
Drive-by Downloads Defense Based On Kernel Level Filtering

Posted on: 2013-04-09    Degree: Master    Type: Thesis
Country: China    Candidate: J P Li    Full Text: PDF
GTID: 2248330395484847    Subject: Computer Science and Technology
Abstract/Summary:
Drive-by download attacks launched through the web browser have become one of the most threatening classes of malicious attack. Unlike a pop-up download, a drive-by download completes the attack stealthily, without any interaction from the user. After a successful compromise of the user's system, the attacker can obtain highly sensitive financial information such as online banking credentials and credit card details.

Based on the characteristics of drive-by download attacks, traditional defenses fall into three types: analysis of web page code using static or dynamic techniques, honeypot technology, and detection methods that operate at the malware code level. After analyzing their advantages, this paper presents a browser-independent system architecture for eliminating drive-by malware installations, built on a Windows kernel-level file system filter driver and user-level hook technology and designed around the characteristics of the Windows operating system and of drive-by downloads. The main innovations of this paper are the following two:

Firstly, in order to correctly distinguish a stealthy download from a pop-up download, this paper introduces the key concept of the File Full-Path associated with a downloading file. By analyzing user download behavior, determining the moment at which a download begins, and intercepting the file download procedure, we take the storage directory extracted from the pop-up download dialog as the File Full-Path, which is then delivered down to the executable file filter driver module located at kernel level.

Secondly, a Special Zone is introduced at kernel level, and executable files saved into the Special Zone are prohibited from running. The executable file filter module, based on MiniFilter, redirects every executable file downloaded by the browser into the Special Zone and then matches the file's download method against the Full-Path; the file is restored to its original save directory only if it was downloaded by the user. Because every executable written to disk passes through the kernel level and is therefore redirected into the Special Zone, the system blocks the automatic installation of malicious code and effectively guarantees system security.

In terms of the two metrics of effectiveness and performance overhead, the experimental results show that our defense system provides good protection against the injection of drive-by download exploits, with a good interception rate and low runtime overhead that has little impact on the user.
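The redirect-then-restore policy described in the abstract, as an added example that is not the thesis's own driver code: a plain user-mode C simulation of the decisions the abstract assigns to the MiniFilter (divert every executable the browser creates into the Special Zone, then move it back only when its Full-Path was chosen in the save dialog) and to the user-level hook (recording that Full-Path). The directory name SPECIAL_ZONE, the function names on_create/on_complete/authorize_path, the executable-extension list, the path normalization, the sample paths and the one-shot consumption of an authorized entry are all assumptions of this example; the real system performs these steps in a kernel minifilter and a dialog hook rather than in one process.

```c
/* Simulation of the Special Zone policy. Not the thesis's driver: a user-mode
 * model of the decisions the abstract attributes to the MiniFilter and to the
 * save-dialog hook. All names and constants here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

#define MAX_PATH_LEN 260
#define MAX_AUTHORIZED 16

/* Hypothetical quarantine directory; files placed here are never allowed to run. */
#define SPECIAL_ZONE "c:\\specialzone\\"

enum verdict { V_PASS = 0, V_REDIRECT = 1, V_RESTORE = 2, V_QUARANTINE = 3 };

/* File Full-Paths captured by the user-level hook on the save dialog.
 * Kept in-process here (constructed); the thesis delivers them down to the driver. */
static char authorized[MAX_AUTHORIZED][MAX_PATH_LEN];
static int n_authorized = 0;

/* Canonicalize so that the dialog-captured path and the path seen at create time
 * compare equal: lower-case, single separator style. */
static void normalize_path(const char *in, char *out, size_t outlen)
{
    size_t i = 0;
    for (; i + 1 < outlen && in[i] != '\0'; i++) {
        char c = in[i];
        if (c == '/') c = '\\';
        out[i] = (char)tolower((unsigned char)c);
    }
    out[i] = '\0';
}

/* Extension list is an assumption; the abstract only says "executable files". */
bool is_executable(const char *path)
{
    static const char *const exts[] = { ".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd" };
    char norm[MAX_PATH_LEN];
    normalize_path(path, norm, sizeof norm);
    const char *dot = strrchr(norm, '.');
    if (dot == NULL || strchr(dot, '\\') != NULL)   /* the dot must be in the file name */
        return false;
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++)
        if (strcmp(dot, exts[i]) == 0)
            return true;
    return false;
}

/* Save-dialog hook: the user confirmed this location, so record its Full-Path. */
bool authorize_path(const char *user_chosen_path)
{
    if (n_authorized >= MAX_AUTHORIZED) return false;
    normalize_path(user_chosen_path, authorized[n_authorized], MAX_PATH_LEN);
    n_authorized++;
    return true;
}

/* Pre-create step: every executable the browser writes is diverted into the
 * Special Zone, whoever asked for it. actual_path receives the path used. */
enum verdict on_create(const char *requested_path, char *actual_path, size_t len)
{
    if (!is_executable(requested_path)) {
        snprintf(actual_path, len, "%s", requested_path);
        return V_PASS;
    }
    char norm[MAX_PATH_LEN];
    normalize_path(requested_path, norm, sizeof norm);
    const char *base = strrchr(norm, '\\');
    base = base ? base + 1 : norm;
    snprintf(actual_path, len, "%s%s", SPECIAL_ZONE, base);
    return V_REDIRECT;
}

/* Post-write step: restore to the original directory only if that exact Full-Path
 * was chosen by the user; the entry is consumed so a later file cannot reuse it. */
enum verdict on_complete(const char *requested_path, char *final_path, size_t len)
{
    if (!is_executable(requested_path)) {
        snprintf(final_path, len, "%s", requested_path);
        return V_PASS;
    }
    char norm[MAX_PATH_LEN];
    normalize_path(requested_path, norm, sizeof norm);
    for (int i = 0; i < n_authorized; i++) {
        if (strcmp(authorized[i], norm) == 0) {
            memmove(&authorized[i], &authorized[i + 1],
                    (size_t)(n_authorized - i - 1) * MAX_PATH_LEN);
            n_authorized--;
            snprintf(final_path, len, "%s", norm);
            return V_RESTORE;
        }
    }
    on_create(requested_path, final_path, len);   /* stays in the Special Zone */
    return V_QUARANTINE;
}

int main(void)
{
    char path[MAX_PATH_LEN];
    const char *user_dl = "C:\\Users\\Bob\\Downloads\\setup.exe";   /* constructed */
    const char *silent  = "C:\\Users\\Bob\\Downloads\\update.exe";  /* constructed */

    authorize_path("C:/Users/Bob/Downloads/Setup.exe");           /* from the dialog hook */
    on_create(user_dl, path, sizeof path);  printf("create  -> %s\n", path);
    on_complete(user_dl, path, sizeof path); printf("finish  -> %s (restored)\n", path);
    on_create(silent, path, sizeof path);   printf("create  -> %s\n", path);
    on_complete(silent, path, sizeof path); printf("finish  -> %s (quarantined)\n", path);
    return 0;
}
```

The point the simulation makes explicit is that the check is a match on the canonical Full-Path, not on the file name: a page that silently drops a second setup.exe into the same directory after the user's own download has been restored finds no authorized entry left and stays in the Special Zone. Whether the real filter consumes entries this way, or keys them on a download session, is not stated in the abstract and is an assumption here.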
Keywords/Search Tags: Drive-by Download Attacks, Malware Prevention, Download-behavior Analysis, MiniFilter, API Hook