Design and Evaluation of a Real-Time URL Spam Filtering Service
Cited by 9 (5 self)
On the heels of the widespread adoption of web services such as social networks and URL shorteners, scams, phishing, and malware have become regular threats. Despite extensive research, email-based spam filtering techniques generally fall short for protecting other web services. To better address this need, we present Monarch, a real-time system that crawls URLs as they are submitted to web services and determines whether the URLs direct to spam. We evaluate the viability of Monarch and the fundamental challenges that arise due to the diversity of web service spam. We show that Monarch can provide accurate, real-time protection, but that the underlying characteristics of spam do not generalize across web services. In particular, we find that spam targeting email qualitatively differs in significant ways from spam campaigns targeting Twitter. We explore the distinctions between email and Twitter spam, including the abuse of public web hosting and redirector services. Finally, we demonstrate Monarch’s scalability, showing our system could protect a service such as Twitter, which needs to process 15 million URLs/day, for a bit under $800/day.
RB-Seeker: Auto-detection of Redirection Botnets
In Network & Distributed System Security Symposium, 2009
Cited by 5 (0 self)
A Redirection Botnet (RBnet) is a vast collection of compromised computers (called bots) used as a redirection/proxy infrastructure and under the control of a botmaster. We present the design, implementation and evaluation of a system called Redirection Botnet Seeker (RB-Seeker) for automatic detection of RBnets by utilizing three cooperating subsystems. Two of the subsystems are used to generate a database of domains participating in redirection: one detects redirection bots by following links embedded in spam emails, and the other detects redirection behavior based on network traces at a large university edge router using sequential hypothesis testing. The database of redirection domains generated by these two subsystems is fed into the final subsystem, which then performs DNS query probing on the domains over time. Based on certain behavioral attributes extracted from the DNS queries, the final subsystem makes use of a 2-tier detection strategy utilizing hyperplane decision functions. This allows it to quickly identify aggressive RBnets with a low false-positive rate (< 0.008%), while also accurately detecting stealthy RBnets (i.e., those mimicking valid DNS behavior, such as CDNs) by monitoring their behavior over time. Using DNS behavior as a means of detecting RBnets, RB-Seeker is impervious to the botmaster’s choice of Command-and-Control (C&C) channel (i.e., how the botmaster communicates and controls the bots) or use of encryption.
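The edge-router subsystem above decides per host with a sequential hypothesis test. The following is an added illustration of that idea (a Wald sequential probability ratio test), not RB-Seeker's own code: the abstract does not state which observable, priors or error rates RB-Seeker uses, so the "response was an HTTP redirect" observable, the theta0/theta1 probabilities, the alpha/beta error targets and the trace lines are all assumptions constructed for the example.

```javascript
// Added example: a Wald sequential probability ratio test (SPRT) that flags
// a server as a redirector once enough of its responses are HTTP redirects.
// RB-Seeker's real observables and thresholds are not given in the abstract;
// everything below (observable, theta0/theta1, alpha/beta) is assumed.
const DEFAULT_PARAMS = { theta0: 0.2, theta1: 0.8, alpha: 0.01, beta: 0.01 };

function sprtThresholds({ theta0, theta1, alpha, beta }) {
  return {
    upper: Math.log((1 - beta) / alpha),               // cross upward: accept H1 (redirector)
    lower: Math.log(beta / (1 - alpha)),               // cross downward: accept H0 (benign)
    stepRedirect: Math.log(theta1 / theta0),           // log-likelihood gain per redirect seen
    stepNormal: Math.log((1 - theta1) / (1 - theta0)), // gain per non-redirect seen
  };
}

// observations: array of booleans, true = the server answered with a redirect.
// Stops as soon as the log-likelihood ratio crosses either threshold.
function classifyHost(observations, params = DEFAULT_PARAMS) {
  const t = sprtThresholds(params);
  let llr = 0;
  for (let i = 0; i < observations.length; i++) {
    llr += observations[i] ? t.stepRedirect : t.stepNormal;
    if (llr >= t.upper) return { verdict: 'redirector', steps: i + 1 };
    if (llr <= t.lower) return { verdict: 'benign', steps: i + 1 };
  }
  return { verdict: 'undecided', steps: observations.length };
}

const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Constructed trace lines, "<client> <server> <http-status>"; not real router data.
const SAMPLE_TRACE = [
  '10.0.0.5 203.0.113.10 302',
  '10.0.0.9 203.0.113.10 302',
  '10.0.0.5 203.0.113.10 301',
  '10.0.0.7 203.0.113.10 302',
  '10.0.0.5 198.51.100.7 200',
  '10.0.0.9 198.51.100.7 200',
  '10.0.0.7 198.51.100.7 304',
  '10.0.0.5 198.51.100.7 200',
  '10.0.0.5 203.0.113.22 302',
  '10.0.0.9 203.0.113.22 200',
  '10.0.0.7 203.0.113.22 302',
];

// Group observations per server, run the test on each, return { server: result }.
function scanTrace(lines, params = DEFAULT_PARAMS) {
  const perServer = new Map();
  for (const line of lines) {
    const [, server, status] = line.trim().split(/\s+/);
    if (!perServer.has(server)) perServer.set(server, []);
    perServer.get(server).push(REDIRECT_STATUSES.has(Number(status)));
  }
  const results = {};
  for (const [server, obs] of perServer) results[server] = classifyHost(obs, params);
  return results;
}

// console.log(scanTrace(SAMPLE_TRACE));
```

With the assumed parameters, four redirects in a row are enough to cross the upper threshold (4 · ln 4 ≈ 5.55 > ln 99 ≈ 4.6), four plain responses cross the lower one, and a mixed host stays undecided until more traffic is seen; that early stopping is what makes the test usable on a live edge-router trace.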
Exploring the ‘Weakest Link’: A Study of Personal Password Security, 2007
Cited by 2 (0 self)
The security of most password authentication mechanisms hinges on the secrecy of only a single word – if an adversary obtains knowledge of a victim’s password, the adversary will be able to impersonate the victim and gain access to the resources to which the victim is entitled. Although cryptographic means and protocols offer some degree of protection during the transmission and storage of passwords, users are often left unprotected by nothing but security policies and guidelines which are often neglected. Various literatures have shown that users are the ‘weakest link’ in any password authentication mechanism, due to their propensity to create weak passwords and reuse passwords on multiple accounts. While various identity management solutions have been developed to address the prevalence of users’ insecure password practices, these solutions still suffer from their own problems and drawbacks. Before we could work towards a more appropriate solution to users’ insecure password practices, it would be necessary to study the underlying cause of these practices, which lies within users’ perceptions of their accounts and passwords. In this thesis, we present
Rozzle: De-Cloaking Internet Malware
Cited by 1 (0 self)
JavaScript-based malware attacks have increased in recent years and currently represent a significant threat to the use of desktop computers, smartphones, and tablets. While static and runtime methods for malware detection have been proposed in the literature, both on the client side, for just-in-time in-browser detection, as well as offline, crawler-based malware discovery, these approaches encounter the same fundamental limitation. Web-based malware tends to be environment-specific, targeting a particular browser, often attacking specific versions of installed plugins. This targeting occurs because the malware exploits vulnerabilities in specific plugins and fails otherwise. As a result, a fundamental limitation for detecting a piece of malware is that malware is triggered infrequently, only showing itself when the right environment is present. We observe that, using fingerprinting techniques that capture and exploit unique properties of browser configurations, almost all existing malware can be made virtually impossible for malware scanners to detect. This paper proposes Rozzle, a JavaScript multi-execution virtual machine, as a way to explore multiple execution paths within a single execution so that environment-specific malware will reveal itself. Using large-scale experiments, we show that Rozzle increases the detection rate for offline runtime detection by almost seven times. In addition, Rozzle triples the effectiveness of online runtime detection. We show that Rozzle incurs virtually no runtime overhead and allows us to replace multiple VMs running different browser configurations with a single Rozzle-enabled browser, reducing the hardware requirements, network bandwidth, and power consumption.
Index Terms: malware; cloaking; JavaScript
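The cloaking problem and the multi-execution answer described above can be shown on a toy scale. The block below is an added illustration, not Rozzle's code: Rozzle's VM runs real JavaScript inside a browser, whereas this version interprets a tiny hand-built AST with only `call` and `if <environment property> === <value>` statements. The cloaked script, its function names (`launchPdfExploit`, `showBenignPage`, ...) and the environment property names are all made up for the example.

```javascript
// Added example: single execution vs. multi-execution over a tiny script AST.
// Not Rozzle's implementation; script, names and properties are constructed.
const SYMBOLIC = Symbol('unknown environment value');

// Constructed cloaked script: the payload calls only happen for specific
// plugin/browser versions; a scanner with another configuration sees only
// the benign page. The last statement re-tests a property already tested,
// so the multi-execution has to keep its path assumptions consistent.
const SAMPLE_SCRIPT = [
  { type: 'if', prop: 'plugins.AdobeReader', equals: '9.3',
    then: [{ type: 'call', name: 'launchPdfExploit' }],
    else: [
      { type: 'if', prop: 'browser', equals: 'MSIE6',
        then: [{ type: 'call', name: 'launchActiveXExploit' }],
        else: [{ type: 'call', name: 'showBenignPage' }] },
    ] },
  { type: 'if', prop: 'plugins.AdobeReader', equals: '9.3',
    then: [{ type: 'call', name: 'stageTwoPdfPayload' }], else: [] },
];

// Ordinary execution under one concrete environment: one path, one call list.
function singleExecute(script, env) {
  const calls = [];
  const run = (stmts) => {
    for (const s of stmts) {
      if (s.type === 'call') calls.push(s.name);
      else run(env[s.prop] === s.equals ? s.then : s.else);
    }
  };
  run(script);
  return calls;
}

// Multi-execution: properties marked SYMBOLIC are unknown, so a branch on one
// forks and both sides run; the assumed (in)equality is recorded per path so a
// later test of the same property does not explore an infeasible combination.
function multiExecute(script, env) {
  const reached = new Set();
  let paths = 0;
  function evalCond(s, constraints) {
    if (env[s.prop] !== SYMBOLIC) return env[s.prop] === s.equals;
    const c = constraints.get(s.prop);
    if (c && c.eq !== undefined) return c.eq === s.equals;
    if (c && c.ne.has(s.equals)) return false;
    return SYMBOLIC;
  }
  function run(stmts, constraints) {
    for (let i = 0; i < stmts.length; i++) {
      const s = stmts[i];
      if (s.type === 'call') { reached.add(s.name); continue; }
      const rest = stmts.slice(i + 1);
      const cond = evalCond(s, constraints);
      if (cond !== SYMBOLIC) { run([...(cond ? s.then : s.else), ...rest], constraints); return; }
      const prev = constraints.get(s.prop);
      const thenC = new Map(constraints).set(s.prop, { eq: s.equals, ne: new Set() });
      const elseC = new Map(constraints).set(s.prop, { ne: new Set(prev ? prev.ne : []).add(s.equals) });
      run([...s.then, ...rest], thenC); // path assuming prop === equals
      run([...s.else, ...rest], elseC); // path assuming prop !== equals
      return;
    }
    paths += 1; // end of one feasible path
  }
  run(script, new Map());
  return { reached: [...reached].sort(), paths };
}

// A scanner whose Adobe Reader and browser do not match the targeted versions.
const SCANNER_ENV = { 'plugins.AdobeReader': '11.0', browser: 'Chrome' };
// The same scanner with both fingerprinted properties left symbolic.
const SYMBOLIC_ENV = { 'plugins.AdobeReader': SYMBOLIC, browser: SYMBOLIC };

// console.log(singleExecute(SAMPLE_SCRIPT, SCANNER_ENV));  // only the benign page
// console.log(multiExecute(SAMPLE_SCRIPT, SYMBOLIC_ENV));  // every payload, 3 paths
```

Under the concrete scanner environment the script behaves exactly as a cloaked page would and only `showBenignPage` is observed; with the two fingerprinted properties symbolic, the same single pass reaches every payload call site. The recorded path constraints keep the count at three feasible paths rather than four, which is the kind of bookkeeping that stops multi-execution from blowing up on scripts that test the same property repeatedly.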
Adversarial Information Retrieval on the Web (AIRWeb 2007)
In SIGIR Forum, 2008
The ubiquitous use of search engines to discover and access Web content shows clearly the success of information retrieval algorithms. However, unlike controlled collections, the vast majority of Web pages lack an authority asserting their quality. This openness of the Web has been the key to its rapid growth and success, but this openness is also a major source of new adversarial challenges for information retrieval methods.

