
Better detection of browser drive-by infections

9 July 2009

Thijs Kinkhorst and Michael van Kleij have made a real improvement in the detection of drive-by infections through browser exploits. The two Dutch students have devised a method that inspects HTTP network traffic against a ruleset to determine whether an attack has taken place.

In their research they analysed a number of attacks and the characteristics of the traffic they generate: host name, TCP port, IP address, User-Agent string, requested URLs, redirection behaviour and so on. On top of these characteristics they built a scoring mechanism quite similar to the detection rules of modern spam filters, where every matching rule contributes a weight to an overall score. In their test set the rules classified 14 out of 15 cases correctly.
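To make the scoring idea concrete, here is a small weighted-rule classifier in the spam-filter style, run over a few constructed HTTP transactions. It is an added example, not the students' code or their ruleset: the rule names, weights, threshold and sample traffic are all hypothetical choices made for illustration, and the hosts and addresses are reserved example values.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# One HTTP request/response pair as a passive network sensor would reassemble it.
# The fields mirror the traffic characteristics mentioned in the post.
@dataclass
class HttpTransaction:
    host: str
    port: int
    path: str
    user_agent: str
    redirect_chain: List[str] = field(default_factory=list)  # hosts seen via 30x before this request
    content_type: str = ""                                  # Content-Type of the response

# A rule is (name, weight, predicate). Negative weights act as whitelist rules,
# exactly as spam filters do. All weights here are hypothetical, not tuned values.
Rule = Tuple[str, float, Callable[[HttpTransaction], bool]]

IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HEX_RUN = re.compile(r"[0-9a-f]{16,}")

RULES: List[Rule] = [
    ("HOST_IS_RAW_IP", 2.0, lambda t: bool(IPV4_HOST.match(t.host))),
    ("NONSTANDARD_PORT", 1.5, lambda t: t.port not in (80, 443)),
    ("LONG_HEX_TOKEN_IN_PATH", 1.5, lambda t: bool(HEX_RUN.search(t.path.lower()))),
    ("EXECUTABLE_AFTER_REDIRECTS", 3.0,
     lambda t: len(t.redirect_chain) >= 2 and t.path.lower().endswith((".exe", ".dll", ".scr"))),
    ("CROSS_HOST_REDIRECT_CHAIN", 1.0, lambda t: len(set(t.redirect_chain) | {t.host}) >= 3),
    ("ODD_USER_AGENT", 1.0, lambda t: not t.user_agent.startswith("Mozilla/")),
    ("EXECUTABLE_CONTENT_TYPE", 2.0,
     lambda t: t.content_type in ("application/octet-stream", "application/x-msdownload")),
    ("KNOWN_CDN_HOST", -2.0, lambda t: t.host.endswith((".akamai.net", ".googleapis.com"))),
]

THRESHOLD = 5.0  # hypothetical; a real deployment tunes this on labelled traffic


def score(tx: HttpTransaction) -> Tuple[float, List[str]]:
    """Return the summed weight of all matching rules and the names that fired."""
    total, hits = 0.0, []
    for name, weight, predicate in RULES:
        if predicate(tx):
            total += weight
            hits.append(name)
    return total, hits


def is_attack(tx: HttpTransaction) -> bool:
    return score(tx)[0] >= THRESHOLD


# Constructed sample traffic (not captured data).
BENIGN_PAGE = HttpTransaction(
    host="www.example.com", port=80, path="/index.html",
    user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.11",
    content_type="text/html")

CDN_SCRIPT = HttpTransaction(
    host="static.akamai.net", port=80, path="/lib/ui.js",
    user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.11",
    content_type="application/javascript")

# Compromised site -> intermediary -> raw IP on an odd port serving a binary.
DRIVE_BY = HttpTransaction(
    host="203.0.113.7", port=8080,
    path="/cgi-bin/3f9a1c8e2b7d6f4a1e0c9b8d7a6f5e4c/load.exe",
    user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    redirect_chain=["www.compromised-example.com", "ads.tracker-example.net"],
    content_type="application/x-msdownload")

# A landing page reached through one redirect: only one rule fires, so it is
# missed. This is the kind of case that makes up the 1 in 15 misclassifications.
LANDING_PAGE = HttpTransaction(
    host="update-check-example.info", port=80,
    path="/index.php?id=9b3f7a2c1d4e5f60718293a4b5c6d7e8",
    user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    redirect_chain=["www.compromised-example.com"],
    content_type="text/html")

if __name__ == "__main__":
    for label, tx in [("benign page", BENIGN_PAGE), ("cdn script", CDN_SCRIPT),
                      ("drive-by", DRIVE_BY), ("landing page", LANDING_PAGE)]:
        total, hits = score(tx)
        print(f"{label:12} score={total:5.1f} attack={is_attack(tx)!s:5} rules={hits}")
```

The landing-page sample shows why the scores need a body of labelled traffic behind them: a single weak indicator stays below the threshold, and only a rule that captures the specific redirection pattern (or a higher weight on hex-token URLs) would catch it, at the cost of more false positives elsewhere.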

The research is based on a month's worth of data, so the rules are unlikely to stay accurate indefinitely. As we know from spam filter rules, they need constant revision to stay one step ahead of the attackers.

The next step

I think someone should take this and implement a browser plugin with a centrally maintained ruleset for the detection of drive-by infections. The Firefox browser would be a good candidate, but it should also be possible to develop a plugin for other browsers, like Safari or Internet Explorer. As with spam rules, such a central ruleset would need a regular, authenticated update channel, otherwise the plugin falls behind as soon as the attackers change their infrastructure.

View the report.
