the design and evaluation of ADAM, a system that uses machine learning over network metadata derived from the sandboxed execution of webpage content. ADAM aims to detect malicious webpages and also to identify the type of vulnerability, using a simple set of features. Machine-trained models are not novel in this problem space. Instead, it is the dynamic network artifacts (and their subsequent feature representations) collected during rendering that are the greatest contribution of this work. Using a real-world operational dataset that includes different types of malicious behavior, our results show that cheap dynamic network artifacts can be used effectively to detect most types of vulnerabilities, with accuracy reaching 96%. The system was also able to identify the type of a detected vulnerability with high accuracy, achieving an exact match in 91% of the cases. We identify the main vulnerabilities that require improvement, and suggest directions to extend this work to practical contexts.

Original language: English
Title of host publication: Information Security Applications - 15th International Workshop, WISA 2014, Revised Selected Papers
Publisher: Springer Verlag
Pages: 3-16
Number of pages: 14
Volume: 8909
ISBN (Electronic): 9783319150864
DOIs: https://doi.org/10.1007/978-3-319-15087-1_1
Publication status: Published - 2015
Event: 15th International Workshop on Information Security Applications, WISA 2014 - Korea, Republic of
Duration: 2014 Aug 25 to 2014 Aug 27

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 8909
ISSN (Print): 03029743
ISSN (Electronic): 16113349

Other

Other: 15th International Workshop on Information Security Applications, WISA 2014
Country: Korea, Republic of
Period: 14/8/25 to 14/8/27

Fingerprint

Vulnerability
Dynamic Networks
Metadata
Learning systems
Internet
Rendering
Machine Learning
High Accuracy
Evaluation
Model

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Kosba, A. E., Mohaisen, A., West, A., Tonn, T., & Kim, H. K. (2015). ADAM: Automated detection and attribution of malicious webpages. In Information Security Applications - 15th International Workshop, WISA 2014, Revised Selected Papers (Vol. 8909, pp. 3-16). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8909). Springer Verlag. https://doi.org/10.1007/978-3-319-15087-1_1

TY - GEN

T1 - ADAM

T2 - Automated detection and attribution of malicious webpages

AU - Kosba, Ahmed E.

AU - Mohaisen, Aziz

AU - West, Andrew

AU - Tonn, Trevor

AU - Kim, Huy Kang

PY - 2015

Y1 - 2015

UR - http://www.scopus.com/inward/record.url?scp=84922195497&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84922195497&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-15087-1_1

DO - 10.1007/978-3-319-15087-1_1

M3 - Conference contribution

AN - SCOPUS:84922195497

VL - 8909

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 3

EP - 16

BT - Information Security Applications - 15th International Workshop, WISA 2014, Revised Selected Papers

PB - Springer Verlag

ER -