seclab
play

seclab Detecting Website Defacements through Image-based Object - PowerPoint PPT Presentation

Feb 27, 2024 •143 likes •329 views

M EERKAT seclab Detecting Website Defacements through Image-based Object Recognition THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Kevin Borgolte kevinbo@cs.ucsb.edu Christopher Kruegel chris@cs.ucsb.edu Giovanni Vigna

  1. M EERKAT 
 seclab Detecting Website Defacements through Image-based Object Recognition THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Kevin Borgolte kevinbo@cs.ucsb.edu Christopher Kruegel chris@cs.ucsb.edu Giovanni Vigna vigna@cs.ucsb.edu August 13th, 2015 USENIX Security 2015

  2. seclab Defacements Source: The Register, August 3rd 2015, http://www.theregister.co.uk/2015/08/03/trump_website_hacked/ Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 2

  3. seclab Defacements: Scale • Prolific defacers: 
 Team System Dz, 2,800 websites in 10 months (~10/day) • Over 4,700 manually-verified defacements each day (Zone-H) • Defacements to Phishing Pages 
 Reported Websites per Month Average: ~7 to 1 
 1,000,000 Reported Websites Maximum: ~33 to 1 100,000 • Over 53,000 websites from 
 10,000 top 1 million lists were 
 1,000 Defacements defaced in 2014 Phishing Pages 100 2000-01 2001-01 2002-01 2003-01 2004-01 2005-01 2006-01 2007-01 2008-01 2009-01 2010-01 2011-01 2012-01 2013-01 2014-01 Month Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 3

  4. seclab Approach • Prior work looks at websites’ code, host-based IDS etc. • Compares to prior version / known good state • M EERKAT : Visually, like a human analyst • Render website in browser • Take screenshot • Does the screenshot looks like a defacement? • No previous version of website needed • No manual feature engineering Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 4

  5. seclab Approach: Deep Neural Network ... Defaced Legitimate ... ... ... 160x160x3 ... 18x18x3 Local Feed-forward with Local 1600x900x3 L2 ... Receptive Dropout Contrast Pooling Fields Normalization Window Screenshot Feature Learning Classification Collection Extraction Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 5

  6. seclab Approach: A Window “Into” The Defacement ... Defaced Legitimate ... ... ... 160x160x3 160x160x3 ... 18x18x3 Local Feed-forward with Local 1600x900x3 1600x900x3 L2 ... Receptive Dropout Contrast Pooling Fields Normalization • Full-size screenshots impractical; window “into” defacement instead • Size of window? • Too large ⇒ overfit (high variance) • Too small ⇒ underfit (high bias) • Extract window from which part of the screenshot? Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 6

  7. seclab Approach: Representative Window Extraction (1) Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 7

  8. seclab Approach: Representative Window Extraction (2) • Sample windows from 2-dimensional Gaussian distribution • Bias heavily toward center of page • If outside of screenshot, resample • Why? • Center of page is descriptive! • Non-trivial to poison training set Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 8

  9. seclab Approach: Deep Neural Network • Feature Learning: 
 Stacked Auto-Encoders • Classification: 
 Feed-Forward Neural Network with Dropout • Implemented on-top of Caffe • Trained on GPU, training time in weeks Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 9

  10. seclab Approach: Features Learned • Color combinations • Green on black? Black on white/bright gray? • Letter combinations • Broken and mixed encodings • Leetspeak • “pwned” or “h4x0red” • Typographical and grammatical errors • “greats to” or “visit us in our website” • Defacement group logos Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 10

  11. seclab Approach: Detection Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 11

  12. seclab Evaluation • Dataset • 10,053,772 defaced websites = positives • Defaced websites manually verified by Zone-H • 2,554,905 legitimate websites = negatives • Legitimate websites not verified, might be defaced • Dataset skewed toward defacements • Report Bayesian detection rate (BDR): P(true positive|positive) • Unverified legitimate websites ⇒ TPR & BDR are lower-bounds! Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 12

  13. seclab Evaluation: Traditional • 10-fold cross-validation • Results: • TPR: avg. 97.878% [97.422%, 98.375%] • FPR: avg. 1.012% [0.547%, 1.419%] • BDR: avg. 99.716% [99.603%, 99.845%] • Traditional evaluation has problems: • Same defacement possibly in two bins • Defacements from 1998 vs. 2014 Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 13

  14. seclab Limitations • Fingerprinting and delayed defacements • Tiny defacements • Huge advertisements • Concept drift (natural and adversarial) • Major: learn new features from new data (no feature engineering) • Minor: adjust weights of deeper classification layer Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 14

  15. seclab Limitations: Minor Concept Drift & Fine-Tuning • Train on Dec 2012 to Dec 2013 Time-wise Split, with and without Fine-Tuning 1.000 • 1.78 million defacements True Positive Rate with fine-tuning 0.995 without fine-tuning 0.990 • 1.76 million legitimate pages 0.985 0.980 0.975 • Test on Jan to May 2014 0.970 0.040 False Positive Rate 0.035 • 1.54 million samples, 50/50 split 0.030 0.025 0.020 • Fine-tune Jan, Feb, Mar, Apr 0.015 0.010 • BDR in Jan: 98.583% 0.015 w/ FT - w/o FT True Positive Rate 0.010 False Positive Rate Di ff erence • w/o FT drops to 97.177% 0.005 0.000 -0.005 • w/ FT increases to 98.717% -0.010 -0.015 • Team System Dz started Jan 2014! January May February March April Month of 2014 Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 15

  16. seclab Conclusion • Introduced M EERKAT • Learns features automatically, match domain knowledge • Does not require prior version of website • Outperforms state of the art • Gracefully tackles minor and major concept drift Kevin Borgolte Meerkat: Detecting Website Defacements through Image-based Object Recognition 16

  17. Thank you for your attention! Questions? seclab kevinbo@cs.ucsb.edu http://kevin.borgolte.me twitter: @caovc THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao

704 views • 45 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
fuzzing & exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil

fuzzing & exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil

fuzzing & exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil Clemens Kolbitsch sk (at) seclab (dot) tuwien (dot) ac (dot) at ck (at) seclab (dot) tuwien (dot) ac (dot) at Agenda 802.11 fundamentals 802.11

820 views • 79 slides
Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007 Sylvester Keil sk [at] seclab [dot] tuwien [dot] ac [dot] at Clemens Kolbitsch ck [at] seclab [dot] tuwien [dot] ac [dot] at About us We are

589 views • 45 slides
seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

969 views • 70 slides
Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Material and some slide content from: Taylor et. al. http://queue.acm.org/detail.cfm?id=1556050 http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf OS-Level Sandbox OS/Runtime OS/Runtime Exploit Barriers Exploit

415 views • 3 slides
Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers

Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers

Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers at the University of California Santa Barbara Seclab People interested in finding bugs in software People interested in publishing papers

626 views • 36 slides
SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My name is Yan Shoshitaishvili, and I am a PhD student in the Seclab at UC Santa Barbara. Email: yans@cs.ucsb.edu Twitter: @Zardus Github:

918 views • 36 slides
Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri, Nadia Heninger University of Pennsylvania seclab.upenn.edu/projects/faas Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq

401 views • 39 slides
Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Secure Systems Lab Technical University Vienna Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel and Engin Kirda pmilani@ sssup.it gilbert@ seclab.tuwien.ac.at chris@ cs.ucsb.edu engin.kirda@

606 views • 28 slides
DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY

995 views • 66 slides
Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna

Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna

Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna } @cs.ucsb.edu Computer Security Group UC Santa Barbara 13 August 2009 (UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 1 / 28

433 views • 42 slides
www.parenthese-london.co.uk Berkeley Square House Berkeley Square London W1J 6BD Facebook :

www.parenthese-london.co.uk Berkeley Square House Berkeley Square London W1J 6BD Facebook :

www.parenthese-london.co.uk Berkeley Square House Berkeley Square London W1J 6BD Facebook : Parenthese Twitter: parentheseparis contact@parenthese-london.co.uk vendredi 6 mars 15 Who are we? 2014 marks 10 years for Parenthese In that

1.81k views • 95 slides
Can the SPDE approach replace traditional Geostatistics for industrial applications? N. Desassis,

Can the SPDE approach replace traditional Geostatistics for industrial applications? N. Desassis,

RESSTE workshop - Avignon - November 2018 Can the SPDE approach replace traditional Geostatistics for industrial applications? N. Desassis, R. Carrizo Vergara, M. Pereira D. Renard, T. Romary, X. Freulon MINES-ParisTech - G eosciences

1.16k views • 97 slides
EQUALITY 12ai (1) T(p,q) T(q,p) (p,q are constants) AUTOMATED REASONING (2) T(X,X)

EQUALITY 12ai (1) T(p,q) T(q,p) (p,q are constants) AUTOMATED REASONING (2) T(X,X)

EQUALITY 12ai (1) T(p,q) T(q,p) (p,q are constants) AUTOMATED REASONING (2) T(X,X) (3) p=q A "Natural" derivation of [] SLIDES 12: (1) T(p,q) T(q,p)

104 views • 7 slides
Asymptotic study of subcritical graph classes Michael Drmota, Eric Fusy, Mihyun Kang, Veronika

Asymptotic study of subcritical graph classes Michael Drmota, Eric Fusy, Mihyun Kang, Veronika

Asymptotic study of subcritical graph classes Michael Drmota, Eric Fusy, Mihyun Kang, Veronika Kraus, Juanjo Ru e Laboratoire dInformatique, Ecole Polytechnique, ERC Exploremaps Project VII Jornadas de Matem atica Discreta y Algor

1.1k views • 36 slides
COVID-19 Update April 6, 2020 Jill Hunsaker Ryan, executive Agenda director, CDPHE

COVID-19 Update April 6, 2020 Jill Hunsaker Ryan, executive Agenda director, CDPHE

COVID-19 Update April 6, 2020 Jill Hunsaker Ryan, executive Agenda director, CDPHE Dr. Rachel Herlihy, state epidemiologist, CDPHE Dr. Eric France, chief medical officer, CDPHE Media questions and answers Moderator:

826 views • 17 slides
Apache CloudStack & Apalia Involved with CloudStack since 2010 Dozens of CloudStack

Apache CloudStack & Apalia Involved with CloudStack since 2010 Dozens of CloudStack

Billing for Apache CloudStack Billing for Apache CloudStack CloudStack Collaboration Confer CloudStack Collaboration Conference US ence US Miami May 18 Miami May 18 th th 2017 2017 Apache CloudStack & Apalia Involved with

322 views • 15 slides
Operators vs Arguments The Ins and Outs of Reification Antony Galton University of Exeter, UK

Operators vs Arguments The Ins and Outs of Reification Antony Galton University of Exeter, UK

Operators vs Arguments The Ins and Outs of Reification Antony Galton University of Exeter, UK 1 What is Reification? White ( x ) Colour ( x, white ) All balls in the bag are the same colour: x y ( Ball ( y ) In ( y, b )

473 views • 26 slides
Class logistics Object recognition and Computer Vision 2020

Class logistics Object recognition and Computer Vision 2020

Object recognition and Computer Vision 2020 http://www.di.ens.fr/willow/teaching/recvis Class logistics Object recognition and Computer Vision 2020 http://www.di.ens.fr/willow/teaching/recvis Lectures: Jean Cordelia Mathieu Ivan Josef

407 views • 18 slides
Extracting Seeds from (Hardware) Wallets 9th of June, 2019 - Breaking Bitcoin - Charles GUILLEMET

Extracting Seeds from (Hardware) Wallets 9th of June, 2019 - Breaking Bitcoin - Charles GUILLEMET

Extracting Seeds from (Hardware) Wallets 9th of June, 2019 - Breaking Bitcoin - Charles GUILLEMET Ledger SAS Ledger Technologies Inc. 1, rue du Mail 121 2nd Street - Suite 5 75002 Paris - France 94105 San Francisco - USA Ledger 10+ years

912 views • 42 slides
The probability of planarity of a random graph near the critical point Marc Noy, Vlady

The probability of planarity of a random graph near the critical point Marc Noy, Vlady

The probability of planarity of a random graph near the critical point Marc Noy, Vlady Ravelomanana, Juanjo Ru e Instituto de Ciencias Matem aticas (CSIC-UAM-UC3M-UCM), Madrid Journ ee-s eminaire de combinatoire CALIN, Paris-Nord

1.05k views • 67 slides
Learning Context-dependent Label Permutations for Multi-label Classification Jinseok Nam Amazon

Learning Context-dependent Label Permutations for Multi-label Classification Jinseok Nam Amazon

Learning Context-dependent Label Permutations for Multi-label Classification Jinseok Nam Amazon Alexa AI Joint work with Young-Bum Kim, Eneldo Loza Menca, Sunghyun Park, Ruhi Sarikaya and Johannes Frnkranz Mu Multi-lab label el Clas

742 views • 13 slides
Random Utility without Regularity Michel Regenwetter Department of Psychology, University of

Random Utility without Regularity Michel Regenwetter Department of Psychology, University of

Random Utility without Regularity Michel Regenwetter Department of Psychology, University of Illinois at Urbana-Champaign Winer Memorial Lectures 2018 Work w. J. Dana, C. Davis-Stober, J. Mller-Trede, M.Robinson Thanks: NSF-DRMS SES-10-62045

1.25k views • 76 slides

More recommend