Classification For Webpage Trojan Detection Based On DOM Modeling

Posted on: 2011-02-09
Degree: Master
Type: Thesis
Country: China
Candidate: Y Fan
GTID: 2178330338489604
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of Internet applications, websites have gradually become the most important way to access and publish information. At the same time, websites have brought users many new security risks. According to statistics, trojan horses have replaced viruses as the main threat, and more than 90% of them are propagated through webpages. Research on how to protect users from webpage trojans in web-based applications is therefore attracting more and more attention.

Unlike traditional trojans, webpage trojans spread faster and wider and pose a more serious threat. Because webpage trojans are usually written in script, they are more likely to be encoded and encrypted, so traditional detection models cannot be adapted to webpage trojan detection. Nevertheless, webpage trojan detection today still relies mainly on static feature matching carried over from traditional trojan horse detection. It is unresponsive to unknown samples, and its efficiency declines seriously as the feature databases grow. Other research has proposed detecting trojans by monitoring the dynamic behavior of the host; unfortunately, that detection takes place after infection. Novel webpage trojan detection methods that target the interpretation of the webpage are therefore urgently needed. Such methods could detect threats before the trojans infect the local host through webpages.

To overcome the above problems, we first made a detailed survey of the principles of webpage trojan attacks and the DOM structure of webpages, and on that basis proposed a novel webpage inspect model based on DOM structure (WIM-DOM). We then designed a decision-tree-based classifier that takes the WIM-DOM model as its input. Compared with previous work, we have made the following contributions:

First, we propose a novel webpage inspect model based on the DOM structure, called WIM-DOM. The model uses the inherent DOM structure to map the source document into a sequence of DOM elements, which reflects the two characteristics of webpage trojan attacks: hiddenness and locality. The model enhances the attributes of DOM elements and also preserves the hierarchy among neighboring nodes. As a result, local features can contribute more to the classification than in other methods.

Second, we design a classifier based on WIM-DOM that can be used for webpage trojan detection. In the classifier, we propose using the attributes of DOM elements as the main classification features, including some statistics to decrease the influence of the diversity of webpages. In addition, we are the first to use sequential patterns of DOM elements for webpage trojan detection, which proved effective in improving performance on malicious samples with multi-step attack behavior.

Finally, we designed several comparative experiments for the WIM-DOM classification from two aspects: accuracy and efficiency.
Keywords/Search Tags: webpage-trojan detection, decision tree, WIM-DOM, sequential feature