Detection and Analysis of Malicious Web Content
Malicious web content has become the primary instrument used by miscreants to perform their attacks on the
Internet. In particular, attacks that target web clients, as opposed to infrastructure components, have become
pervasive. Drive-by downloads are a particularly common and insidious form of such attacks.
We have developed a novel approach to the automatic detection and analysis of malicious web pages. For this,
we visit web pages with an instrumented browser and record events that occur during the interpretation of HTML
values are evaluated using anomaly detection techniques. Anomalous features allow us to identify malicious content
even in the case of previously-unseen attacks. Our features are comprehensive and model many properties that
capture intrinsic characteristics of attacks. Moreover, our system provides additional details about the attack. For
example, it identifies the exploits that are used and the unobfuscated version of the code, which are helpful to
explain how the attack was executed and for performing additional analysis.
We implemented our approach in a tool called Wepawet. Wepawet is available online at
http://wepawet.cs.ucsb.edu, where users can submit URLs and files that are automatically analyzed, delivering
detailed reports about the type of observed attacks and the targeted vulnerabilities. This service has been operative
since November 2008 and analyzes thousands of URLs per day submitted by users across the world.
2011 (1 publication)
Escape from Monkey Island: Evading High-Interaction Honeyclients
Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2011)
PDF (224.9 KB)
2010 (1 publication)
Proceedings of the International World Wide Web Conference (WWW 2010)
PDF (242.5 KB)