Better detection of browser drive-by infections

July 9, 2009 22:20 1 comment

Thijs Kinkhorst and Michael van Kleij have achieved a big improvement in the detection of drive-by infections through browser exploits. The two Dutch students have devised a method to inspect HTTP network traffic with rulesets to determine if an attack has taken place.

In their research, they analyzed a number of attacks and their characteristics, such as host name, TCP port, IP address, user agent strings, request URLs, redirection and so on. They applied a scoring mechanism with rules quite similar to the detection rules of modern spam filters. These rules correctly determined whether an attack was taking place in 14 out of 15 cases.

The research is based on a month's worth of data, so the rules are probably not 100% future-proof. As we know from spam filter rules, they constantly need to be revised to stay one step ahead of the game.
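To make the spam-filter analogy concrete, here is an added example (my own illustration, not the students' ruleset or code) of how such scoring works over the traffic features the post lists. A session is the sequence of HTTP requests a browser made; each rule inspects the whole session and contributes a weight when it fires, and the sum is compared with a threshold. The rules, weights, threshold and the three sample sessions are all constructed for this example; the IP addresses are documentation ranges and the host names are placeholders.

```python
"""Rule-scored detection of suspicious HTTP sessions (illustrative, constructed rules)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import urlparse


@dataclass
class HttpRequest:
    host: str          # Host header
    port: int          # TCP port
    ip: str            # server IP address
    user_agent: str    # User-Agent header
    url: str           # request path and query
    status: int        # response status code
    location: str = "" # Location header on a redirect, if any


@dataclass
class Rule:
    name: str
    weight: float
    test: Callable[[List[HttpRequest]], bool]  # evaluated over the whole session


IP_LITERAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def redirect_hops(session: List[HttpRequest]) -> int:
    return sum(1 for r in session if 300 <= r.status < 400 and r.location)


def redirects_offsite(session: List[HttpRequest]) -> bool:
    # A redirect whose Location points at a different host than the one asked
    return any(r.location and urlparse(r.location).hostname != r.host for r in session)


# Constructed rules and weights; a real ruleset would be derived from captured attacks.
RULES = [
    Rule("many_redirect_hops", 2.0, lambda s: redirect_hops(s) >= 3),
    Rule("ip_literal_host", 1.5, lambda s: any(IP_LITERAL.fullmatch(r.host) for r in s)),
    Rule("nonstandard_port", 1.0, lambda s: any(r.port not in (80, 443) for r in s)),
    Rule("long_query_string", 1.5, lambda s: any(len(urlparse(r.url).query) > 200 for r in s)),
    Rule("user_agent_changes", 2.0, lambda s: len({r.user_agent for r in s}) > 1),
    Rule("redirect_offsite", 1.0, redirects_offsite),
]
THRESHOLD = 4.0  # constructed; tuned against labelled traffic in practice


def score_session(session: List[HttpRequest], rules=RULES) -> Tuple[float, List[str]]:
    """Return the total score and the names of the rules that fired."""
    fired = [rule for rule in rules if rule.test(session)]
    return sum(rule.weight for rule in fired), [rule.name for rule in fired]


def is_attack(session: List[HttpRequest], threshold: float = THRESHOLD) -> bool:
    return score_session(session)[0] >= threshold


# --- constructed sample sessions ---------------------------------------------
FIREFOX = "Mozilla/5.0 (Windows NT 6.0; rv:3.0) Gecko/2009 Firefox/3.0"
PLUGIN = "Java/1.6.0_07"  # a plugin fetching a payload with its own UA

BENIGN = [
    HttpRequest("www.example.com", 443, "198.51.100.5", FIREFOX, "/", 200),
    HttpRequest("www.example.com", 443, "198.51.100.5", FIREFOX, "/news?id=7", 200),
]

# One legitimate off-site redirect (e.g. to a CDN) should stay under the threshold.
CDN_REDIRECT = [
    HttpRequest("shop.example.com", 443, "198.51.100.6", FIREFOX, "/img/1.png", 302,
                "https://cdn.example.net/img/1.png"),
    HttpRequest("cdn.example.net", 443, "198.51.100.7", FIREFOX, "/img/1.png", 200),
]

LONG_QUERY = "/in.cgi?" + "a" * 250
SUSPICIOUS = [
    HttpRequest("news.example.org", 80, "198.51.100.10", FIREFOX, "/index.html", 302,
                "http://203.0.113.7:8080" + LONG_QUERY),
    HttpRequest("203.0.113.7", 8080, "203.0.113.7", FIREFOX, LONG_QUERY, 302,
                "http://203.0.113.7:8080/load.php?x=1"),
    HttpRequest("203.0.113.7", 8080, "203.0.113.7", FIREFOX, "/load.php?x=1", 302,
                "http://203.0.113.7:8080/exe.php"),
    HttpRequest("203.0.113.7", 8080, "203.0.113.7", PLUGIN, "/exe.php", 200),
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN), ("cdn", CDN_REDIRECT), ("suspicious", SUSPICIOUS)):
        total, fired = score_session(session)
        print(f"{name:10s} score={total:4.1f} attack={is_attack(session)} fired={fired}")
```

The point of scoring rather than matching single signatures is visible in the CDN session: one off-site redirect on its own scores 1.0 and stays well below the threshold, while the suspicious session trips six rules at once and scores 9.0. The weights and the threshold are exactly the parts that, as with spam filters, need re-tuning as attack traffic changes.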

The next step

I think someone should take this and implement a browser plugin with a central ruleset for the detection of drive-by infections. The Firefox browser would be a good candidate, but it should also be possible to develop a plugin for other browsers, like Safari or Internet Explorer.

View the report.
