
Research Spending & Results

Award Detail

Awardee:TRUSTEES OF INDIANA UNIVERSITY
Doing Business As Name:Indiana University
PD/PI:
  • XiaoFeng Wang
  • (812) 856-1862
  • xw7@indiana.edu
Award Date:08/16/2012
Estimated Total Award Amount: $ 478,160
Funds Obligated to Date: $ 478,160
  • FY 2012=$478,160
Start Date:09/01/2012
End Date:08/31/2017
Transaction Type:Grant
Agency:NSF
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.070
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:TWC: Small: Knowing Your Enemy: Understanding and Counteracting Web Malvertising
Federal Award ID Number:1223477
DUNS ID:006046700
Parent DUNS ID:006046700
Program:Secure & Trustworthy Cyberspace
Program Officer:
  • Sol Greenspan
  • (703) 292-7841
  • sgreensp@nsf.gov

Awardee Location

Street:509 E 3RD ST
City:Bloomington
State:IN
ZIP:47401-3654
County:Bloomington
Country:US
Awardee Cong. District:09

Primary Place of Performance

Organization Name:Indiana University
Street:901 E. 10th Street
City:Bloomington
State:IN
ZIP:47408-3912
County:Bloomington
Country:US
Cong. District:09

Abstract at Time of Award

With the Internet becoming the dominant channel for marketing and promotion, online advertisements (ads for short) are also increasingly used for propagating malware, committing scams, click frauds and other illegal activities. These activities, which we call malvertising, systematically deliver malicious ad content and victimize visitors through an infrastructure, which includes malicious advertisers, ad networks, redirection servers, exploit servers and others. Our preliminary study shows that most of such malvertising activities are missed by popular detection services such as Google Safe Browsing and Microsoft Forefront. This points to a disturbing lack of understanding of such web malvertising activities, which renders existing countermeasures less effective, and an urgent need to study the features of this threat to better prepare us to defend against it. The proposed research endeavors to gain a holistic, in-depth understanding about the scope and magnitude of malicious display, search and contextual advertising, features of their infrastructures and ad content, behavior of malicious ad-related parties, and economics of this underground business. Based upon such an understanding, we continue to develop novel infrastructure-aware technologies to detect these malicious activities, which include effective malvertising analysis techniques that capture malicious ads, advertisers and ad networks through web patrol, client-side defense that protects a user from stepping into exploit servers and publisher-side countermeasures that empower legitimate publishers and ad networks to shield their customers from such attacks. This research involves industry collaborators and also contributes to mitigation of other related threats such as black-hat Search Engine Optimization, SPAM-based phishing and drive-by-downloads.

Publications Produced as a Result of this Research


X. Liao, K. Yuan, X. Wang, Z. Pei, H. Yang, J. Chen, H. Duan, K. Du, E. Alowaisheq, S. Alrwais, L. Xing and R. Beyah "Seeking Nonsense, Looking for Trouble: Efficient Promotional-Infection Detection through Semantic Inconsistency Search" the 36th IEEE Symposium on Security and Privacy (IEEE S&P), 2016.

S. Alrwais, K. Yuan, E. Alowaisheq, X. Liao, A. Oprea, X. Wang and Z. Li "Catching Predators at Watering Holes: Finding and Understanding Strategically Compromised Websites" 2016 Annual Computer Security Applications Conference, 2016.

S. Alrwais, X. Liao, X. Mi, P. Wang, X. Wang, F. Qian, R. Beyah and D. McCoy "Under the Shadow of Sunshine: Understanding and Detecting BulletProof Hosting on Legitimate Service Provider Networks" the 38th IEEE Symposium on Security and Privacy (IEEE S&P), 2017.

Y. Aafer, N. Zhang, Z. Zhang, X. Zhang, K. Chen, X. Wang, X. Zhou, W. Du and M. Grace "Hare Hunting in the Wild Android: A Study on the Threat of Hanging Attribute References" the 22nd ACM Conference on Computer and Communications Security (CCS), 2015.

L. Xing, X. Bai, T. Li, X. Wang, K. Chen, X. Liao, S. Hu and X. Han "Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS" the 22nd ACM Conference on Computer and Communications Security (CCS), 2015.

X. Liao, S. Alrwais, K. Yuan, L. Xing, X. Wang, S. Hao and R. Beyah "Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service" the 23rd ACM Conference on Computer and Communications Security (CCS), 2016.



Project Outcomes Report

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

With the Internet becoming the dominant channel for marketing and promotion, online advertisements are also increasingly used for propagating malware, committing scams, click frauds and other illegal activities. These activities, called malvertising, systematically deliver illicit ad content and victimize visitors through various channels and infrastructures. Prior research demonstrates the pervasiveness of the threat, inadequate understanding of the adversary’s strategies, techniques, infrastructures and capabilities, and lack of effective protection against the threat.

Intellectual Merit. This project systematically investigated the ever-evolving malvertising landscape, to gain a holistic, in-depth understanding about this Cybercrime and related illicit activities, and develop effective means to detect and mitigate the threat. More specifically, we first studied the more conventional, redirection-based malvertising infrastructure, and built a detection tool to utilize short redirection sequences to characterize the attack infrastructures the adversary uses to hide their operations and deliver their content. Further, our research looked into the unique structural features of the infrastructures, identifying its “linchpin”, the traffic redirection systems that play the central role in the malvertising ecosystem. Further down the road, we leveraged the adversary’s blind attack content injection techniques to automatically detect infected web content, the entries of the redirection chains.

During the project, we continued to monitor the adversary’s evolving strategies, techniques and ecosystems. We found the emergence of the APT attacks utilizing compromised domains as a strategic target weapon, called watering holes, spread of promotional infections to advertise malicious content on leading .gov, .edu and other sponsored top-level domains, also the use of domain parking, cloud repositories and autocomplete services to perform illicit advertising and even involvement of mobile devices in the malicious operations. Further observed in our study is the evolution of the attack infrastructure, particularly their hosting services for malicious content, which moves from the dedicated dark network to the legitimate ISP’s IP blocks sub-allocated to untrusted parties. Such new malvertising and Cybercrime trends are captured by Cyber Threat Intelligence, which we developed new techniques to automatically collect and analyze to help detect these emerging attacks.

The impacts of the research are significant and far-reaching: the outcomes of the study help the community better understand, continuously monitor Cybercrimes, malvertising in particular, and identify large-scale attack campaigns. Such understanding can also support the effort of the policy maker to regulate online grey businesses often leveraged by the adversary for Cybercrimes and the law enforcement to hit the crimes at their weakest links. Our research has resulted in more than 10 papers, most in the top-tiered security venues. Further, the studies led to the discovery of tens of thousands of compromised high-profile domains, including those of government agencies (the US Department of State, NIH, etc.) and universities around the world. Also, the discoveries and analysis of watering holes were reported by AlienVault and New York Times.

Broader Impacts. The outcomes of this project have been extensively disseminated. We will continue to release the systems related to the project whenever the code becomes mature enough. We communicated with different parties (e.g., Microsoft) to explore the potential of technical transfers. Also, the project involved HBCU students through summer internships, helping them understand Cybercrimes and the techniques to mitigate such threats. We also present our research findings and disseminate the new techniques developed in the project through conference and invited talks around the world.

 


 


Last Modified: 12/16/2017
Modified by: Xiaofeng Wang
