
Knowing Your Enemy


xandy

Presentation Transcript


  1. Knowing Your Enemy: Understanding and Detecting Malicious Web Advertising

  2. Background
     Actors in Web Advertising
     • Publishers
     • Advertisers
     • Audiences
     • Other (ex: trackers)
     a) Direct Delivery
     b) Ad syndication

  3. An Example
     An example delivery chain of a fake AV campaign. An ad delivered by adsloader.com.

  4. Categories of Attacks
     There are three categories of malvertising attacks.
     • Drive-by download: These attacks exploit vulnerabilities in browsers or plugins using dynamic content in JavaScript or Flash.
     • Scam and phishing: These attacks include fake AVs and others that attempt to trick users into disclosing sensitive information.
     • Click fraud: Imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad's link.

  5. Terminology
     Node, Path, and Domain-Path
     • Malicious Node: A node that performs malicious activities on an ad-delivery path is called a malicious node.
     • Malicious Path: We call any path containing a malicious node a malvertising path.
     • Infected Publisher: The source node on a malvertising path.

  6. Measurement Results
     Encountered Malvertising Attacks:
     • Three types of malvertising attacks take a significant portion of all the attacks detected
     • The average malvertising path length is 8.11 nodes, much longer than the average crawled ad path length of 3.59 nodes
     • The average lifetime of a particular malicious domain in our data is relatively short, ranging from 1 to 5 days
     Properties of Malvertising Nodes:
     • Node roles
     • Domain registration
     • URL patterns
     • Node frequency
     • Node-pair frequency

  7. Measurement Results
     Properties of Malvertising Paths:
     • The use of ad syndication
     • Path distances among malicious nodes
     Summary of Findings: Malicious nodes tend to stay together, which helps for detection.

  8. Mad Tracer
     Mad Tracer Infrastructure
     • Mad Tracer consists of two major components.
     • The first component identifies malvertising paths by analyzing ad paths and their features.
     • The second is an analyzer component that intensively monitors the infected publisher pages, so as to study cloaking techniques and to expand our detection results.

  9. Detection Methodology

  10. Evaluation Results
      CONCLUSION: Mad Tracer works effectively against real-world malvertising activities: it caught 15 times as many malicious domain paths as Google Safe Browsing and Microsoft Forefront combined, and also discovered several large-scale malvertising campaigns, including a new type of click-fraud attack. A more detailed summary of findings will be released on www.madtracer.org
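
The terminology from slide 5 and the path measurements from slides 6 and 7, applied to a handful of ad paths. This is an added example, not code from the presentation or from Mad Tracer; the domains, the `KNOWN_MALICIOUS` label set, and the hop-distance measure are assumptions made for illustration.

```python
from itertools import combinations
from statistics import mean

# Constructed sample data: each ad path is the ordered list of domains an ad
# request passed through, starting at the publisher page. All domains are
# hypothetical placeholders.
AD_PATHS = [
    ["news.example", "adnet-a.example", "adnet-b.example", "brand.example"],
    ["blog.example", "adnet-a.example", "synd1.example", "synd2.example",
     "redir-x.example", "redir-y.example", "fakeav.example"],
    ["forum.example", "adnet-c.example", "shop.example"],
    ["blog.example", "adnet-c.example", "redir-y.example", "fakeav.example"],
]
# Assumption: labels come from an external source such as a blocklist.
KNOWN_MALICIOUS = {"redir-x.example", "redir-y.example", "fakeav.example"}


def malicious_positions(path, malicious):
    """Indexes of the malicious nodes on one ad path."""
    return [i for i, node in enumerate(path) if node in malicious]


def analyze(paths, malicious):
    """Apply the slide definitions to a set of crawled ad paths."""
    malvertising, publishers, gaps = [], set(), []
    for path in paths:
        hits = malicious_positions(path, malicious)
        if not hits:
            continue                    # no malicious node: ordinary ad path
        malvertising.append(path)       # malvertising path
        publishers.add(path[0])         # source node = infected publisher
        # Hop distance between every pair of malicious nodes on this path.
        gaps += [b - a for a, b in combinations(hits, 2)]
    return {
        "malvertising_paths": len(malvertising),
        "infected_publishers": sorted(publishers),
        "avg_len_malvertising": mean(map(len, malvertising)) if malvertising else 0,
        "avg_len_all": mean(map(len, paths)) if paths else 0,
        # Share of malicious node pairs that sit directly next to each other.
        "adjacent_pair_share": sum(g == 1 for g in gaps) / len(gaps) if gaps else 0,
    }


if __name__ == "__main__":
    for key, value in analyze(AD_PATHS, KNOWN_MALICIOUS).items():
        print(f"{key}: {value}")
```

On this sample the malvertising paths are longer than the overall average and most malicious node pairs are adjacent, the same shape as the findings on slides 6 and 7.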
