DocumentCode
3368966
Title
Detecting and Preventing Drive-By Download Attack via Participative Monitoring of the Web
Author
Matsunaka, Takashi ; Urakawa, J. ; Kubota, Ayumu
Author_Institution
KDDI R&D Labs. Inc., Saitama, Japan
fYear
2013
fDate
25-26 July 2013
Firstpage
48
Lastpage
55
Abstract
Drive-by Download Attack (DBD) is one of the major threats to the web infrastructure. DBD attacks are triggered by user access to a malicious website and force users to download malware by exploiting vulnerabilities in web browsers or plugins. Malicious websites are ephemeral. Therefore, it is necessary to gather fresh information related to malicious activities in order to detect and prevent such attacks. In this paper, we propose a framework that combats DBD attacks through users' voluntary monitoring of the web. This framework tackles two issues: how to obtain up-to-date information related to malicious activities and how to provide that up-to-date information to the world. The framework aims to realize a security ecosystem: users actively offer information about their activities on the web (e.g. accessed URLs, downloaded contents), and security analysts inspect the information to detect new threats, devise countermeasures for them, and then provide the countermeasures to users as feedback. The framework consists of sensors located on the user side and a centralized center located on the network side. Sensors are deployed in the web browser, in web proxies, and in DNS servers. The sensors monitor the accessed URLs, the downloaded contents, and the method by which link events were triggered (e.g. mouse click, mouse move, redirection by the server), and then report the data to the center. The center analyzes the data, derives statistical data and the web link structure, and detects new threats by making use of the characteristics of malicious web pages. This paper also shows a real-world example that demonstrates the potential of our framework. The example implies that our focus on changes in the web link structure can detect illegal falsification of web pages. Our framework can obtain long-term data on how many hosts users are forced to access when they access a web page, so we believe that our framework can distinguish legitimate changes in web pages from changes caused by compromise.
Keywords
Internet; Web sites; invasive software; statistical analysis; DBD attacks; DNS servers; Web browser; Web browsers; Web infrastructure; Web link structure; Web monitoring; Web proxies; download malware; fresh information; malicious Web pages; malicious Website; malicious activities; participative monitoring; preventing drive by download attack; statistical data; Browsers; Crawlers; Malware; Monitoring; Sensors; Servers; Web pages; Drive-by download attack; Web link structure analysis;
fLanguage
English
Publisher
ieee
Conference_Titel
Information Security (Asia JCIS), 2013 Eighth Asia Joint Conference on
Conference_Location
Seoul
Type
conf
DOI
10.1109/ASIAJCIS.2013.15
Filename
6621651
Link To Document