Presentation is loading. Please wait.

Presentation is loading. Please wait.

Knowing Your Enemy Understanding and Detecting Malicious Web Advertising.

Similar presentations

Presentation on theme: "Knowing Your Enemy Understanding and Detecting Malicious Web Advertising."— Presentation transcript:

1 Knowing Your Enemy Understanding and Detecting Malicious Web Advertising

2 Background Actors in Web Advertising Publishers Advertisers Audiences Other (ex: trackers) a) Direct Delivery b) Ad syndication

3 An Example An example delivery chain of a fake AV campaign. An ad delivered by

4 Categories of Attacks There are three categories of attacks with Malvertising. Drive-by download Drive-by download : These attacks exploit the vulnerabilities of browsers or plugins using dynamic contents in JavaScript or Flash. Scam and phishing Scam and phishing : These attacks include fake-AVs or others that attempt to trick users into disclosing sensitive information Click-fraud Click-fraud : imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad's link

5 Terminology Node, Path, and Domain-Path Malicious Node Malicious Node : A node that performs malicious activities on ad-delivery path is called malicious node. Malicious Path Malicious Path : we call any path containing a malicious node a malvertising path. Infected Publisher Infected Publisher : The source node on malvertising path.

6 Measurement Results Encountered Malvertising Attacks : 1.Three types of malvertising attacks takes a significant portion of all the attacks detected 2.The average malvertising path length is 8.11 nodes, much longer than the average crawled ad path length of 3.59 nodes 3.The average life time of a particular malicious domain in our data is relatively short, ranging from 1 to 5 days Properties of Malvertising Nodes : Node roles Domain registration URL patterns Node frequency Node-pair frequency

7 Measurement Results Properties of Malvertising Paths: The use of ad syndication Path distances among malicious nodes Summary of Findings Summary of Findings : Malicious nodes tend to stay together, which helps for detection.

8 Mad Tracer  Mad Tracer consists of two major components. −The first component identifies malvertising paths by analyzing ad paths and their features. −The second is an analyzer component that intensively monitors the infected publisher pages, so as to study cloaking techniques and to expand our detection results. Mad Tracer Infrastructure

9 Detection Methodology

10 Evaluation Results CONCLUSION : Mad Tracer works effectively against real-world malvertising activities: it caught 15 times as many malicious domain paths as Google Safe Browsing and Microsoft Forefront combined, and also discovered several large-scale malvertising campaigns, including a new type of click-fraud attack. A more detailed summary of findings will be released on

Download ppt "Knowing Your Enemy Understanding and Detecting Malicious Web Advertising."

Similar presentations

Ads by Google