Full Record

New Search | Similar Records

Author
Title Localisation of Attacks, Combating Browser-Based Geo-Information and IP Tracking Attacks
URL
Publication Date
Date Available
Degree Level doctoral
University/Publisher Victoria University of Wellington
Abstract Accessing and retrieving users’ browser and network information is a common practice used by advertisers and many online services to deliver targeted ads and explicit improved services to users belonging to a particular group. They provide a great deal of information about a user’s geographical location, ethnicity, language, culture and general interests. However, in the same way these techniques have proven effective in advertising services, they can be used by attackers to launch targeted attacks against specific user groups. Targeted attacks have been proven more effective against user groups than their blind untargeted counterparts (e.g.spam, phishing). Their detection is more challenging as the detection tools need to be located within the targeted user group. This is one of the challenges faced by security researchers and organisations involved in the detection of new malware and exploits, using client honeypots. Client honeypots are detection systems used in the identification of malicious web sites. The client honeypot needs to mimic users in a pre-defined location, system, network and personality for which the malware is intended. The case is amplified by the use of Browser Exploit Packs/kits (BEPs), supporting these features. BEPs provide simplicity in deployment of targeted malicious web sites. They allow attackers to utilise specific geographical locations, network information, visit patterns or browser header information obtained from a visiting user to determine if a user should be subjected to an attack. Malicious web sites that operate based on targeted techniques can disguise themselves as legitimate web sites and bypass detection. Benign content is delivered to attacker-specified users while avoiding delivery to suspicious systems such as well-known or possible subnets that may host client honeypots. A client honeypot deployed in a single location with a single IP address will fail to detect an attack targeted at users in different demographic and network subnets. Failure in detection of such attacks results in high rates of false negatives which affect all honeypots regardless of detection technique or interaction level. BEPs are hugely popular and most include tracking features. The number of malicious web sites that utilise these features is currently unknown. There are very few studies that have addressed identifying the rate and number of malicious web sites utilising these techniques and no available client honeypot system is currently able to detect them. Any failure to detect these web sites will result in unknown numbers of users being exploited and infected with malware. The false negatives resulting from failing to detect these web sites can incorrectly be interpreted as a decline in the number of attacks. In this work, a study of information that can potentially expose users to targeted attack through a browser is examined through experimental analysis. Concrete approaches by attackers to obtain user-specific information in the deployment of targeted attacks through browsers are…
Subjects/Keywords Geolocation Attacks; HAZOP; Client Honeypots; Browser Based Attacks; IP Tracking; Browser Exploit Kits; YALIH; Localized Attacks; Targeted attacks; Honeypots; Honey clients; Hazard and Operability
Contributors Welch, Ian
Language en_nz; en_nz
Rights Author Retains Copyright
Country of Publication nz
Record ID handle:10063/6567
Repository vuw-diss
Date Retrieved
Date Indexed 2019-06-26

Sample Search Hits | Sample Images

…7 1.4 Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Part I – Why are Attacks Targeted and How Do They Do It? 10 2 Targeted Attacks: The Motivation 13 2.1 Social factor…

…Retrieval algorithm to detect geolocation and targeted attacks . xv 173 179 185 187 199 200 209 211 214 223 225 229 230 231 232 List of Tables 3.1 HTTP header fields which could be used to geo-locate a user . 33 3.2 HTTP header information of a…

…give rise to concerns about users’ security. Targeted attacks can be deployed against users from a particular demographic, using current events, and cultural or social information to achieve better return rates [3, 4, 5]. Spam campaigns take…

…monitoring, be present within the geographical boundaries, or pose as a member of the demographic being targeted to be able to detect the attacks. The availability of such techniques for an attacker allows them to identify and bypass security systems or…

…domains where those systems might be located, by refusing to provide services or providing benign content [1]. Localisation and targeted attacks are not only limited to spam campaigns, but seen across other types of attacks. Statistics provided…

…by research organisations running server honeypots have indicated patterns of attack that are unique to a particular region or environment (i.e. academic, corporate) [6]. Localisation and targeted attacks are believed to be factors…

…toolkits (e.g. MPack, IcePack, Blackhole) [15, 16] are used to facilitate the deployment of targeted attacks. Attackers are also able to monitor and log IP addresses of a user and deliver an exploit based on the suspicious behaviour of a…

…required to assess and understand the magnitude of the problem [16]. The challenges facing research in detection of localised and targeted attacks are multifold. The numbers of sensors, types of detection systems, and cost/analysis ratios are all…

.