The widespread access to the Internet and the ubiquity of web-based services
make it easy to communicate and interact globally. Unfortunately, the
software implementing the functionality of web sites is often vulnerable to
attacks, such as code injection, or administrative access might not be
restricted correctly. In turn, an attacker can exploit these vulnerabilities
to compromise and abuse a website for nefarious purposes. In my research, I
aim to better understand, detect, and prevent these attacks.
First, we look at a visible way in which websites are being compromised:
website defacements, which can inflict significant harm on a website's owner
through the loss of sales, the loss of reputation, or legal ramifications.
I introduce Meerkat, a defacement detection system that requires no prior
knowledge about the website's content or its structure, but only its URL.
Meerkat uses computer vision techniques to recognize if a website was defaced,
similarly to how a human analyst decides if a website was defaced when viewing
it in a web browser.
Second, an attacker is not limited to abusing compromised websites in a way that
is visible to users. Instead, she can infect them with malware. Although this
is a known problem, identifying malicious web sites has become a major
challenge in today's Internet. I introduce Delta, a novel, purely static
analysis approach that extracts change-related features between two versions
of the same website, uses a machine-learning algorithm to derive a model of
web site changes, detects if an introduced change was malicious or benign,
identifies the underlying infection vector campaign based on clustering, and
generates an identifying signature.
Finally, we glance at my ongoing work on the practicality and impact of domain
takeover attacks, which an attacker can similarly abuse to spread
misinformation or malware, and we perform a preliminary analysis of how these
attacks can be foiled.