16th USENIX Security Symposium – Abstract
Pp. 27–42 of the Proceedings
SpyProxy: Execution-based Detection of Malicious Web Content
Alexander Moshchuk, Tanya Bragin, Damien Deville, Steven D. Gribble, and Henry M. Levy, University of Washington
Abstract
This paper explores the use of execution-based Web content analysis to protect users from Internet-borne malware. Many anti-malware tools use signatures to identify malware infections on a user's PC. In contrast, our approach is to render and observe active Web content in a disposable virtual machine before it reaches the user's browser, identifying and blocking pages whose behavior is suspicious. Execution-based analysis can defend against undiscovered threats and zero-day attacks. However, our approach faces challenges, such as achieving good interactive performance, and limitations, such as defending against malicious Web content that contains non-determinism. To evaluate the potential for our execution-based technique, we designed, implemented, and measured a new proxy-based anti-malware tool called SpyProxy. SpyProxy intercepts and evaluates Web content in transit from Web servers to the browser. We present the architecture and design of our SpyProxy prototype, focusing in particular on the optimizations we developed to make on-the-fly execution-based analysis practical. We demonstrate that with careful attention to design, an execution-based proxy such as ours can be effective at detecting and blocking many of today's attacks while adding only small amounts of latency to the browsing experience. Our evaluation shows that SpyProxy detected every malware threat to which it was exposed, while adding only 600 milliseconds of latency to the start of page rendering for typical content.
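To make the abstract's decision logic concrete, here is a small model of an execution-based proxy, added as an illustration and not the authors' SpyProxy code. A real disposable-VM render is replaced by a constructed "side-effect trace" per render attempt; the whitelist of benign browser effects, the `example.test` URLs, the effect strings and the file paths are all assumptions made for this example. The third page models the non-determinism limitation the abstract mentions: content that behaves cleanly on the render the proxy observes, but not on a later one.

```python
"""Toy model of execution-based Web content analysis (SpyProxy-style).

Added illustration; not code from the paper. The sandbox render is
simulated by a function that returns the side effects "observed" on a
given render attempt.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Side effects a clean page render is allowed to produce. This whitelist
# is an assumption for the example, not the paper's actual policy.
BENIGN_EFFECTS: Set[str] = {
    "net:http",             # fetching the page's own sub-resources
    "write:browser-cache",  # normal browser cache activity
    "write:cookies",        # normal cookie storage
}


@dataclass(frozen=True)
class Page:
    url: str
    # attempt number -> side effects observed while rendering in the sandbox
    render: Callable[[int], List[str]]


def unexpected_effects(effects: List[str]) -> Set[str]:
    """Return every observed side effect that is outside the benign whitelist."""
    return {e for e in effects if e not in BENIGN_EFFECTS}


def proxy_decision(page: Page, attempts: int = 1) -> Dict[str, object]:
    """Render the page `attempts` times in the (simulated) disposable VM.

    The proxy forwards the page to the user's browser only if no render
    produced an unexpected side effect; otherwise it blocks the page and
    records the reasons.
    """
    reasons: Set[str] = set()
    for attempt in range(attempts):
        reasons |= unexpected_effects(page.render(attempt))
    return {"url": page.url, "blocked": bool(reasons), "reasons": sorted(reasons)}


# --- Constructed sample pages (not real sites or real traces) -------------

# A normal page: only whitelisted browser activity on every render.
BENIGN_PAGE = Page(
    "http://example.test/news",
    lambda _attempt: ["net:http", "write:browser-cache", "write:cookies"],
)

# A drive-by download: the render drops and executes a file, which a
# browser rendering static content should never do.
DRIVEBY_PAGE = Page(
    "http://example.test/driveby",
    lambda _attempt: ["net:http", "write:file:/tmp/dropper.bin", "exec:/tmp/dropper.bin"],
)


def _nondeterministic_render(attempt: int) -> List[str]:
    """Clean on the first render, malicious afterwards (constructed behaviour
    modelling the non-determinism limitation)."""
    if attempt == 0:
        return ["net:http", "write:browser-cache"]
    return ["net:http", "write:file:/tmp/dropper.bin", "exec:/tmp/dropper.bin"]


NONDET_PAGE = Page("http://example.test/flaky", _nondeterministic_render)


def demo() -> Dict[str, bool]:
    """Summarise the verdicts: one render catches the drive-by but misses
    the non-deterministic page; a second render exposes it."""
    return {
        "benign": proxy_decision(BENIGN_PAGE)["blocked"],
        "driveby": proxy_decision(DRIVEBY_PAGE)["blocked"],
        "nondet_one_render": proxy_decision(NONDET_PAGE, attempts=1)["blocked"],
        "nondet_two_renders": proxy_decision(NONDET_PAGE, attempts=2)["blocked"],
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {'BLOCK' if blocked else 'ALLOW'}")
```

The point of the last two verdicts is the caveat from the abstract: a single observed execution is only evidence about that execution, so content whose behaviour depends on time, randomness or environment can pass the proxy's render and still misbehave in the user's browser. Repeated or varied renders narrow the gap but cost exactly the latency the paper's optimisations are meant to keep small.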
The full text of this paper is available in the published proceedings (HTML and PDF); a version updated on 14 August 2007 (HTML and PDF) and an MP3 recording of the presentation are also available.
The Proceedings are published as a collective work, © 2007 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.