seclab
play

seclab Detecting Website Defacements through Image-based Object - PowerPoint PPT Presentation

Feb 27, 2024 •143 likes •329 views

M EERKAT seclab Detecting Website Defacements through Image-based Object Recognition THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Kevin Borgolte kevinbo@cs.ucsb.edu Christopher Kruegel chris@cs.ucsb.edu Giovanni Vigna

  1. M EERKAT 
 seclab Detecting Website Defacements through Image-based Object Recognition THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Kevin Borgolte kevinbo@cs.ucsb.edu Christopher Kruegel chris@cs.ucsb.edu Giovanni Vigna vigna@cs.ucsb.edu August 13th, 2015 USENIX Security 2015

  2. seclab Defacements Source: The Register, August 3rd 2015, http://www.theregister.co.uk/2015/08/03/trump_website_hacked/ Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 2

  3. seclab Defacements: Scale • Prolific defacers: 
 Team System Dz, 2,800 websites in 10 months (~10/day) • Over 4,700 manually-verified defacements each day (Zone-H) • Defacements to Phishing Pages 
 Reported Websites per Month Average: ~7 to 1 
 1,000,000 Reported Websites Maximum: ~33 to 1 100,000 • Over 53,000 websites from 
 10,000 top 1 million lists were 
 1,000 Defacements defaced in 2014 Phishing Pages 100 2000-01 2001-01 2002-01 2003-01 2004-01 2005-01 2006-01 2007-01 2008-01 2009-01 2010-01 2011-01 2012-01 2013-01 2014-01 Month Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 3

  4. seclab Approach • Prior work looks at websites’ code, host-based IDS etc. • Compares to prior version / known good state • M EERKAT : Visually, like a human analyst • Render website in browser • Take screenshot • Does the screenshot looks like a defacement? • No previous version of website needed • No manual feature engineering Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 4

  5. seclab Approach: Deep Neural Network ... Defaced Legitimate ... ... ... 160x160x3 ... 18x18x3 Local Feed-forward with Local 1600x900x3 L2 ... Receptive Dropout Contrast Pooling Fields Normalization Window Screenshot Feature Learning Classification Collection Extraction Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 5

  6. seclab Approach: A Window “Into” The Defacement ... Defaced Legitimate ... ... ... 160x160x3 160x160x3 ... 18x18x3 Local Feed-forward with Local 1600x900x3 1600x900x3 L2 ... Receptive Dropout Contrast Pooling Fields Normalization • Full-size screenshots impractical; window “into” defacement instead • Size of window? • Too large ⇒ overfit (high variance) • Too small ⇒ underfit (high bias) • Extract window from which part of the screenshot? Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 6

  7. seclab Approach: Representative Window Extraction (1) Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 7

  8. seclab Approach: Representative Window Extraction (2) • Sample windows from 2-dimensional Gaussian distribution • Bias heavily toward center of page • If outside of screenshot, resample • Why? • Center of page is descriptive! • Non-trivial to poison training set Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 8

  9. seclab Approach: Deep Neural Network • Feature Learning: 
 Stacked Auto-Encoders • Classification: 
 Feed-Forward Neural Network with Dropout • Implemented on-top of Caffe • Trained on GPU, training time in weeks Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 9

  10. seclab Approach: Features Learned • Color combinations • Green on black? Black on white/bright gray? • Letter combinations • Broken and mixed encodings • Leetspeak • “pwned” or “h4x0red” • Typographical and grammatical errors • “greats to” or “visit us in our website” • Defacement group logos Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 10

  11. seclab Approach: Detection Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 11

  12. seclab Evaluation • Dataset • 10,053,772 defaced websites = positives • Defaced websites manually verified by Zone-H • 2,554,905 legitimate websites = negatives • Legitimate websites not verified, might be defaced • Dataset skewed toward defacements • Report Bayesian detection rate (BDR): P(true positive|positive) • Unverified legitimate websites ⇒ TPR & BDR are lower-bounds! Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 12

  13. seclab Evaluation: Traditional • 10-fold cross-validation • Results: • TPR: avg. 97.878% [97.422%, 98.375%] • FPR: avg. 1.012% [0.547%, 1.419%] • BDR: avg. 99.716% [99.603%, 99.845%] • Traditional evaluation has problems: • Same defacement possibly in two bins • Defacements from 1998 vs. 2014 Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 13

  14. seclab Limitations • Fingerprinting and delayed defacements • Tiny defacements • Huge advertisements • Concept drift (natural and adversarial) • Major: learn new features from new data (no feature engineering) • Minor: adjust weights of deeper classification layer Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 14

  15. seclab Limitations: Minor Concept Drift & Fine-Tuning • Train on Dec 2012 to Dec 2013 Time-wise Split, with and without Fine-Tuning 1.000 • 1.78 million defacements True Positive Rate with fine-tuning 0.995 without fine-tuning 0.990 • 1.76 million legitimate pages 0.985 0.980 0.975 • Test on Jan to May 2014 0.970 0.040 False Positive Rate 0.035 • 1.54 million samples, 50/50 split 0.030 0.025 0.020 • Fine-tune Jan, Feb, Mar, Apr 0.015 0.010 • BDR in Jan: 98.583% 0.015 w/ FT - w/o FT True Positive Rate 0.010 False Positive Rate Di ff erence • w/o FT drops to 97.177% 0.005 0.000 -0.005 • w/ FT increases to 98.717% -0.010 -0.015 • Team System Dz started Jan 2014! January May February March April Month of 2014 Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 15

  16. seclab Conclusion • Introduced M EERKAT • Learns features automatically, match domain knowledge • Does not require prior version of website • Outperforms state of the art • Gracefully tackles minor and major concept drift Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 16

  17. Thank you for your attention! Questions? seclab kevinbo@cs.ucsb.edu http://kevin.borgolte.me twitter: @caovc THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

Recommend

seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao

704 views • 45 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
fuzzing & exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil

fuzzing & exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil

fuzzing & exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil Clemens Kolbitsch sk (at) seclab (dot) tuwien (dot) ac (dot) at ck (at) seclab (dot) tuwien (dot) ac (dot) at Agenda 802.11 fundamentals 802.11

820 views • 79 slides
Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007 Sylvester Keil sk [at] seclab [dot] tuwien [dot] ac [dot] at Clemens Kolbitsch ck [at] seclab [dot] tuwien [dot] ac [dot] at About us We are

589 views • 45 slides
seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

969 views • 70 slides
Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Material and some slide content from: Taylor et. al. http://queue.acm.org/detail.cfm?id=1556050 http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf OS-Level Sandbox OS/Runtime OS/Runtime Exploit Barriers Exploit

415 views • 3 slides
Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers

Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers

Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers at the University of California Santa Barbara Seclab People interested in finding bugs in software People interested in publishing papers

626 views • 36 slides
SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My name is Yan Shoshitaishvili, and I am a PhD student in the Seclab at UC Santa Barbara. Email: yans@cs.ucsb.edu Twitter: @Zardus Github:

918 views • 36 slides
Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri, Nadia Heninger University of Pennsylvania seclab.upenn.edu/projects/faas Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq

401 views • 39 slides
Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Secure Systems Lab Technical University Vienna Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel and Engin Kirda pmilani@ sssup.it gilbert@ seclab.tuwien.ac.at chris@ cs.ucsb.edu engin.kirda@

606 views • 28 slides
DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY

995 views • 66 slides
Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna

Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna

Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna } @cs.ucsb.edu Computer Security Group UC Santa Barbara 13 August 2009 (UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 1 / 28

433 views • 42 slides

More recommend