Website forensic investigation to identify evidence and impact of compromise

Yuta Takata*, Mitsuaki Akiyama, Takeshi Yagi, Takeshi Yada, Shigeki Goto



    3 被引用数 (Scopus)


    Compromised websites that redirect users to malicious websites are often used by attackers to distribute malware. These attackers compromise popular websites and integrate them into a drive-by download attack scheme to lure unsuspecting users to malicious websites. An incident response organization such as a CSIRT contributes to preventing the spread of malware infection by analyzing compromised websites reported by users and sending abuse reports with detected URLs to webmasters. However, these abuse reports with only URLs are not sufficient to clean up the websites; therefore, webmasters cannot respond appropriately to such reports. In addition, it is difficult to analyze malicious websites across different client environments, i.e., a CSIRT and a webmaster, because these websites change behavior depending on the client environment. To expedite compromised website clean-up, it is important to provide fine-grained information such as the precise position of compromised web content, malicious URL relations, and the target range of client environments. In this paper, we propose a method of constructing a redirection graph with context, such as which web content redirects to which malicious websites. Our system with the proposed method analyzes a website in a multi-client environment to identify which client environment is exposed to threats. We evaluated our system using crawling datasets of approximately 2,000 compromised websites. As a result, our system successfully identified compromised web content and malicious URL relations, and the amount of web content and the number of URLs to be analyzed were sufficient for incident responders by 0.8% and 15.0%, respectively. Furthermore, it can also identify the target range of client environments in 30.4% of websites and a vulnerability that has been used in malicious websites by leveraging target information. This fine-grained information identified with our system would dramatically make the daily work of incident responders more efficient.

    ホスト出版物のタイトルSecurity and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings
    出版社Springer Verlag
    198 LNICST
    出版ステータスPublished - 2017
    イベント12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016 - Guangzhou, China
    継続期間: 2016 10月 102016 10月 12


    名前Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
    198 LNICST


    Other12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016

    ASJC Scopus subject areas

    • コンピュータ ネットワークおよび通信


    「Website forensic investigation to identify evidence and impact of compromise」の研究トピックを掘り下げます。これらがまとまってユニークなフィンガープリントを構成します。