visual fingerprinting for malicious websites
TRANSCRIPT
Page 1
BY IBRAHIM MOSAAD
SUPERVISED BY OSAMA KAMAL
VISUAL FINGERPRINTING FOR MALICIOUS DOMAINS
Page 2
OUTLINE
• Introduction
• Statistics of malicious Domains/URLs
• Goal
• How
• Conceptually
• Theoretically
• Practically
• Testing And Results
• Challenges
• Future Works
Page 3
INTRODUCTION
• Statistics
• In 2014, Kaspersky Lab’s web antivirus detected 123,054,503 unique malicious objects: scripts, exploits, executable files, etc.
Page 4
INTRODUCTION
• Exploit kits
• How common are exploit kits?
• 6000 infections/0.2 hour
• 2B visitors/month
• Two thirds of all malware is delivered by exploit kits
Page 5
GOAL
“Create an automated system to differentiate between benign and malicious websites”
Page 6
HOW - CONCEPTUALLY
• How do malicious websites behave?
• Lack of a good training set
• How do benign websites behave?
• Testing the top 250 websites from different categories in Alexa
• Scoring system
Page 7
HOW – THEORETICALLY
• Browsing websites using a real/emulated system
• Store/visualize the collected data
• Score it
Page 8
HOW - PRACTICALLY
• Browsing websites using honeyclients
• Low-interaction
• Thug
• HoneySpider Network 2.0
• High-interaction
• Capture-HPC
• HoneyClient
Page 9
HOW - PRACTICALLY
• HSN
• Modular framework – extendable
• Wappalyzer module (developed)
• Peepdf module (developed)
• Cuckoo sandbox module (updated)
• Yara module (updated)
Page 10
HOW - PRACTICALLY
• Storing collected data
• Graph database neo4j
• GraphDB driver to HSN using Py2neo
• Scoring system
• Mix of first and second degree functions
Page 11
FIRST RUN - TRAINING
• Number of websites: 1500
Page 12
MOZILLA.ORG
Page 13
AVG.COM
Page 14
ORACLE.COM
Page 15
APPLE.COM
Page 16
FIRST RUN
• Feature extraction
• Number of levels
• Number of resources
• Number of redirections
• Number of iframes
• Website topology
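Added example, not code from the presentation or the HSN project: a Python walk over a constructed honeyclient crawl record that extracts the features listed above (levels, resources, redirections, iframes, and topology as the number of distinct domains) and scores them with the mix of first- and second-degree functions named under the scoring system on slide 10. The record layout, the hostnames and every weight are assumptions made for illustration.

```python
# Added example (not from the presentation): feature extraction over a
# constructed crawl tree plus a hypothetical first/second degree score.
from urllib.parse import urlparse

# Constructed crawl record: each node is (url, kind, children), where "kind"
# is how the honeyclient reached the node (redirect, iframe or resource).
CRAWL = ("http://example.test/", "root", [
    ("http://cdn.example.test/app.js", "resource", []),
    ("http://example.test/banner", "iframe", [
        ("http://ads.example.test/r", "redirect", [
            ("http://landing.example.test/x", "redirect", [
                ("http://landing.example.test/p.swf", "resource", []),
            ]),
        ]),
    ]),
])


def extract_features(node, depth=0, acc=None):
    """Recursively count the slide's features; depth is the nesting level."""
    if acc is None:
        acc = {"levels": 0, "resources": 0, "redirections": 0,
               "iframes": 0, "domains": set()}
    url, kind, children = node
    acc["levels"] = max(acc["levels"], depth)
    acc["domains"].add(urlparse(url).hostname)
    if kind == "resource":
        acc["resources"] += 1
    elif kind == "redirect":
        acc["redirections"] += 1
    elif kind == "iframe":
        acc["iframes"] += 1
    for child in children:
        extract_features(child, depth + 1, acc)
    return acc


def score(feat):
    """Hypothetical weights: linear terms for cheap signals, quadratic terms
    so long redirect chains spanning many domains dominate the score."""
    linear = 1.0 * feat["iframes"] + 0.5 * feat["resources"] + 0.25 * feat["levels"]
    quadratic = 0.5 * feat["redirections"] ** 2 + 0.25 * feat["domains"] ** 2
    return round(linear + quadratic, 2)


def summarize(node):
    """Return the features as plain numbers together with the score."""
    feat = extract_features(node)
    feat["domains"] = len(feat["domains"])  # topology proxy: distinct hosts
    feat["score"] = score(feat)
    return feat
```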
Page 17
BABYLON.COM
Page 18
SECOND RUN – REAL CASE
• Top domains that looked malicious
• http://dictionary.reverso.net
• http://n4hr.com
• http://s02.arab.sh
• http://dc11.arabsh.com
Page 19
CHALLENGES
• HSN
• Lack of good documentation
• Last version was released in 2013
• Code written in three languages: C/Python/Java
• Lack of community support
Page 20
CHALLENGES
Page 21
CHALLENGES
• Graph database (py2neo)
• Insertion
• Library is still immature
• REST-API can’t handle it
• 7000 URL * 30 * 2 = 420000 ~ 0.5M Nodes
• Store the queries in one request?!
• Huge POST request
• Querying
• 7000 URL => 7000*20 = 140K
Page 22
FUTURE WORKS
• HSN
• Enhance the web-client module
• Enhance the SWF emulation module
• Scoring system
• Machine learning
• Graph database
• Adopt the Giraph database rather than neo4j
• Monitoring governmental websites
Page 23
BIGGER PICTURE
Page 24
Questions?