The MALICIA dataset: identification and analysis of drive-by download operations.

Saved in:
Bibliographic Details
Title: The MALICIA dataset: identification and analysis of drive-by download operations.
Authors: Nappa, Antonio antonio.nappa@imdea.org, Rafique, M.1 zubair.rafique@cs.kuleuven.be, Caballero, Juan2 juan.caballero@imdea.org
Source: International Journal of Information Security. Feb2015, Vol. 14 Issue 1, p15-33. 19p.
Subjects: Malware, Client/server computing software, Client/server computing, Distributed computing, Internet service providers, Cloud computing, Web hosting, Safety
Abstract: Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem, many exploit servers run the same exploit kit and it is a challenge understanding whether the exploit server is part of a larger operation. In this paper, we propose a technique to identify exploit servers managed by the same organization. We collect over time how exploit servers are configured, which exploits they use, and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16 h, long-lived operations exist that operate for several months. To sustain long-lived operations, miscreants are turning to the cloud, with 60 % of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families and that pay-per-install affiliate programs are managing exploit servers for their affiliates to convert traffic into installations. Furthermore, we analyze the exploit polymorphism problem, measuring the repacking rate for different exploit types. To understand how difficult is to takedown exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of the report. We find that 61 % of the reports are not even acknowledged. On average, an exploit server still lives for 4.3 days after a report. Finally, we detail the Malicia dataset we have collected and are making available to other researchers. [ABSTRACT FROM AUTHOR]
Copyright of International Journal of Information Security is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
FullText Links:
  – Type: pdflink
Text:
  Availability: 0
Header DbId: egs
DbLabel: Engineering Source
An: 100351860
AccessLevel: 6
PubType: Academic Journal
PubTypeId: academicJournal
PreciseRelevancyScore: 0
IllustrationInfo
Items – Name: Title
  Label: Title
  Group: Ti
  Data: The MALICIA dataset: identification and analysis of drive-by download operations.
– Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Nappa%2C+Antonio%22">Nappa, Antonio</searchLink><i> antonio.nappa@imdea.org</i><br /><searchLink fieldCode="AR" term="%22Rafique%2C+M%2E%22">Rafique, M.</searchLink><relatesTo>1</relatesTo><i> zubair.rafique@cs.kuleuven.be</i><br /><searchLink fieldCode="AR" term="%22Caballero%2C+Juan%22">Caballero, Juan</searchLink><relatesTo>2</relatesTo><i> juan.caballero@imdea.org</i>
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <searchLink fieldCode="JN" term="%22International+Journal+of+Information+Security%22">International Journal of Information Security</searchLink>. Feb2015, Vol. 14 Issue 1, p15-33. 19p.
– Name: Subject
  Label: Subjects
  Group: Su
  Data: <searchLink fieldCode="DE" term="%22Malware%22">Malware</searchLink><br /><searchLink fieldCode="DE" term="%22Client%2Fserver+computing+software%22">Client/server computing software</searchLink><br /><searchLink fieldCode="DE" term="%22Client%2Fserver+computing%22">Client/server computing</searchLink><br /><searchLink fieldCode="DE" term="%22Distributed+computing%22">Distributed computing</searchLink><br /><searchLink fieldCode="DE" term="%22Internet+service+providers%22">Internet service providers</searchLink><br /><searchLink fieldCode="DE" term="%22Cloud+computing%22">Cloud computing</searchLink><br /><searchLink fieldCode="DE" term="%22Web+hosting%22">Web hosting</searchLink><br /><searchLink fieldCode="DE" term="%22Safety%22">Safety</searchLink>
– Name: Abstract
  Label: Abstract
  Group: Ab
  Data: Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem, many exploit servers run the same exploit kit and it is a challenge understanding whether the exploit server is part of a larger operation. In this paper, we propose a technique to identify exploit servers managed by the same organization. We collect over time how exploit servers are configured, which exploits they use, and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16 h, long-lived operations exist that operate for several months. To sustain long-lived operations, miscreants are turning to the cloud, with 60 % of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families and that pay-per-install affiliate programs are managing exploit servers for their affiliates to convert traffic into installations. Furthermore, we analyze the exploit polymorphism problem, measuring the repacking rate for different exploit types. To understand how difficult is to takedown exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of the report. We find that 61 % of the reports are not even acknowledged. On average, an exploit server still lives for 4.3 days after a report. Finally, we detail the Malicia dataset we have collected and are making available to other researchers. [ABSTRACT FROM AUTHOR]
– Name: AbstractSuppliedCopyright
  Label:
  Group: Ab
  Data: <i>Copyright of International Journal of Information Security is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.)
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=100351860
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.1007/s10207-014-0248-7
    Languages:
      – Code: eng
        Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 19
        StartPage: 15
    Subjects:
      – SubjectFull: Malware
        Type: general
      – SubjectFull: Client/server computing software
        Type: general
      – SubjectFull: Client/server computing
        Type: general
      – SubjectFull: Distributed computing
        Type: general
      – SubjectFull: Internet service providers
        Type: general
      – SubjectFull: Cloud computing
        Type: general
      – SubjectFull: Web hosting
        Type: general
      – SubjectFull: Safety
        Type: general
    Titles:
      – TitleFull: The MALICIA dataset: identification and analysis of drive-by download operations.
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Nappa, Antonio
      – PersonEntity:
          Name:
            NameFull: Rafique, M.
      – PersonEntity:
          Name:
            NameFull: Caballero, Juan
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 01
              M: 02
              Text: Feb2015
              Type: published
              Y: 2015
          Identifiers:
            – Type: issn-print
              Value: 16155262
          Numbering:
            – Type: volume
              Value: 14
            – Type: issue
              Value: 1
          Titles:
            – TitleFull: International Journal of Information Security
              Type: main
ResultId 1