Spectator: Detection and Containment of JavaScript Worms

by Benjamin Livshits, Weidong Cui
Citations: 8 - 3 self

BibTeX

@MISC{Livshits_spectator:detection,
    author = {Benjamin Livshits and Weidong Cui},
    title = {Spectator: Detection and Containment of JavaScript Worms},
    year = {}
}

Abstract

Recent popularity of interactive AJAX-based Web 2.0 applications has given rise to a new breed of security threats: JavaScript worms. In this paper we propose Spectator, the first automatic detection and containment solution for JavaScript worms. Spectator performs distributed data tainting by observing and tagging the traffic between the browser and the Web application. When a piece of data propagates too far, a worm is reported. To prevent worm propagation, subsequent upload attempts performed by the same worm are blocked. Spectator is able to detect fast and slow moving, monomorphic and polymorphic worms with a low rate of false positives. In addition to our detection and containment solution, we propose a range of deployment models for Spectator, ranging from simple intranet-wide deployments to a scalable load-balancing scheme appropriate for large Web sites. In this paper we demonstrate the effectiveness and efficiency of Spectator through both large-scale simulations as well as a case study that observes the behavior of a real-life JavaScript worm propagating across a social networking site. Based on our case study, we believe that Spectator is able to detect all JavaScript worms released to date while maintaining a low detection overhead for a range of workloads.

Citations

380 Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software - Newsome, Song - 2005
239 Automated worm fingerprinting - Singh, Estan, et al. - 2004
206 Vigilante: End-to-end containment of internet worms - Cost, Crowcroft, et al. - 2005
181 Polygraph: Automatically generating signatures for polymorphic worms - Newsome, Karp, et al. - 2005
170 Throttling viruses: Restricting propagation to defeat malicious mobile code - Williamson - 2002
136 Securing web application code by static analysis and runtime protection - Huang, Yu - 2004
122 D.: Automatically hardening web applications using precise tainting - Nguyen-Tuong, Guarnieri, et al.
111 Static detection of security vulnerabilities in scripting languages - Xie, Aiken - 2006
102 Pixy: A static analysis tool for detecting web application vulnerabilities - Jovanovic, Kruegel, et al. - 2006
67 Defending against injection attacks through context-sensitive string evaluation - Pietraszek, Berghe - 2006
50 M.S.: Finding security errors in Java programs with static analysis - Livshits, Lam - 2005
48 Noxes: A Client-Side Solution for Mitigating Cross Site Scripting Attacks - Kirda, Kruegel, et al. - 2006
47 Dynamic taint propagation for java - Haldar, Chandra, et al. - 2005
41 A behavioral approach to worm detection - Ellis, Aiken, et al. - 2004
38 containment in the Potemkin virtual honeyfarm - Scalability - 2005
34 Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis - Vogt, Nentwich, et al. - 2007
27 AjaxScope: A platform for remotely monitoring the client-side behavior of Web 2.0 applications - Kıcıman, Livshits - 2007
22 Preventing cross site request forgery attacks - Jovanovic, Kirda, et al. - 2006
20 Power-law distribution of the world wide web - Barabási, Albert, et al. - 2000
17 GQ: Realizing a System to Catch Worms in a Quarter Million Places - Cui, Paxson, et al.
17 Self-stopping worms - Ma, Voelker, et al. - 2005
13 BEEP: Browser-enforced embedded policies - Jim, Swamy, et al. - 2007
12 RequestRodeo: Client side protection against session riding - Johns, Winter - 2006
12 SecuriFly: Runtime vulnerability protection for Web applications - Martin, Livshits, et al. - 2006
12 Internet security threat report volume XIV. http://www.symantec.com/business/theme.jsp?themeid=threatreport - Corporation - 2009
10 Eds.), Dynamic Social Network Modeling and Analysis - Carley, Pattison
9 ACT: Attachment chain tracing scheme for email virus detection and control - Xiong - 2004
7 Only 10% of Web applications are secured against common hacking techniques. http://www.imperva.com/company/news/2004-feb-02.html - WebCohort - 2004
5 Cross-site Scripting Worms and Viruses: The Impending Threat and the Best Defense - Grossman
4 The honeynet project. http://www.honeynet.org - Honeynet
4 Live Monitoring: Using Adaptive Instrumentation and Analysis to Debug and Maintain Web Applications - Kiciman, Wang - 2007
4 How safe is it out there? http://www.imperva.com/download.asp?id=23 - Surf, Shulman - 2004
3 Malicious Yahooligans. http://www.symantec.com/avcenter/reference/malicious.yahooligans.pdf - Chien - 2006
2 Private Members in JavaScript. http://www.crockford.com/javascript/private.html - Crockford - 2001
2 The Samy worm. http://namb.la/popular - Samy - 2005
1 Siteframe: a lightweight content-management system - Campbell - 2006
1 http://www.symantec.com/security response/writeup - spaceflash - 2006
1 JS.Qspace worm. http://www.symantec.com/enterprise/security response/writeup.jsp - Corporation - 2006
1 Analysis of Web application worms and viruses. http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Hoffman/BH-Fed-06-Hoffman-up.pdf - Hoffman - 2006
1 JSON RPC: Cross site scripting and client side Web services - Meschkat - 2006
1 Mitigating cross-site scripting with http-only cookies - Online - 2007
1 Xanga hit by script worm. http://blogs.securiteam.com/index.php/archives - Murphy - 2005
1 The generic XSS worm. http://www.gnucitizen.org/blog/the-generic-xss-worm - Petkov - 2007
1 Adultspace XSS worm. http://ha.ckers.org/blog/20061214/adultspace-xss-worm - RSnake - 2006
1 reflective XSS worm hits Gaiaonline.com. http://ha.ckers.org/blog/20070104/semi-reflective-xss-worm-hits-gaiaonlinecom - Semi - 2007
1 deploys protection against MySpace worm. http://sonic-wall.blogspot.com/2006/12/sonicwall-deploys-protection-against.html - SonicWALL - 2006
1 com/security response/writeup.jsp?docid - symantec - 2006
1 Xanga hit by script worm. http://blogs.securiteam.com/index.php/archives/166 - Murphy - 2005
1 reflective XSS worm hits Gaiaonline.com. http://ha.ckers.org/blog/20070104/semi-reflective-xss-worm-hits-gaiaonlinecom - Semi - 2007