deseo combating search result poisoning
play

deSEO: Combating Search-Result Poisoning John P John Fang Yu, - PowerPoint PPT Presentation

Jan 22, 2023 •248 likes •766 views

deSEO: Combating Search-Result Poisoning John P John Fang Yu, Yinglian Xie, Arvind Krishnamurthy, Martin Abadi University of Washington & MSR, Silicon Valley The malware pipeline find vulnerable web servers compromise web servers and

  1. deSEO: Combating Search-Result Poisoning John P John Fang Yu, Yinglian Xie, Arvind Krishnamurthy, Martin Abadi University of Washington & MSR, Silicon Valley

  2. The malware pipeline find vulnerable web servers compromise web servers and host malicious content spread malicious links via email, IM, search results bad stu fg

  3. The malware pipeline find vulnerable web servers • Malware links spread through: compromise web servers and host malicious content • spam emails, spam IMs, social networks, search results, etc. spread malicious links via email, IM, search results • We look at search results bad stu fg

  5. Is this really a problem? • ~40% of popular searches contain at least one malicious link in top results • Scareware fraud made $150 m. in pro fi t last year

  6. Is this really a problem? • ~40% of popular searches contain at least one malicious link in top results • Scareware fraud made $150 m. in pro fi t last year

  7. Contributions • How does the search poisoning attack work? -examined a live attack involving 5,000 compromised sites • What can we learn about such attacks? -identi fi ed common features in search poisoning attacks • How can we defend against them? -developed deSEO, which detected new live SEO attacks on 1,000+ domains

  8. Anatomy of SEO attack search engine compromised redirection Web server server exploit server

  9. Anatomy of SEO attack search engine compromised redirection search Web server query server exploit server

  10. Anatomy of SEO attack search engine compromised redirection search Web server query server exploit server

  11. Anatomy of SEO attack search engine compromised redirection search Web server query server exploit server

  12. Anatomy of SEO attack search engine compromised redirection search Web server query server exploit server

  13. Anatomy of SEO attack search engine compromised redirection search Web server query server exploit server

  14. Analysis of an attack • Examine a speci fi c attack • August - October 2010 • 5,000 compromised domains • Tens of thousands of compromised keywords • Millions of SEO pages generated

  15. How are servers compromised? • Sites running osCommerce • Unpatched vulnerabilities • Allows attackers to host any fi le on the Web server - including executables www.example.com/admin/file_manager.php/login.php? action=processuploads !

  16. What files are uploaded?

  17. What files are uploaded? • php shell to manage fi le operations

  18. What files are uploaded? • php shell to manage fi le operations • HTML templates, images

  19. What files are uploaded? • php shell to manage fi le operations • HTML templates, images • php script to generate SEO web pages

  20. The main php script www.example.com/images/page.php?page=kobayashi+arrested

  21. The main php script www.example.com/images/page.php?page=kobayashi+arrested kobayashi arrested

  22. The main php script www.example.com/images/page.php?page=kobayashi+arrested • Obfuscated script • Simple encryption using nested evals

  23. The main script (de-obfuscated)

  24. The main script (de-obfuscated) Check if search crawler Generate page for keyword

  25. The main script (de-obfuscated) Check if search crawler Generate page for keyword Fetch: snippets from google images from bing

  26. The main script (de-obfuscated) Check if search crawler Generate page for keyword Fetch: snippets from google images from bing Add links to other compromised sites

  27. The main script (de-obfuscated) Check if search crawler Generate page for keyword Fetch: snippets from google images from bing Add links to other compromised sites Cache page

  28. Dense link structure • Other compromised domains found by crawling included links • Each site linked to 200 other sites • ~5,000 compromised domains identi fi ed • Each site hosted 8,000 SEO pages • 40 million pages total

  29. Poisoned keywords • 20,000+ popular search terms poisoned

  30. Poisoned keywords • 20,000+ popular search terms poisoned

  31. Poisoned keywords • 20,000+ popular search terms poisoned

  32. Poisoned keywords • 20,000+ popular search terms poisoned • Google Trends + Bing related searches • haiti earthquake • senate elections • veterans day 2010 • halloween 2010 • thanksgiving 2010 ...

  33. Poisoned keywords • 20,000+ popular search terms poisoned • Google Trends + Bing related searches • haiti earthquake • senate elections • veterans day 2010 • halloween 2010 • thanksgiving 2010 ... • 95% of Google Trends keywords poisoned

  34. Redirection servers • Three domains used for redirection • Over 1,000 exploit URLs fetched *!!!" !"#$%&'()'*+,-#'*+.+/.' δ 2 )!!!" δ 1 δ 3 (!!!" '!!!" &!!!" %!!!" $!!!" τ 0 τ 0 +T τ 1 τ 2 τ 3 #!!!" !" 01/%'

  35. Redirection servers • Three domains used for redirection • Over 1,000 exploit URLs fetched *!!!" !"#$%&'()'*+,-#'*+.+/.' δ 2 )!!!" δ 1 δ 3 (!!!" '!!!" &!!!" %!!!" $!!!" τ 0 τ 0 +T τ 1 τ 2 τ 3 #!!!" !" 01/%' Almost 100,000 victims over 10 weeks

  36. Evasive techniques • Why can’t redirection behavior be easily detected? • Cloaking • Requiring user interaction • Redirection through javascript or fl ash

  37. What are prominent features in search poisoning? • Dense link structure • Automatic generation of relevant pages • Large number of pages with popular keywords • Behavior of compromised sites • before - diverse content and behavior • after - similar content and behavior

  38. What are prominent features in search poisoning? • Dense link structure • Automatic generation of relevant pages • Large number of pages with popular keywords • Behavior of compromised sites • before - diverse content and behavior • after - similar content and behavior

  39. deSEO steps 1. History-based fi ltering select domains where many new pages are set up, di ff erent from older pages 2. Clustering suspicious domains using K-means++ 3. Group similarity analysis select groups where new pages are similar across domains

  40. Sample web URLs with trendy keywords http://www.askania-fachmaerkte.de/images/news.php? page=justin+bieber+breaks+neck

  41. Sample web URLs with trendy keywords History based detection

  42. Sample web URLs with trendy keywords History based detection Domain clustering - lexical features of URLs String features- keyword separators, arguments, fi lename, path Numerical features- number of arguments, length of arguments, length of keywords Bag of words- set of keywords

  43. Sample web URLs with trendy keywords History based detection Domain clustering - lexical features of URLs Group analysis - web page feature similarity

  44. Sample web URLs with trendy keywords History based detection Domain clustering - lexical features of URLs Group analysis - web page feature similarity

  45. !"# !"!+ !"#$%&'()'*)+#,-.)) Sample web URLs with !"!* !"!) trendy keywords !"!( !"!' !"!& !"!% History based detection !"!$ !"!# ! #! %! '! )! +! ##! #%! #'! #)! #+! $#! $%! $'! $)! %!! %(! &!! &$! '#! ()! /)'*)012.) Domain clustering - lexical features of URLs !"* Group analysis !") !"#$%&'()'*)+#,-.)) - web page feature similarity !"( !"' !"& !"% !"$ !"# ! ! # $ ) + #! $! $+ %$ %* (! (' (( ### #+# /)'*)012.)

  46. Sample web URLs with trendy keywords History based detection Domain clustering - lexical features of URLs Group analysis - web page feature similarity Regular expressions .*\/xmlrpc\.php\/\?showc=\w+(\+\w+)+$ - to match URLs not in our sample

  47. deSEO findings • 11 malicious groups from sampled web graph in January 2011 • 957 domains • 15,482 URLs • Revealed a new search poisoning attack • compromised Wordpress installations • cloaking to avoid detection • di ff erent link topology

  48. Applying to search results • 120 keyword searches in Google and Bing • 163 malicious URLs detected in results • 43 search terms a ff ected 3<* !"#$%&''()'#*+,-,(".'+,/0.' :* 8* 4* 5* <* 3* 5* 6* 4* 7* 8* 9* :* ;* 1%*&-2'&%."+3'4*5%'

  49. Conclusion • Malware and SEO are big problems • Analyzed an ongoing scareware campaign • Identi fi ed thousands of compromised domains • Identi fi ed prominent features in SEO attacks and used them to build deSEO • Promising results on a partial dataset from bing • Identi fi ed multiple live SEO attacks

  50. Thank You jjohn@cs.washington.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

COMBATING THE OPIOIDS CRISIS Deaths Estimated age-adjusted in 2006 death rates for drug

COMBATING THE OPIOIDS CRISIS Deaths Estimated age-adjusted in 2006 death rates for drug

U.S. DEPARTMENT OF HEALTH &amp; HUMAN SERVICES COMBATING THE OPIOIDS CRISIS Deaths Estimated age-adjusted in 2006 death rates for drug poisoning Deaths Estimated age-adjusted in 2016 death rates for drug poisoning 2016 OPIOID DEATHS

468 views • 18 slides
CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning

CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning

CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning is the most common exposure poisoning in the United States and the rest of the world. 2. It is an odorless, colorless gas that can cause sudden

198 views • 15 slides
Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b.

Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b.

Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b. Forefathers of toxicology c. Famous poisoning cases d. Misconception about poisoning e. Basic principles of poisoning f. Factors influencing toxic

843 views • 16 slides
Measuring and Analyzing Search Engine Poisoning of Linguistic Collisions Matthew Joslin*, Neng Li

Measuring and Analyzing Search Engine Poisoning of Linguistic Collisions Matthew Joslin*, Neng Li

Measuring and Analyzing Search Engine Poisoning of Linguistic Collisions Matthew Joslin*, Neng Li , Shuang Hao*, Minhui Xue , Haojin Zhu *University of Texas at Dallas, Shanghai Jiao Tong University, Macquarie University

440 views • 23 slides
Pharmacists Role in Prevention &amp; Management of Poisoning Prof. Rahmat Awang National Poison

Pharmacists Role in Prevention &amp; Management of Poisoning Prof. Rahmat Awang National Poison

Overview of Poisoning Incidence and the Pharmacists Role in Prevention &amp; Management of Poisoning Prof. Rahmat Awang National Poison Centre Universiti Sains Malaysia 1st. National Poisoning Symposium 2016: Pharmacists Role in Poisoning

570 views • 33 slides
DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

Anatomy of a DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the Domain Name System (DNS) Cache Poisoning Cyber attack. We will cover: - Real-world examples of DNS cache poisoning - A defjnition of

607 views • 58 slides
Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the

Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the

Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the process of improving the visibility of a website on organic (&quot;natural&quot; or un-paid) search engine result pages (SERPs), by incorporating

1.54k views • 35 slides
Childhood Lead Poisoning in Ohio 2 Objectives Overview of childhood lead poisoning in Ohio

Childhood Lead Poisoning in Ohio 2 Objectives Overview of childhood lead poisoning in Ohio

1 Childhood Lead Poisoning in Ohio 2 Objectives Overview of childhood lead poisoning in Ohio Provide an overview of the Public Health Lead Investigation Process Bring awareness to funding resources for lead hazard control 3

1.35k views • 71 slides
Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey July 1, 2019 What is a Poisoning Attack? Data poisoning is an attack on machine learning models wherein the attacker adds (or modifies) examples

1.28k views • 12 slides
Optimizing Result Prefetching in Web Search Engines with Segmented Indices Ronny Lempel Shlomo

Optimizing Result Prefetching in Web Search Engines with Segmented Indices Ronny Lempel Shlomo

Optimizing Result Prefetching in Web Search Engines with Segmented Indices Ronny Lempel Shlomo Moran Technion, Israel Institute of Technology Web Search Engines Index billions of documents. Make use of distributed storage. Their

522 views • 37 slides
Lesson 2.4: Reading the SERP SERP Search Engine Results Page Reading a single result

Lesson 2.4: Reading the SERP SERP Search Engine Results Page Reading a single result

Lesson 2.4: Reading the SERP SERP Search Engine Results Page Reading a single result A single result has many parts to it Title URL Snippet (Abstract) Reading a single result Links into site

62 views • 3 slides
Poisoning Exposure Prof. Rahmat Awang National Poison Centre Universiti Sains Malaysia 1st.

Poisoning Exposure Prof. Rahmat Awang National Poison Centre Universiti Sains Malaysia 1st.

Role of Pharmacist in Assessing the Risk of a Poisoning Exposure Prof. Rahmat Awang National Poison Centre Universiti Sains Malaysia 1st. National Poisoning Symposium 2016: Pharmacists Role in Poisoning Prevention and Management 5th-6th

486 views • 14 slides
O VERDOSE P REVENTION Age adjusted rate per 100,000 Poisoning IN M ARYLAND MV Traffic Drug

O VERDOSE P REVENTION Age adjusted rate per 100,000 Poisoning IN M ARYLAND MV Traffic Drug

1/9/2015 United States: Injury Deaths by Cause, 1999-2010 O VERDOSE P REVENTION Age adjusted rate per 100,000 Poisoning IN M ARYLAND MV Traffic Drug Poisoning Firearm Michael Baier Overdose Prevention Director Department of Health and

246 views • 7 slides
CSE 7/5337: Information Retrieval and Web Search Evaluation &amp; Result Summaries (IIR 8)

CSE 7/5337: Information Retrieval and Web Search Evaluation &amp; Result Summaries (IIR 8)

CSE 7/5337: Information Retrieval and Web Search Evaluation &amp; Result Summaries (IIR 8) Michael Hahsler Southern Methodist University These slides are largely based on the slides by Hinrich Sch utze Institute for Natural Language

562 views • 52 slides
Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed Mahloujifar Mohammad Mahmoody Ameer Mohammed, ICML 2019 Multi-party Learning Application: Federated Learning Federated Learning : Train a centralized

589 views • 34 slides
Search for Stan Lai, Pekka K. Sinervo Exotics Meeting, April 20, 2006 Result Blessing Outline:

Search for Stan Lai, Pekka K. Sinervo Exotics Meeting, April 20, 2006 Result Blessing Outline:

Search for Stan Lai, Pekka K. Sinervo Exotics Meeting, April 20, 2006 Result Blessing Outline: Review of Procedure Result Plots to be blessed 1

294 views • 11 slides
Acoustic location of Bragg peak for hadrontherapy monitoring Jorge Otero, Miguel Ardid, Ivan

Acoustic location of Bragg peak for hadrontherapy monitoring Jorge Otero, Miguel Ardid, Ivan

Acoustic location of Bragg peak for hadrontherapy monitoring Jorge Otero, Miguel Ardid, Ivan Felis and Alicia Herrero Content I. Introduction. II. Localization method. III. Numerical simulations. IV. Experimental set up. V. Localization

146 views • 13 slides
B I O I N F O R M A T I C S Kristel Van Steen, PhD 2 Montefiore Institute - Systems and Modeling

B I O I N F O R M A T I C S Kristel Van Steen, PhD 2 Montefiore Institute - Systems and Modeling

B I O I N F O R M A T I C S Kristel Van Steen, PhD 2 Montefiore Institute - Systems and Modeling GIGA - Bioinformatics ULg kristel.vansteen@ulg.ac.be Bioinformatics

1.67k views • 143 slides
Grid cells and the entorhinal map of space Edvard I. Moser Kavli Institute for Systems

Grid cells and the entorhinal map of space Edvard I. Moser Kavli Institute for Systems

Nobel Prize in Physiology or Medicine Nobel Lecture 071214 Grid cells and the entorhinal map of space Edvard I. Moser Kavli Institute for Systems Neuroscience, Centre for Neural Computation, NTNU, Trondheim From psychology to neurophysiology

801 views • 50 slides
Endoscopic navigation in the absence of CT imaging Ayushi shi Sinha ha 1, , , Xingtong Liu 1

Endoscopic navigation in the absence of CT imaging Ayushi shi Sinha ha 1, , , Xingtong Liu 1

Endoscopic navigation in the absence of CT imaging Ayushi shi Sinha ha 1, , , Xingtong Liu 1 , Austin Reiter 1 , Masaru Ishii 2 , Greg Hager 1 , Russ Taylor 1 1 The Johns Hopkins University, Baltimore, USA 2 Johns Hopkins Medical Institutes,

365 views • 34 slides
PCI DSS Compliance Training Matthew Packard, CCEP | Internal Auditing and Compliance

PCI DSS Compliance Training Matthew Packard, CCEP | Internal Auditing and Compliance

PCI DSS Compliance Training Matthew Packard, CCEP | Internal Auditing and Compliance mpackard@uwf.edu | 850.857.6070 Agenda PCI DSS overview The Basics Your responsibilities University Policies Best Practices So what is

420 views • 30 slides
Frog Lab: Anatomy and Contraction Bioengineering/Physiology 3202 Frog Lab I Slide 1

Frog Lab: Anatomy and Contraction Bioengineering/Physiology 3202 Frog Lab I Slide 1

Frog Lab: Anatomy and Contraction Bioengineering/Physiology 3202 Frog Lab I Slide 1 Bioengineering 3202- Human Physiology Frog Heart Anatomy/Function Shared ventricle but blood separated Spiral fold Initial flow through

745 views • 5 slides
Performance Model of DRAM Caches Authors: Nagendra Gulur * , Mahesh Mehendale * , and R

Performance Model of DRAM Caches Authors: Nagendra Gulur * , Mahesh Mehendale * , and R

A Comprehensive Analytical Performance Model of DRAM Caches Authors: Nagendra Gulur * , Mahesh Mehendale * , and R Govindarajan + Presented by: Sreepathi Pai * Texas Instruments, + Indian Institute of Science University of Texas, Austin

679 views • 48 slides
Hebrews 6:9, But, beloved, we are confident of better things concerning you yes things of

Hebrews 6:9, But, beloved, we are confident of better things concerning you yes things of

Hebrews 6:9, But, beloved, we are confident of better things concerning you yes things of better things concerning you, yes, things that accompany salvation, though we speak in this manner. Hebrews 6:10, For God is not unjust to forget

739 views • 41 slides

More recommend