Victoria University

Localisation of Attacks, Combating Browser-Based Geo-Information and IP Tracking Attacks

ResearchArchive/Manakin Repository

Show simple item record

dc.contributor.advisor Welch, Ian Mansoori, Masood 2017-09-07T22:51:46Z 2017-09-07T22:51:46Z 2017 2017
dc.description.abstract Accessing and retrieving users’ browser and network information is a common practice used by advertisers and many online services to deliver targeted ads and explicit improved services to users belonging to a particular group. They provide a great deal of information about a user’s geographical location, ethnicity, language, culture and general interests. However, in the same way these techniques have proven effective in advertising services, they can be used by attackers to launch targeted attacks against specific user groups. Targeted attacks have been proven more effective against user groups than their blind untargeted counterparts (e.g.spam, phishing). Their detection is more challenging as the detection tools need to be located within the targeted user group. This is one of the challenges faced by security researchers and organisations involved in the detection of new malware and exploits, using client honeypots. Client honeypots are detection systems used in the identification of malicious web sites. The client honeypot needs to mimic users in a pre-defined location, system, network and personality for which the malware is intended. The case is amplified by the use of Browser Exploit Packs/kits (BEPs), supporting these features. BEPs provide simplicity in deployment of targeted malicious web sites. They allow attackers to utilise specific geographical locations, network information, visit patterns or browser header information obtained from a visiting user to determine if a user should be subjected to an attack. Malicious web sites that operate based on targeted techniques can disguise themselves as legitimate web sites and bypass detection. Benign content is delivered to attacker-specified users while avoiding delivery to suspicious systems such as well-known or possible subnets that may host client honeypots. A client honeypot deployed in a single location with a single IP address will fail to detect an attack targeted at users in different demographic and network subnets. Failure in detection of such attacks results in high rates of false negatives which affect all honeypots regardless of detection technique or interaction level. BEPs are hugely popular and most include tracking features. The number of malicious web sites that utilise these features is currently unknown. There are very few studies that have addressed identifying the rate and number of malicious web sites utilising these techniques and no available client honeypot system is currently able to detect them. Any failure to detect these web sites will result in unknown numbers of users being exploited and infected with malware. The false negatives resulting from failing to detect these web sites can incorrectly be interpreted as a decline in the number of attacks. In this work, a study of information that can potentially expose users to targeted attack through a browser is examined through experimental analysis. Concrete approaches by attackers to obtain user-specific information in the deployment of targeted attacks through browsers are discussed and analysed. We propose a framework for designing a client honeypot capable of detecting geolocation attacks. Our framework relies on HAZard and OPerability (HAZOP) studies to identify components of the client honeypot, its processes and attributes of the experimental setup which could potentially introduce bias into our study. Any potential bias neglected, would affect the results of our real-world experiments and undermine our analysis through deviation from the intent of the study. To facilitate in our experiments, we developed a low interaction client honeypoy (YALIH) and performed real-world experiments on large selection of web sites. We determined the popularity of targeted malicious attacks based on likely attributes of a visiting user’s system. Our approach relies on previous research performed in the area of online spam detection which has similar attributes to malicious web sites. Our experiments show that referer, via, X-Forwarded-For and browser language attributes of HTTP protocol header, retrieval behaviour (i.e. IP tracking) and geographical location of a visitor identified by an IP address can be used in a targeted attack. These attributes can have significant effect on the number of detected malicious web sites in a study and should therefore be reliably controlled in an experimental setup. This findings in this research can potentially reduce false negative rates in all types of client honeypots, measurement studies of malicious malicious web sites and help researchers and malware analysts capture and analyse new malware and exploit samples from malicious web sites. en_NZ
dc.language.iso en_NZ
dc.language.iso en_NZ
dc.publisher Victoria University of Wellington en_NZ
dc.subject Geolocation Attacks en_NZ
dc.subject HAZOP en_NZ
dc.subject Client Honeypots en_NZ
dc.subject Browser Based Attacks en_NZ
dc.subject IP Tracking en_NZ
dc.subject Browser Exploit Kits en_NZ
dc.subject YALIH en_NZ
dc.subject Localized Attacks en_NZ
dc.subject Targeted attacks en_NZ
dc.subject Honeypots en_NZ
dc.subject Honey clients en_NZ
dc.subject Hazard and Operability en_NZ
dc.title Localisation of Attacks, Combating Browser-Based Geo-Information and IP Tracking Attacks en_NZ
dc.type text en_NZ
vuwschema.contributor.unit School of Engineering and Computer Science en_NZ
vuwschema.contributor.unit Engineering at Victoria en_NZ
vuwschema.type.vuw Awarded Doctoral Thesis en_NZ Computer Science en_NZ Electronic and Computer System Engineering en_NZ Software Engineering en_NZ Victoria University of Wellington en_NZ Doctoral en_NZ Doctor of Philosophy en_NZ
dc.rights.license Author Retains Copyright en_NZ 2017-08-28T00:52:21Z
vuwschema.subject.anzsrcfor 080303 Computer System Security en_NZ
vuwschema.subject.anzsrctoa 4 EXPERIMENTAL DEVELOPMENT en_NZ

Files in this item

This item appears in the following Collection(s)

Show simple item record

Search ResearchArchive

Advanced Search


My Account