Publication


Featured research published by Mitsuaki Akiyama.


Symposium on Applications and the Internet | 2011

Searching Structural Neighborhood of Malicious URLs to Improve Blacklisting

Mitsuaki Akiyama; Takeshi Yagi; Mitsutaka Itoh

Filtering based on blacklists is a major countermeasure against malicious websites. However, blacklists must be updated because malicious URLs tend to be short-lived and their substrings may be partially mutated to avoid blacklisting. Due to these characteristics, it can be assumed that unknown malicious URLs exist in the neighborhood of known malicious URLs, created by the same adversary. We propose an effective blacklist URL generation method. We try to discover the URLs in the neighborhood of a malicious URL by using a search engine. Those suspicious neighborhoods around malicious URLs require further investigation to determine their blacklisting candidacy. We experimentally evaluated the proposed generation method by using real blacklisted URLs for both drive-by-download and click-download infection. The results showed that the proposed method can effectively improve identification of malicious URLs and maintenance of the coverage of blacklists.


Symposium on Applications and the Internet | 2012

Scalable and Performance-Efficient Client Honeypot on High Interaction System

Mitsuaki Akiyama; Yuhei Kawakoya; Takeo Hariu

We investigated client honeypots for detecting and circumstantially analyzing drive-by download attacks. A client honeypot requires both improved inspection performance and in-depth analysis for inspecting and discovering malicious websites. However, OS overhead in recent client honeypot operation cannot be ignored for improving honeypot multiplication performance. We propose a client honeypot client system that uses our proposed multi-OS and multi-process honeypot multiplication approaches and implemented this system to evaluate its performance. Our process sandbox mechanism, a security measure for our multi-process approach, creates a virtually isolated environment for each web browser. In a field trial, we confirmed that the use of our multi-process approach was three or more times faster than that of a single process and our multi-OS approach linearly improved system performance according to the number of honeypot instances. Thus, our proposed multiplication approaches improve performance efficiency and enable in-depth analysis on high interaction systems.


Recent Advances in Intrusion Detection | 2013

Active Credential Leakage for Observing Web-Based Attack Cycle

Mitsuaki Akiyama; Takeshi Yagi; Kazufumi Aoki; Takeo Hariu; Youki Kadobayashi

A user who accesses a compromised website is usually redirected to an adversary's website and forced to download malware. Additionally, the adversary steals the user's credentials by using information-stealing malware. Furthermore, the adversary may try to compromise public websites owned by individual users by impersonating the website administrator using the stolen credential. These compromised websites then become landing sites for drive-by download malware infection. Identifying malicious websites using crawling techniques requires large resources and takes a lot of time. To observe web-based attack cycles to achieve effective detection and prevention, we propose a novel observation system based on a honeytoken that actively leaks credentials and lures adversaries to a decoy that behaves like a compromised web content management system. The proposed procedure involves collecting malware, leaking credentials, observing access by an adversary, and inspecting the compromised web content. It can instantly discover malicious entities without conducting large-scale web crawling because of the direct observation on the compromised web content management system. Our system enables continuous and stable observation for about one year. In addition, almost all the malicious websites we discovered had not been previously registered in public blacklists.


Global Communications Conference | 2016

Efficient Dynamic Malware Analysis Based on Network Behavior Using Deep Learning

Toshiki Shibahara; Takeshi Yagi; Mitsuaki Akiyama; Daiki Chiba; Takeshi Yada

Malware authors or attackers always try to evade detection methods to accomplish their mission. Such detection methods are broadly divided into three types: static feature, host-behavior, and network-behavior based. Static feature-based methods are evaded using packing techniques. Host-behavior-based methods also can be evaded using some code injection methods, such as API hook and dynamic link library hook. This arms race regarding static feature-based and host-behavior-based methods increases the importance of network-behavior-based methods. The necessity of communication between infected hosts and attackers makes it difficult to evade network-behavior-based methods. The effectiveness of such methods depends on how we collect a variety of communications by using malware samples. However, analyzing all new malware samples for a long period is infeasible. Therefore, we propose a method for determining whether dynamic analysis should be suspended based on network behavior to collect malware communications efficiently and exhaustively. The key idea behind our proposed method is focused on two characteristics of malware communication: the change in the communication purpose and the common latent function. These characteristics of malware communications resemble those of natural language from the viewpoint of data structure, and sophisticated analysis methods have been proposed in the field of natural language processing. For this reason, we applied the recursive neural network, which has recently exhibited high classification performance, to our proposed method. In the evaluation with 29,562 malware samples, our proposed method reduced 67.1% of analysis time while keeping the coverage of collected URLs to 97.9% of the method that continues full analyses.


Dependable Systems and Networks | 2016

DomainProfiler: Discovering Domain Names Abused in Future

Daiki Chiba; Takeshi Yagi; Mitsuaki Akiyama; Toshiki Shibahara; Takeshi Yada; Tatsuya Mori; Shigeki Goto

Cyber attackers abuse the domain name system (DNS) to mystify their attack ecosystems; they systematically generate a huge volume of distinct domain names to make it infeasible for blacklisting approaches to keep up with newly generated malicious domain names. As a solution to this problem, we propose a system for discovering malicious domain names that will likely be abused in future. The key idea with our system is to exploit temporal variation patterns (TVPs) of domain names. The TVPs of domain names include information about how and when a domain name has been listed in legitimate/popular and/or malicious domain name lists. On the basis of this idea, our system actively collects DNS logs, analyzes their TVPs, and predicts whether a given domain name will be used for malicious purposes. Our evaluation revealed that our system can predict malicious domain names 220 days beforehand with a true positive rate of 0.985.


Computer Software and Applications Conference | 2015

MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks

Yuta Takata; Mitsuaki Akiyama; Takeshi Yagi; Takeo Hariu; Shigeki Goto

Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. Attackers profile the information on the user's environment such as the name and version of the browser and browser plugins and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques such as honey clients are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. We propose here a method to exhaustively analyze JavaScript code relevant to redirections and to extract the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called MineSpider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that MineSpider extracted 30,000 new URLs from websites in a few seconds that existing techniques missed.


International Conference on Communications | 2017

Malicious URL sequence detection using event de-noising convolutional neural network

Toshiki Shibahara; Kohei Yamanishi; Yuta Takata; Daiki Chiba; Mitsuaki Akiyama; Takeshi Yagi; Yuichi Ohsita; Masayuki Murata

Attackers have increased the number of infected hosts by redirecting users of compromised popular websites toward websites that exploit vulnerabilities of a browser and its plugins. To prevent damage, detecting infected hosts based on proxy logs, which are generally recorded on enterprise networks, is gaining attention rather than blacklist-based filtering because creating blacklists has become difficult due to the short lifetime of malicious domains and concealment of exploit code. Since information extracted from one URL is limited, we focus on a sequence of URLs that includes artifacts of malicious redirections. We propose a system for detecting malicious URL sequences from proxy logs with a low false positive rate. To elucidate an effective approach of malicious URL sequence detection, we compared three approaches: individual-based approach, convolutional neural network (CNN), and our newly developed event de-noising CNN (EDCNN). Our EDCNN is a new CNN to reduce the negative effect of benign URLs redirected from compromised websites included in malicious URL sequences. Our evaluation shows that the EDCNN lowers the operation cost of malware infection by reducing 47% of false alerts compared with a CNN when users access compromised websites but do not obtain exploit code due to browser fingerprinting.


International Symposium on Computers and Communications | 2015

AutoBLG: Automatic URL blacklist generator using search space expansion and filters

Bo Sun; Mitsuaki Akiyama; Takeshi Yagi; Mitsuhiro Hatada; Tatsuya Mori

Modern web users are exposed to a browser security threat called drive-by-download attacks that occur by simply visiting a malicious Uniform Resource Locator (URL) that embeds code to exploit web browser vulnerabilities. Many web users tend to click such URLs without considering the underlying threats. URL blacklists are an effective countermeasure to such browser-targeted attacks. URLs are frequently updated; therefore, collecting fresh malicious URLs is essential to ensure the effectiveness of a URL blacklist. We propose a framework called automatic blacklist generator (AutoBLG) that automatically identifies new malicious URLs using a given existing URL blacklist. The key idea of AutoBLG is expanding the search space of web pages while reducing the amount of URLs to be analyzed by applying several pre-filters to accelerate the process of generating blacklists. AutoBLG comprises three primary primitives: URL expansion, URL filtration, and URL verification. Through extensive analysis using a high-performance web client honeypot, we demonstrate that AutoBLG can successfully extract new and previously unknown drive-by-download URLs.


Journal of Information Processing | 2015

Empowering Anti-malware Research in Japan by Sharing the MWS Datasets

Mitsuhiro Hatada; Mitsuaki Akiyama; Takahiro Matsuki; Takahiro Kasama

Substantial research has been conducted to develop proactive and reactive countermeasures against malware threats. Gathering and analyzing data are widely accepted approaches for accelerating the research towards understanding malware threats. However, collecting useful data is not an easy task for individuals or new researchers owing to several technical barriers, such as conducting honeypot operations securely. The anti-Malware engineering WorkShop (MWS) was organized in 2008 to fill this gap; since then, we have shared datasets that are useful for accelerating the data-driven anti-malware research in Japan. This paper provides the definitive collection of the MWS Datasets that are a collection of different datasets for use in anti-malware research. We also report the effectiveness of the MWS Datasets from the viewpoint of published research papers and how to empower some of the papers by using the MWS Datasets. Furthermore, our discussion about issues of the MWS Datasets reveals the future directions for accelerating anti-malware research from the perspectives of dataset collection activity and dataset use activity.


Advanced Information Networking and Applications | 2012

Characterizing Obfuscated JavaScript Using Abstract Syntax Trees: Experimenting with Malicious Scripts

Gregory Blanc; Daisuke Miyamoto; Mitsuaki Akiyama; Youki Kadobayashi

Obfuscation, code transformations that make the code unintelligible, is still an issue for web malware analysts and is still a weapon of choice for attackers. Worse, some researchers have arbitrarily decided to consider obfuscated contents as malicious although it has been proven wrong. Yet, we can assume that some web attack kits only feature a fraction of existing obfuscating transformations which may make it easy to detect malicious scripting contents. However, because of the undecidability on obfuscated contents, we propose to survey, classify and design deobfuscation methods for each obfuscating transformation. In this paper, we apply abstract syntax tree (AST) based methods to characterize obfuscating transformations found in malicious JavaScript samples. We are able to classify similar obfuscated codes based on AST fingerprints regardless of the original attack code. We are also able to quickly detect these obfuscating transformations by matching these in an analyzed sample's AST using a pushdown automaton (PDA). The PDA accepts a set of subtrees representing obfuscating transformations previously learned. Such quick and lightweight subtree matching algorithm has the potential to detect obfuscated pieces of code in a script, to be later extracted for deobfuscation.

Collaboration


Top Co-Authors

Takeshi Yagi

The Furukawa Electric Co.

Youki Kadobayashi

Nara Institute of Science and Technology
