BrowserGuard: A behavior-based solution to drive-by-download attacks

Fu Hau Hsu, Chang Kuo Tso, Yi Chun Yeh, Wei Jen Wang, Li Han Chen

Research output: Contribution to journalArticlepeer-review

22 Scopus citations

Abstract

Along with an increasing user population of various web applications, browser-based drive-by-download attacks soon become one of the most common security threats to the cyber community. A user using a vulnerable browser or browser plug-ins may become a victim of a drive-by-download attack right after visiting a vicious web site. The end result of such attacks is that an attacker can download and execute any code on the victim's host. This paper proposes a runtime, behavior-based solution, BrowserGuard, to protect a browser against drive-by-download attacks. BrowserGuard records the download scenario of every file that is loaded into a host through a browser. Then based on the download scenario, BrowserGuard blocks the execution of any file that is loaded into a host without the consent of a browser user. Due to its behavior-based detection nature, BrowserGuard does not need to analyze the source file of any web page or the run-time states of any script code, such as Javascript. BrowserGuard also does not need to maintain any exploit code samples and does not need to query the reputation value of any web site. We utilize the standard BHO mechanism of Windows to implement BrowserGuard on IE 7.0. Experimental results show that BrowserGuard has low performance overhead (less than 2.5%) and no false positives and false negatives for the web pages used in our experiments.

Original languageEnglish
Article number5963164
Pages (from-to)1461-1468
Number of pages8
JournalIEEE Journal on Selected Areas in Communications
Volume29
Issue number7
DOIs
StatePublished - Aug 2011

Keywords

  • Web browser
  • drive-by-download attack
  • heap spray
  • intrusion detection
  • malware
  • system security

Fingerprint

Dive into the research topics of 'BrowserGuard: A behavior-based solution to drive-by-download attacks'. Together they form a unique fingerprint.

Cite this