Publication


Featured research published by Birhanu Eshete.


International Conference on Security and Privacy in Communication Systems | 2012

BINSPECT: Holistic Analysis and Detection of Malicious Web Pages

Birhanu Eshete; Komminist Weldemariam

Malicious web pages are among the major security threats on the Web. Most of the existing techniques for detecting malicious web pages focus on specific attacks. Unfortunately, attacks are getting more complex whereby attackers use blended techniques to evade existing countermeasures. In this paper, we present a holistic and at the same time lightweight approach, called BINSPECT, that leverages a combination of static analysis and minimalistic emulation to apply supervised learning techniques in detecting malicious web pages pertinent to drive-by-download, phishing, injection, and malware distribution by introducing new features that can effectively discriminate malicious and benign web pages. Large scale experimental evaluation of BINSPECT achieved above 97% accuracy with low false signals. Moreover, the performance overhead of BINSPECT is in the range 3-5 seconds to analyze a single web page, suggesting the effectiveness of our approach for real-life deployment.


Conference on Data and Application Security and Privacy | 2014

WebWinnow: Leveraging Exploit Kit Workflows to Detect Malicious URLs

Birhanu Eshete; V. N. Venkatakrishnan

Organized cybercrime on the Internet is proliferating due to exploit kits. Attacks launched through these kits include drive-by-downloads, spam and denial-of-service. In this paper, we tackle the problem of detecting whether a given URL is hosted by an exploit kit. Through an extensive analysis of the workflows of about 40 different exploit kits, we develop an approach that uses machine learning to detect whether a given URL is hosting an exploit kit. Central to our approach is the design of distinguishing features that are drawn from the analysis of attack-centric and self-defense behaviors of exploit kits. This design is based on observations drawn from exploit kits that we installed in a laboratory setting as well as live exploit kits that were hosted on the Web. We discuss the design and implementation of a system called WEBWINNOW that is based on this approach. Extensive experiments with real world malicious URLs reveal that WEBWINNOW is highly effective in the detection of malicious URLs hosted by exploit kits with very low false-positives.


International World Wide Web Conferences | 2013

Effective Analysis, Characterization, and Detection of Malicious Web Pages

Birhanu Eshete

The steady evolution of the Web has paved the way for miscreants to take advantage of vulnerabilities to embed malicious content into web pages. Upon a visit, malicious web pages steal sensitive data, redirect victims to other malicious targets, or seize control of the victim's system to mount future attacks. Approaches to detect malicious web pages have been reactively effective at special classes of attacks like drive-by-downloads. However, the prevalence and complexity of attacks by malicious web pages is still worrisome. The main challenges in this problem domain are (1) fine-grained capturing and characterization of attack payloads, (2) evolution of web page artifacts, and (3) flexibility and scalability of detection techniques with a fast-changing threat landscape. To this end, we proposed a holistic approach that leverages static analysis, dynamic analysis, machine learning, and evolutionary searching and optimization to effectively analyze and detect malicious web pages. We do so by: introducing novel features to capture fine-grained snapshot of malicious web pages, holistic characterization of malicious web pages, and application of evolutionary techniques to fine-tune learning-based detection models pertinent to evolution of attack payloads. In this paper, we present key intuition and details of our approach, results obtained so far, and future work.


Conference on Risks and Security of Internet and Systems | 2010

Host-based Anomaly Detection for Pervasive Medical Systems

Biniyam Asfaw; Dawit Bekele; Birhanu Eshete; Komminist Weldemariam

Intrusion detection systems are deployed on hosts in a computing infrastructure to tackle undesired events in the course of usage of the systems. One of the promising domains of applying intrusion detection is the healthcare domain. A typical healthcare scenario is characterized by high degree of mobility, frequent interruptions and above all demands access to sensitive medical records by concerned stakeholders. Migrating this set of concerns in pervasive healthcare environments where the traditional characteristics are more intensified in terms of uncertainty, one ends up with more challenges on security due to nature of pervasive devices and wireless communication media along with classic security problems for desktop based systems. Despite evolution of automated healthcare services and sophistication of attacks against such services, there is a reasonable lack of techniques, tools and experimental setups for protecting hosts against intrusive actions. This paper presents a contribution to provide a host-based, anomaly modeling and detection approach based on data mining techniques for pervasive healthcare systems. The technique maintains normal usage profile of pervasive healthcare applications and inspects current workflow against normal usage profile so as to classify it as anomalous or normal. The technique is implemented as a prototype with sample data set and the results obtained revealed that the technique is able to perform classification of anomalous activities.


Availability, Reliability and Security | 2011

Early Detection of Security Misconfiguration Vulnerabilities in Web Applications

Birhanu Eshete; Komminist Weldemariam

This paper presents a web-based tool to supplement defense against security misconfiguration vulnerabilities in web applications. The tool automatically audits security configuration settings of server environments in web application development and deployment. It also offers features to automatically adjust security configuration settings and quantitatively rates level of safety for server environments before deploying web applications. Using the tool, we were able to evaluate eleven server packages for Apache, PHP and MySQL across three operating system platforms. Our evaluation revealed that the tool is able to audit current security configuration settings and alert users to fix the server environment to achieve the level of safety of security configuration with respect to recommended configurations for real-life web application deployment.


International Conference on the Digital Society | 2010

ICT for Good: Opportunities, Challenges and the Way Forward

Birhanu Eshete; Andrea Mattioli; Komminist Weldemariam

ICT seems well understood as a tool and an infrastructure for delivering information and services for the society and for allowing communications through interactions among the service users —mostly, the digital society. Using ICT for ensuring better life requires far more than good infrastructure, ICT know-how and the various techniques and tools in place. If ICT has to address the real problems of the society, it should be at a rescue being environment-friendly, with real and tangible impact, sustainable, seamless, down to the grass-roots and above all with reproducible experiences. In this paper, we introduce a different perspective of looking into and using ICT, which we call ICT for Good (ICT4G). It is about using ICT for addressing problems of societies with low ICT penetration and changing a society’s life for the better. More specifically, based on our observation of current promises ICT gives to society, we discuss ICT4G’s distinguishing aspects, opportunities it offers, challenges it imposes along with preliminary roadmap for its realization. A high-level correlation of what we pointed out with a relevant case study (i.e., the eGIF4M1) is presented.


Computer and Communications Security | 2016

Chainsaw: Chained Automated Workflow-based Exploit Generation

Abeer Alhuzali; Birhanu Eshete; Rigel Gjomemo; V. N. Venkatakrishnan

We tackle the problem of automated exploit generation for web applications. In this regard, we present an approach that significantly improves the state-of-art in web injection vulnerability identification and exploit generation. Our approach for exploit generation tackles various challenges associated with typical web application characteristics: their multi-module nature, interposed user input, and multi-tier architectures using a database backend. Our approach develops precise models of application workflows, database schemas, and native functions to achieve high quality exploit generation. We implemented our approach in a tool called Chainsaw. Chainsaw was used to analyze 9 open source applications and generated over 199 first- and second-order injection exploits combined, significantly outperforming several related approaches.


Computer Software and Applications Conference | 2013

EINSPECT: Evolution-Guided Analysis and Detection of Malicious Web Pages

Birhanu Eshete; Komminist Weldemariam; Mohammad Zulkernine

Most existing work to thwart malicious web pages capture maliciousness via discriminative artifacts, learn a model, and detect by leveraging static and/or dynamic analysis. Unfortunately, there is a two-sided evolution of the artifacts of web pages. On one hand, cybercriminals constantly revamp attack payloads in malicious web pages. On the other hand, benign web pages evolve to improve content rendering and interaction with users. Consequently, the once-precise detection techniques suffer from limitations to cope with the evolution, resulting in malicious web pages that escape detection. In this paper, we present EINSPECT, an evolution-aware and learning-based approach to address evolution of web page artifacts to more precisely analyze and detect malicious web pages. EINSPECT continuously tunes its detection models to automatically decide the best interplay of features and learning algorithms to embrace the evolution of web page artifacts into the analysis and detection. We have implemented and evaluated our approach and the results show that EINSPECT is able to improve the effectiveness of analysis and detection of malicious web pages while aligning the detection models with the continuous evolution of web page artifacts.


2013 IEEE 7th International Conference on Software Security and Reliability | 2013

Confeagle: Automated Analysis of Configuration Vulnerabilities in Web Applications

Birhanu Eshete; Komminist Weldemariam; Mohammad Zulkernine

Web applications and server environments hosting them rely on configuration settings that influence their security, usability, and performance. Misconfiguration results in severe security vulnerabilities. Recent trends show that misconfiguration is among the top critical risks in web applications. While effective at uncovering numerous classes of vulnerabilities, generic web application vulnerability scanners are limited in identifying configuration vulnerabilities. In this paper, we present an approach that effectively combines hierarchical configuration scanning and preliminary source code analysis of web applications to pinpoint potential configuration vulnerabilities, quantify the degree of severity based on standard metrics, and facilitate fixing of vulnerabilities found therein. We implemented our approach in a tool called Confeagle and evaluated it on 14 widely deployed PHP web applications. Unlike generic web vulnerability scanners, on the subject applications, Confeagle detected potential configuration vulnerabilities that could result in information disclosure, denial-of-service, and session hijacking attacks on the applications.


International Conference on e-Infrastructure and e-Services for Developing Countries | 2012

Social Accountability for Mozambique: An Experience Report from the Moamba District

Aaron Ciaghi; Birhanu Eshete; Pietro Molini

Empowering citizens in making Governments more accountable and transparent in the services they provide has gained more attention in the last few years both in the developing and in the developed world. At the basis of any such exercise, information and data collection activities play an important role. In this paper we report on a pilot we conducted in collaboration with the Ministry of Education of Mozambique, the World Bank and the Maputo Living Lab to collect data about various procurement indicators of primary schools in the Moamba district of Mozambique. For this purpose we developed a data collection platform and a mobile application to conduct field work.

Collaboration

Top Co-Authors

V. N. Venkatakrishnan, University of Illinois at Chicago

Rigel Gjomemo, University of Illinois at Chicago

Abeer Alhuzali, University of Illinois at Chicago

Aaron Ciaghi, Fondazione Bruno Kessler

Pietro Molini, Fondazione Bruno Kessler

R. Sekar, Stony Brook University

Maliheh Monshizadeh, University of Illinois at Chicago