Thesis etd-0204109-163602: detailed record
Title page for etd-0204109-163602
Malicious Web Page Detection Based on Anomaly Behavior
Keywords: drive-by download, malicious web page, anomaly behavior
The thesis/dissertation has been browsed 5847 times, has been downloaded 10 times.
According to long-term observation in this research, malicious web pages, compared with normal ones, often use unusual behaviors such as web page encoding and keyword splitting to evade detection by anti-virus software; this makes malicious and normal web pages differ markedly in their behavior. Therefore, this research proposes a client-side malicious web page detection mechanism named Web Page Checker (WPC); WPC detects malicious web pages by tracing and analyzing anomaly behavior. The experimental results of this research show that the proposed method can effectively identify malicious web pages and warn website visitors in time, confirming that anomaly behavior detection can be regarded as a new method of malicious web page detection.
Because of the convenience of the Internet, we rely heavily on it for information searching and sharing, forum discussion, and online services. However, most of the websites we visit are developed by people with limited security knowledge, which leaves many vulnerabilities in web applications. Unfortunately, hackers have successfully taken advantage of these vulnerabilities to inject malicious JavaScript into compromised web pages and trigger drive-by download attacks.
Based on our long-term observation of malicious web pages, they exhibit unusual behavior aimed at evading detection, which makes them different from normal pages. Therefore, we propose a client-side malicious web page detection mechanism named Web Page Checker (WPC), which identifies malicious web pages by tracing and analyzing anomaly behavior. The experimental results show that our method can identify malicious web pages and alert website visitors efficiently.
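An added illustration, not code from the thesis, of the anomaly behaviors the abstract and the table of contents name: it joins split string literals to recover sensitive keywords, decodes escaped strings to recover encoded keywords, checks for redirection, and combines the flags with weights into a score. The keyword set, the weights, the 4.0 threshold and the two sample pages are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Keywords whose splitting or encoding the thesis's TOC lists as anomaly behaviors (assumed set)
SENSITIVE = ("eval", "document", "unescape", "fromCharCode", "iframe", "location")
# Hypothetical weights per behavior; the thesis's real weights are not on this page
WEIGHTS = {"encoding": 2.0, "split": 3.0, "encoded_keyword": 3.0, "redirect": 1.5}

def join_split_strings(js: str) -> str:
    """Collapse 'do' + "cu" + 'ment' style concatenations into one literal."""
    pat = re.compile(r"""(['"])([^'"\\]*)\1\s*\+\s*(['"])([^'"\\]*)\3""")
    prev = None
    while prev != js:  # repeat until no adjacent literal pair remains
        prev = js
        js = pat.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), js)
    return js

def decode_layers(js: str) -> str:
    """Undo one layer of fromCharCode(...), \\xNN, \\uNNNN and %NN encoding."""
    js = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)",
                lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', js)
    js = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    js = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), js)
    return unquote(js)

def analyze(page: str) -> dict:
    """Score a page's source for the anomaly behaviors; return flags, score and verdict."""
    flags = set()
    # Web page encoding: decoder calls or long runs of escaped bytes in the raw source
    if re.search(r"unescape\s*\(|fromCharCode|(%[0-9a-fA-F]{2}){8,}|(\\x[0-9a-fA-F]{2}){8,}", page):
        flags.add("encoding")
    joined = join_split_strings(page)
    decoded = decode_layers(joined)
    # Sensitive keyword splitting: the keyword only appears once split literals are joined
    if any(k not in page and k in joined for k in SENSITIVE):
        flags.add("split")
    # Sensitive keyword encoding: the keyword only appears once escapes are decoded
    if any(k not in joined and k in decoded for k in SENSITIVE):
        flags.add("encoded_keyword")
    # Redirection: script navigation, meta refresh, or a zero-sized iframe
    if re.search(r"location\.(href|replace)|<meta[^>]+refresh|<iframe[^>]+(width|height)\s*=\s*[\"']?0", decoded, re.I):
        flags.add("redirect")
    score = sum(WEIGHTS[f] for f in flags)
    return {"flags": sorted(flags), "score": score, "malicious": score >= 4.0}  # 4.0: assumed threshold

# Constructed samples (not from the thesis): a split-and-encoded hidden-iframe loader and a benign page
SAMPLE_MALICIOUS = ('<html><script>var s = "do" + "cu" + "ment";\n'
                    'var e = unescape("%3C%69%66%72%61%6D%65%20src%3D%22http%3A%2F%2Fexample.invalid%2Fx%22%20width%3D0%3E");\n'
                    'window[s].write(e);</script></html>')
SAMPLE_BENIGN = '<html><script>document.write("<p>hello</p>");</script></html>'
```

Calling analyze(SAMPLE_MALICIOUS) raises all four flags for a score of 9.5, while the benign page scores 0.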
Table of Contents
Chapter 1 Introduction 1
1.1 Background 1
1.2 Motivation 4
Chapter 2 Related Works 6
2.1 Malicious Code Injection Mechanisms 6
2.1.1 Web Server Security 6
2.1.2 User Contributed Content 6
2.1.3 Advertisement 7
2.1.4 Third-Party Widgets 7
2.2 Malicious Code Obfuscation Techniques 8
2.2.1 Code Reordering 8
2.2.2 Junk Instruction Insertion 8
2.2.3 Equivalent Code Replacement 9
2.2.4 Code and Data Encapsulation 9
2.2.5 String Splitting 10
2.3 Malicious Code Detection Research 11
2.3.1 Types of Injected Malicious Code 11
2.3.2 Related Research 13
2.3.3 Brief Conclusion 15
Chapter 3 The Proposed Approach 17
3.1 Introduction of Anomaly Behavior and Detection Approach 17
3.1.1 Deeper Depth 17
3.1.2 Web Page Encoding 18
3.1.3 Sensitive Keywords Splitting 19
3.1.4 Sensitive Keywords Encoding 20
3.1.5 Unreasonable Coding Styles 21
3.1.6 Redirection 22
3.2 Proposed System Architecture and System Flowchart 23
3.3 Detailed System Module Illustration 25
3.3.1 Web Page URL Extraction Module 26
3.3.2 Web Page Crawler Module 26
3.3.3 Behavior Extraction Module 26
    Web Page Encoding Detection 26
    Sensitive Keywords Splitting Detection 27
    Sensitive Keywords Encoding Detection 28
    Unreasonable Coding Styles Detection 29
    Redirection Detection 30
3.4 MoBR Module 31
3.5 Anomaly Behavior Scoring Module 31
3.5.1 Predictor Variables of Behavior Scoring Formula 32
3.5.2 Weight Variables of Behavior Scoring Formula 32
3.5.3 Target Variable of Behavior Scoring Formula 33
Chapter 4 System Implementation and Experiment Design 38
4.1 System Implementation 38
4.2 Experiment Design 39
4.2.1 Samples Collection 39
4.2.2 Sampling and Experiment 40
4.3 Experiment Results 41
4.4 Comparisons 42
Chapter 5 Conclusions and Future Work 48
5.1 Conclusions 48
5.2 Future Work 49

Fulltext
Thesis access permission: available on campus after one year; never available off-campus (campus withheld)
Availability:
Campus: available
Off-campus: not available


Printed copies
Availability: available
