
SURF: Detecting and Measuring Search Poisoning

Long Lu, Wenke Lee (College of Computing, Georgia Inst. of Technology); Roberto Perdisci (Dept. of Computer Science, University of Georgia). ACM CCS 2010.


Presentation Transcript


  1. Long Lu, Wenke Lee (College of Computing, Georgia Inst. of Technology) • Roberto Perdisci (Dept. of Computer Science, University of Georgia) • ACM CCS 2010 • SURF: Detecting and Measuring Search Poisoning

  2. Agenda • Introduction • SURF • Search Engine • Search Poisoning • SURF Implementation & Evaluation • Discussion • Empirical Measurements • Related Work • Conclusion

  3. Introduction • Blackhat SEO • Search inflating • Search poisoning • SURF : detection system • Generality • Robustness • Wide deployability

  4. SURF (Search User Redirection Finder) • Runs as a browser component (plugin)

  5. SURF • Reports an in-depth study to motivate and inspire countermeasures against this increasing threat. • Is able to detect search poisoning with a 99.1% true positive rate at a 0.9% false positive rate. • Provides insight into its fast-growing trends.

  6. Search Engine • Search engines typically employ crawlers to discover newly created or updated webpages • Two advantages for abusers • Search engines trust the content on the webpages • A web server can easily distinguish between search crawlers and human visitors

  7. Search Poisoning • Preliminary study aimed to discover a set of robust features that can be leveraged for detection purposes • Ubiquitous use of cross-site redirections • Search poisoning as a service • Sophisticated poisoning and evasion tricks • Persistence under transient appearances • Various malicious applications

  8. Search Poisoning • Detection features

  9. SURF Implementation • As a plugin on IE8 • “mshtml.dll” for HTML parsing • Listening for event notification • Peek into browser data • Emulating simple user interactions • Use BLADE to protect from drive-by download malware

  10. SURF Evaluation • Three different experiments • Estimate SURF’s accuracy • Attempt to show that SURF is able to detect generic search poisoning cases • Show which features are the most important for classification • IP-to-name ratio • Redirection consistency & landing-to-terminal distance

  11. Discussion • During the feature selection process, we discarded a few candidate features that may help the classification accuracy but are not robust (15→9) • Detecting search poisoning cases can reveal information about compromised websites and botnet organizations. • Single client side-share information

  12. Empirical Measurements • Micro Measurements

  13. Empirical Measurements • Macro Measurements

  14. Empirical Measurements Super Bowl Poor Japan earthquake

  15. Empirical Measurements

  16. Related Work • Blackhat SEO countermeasures • Most detection methods work at the search engine level • Malicious webpage detection

  17. Conclusion • SURF: a novel detection system that runs as a browser component • Detects malicious search user redirections resulting from users clicking on poisoned search results • Robust features that are hard to evade • Detection rate of 99.1% at a false positive rate of 0.9%

  18. Thank you for listening

  19. Dynamically dispatch

  20. D: drive-by download • F: fake AV • P: rogue pharmacy • Na: randomly legitimate search redirection cases
