Journal of Computer Applications ›› 2016, Vol. 36 ›› Issue (7): 1841-1846. DOI: 10.11772/j.issn.1001-9081.2016.07.1841

• Cyberspace Security •

Auto-download behavior detection

HUANG Jikun, GONG Weigang, YOU Wei, QIN Bo, SHI Wenchang, LIANG Bin

  1. School of Information, Renmin University of China, Beijing 100872, China
  • Received: 2015-12-03 Revised: 2016-02-11 Online: 2016-07-10 Published: 2016-07-14
  • Corresponding author: LIANG Bin
  • About the authors: HUANG Jikun (born 1993), female, from Zhaotong, Yunnan, master's student; main research interest: software security. GONG Weigang (born 1992), male, from Yiwu, Zhejiang, master's student; main research interest: software security. YOU Wei (born 1988), male, from Fuzhou, Fujian, doctoral student; main research interest: Android security. QIN Bo (born 1977), female, from Yunxi, Hubei, lecturer, PhD; main research interests: data security and privacy protection, applied cryptography. SHI Wenchang (born 1964), male, from Beihai, Guangxi, professor, PhD, CCF member; main research interests: trusted computing, digital forensics. LIANG Bin (born 1973), male, from Kunming, Yunnan, associate professor, PhD, CCF member; main research interests: software security testing, system software security mechanisms.
  • Supported by:
    National Natural Science Foundation of China (61170240, 91418206, 61472429); National Science and Technology Major Project of China (2012ZX01039-004).

Auto-download behavior detection

HUANG Jikun, GONG Weigang, YOU Wei, QIN Bo, SHI Wenchang, LIANG Bin   

  1. School of Information, Renmin University, Beijing 100872, China
  • Received:2015-12-03 Revised:2016-02-11 Online:2016-07-10 Published:2016-07-14
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61170240, 91418206, 61472429), the National Science and Technology Major Project of China (2012ZX01039-004).

Abstract (translated from the Chinese): Nowadays, many malicious web pages use nothing more than ordinary Web programming techniques to make the browser automatically download malware such as Trojans and then trick the user into executing it. This malicious behavior is called auto-download. The defense mechanisms currently built into browsers cannot effectively identify this attack. A defense method is proposed against this class of malicious behavior. The method monitors the operations in a web page that can lead to an automatic download and, when the download actually takes place, determines whether it was triggered by the user, so that auto-download behavior is identified and blocked. The defense has been implemented in two browsers, WebKitGtk+2.8.0 and Chromium 38.0.2113.1, and evaluated: both detection and defense systems produced no false positives and no false negatives on the existing attack samples, with additional performance overhead of 1.26% and 7.79% respectively. The experimental results show that the method can effectively detect and block auto-download attacks with small performance overhead.

Keywords: malicious web page, malware, auto-download detection, user interaction

Abstract: Nowadays, many malicious Web pages can launch the download of malware without any user interaction, leveraging only normal Web programming techniques, and then deceive victims into executing the downloaded malware. This type of attack is called auto-download. The existing defense mechanisms built into browsers cannot effectively identify the attack. To address the problem, an approach was presented to mitigate the attack. The downloading operations were monitored; when a download was in progress, it was checked to see whether it had been triggered by user interaction or not. Consequently, potential auto-download behaviors could be detected and terminated. The approach was implemented in two browsers, WebKitGtk+2.8.0 and Chromium 38.0.2113.1, and both detection and defense systems were evaluated. The false negatives and false positives were 0, and the performance overhead was 1.26% and 7.79% respectively. The experimental results show that the proposed approach can effectively detect and terminate the auto-download attack with low performance overhead.

Key words: malicious Web page, malware, auto-download detection, user interaction
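The abstract describes the detection policy at a high level: track the operations that can start a download and, at the moment the download actually happens, decide whether a user gesture is behind it. The following Python model is an added example written for this page; it is not the authors' WebKitGtk+ or Chromium implementation, and the `DownloadGate` class, the one-second activation window, the "consume the gesture on use" rule and the constructed event trace are all assumptions made here to illustrate the idea. It distinguishes browser-generated (trusted) gestures from script-synthesised ones, blocks downloads that arrive with no recent trusted gesture, and blocks a second download that tries to ride on the same click.

```python
# Added example (not from the paper): simplified model of gating a download on
# whether a genuine user gesture triggered it. Window size, consume-on-use rule
# and the sample trace are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical lifetime of a user gesture, in ms. Browsers use a similar
# "transient user activation" notion; the exact value here is an assumption.
ACTIVATION_WINDOW_MS = 1000


@dataclass
class Event:
    t_ms: int              # time since page load
    kind: str              # "click", "keypress" or "download"
    trusted: bool = True   # False for script-synthesised events (e.g. element.click())
    url: str = ""


@dataclass
class Decision:
    t_ms: int
    url: str
    allowed: bool
    reason: str


class DownloadGate:
    """Tracks genuine user gestures and gates each download request on them."""

    def __init__(self, window_ms: int = ACTIVATION_WINDOW_MS) -> None:
        self.window_ms = window_ms
        self.last_activation: Optional[int] = None

    def _has_activation(self, now_ms: int) -> bool:
        return (self.last_activation is not None
                and 0 <= now_ms - self.last_activation <= self.window_ms)

    def on_event(self, ev: Event) -> Optional[Decision]:
        if ev.kind in ("click", "keypress"):
            # Only browser-generated (trusted) gestures count; a script
            # dispatching its own click event must not grant activation.
            if ev.trusted:
                self.last_activation = ev.t_ms
            return None
        if ev.kind == "download":
            if self._has_activation(ev.t_ms):
                # One gesture authorises one download: consume it so a single
                # click cannot be reused for a burst of downloads (design choice).
                self.last_activation = None
                return Decision(ev.t_ms, ev.url, True, "user-triggered")
            return Decision(ev.t_ms, ev.url, False, "no recent trusted user gesture")
        raise ValueError(f"unknown event kind: {ev.kind}")


def evaluate(events: List[Event]) -> List[Decision]:
    """Replay a page's event trace in time order and return one decision per download."""
    gate = DownloadGate()
    decisions: List[Decision] = []
    for ev in sorted(events, key=lambda e: e.t_ms):
        d = gate.on_event(ev)
        if d is not None:
            decisions.append(d)
    return decisions


# Constructed trace (not captured from any real site): mixes downloads started
# by page load, by a script-synthesised click, by a real click, and by a timer.
SAMPLE_TRACE = [
    Event(50, "download", url="http://example.invalid/setup.exe"),      # fired on page load
    Event(400, "click", trusted=False),                                 # script-synthesised click
    Event(410, "download", url="http://example.invalid/update.exe"),
    Event(2000, "click"),                                               # genuine user click
    Event(2030, "download", url="http://example.invalid/report.pdf"),
    Event(2040, "download", url="http://example.invalid/second.exe"),   # piggybacks on same click
    Event(6000, "download", url="http://example.invalid/late.exe"),     # timer long after the click
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_TRACE):
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{d.t_ms:>5} ms  {verdict}  {d.url}  ({d.reason})")
```

Run as a script, the trace yields four blocked downloads and one allowed one (the PDF requested 30 ms after the genuine click). The consume-on-use rule is the part worth weighing in a real implementation: it stops one click from authorising a burst of downloads, at the cost of blocking legitimate pages that intentionally start several downloads from a single button.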
