Presentation is loading. Please wait.

Presentation is loading. Please wait.

Understanding and Detecting Malicious Web Advertising

Similar presentations

Presentation on theme: "Understanding and Detecting Malicious Web Advertising"— Presentation transcript:

1 Understanding and Detecting Malicious Web Advertising
Knowing Your Enemy Understanding and Detecting Malicious Web Advertising

2 Background Actors in Web Advertising Publishers Advertisers Audiences
Other (ex: trackers) a) Direct Delivery b) Ad syndication Background

3 An Example An example delivery chain of a fake AV campaign.
An ad delivered by

4 There are three categories of attacks with Malvertising.
Drive-by download : These attacks exploit the vulnerabilities of browsers or plugins using dynamic contents in JavaScript or Flash. Scam and phishing : These attacks include fake-AVs or others that attempt to trick users into disclosing sensitive information Click-fraud :  imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad's link Categories of Attacks

5 Terminology Node, Path, and Domain-Path
Malicious Node : A node that performs malicious activities on ad-delivery path is called malicious node. Malicious Path : we call any path containing a malicious node a malvertising path. Infected Publisher : The source node on malvertising path. Terminology

6 Measurement Results Encountered Malvertising Attacks :
Three types of malvertising attacks takes a significant portion of all the attacks detected The average malvertising path length is 8.11 nodes, much longer than the average crawled ad path length of 3.59 nodes The average life time of a particular malicious domain in our data is relatively short, ranging from 1 to 5 days Properties of Malvertising Nodes : Node roles Domain registration URL patterns Node frequency Node-pair frequency Measurement Results

7 Measurement Results Properties of Malvertising Paths:
The use of ad syndication Path distances among malicious nodes Summary of Findings : Malicious nodes tend to stay together, which helps for detection. Measurement Results

8 Mad Tracer Mad Tracer consists of two major components.
Mad Tracer Infrastructure Mad Tracer consists of two major components. The first component identifies malvertising paths by analyzing ad paths and their features. The second is an analyzer component that intensively monitors the infected publisher pages, so as to study cloaking techniques and to expand our detection results. Mad Tracer

9 Detection Methodology

10 Evaluation Results CONCLUSION :
Mad Tracer works effectively against real-world malvertising activities: it caught 15 times as many malicious domain paths as Google Safe Browsing and Microsoft Forefront combined, and also discovered several large-scale malvertising campaigns, including a new type of click-fraud attack. A more detailed summary of findings will be released on Evaluation Results

Download ppt "Understanding and Detecting Malicious Web Advertising"

Similar presentations

Ads by Google