The Network Visualization Tool for detecting the Drive-by Download attacks
(Japanese title, abstract and body text did not survive extraction; only the English front matter, figure/table numbers, proper nouns and references are recoverable and are kept below.)

Amako Katsuhiro 1,a)   Takada Tetsuji 1,b)
1 University of Electro-Communications, Tokyo, Japan
a) amako.k@uec.ac.jp   b) zetaka@computer.org

Abstract: The Drive-by Download (DbD) attack, one of the intrusion methods used by malware, is now a major threat on the Internet. Detecting a DbD attack is difficult for administrators because nothing changes on the victim's screen. Conventional approaches to these attacks mainly rely on text-based logs, or focus on HTTP headers and redirections. We propose a network visualization tool for detecting DbD attacks. The proposed tool enables users and administrators to take action against malware.

Keywords: Visualization, Network Security, Drive-by Download

1. (Introduction; heading and body text not recovered)
Surviving fragments: according to the IBM Tokyo SOC report [1], the number of DbD attacks observed rose from 956 (2012) to 3,972 (2013), roughly a 4.2-fold increase. The section goes on to describe DbD attacks delivered through the Web and the structure of the paper (three ... ).
2. (Drive-by Download attacks and related work; heading and body text not recovered)
Surviving fragments: the anatomy of a DbD attack [4]; page views (PV); a Web-based DbD attack proceeds in three steps ( 1 ), ( 2 ), ( 3 ), illustrated in Figure 1.

2.1 Surviving fragments: URL-based countermeasures such as Google Safe Browsing [6] and McAfee SiteAdvisor [7] (spelled "Mcfee" in the original), which judge a URL before the browser visits it; an IP-address-based approach [8].

2.2 Visualization approaches
2.2.1 Flow Visualizer [2] (Figure 2), discussed with respect to three points (1) DbD, (2) URL, (3) URL; the proposed tool is positioned against (1), (2) and (3).
2.2.2 A visualization of Gumblar (spelled "Gumbler" in the original) infections of PCs [3]: the infected PC's FTP activity is shown, points (1) and (2); FTP ( ).
2.2.3 The visualization of [5], covering (1) HTTP, (2) URLs and (3) PDF and SWF content together with their URLs.

3. (Comparison of related work; heading and body text not recovered)
Surviving fragments: Table 1 compares the approaches above with respect to DbD attacks and URLs: Flow Visualizer [2], the Gumblar visualization [3] and the tool of [5].

4. (Proposed tool; heading and body text not recovered)
Surviving fragments: Figure 3 shows the proposed tool, which visualizes HTTP traffic and IP addresses in order to expose DbD attacks, following the attack model of [4].

4.1 (see the next section; Figure 3)
4.1 Input and preprocessing (heading inferred; body text not recovered)
Surviving fragments (Figure 3): the tool takes a packet capture (pcap) as input, reassembles the TCP/IP streams, and extracts HTTP requests and responses (HTML and other content) from the reassembled TCP payload. The pcap parsing is implemented in Python 3.3 with pypacker; the visualization is written in Java.

4.2 IP-address and HTTP-content view (heading inferred; body text not recovered)
Surviving fragments (Figure 4): an IP-address axis spanning 0.0.0.0 to 255.255.255.255; a window parameter of 30 for the pcap (unit not recovered); HTTP requests and responses are plotted between the IP addresses involved, and responses are distinguished by Content-Type. The content types singled out as carriers of DbD exploits are Adobe Flash Player (Small Web Format, SWF), Adobe Reader (Portable Document Format, PDF), Oracle Java (Java Archive, JAR) and Windows executables.

4.3 JavaScript and redirection view (heading inferred; body text not recovered)
Surviving fragments (Figure 5): ( 1 ) HTTP responses whose status code is in the 300 range (redirections); ( 2 ) JavaScript contained in HTTP responses, and the URLs it refers to; both are marked in the HTTP view (Table 1).

5. Evaluation (heading inferred; body text not recovered)
5.1 Ordinary Web browsing: the benign capture is a session on the CiNii [9] article search site including a PDF download; the result, drawn with the view of section 4.3, is shown in Figure 6.
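The preprocessing step of section 4.1 (pcap in, reassembled TCP streams out, HTTP responses picked from them) as an added example. This is not the paper's code, which used pypacker; it parses the pcap record and Ethernet/IPv4/TCP headers directly with `struct`. The capture, the addresses 10.0.0.2 and 192.0.2.10 and the hostnames are constructed for the example, and the server's response is deliberately split over two out-of-order segments plus a retransmission so the reassembly has something to do.

```python
"""Added example: read a pcap, reassemble each TCP direction by sequence
number, and keep the byte streams that carry HTTP responses. The capture is
constructed in memory; for a real file use parse_pcap(open(path, "rb").read()).
Only Ethernet/IPv4/TCP is handled (IPv6, VLAN tags and other link types are skipped)."""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, native byte order


def build_frame(src, dst, sport, dport, seq, payload):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero: fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, type=IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,  # ports, seq, ack
                      5 << 4, 0x18, 65535, 0, 0)           # data offset=5, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0,                       # id, frag, TTL, proto=TCP, csum
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a pcap global header and per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, caplen, len
    return out


def parse_pcap(data):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are supported by this example")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                       # not TCP
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        yield src, sport, dst, dport, seq, tcp[(tcp[12] >> 4) * 4:]


def reassemble(segments):
    """Order each direction's segments by seq and trim retransmitted overlap."""
    by_flow = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        if payload:
            by_flow[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for flow, segs in by_flow.items():
        buf, expect = bytearray(), None
        for seq, payload in sorted(segs):
            if expect is not None and seq < expect:          # overlap or retransmission
                payload, seq = payload[expect - seq:], expect
            buf += payload                                   # a gap (seq > expect) is kept as-is
            expect = seq + len(payload)
        streams[flow] = bytes(buf)
    return streams


def http_responses(streams):
    """Keep only the streams that begin with an HTTP status line (server to client)."""
    return {flow: data for flow, data in streams.items() if data.startswith(b"HTTP/1.")}


# Constructed traffic: one request, one response split over two segments that
# arrive out of order, plus a retransmission of the first response segment.
REQUEST = b"GET /landing HTTP/1.1\r\nHost: site.example\r\n\r\n"
RESPONSE = (b"HTTP/1.1 302 Moved Temporarily\r\nContent-Type: application/octet-stream\r\n"
            b"Location: http://hop.example/next\r\nContent-Length: 0\r\n\r\n")
CLIENT, SERVER = "10.0.0.2", "192.0.2.10"


def sample_pcap():
    half = len(RESPONSE) // 2
    first = build_frame(SERVER, CLIENT, 80, 40000, 5000, RESPONSE[:half])
    second = build_frame(SERVER, CLIENT, 80, 40000, 5000 + half, RESPONSE[half:])
    request = build_frame(CLIENT, SERVER, 40000, 80, 1000, REQUEST)
    return build_pcap([request, second, first, first])


if __name__ == "__main__":
    for flow, data in http_responses(reassemble(parse_pcap(sample_pcap()))).items():
        print(flow, data.split(b"\r\n")[0])
```

The reassembler keys streams by the 4-tuple in one direction, so a connection yields two entries; only the server-to-client one starts with a status line. Gaps from dropped packets are not filled, which is the right failure mode for a detector: a truncated body still shows its headers, and the Content-Type check of section 4.2 can run on what arrived.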
Surviving fragments of the Figure 6 discussion: point (4) concerns the IP addresses (two hosts and their IP addresses); point (5) the PDF download. The CiNii session is benign Web browsing and shows no DbD characteristics.

5.2 Malware dataset (heading inferred; body text not recovered)
Surviving fragments: the malicious capture is taken from the Drive-by Download Dataset by Marionette (D3M) [10] (spelled "Mrionette" in the original), collected with NTT's Marionette honeyclient. The result is shown in Figure 7: point (6) concerns the PDF content (a time stamp "20 02 09" appears in the original), point (7) the HTTP traffic.

Figure 7 and Figure 8 (D3M): the HTTP view and the IP-address view. Points (6) IP addresses, (7) PDF and (8) a single PDF delivered over HTTP, together with JavaScript and the URLs it references, are discussed.

5.3 Live Web sites (heading inferred; body text not recovered)
Surviving fragments: DbD sites were visited with the environment of Table 1 and the HTTP traffic captured; candidate sites were taken from urlquery [11]. Figure 8 is discussed with respect to points (9) IP addresses, (10) and (11), and the HTML of one Web site.

Table 1: Experimental environment
  Host OS          Ubuntu 12.04 LTS
  CPU              Core i7-3770K
  RAM              16 GB
  Virtualization   VirtualBox 4.3.6
  Guest OS         Windows XP Professional SP3
  Browser          Internet Explorer 6.0.2900.5512
  Plug-ins         Adobe Reader 9.0, Adobe Flash 11.1.102.55, Oracle Java 6 Update 10, Apple QuickTime 7.6

Figure 9: HTTP response observed at one of the live sites

  HTTP/1.1 302 Moved Temporarily
  Server: nginx
  Date: Wed, 05 Feb 2014 09:55:17 GMT
  Content-Type: application/octet-stream
  Transfer-Encoding: chunked
  Connection: keep-alive
  P3P: CUR ADM OUR NOR STA NID
  Location: http://xx.xxxxxxx.jp/yie/ld/gcs?v=zzh...

  0

The response in Figure 9 delivered JavaScript with a Content-Type of application/octet-stream, so an HTTP-header-based classification would not have recognized it as script.
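The classification behind the views of sections 4.2 and 4.3, and the Figure 9 case of section 5.3, as one added example that is not the paper's code: each reassembled HTTP response is flagged as a redirection (3xx), as a declared exploit-carrying type (SWF, PDF, JAR, Windows executable, or the catch-all octet-stream), as a payload identified by its file signature regardless of the header, and as JavaScript served under a non-script Content-Type. The three responses and their URLs are constructed; the first is modelled on the Figure 9 headers with a short JavaScript body stood in for the real one, which the page does not reproduce.

```python
"""Added example: flag the HTTP responses a DbD visualizer would highlight.
Input is raw response bytes as a TCP reassembler hands them over; samples are
constructed and modelled on the Figure 9 response."""
import re
from collections import namedtuple

HttpResponse = namedtuple("HttpResponse", "status headers body")

# Declared types associated with DbD payloads in section 4.2, plus the
# catch-all octet-stream that the Figure 9 response used for JavaScript.
RISKY_TYPES = {
    "application/x-shockwave-flash": "swf",
    "application/pdf": "pdf",
    "application/java-archive": "jar",
    "application/x-msdownload": "exe",
    "application/octet-stream": "binary",
}
# File signatures: judge the body by what it is, not by what the header claims.
MAGIC = [(b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf"),
         (b"%PDF", "pdf"), (b"PK\x03\x04", "jar"), (b"MZ", "exe")]
JS_HINT = re.compile(rb"\b(eval|unescape|document\.write|fromCharCode|var\s+\w+\s*=)")
JS_OK_TYPES = ("text/", "application/javascript", "application/x-javascript")


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body (chunk extensions and trailers ignored)."""
    out, off = bytearray(), 0
    while True:
        end = body.find(b"\r\n", off)
        if end < 0:
            break
        size = int(body[off:end].split(b";")[0], 16)
        if size == 0:
            break
        out += body[end + 2:end + 2 + size]
        off = end + 2 + size + 2
    return bytes(out)


def parse_response(raw):
    """Split a raw HTTP/1.x response into status, lower-cased headers and decoded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return HttpResponse(status, headers, body)


def sniff(body):
    """Identify the body by magic bytes first, then by JavaScript-looking tokens."""
    for sig, kind in MAGIC:
        if body.startswith(sig):
            return kind
    return "javascript" if JS_HINT.search(body[:4096]) else "other"


def classify(resp):
    """Return the flags a visualizer would attach to this response."""
    ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(resp.body)
    flags = []
    if 300 <= resp.status < 400:
        flags.append("redirect")
    if ctype in RISKY_TYPES:
        flags.append("risky-type:" + RISKY_TYPES[ctype])
    if actual in ("swf", "pdf", "jar", "exe"):
        flags.append("payload:" + actual)
    if actual == "javascript" and not ctype.startswith(JS_OK_TYPES):
        flags.append("js-under:" + (ctype or "none"))   # script hidden behind a binary type
    return flags


def redirect_chain(start, responses):
    """Follow Location headers from start through {url: HttpResponse}; stops on loops."""
    chain, url = [start], start
    while url in responses and 300 <= responses[url].status < 400:
        url = responses[url].headers.get("location", "")
        if not url or url in chain:
            break
        chain.append(url)
    return chain


def scan(responses):
    return {url: classify(resp) for url, resp in responses.items()}


def chunked(body):
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


# Constructed samples (hostnames are placeholders). The first mirrors Figure 9:
# a 302 from nginx declaring application/octet-stream but carrying JavaScript.
JS_BODY = b"var a=unescape('%75%72%6c');document.write(a);"
SAMPLES = {
    "http://landing.example/": parse_response(
        b"HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\n"
        b"Content-Type: application/octet-stream\r\nTransfer-Encoding: chunked\r\n"
        b"Location: http://hop.example/ld?v=1\r\n\r\n" + chunked(JS_BODY)),
    "http://hop.example/ld?v=1": parse_response(
        b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
        b"Content-Length: 9\r\n\r\n%PDF-1.4\n"),
    "http://cdn.example/page.html": parse_response(
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"Content-Length: 28\r\n\r\n<html><body>hi</body></html>"),
}

if __name__ == "__main__":
    for url, flags in scan(SAMPLES).items():
        print(url, flags or "-")
    print(" -> ".join(redirect_chain("http://landing.example/", SAMPLES)))
```

The `js-under` flag is the check that the Figure 9 response would have defeated if the tool looked at Content-Type alone: the body is sniffed before the header is trusted, and a chunked body is decoded first so the signature check sees the real first bytes. The token list in `JS_HINT` is a coarse heuristic, not a JavaScript parser; obfuscated scripts that avoid these names need the decoding discussed in section 6.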
6. (Discussion; heading and body text not recovered)
Surviving fragments: the tool visualizes the HTTP traffic and IP addresses involved in a Drive-by Download, and in particular the JavaScript handled in section 4.3; JavaScript used by DbD attacks is the main point of discussion.

7. (Conclusion; heading and body text not recovered)
Surviving fragments: a visualization tool for detecting DbD attacks was proposed; handling the JavaScript used by DbD attacks remains future work.

References
[1] 2013 Tokyo SOC Report (first half of 2013), Tokyo SOC, IBM Security Services, http://www-935.ibm.com/services/jp/its/pdf/tokyo_soc_report2013_h1.pdf (accessed 2014-02-13). (Underscores in the file name are assumed; the extracted text shows spaces.)
[2] (authors and title in Japanese, not recovered), 2012, pp. 224-231, 2012.
[3] (authors in Japanese, not recovered): visualization of Gumblar-infected PCs (title in Japanese), IEICE Technical Report, IA2010-1, ICSS2010-1, 2010.
[4] Van Lam Le, Ian Welch, Xiaoying Gao, Peter Komisarczuk: Anatomy of drive-by download attack, in Proc. AISC, 2013.
[5] (authors and title in Japanese, not recovered), pp. 765-770, 2010.
[6] Google Safe Browsing, https://www.google.com/transparencyreport/safebrowsing/ (accessed 2014-02-13).
[7] McAfee SiteAdvisor, http://www.siteadvisor.com/ (accessed 2014-02-13).
[8] JSOC INSIGHT 2013 vol.2, http://www.lac.co.jp/security/report/2013/11/06_jsoc_01.html (accessed 2014-02-13). (Underscores in the path are assumed; the extracted text shows spaces.)
[9] CiNii Articles, http://ci.nii.ac.jp/
[10] (authors in Japanese, not recovered): MWS Datasets 2013, CSS2013, 2013.
[11] URLQuery, https://urlquery.net/ (accessed 2014-02-13).