A drive-by download is a web-based attack that uses various techniques to plant malicious code on victims' computers. It renders traditional intrusion detection systems and firewalls ineffective, because those devices cannot detect web-based threats.
Many studies have proposed a crawler-based approach to discover drive-by download sites. However, a crawler cannot simulate the real browsing behavior of a user at the moment a drive-by download attack happens. Therefore, this study proposes a new approach that detects drive-by downloads by sniffing HTTP flows.
This study uses a reputation system to improve the efficiency of client honeypots, and adapts the client honeypots to process raw HTTP flow data. In an experiment conducted in a real network environment, this study shows that a single client honeypot can handle an average of 560,000 successful HTTP access log entries per day. Even under peak traffic, the mechanism reduced the processing time to 22 hours and detected drive-by download sites that users were actually browsing.
The reputation system in this study is applicable to a wide variety of domain names because it does not consult the online WHOIS database. It builds a machine-learning classification model on 12 features. The correct classification rate of the reputation system applied in this study is 90.9%. Compared with other reputation system studies, this study extracts features not only from DNS A-type records but also from DNS NS-type records. The experimental results show that the error rate of the new NS-type features alone is only 19.03%.
Identifier | oai:union.ndltd.org:NSYSU/oai:NSYSU:etd-0110112-180904 |
Date | 10 January 2012 |
Creators | Huang, Jhe-Jhun |
Contributors | D. J. Guan, Han-Wei Hsiao, Chia-Mei Chen, Hui-Tang Lin |
Publisher | NSYSU |
Source Sets | NSYSU Electronic Thesis and Dissertation Archive |
Language | Cholon |
Detected Language | English |
Type | text |
Format | application/pdf |
Source | http://etd.lib.nsysu.edu.tw/ETD-db/ETD-search/view_etd?URN=etd-0110112-180904 |
Rights | user_define, Copyright information available at source archive |