Presentation on theme: "Knowing Your Enemy Understanding and Detecting Malicious Web Advertising."— Presentation transcript:
Knowing Your Enemy Understanding and Detecting Malicious Web Advertising
Background Actors in Web Advertising Publishers Advertisers Audiences Other (ex: trackers) a) Direct Delivery b) Ad syndication
An Example An example delivery chain of a fake AV campaign. An ad delivered by adsloader.com.
Terminology Node, Path, and Domain-Path Malicious Node Malicious Node : A node that performs malicious activities on ad-delivery path is called malicious node. Malicious Path Malicious Path : we call any path containing a malicious node a malvertising path. Infected Publisher Infected Publisher : The source node on malvertising path.
Measurement Results Encountered Malvertising Attacks : 1.Three types of malvertising attacks takes a significant portion of all the attacks detected 2.The average malvertising path length is 8.11 nodes, much longer than the average crawled ad path length of 3.59 nodes 3.The average life time of a particular malicious domain in our data is relatively short, ranging from 1 to 5 days Properties of Malvertising Nodes : Node roles Domain registration URL patterns Node frequency Node-pair frequency
Measurement Results Properties of Malvertising Paths: The use of ad syndication Path distances among malicious nodes Summary of Findings Summary of Findings : Malicious nodes tend to stay together, which helps for detection.
Mad Tracer Mad Tracer consists of two major components. −The first component identifies malvertising paths by analyzing ad paths and their features. −The second is an analyzer component that intensively monitors the infected publisher pages, so as to study cloaking techniques and to expand our detection results. Mad Tracer Infrastructure
Evaluation Results CONCLUSION : Mad Tracer works effectively against real-world malvertising activities: it caught 15 times as many malicious domain paths as Google Safe Browsing and Microsoft Forefront combined, and also discovered several large-scale malvertising campaigns, including a new type of click-fraud attack. A more detailed summary of findings will be released on