A Framework for Large-Scale Detection of Web Site Defacements

Published: 01 October 2010

Abstract

Web site defacement, the process of introducing unauthorized modifications to a Web site, is a very common form of attack. In this paper we describe and evaluate experimentally a framework that may constitute the basis for a defacement detection service capable of monitoring thousands of remote Web sites systematically and automatically.

In our framework an organization may join the service by simply providing the URLs of the resources to be monitored along with the contact point of an administrator. The monitored organization may thus take advantage of the service with just a few mouse clicks, without installing any software locally or changing its own daily operational processes. Our approach is based on anomaly detection and allows monitoring the integrity of many remote Web resources automatically while remaining fully decoupled from them, in particular, without requiring any prior knowledge about those resources.

We evaluated our approach over a selection of dynamic resources and a set of publicly available defacements. The results are very satisfactory: all attacks are detected while keeping false positives to a minimum. We also assessed performance and scalability of our proposal and we found that it may indeed constitute the basis for actually deploying the proposed service on a large scale.
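The abstract describes the approach only in outline: learn what a monitored page normally looks like from a set of snapshots, then flag later snapshots that deviate, without any prior knowledge of the site and without touching it. The following is an added example of that idea, not the authors' framework or code. It profiles a page by a handful of structural features (tag counts, links, images, scripts, forms, word count, title length), learns per-feature mean and spread from a learning set of "known good" snapshots, and reports which features of a new snapshot fall outside 3 sigma. The feature set, the 3-sigma rule, the minimum-sigma floor and the "at least two deviating features" decision rule are all assumptions made for this example; the HTML snapshots are constructed inline, so nothing is fetched from the network.

```python
"""Anomaly-based defacement monitor (added example; not the paper's code).

Learns a profile of a page from "known good" snapshots and flags later
snapshots whose structural features deviate from it. All HTML below is
constructed for the example; no real site is fetched.
"""
from html.parser import HTMLParser
from statistics import mean, pstdev


class FeatureExtractor(HTMLParser):
    """Collect simple structural features of one HTML document."""

    def __init__(self):
        super().__init__()
        self.tags, self.title = [], ""
        self.links = self.images = self.scripts = self.forms = self.words = 0
        self._in_title, self._skip = False, 0  # _skip: depth inside script/style

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a" and any(k == "href" for k, _ in attrs):
            self.links += 1
        elif tag == "img":
            self.images += 1
        elif tag == "script":
            self.scripts += 1
        elif tag == "form":
            self.forms += 1
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif not self._skip:          # visible text only, not script/style bodies
            self.words += len(data.split())

    def features(self):
        return {"tags": len(self.tags), "distinct_tags": len(set(self.tags)),
                "links": self.links, "images": self.images, "scripts": self.scripts,
                "forms": self.forms, "words": self.words,
                "title_len": len(self.title.strip())}


def extract(html):
    """Feature vector (dict) for one snapshot."""
    p = FeatureExtractor()
    p.feed(html)
    p.close()
    return p.features()


class Profile:
    """Per-feature mean and standard deviation learned from good snapshots.

    MIN_SIGMA (assumed) keeps an invariant feature from raising an alarm
    on a one-unit change, which dynamic pages produce routinely.
    """
    MIN_SIGMA = 1.0
    Z_LIMIT = 3.0

    def __init__(self, snapshots):
        vectors = [extract(h) for h in snapshots]
        self.stats = {}
        for name in vectors[0]:
            values = [v[name] for v in vectors]
            self.stats[name] = (mean(values), max(pstdev(values), self.MIN_SIGMA))

    def score(self, html):
        """Names of the features of `html` lying more than Z_LIMIT sigma from the profile."""
        feats = extract(html)
        return [name for name, (mu, sigma) in self.stats.items()
                if abs(feats[name] - mu) / sigma > self.Z_LIMIT]

    def is_anomalous(self, html, min_deviations=2):
        """Requiring several deviating features trades sensitivity for fewer false positives."""
        return len(self.score(html)) >= min_deviations


# --- constructed snapshots of a fictitious news page (not real data) ---------
def _normal_page(headlines):
    nav = "".join(f'<li><a href="/s/{i}">Section {i}</a></li>' for i in range(6))
    arts = "".join(f'<article><h2>{h}</h2><img src="/img/{i}.jpg" alt="">'
                   f'<p>{" ".join(["word"] * (40 + 7 * i))}</p></article>'
                   for i, h in enumerate(headlines))
    return (f"<html><head><title>Example Daily News</title></head><body>"
            f"<header><ul>{nav}</ul></header><main>{arts}</main>"
            f'<form action="/search"><input name="q"></form>'
            f'<footer><a href="/about">About</a><a href="/contact">Contact</a></footer>'
            f"</body></html>")

LEARNING_SET = [
    _normal_page(["Budget vote", "Rain expected", "Local team wins"]),
    _normal_page(["Bridge reopens", "New library hours", "Market report", "Weekend events"]),
    _normal_page(["Council meeting", "School results", "Traffic update"]),
    _normal_page(["Storm warning", "Festival lineup", "Transit changes", "Sports roundup", "Weather"]),
    _normal_page(["Election preview", "Housing report", "Science fair winners", "Op-ed"]),
]
NORMAL_TODAY = _normal_page(["Morning briefing", "Road closures", "Art exhibit", "Recipe"])
# A replaced page: different title, no navigation, images or search form, little text.
DEFACED = ("<html><head><title>Page replaced</title></head><body>"
           "<h1>This site has been replaced</h1><p>replacement notice placeholder</p>"
           "</body></html>")

if __name__ == "__main__":
    profile = Profile(LEARNING_SET)
    for label, html in (("normal", NORMAL_TODAY), ("replaced", DEFACED)):
        print(label, "anomalous" if profile.is_anomalous(html) else "ok", profile.score(html))
```

In a real deployment the learning set would be the first snapshots collected after an organization registers a URL, and the profile would have to be refreshed as the page legitimately evolves; the example keeps a fixed profile to show the mechanism. With this data the current normal snapshot deviates on no feature, while the replaced page deviates on six of the eight.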
