
Tracing And Scene Reconstruction Technology On Drive-by Download Attacks

Posted on: 2016-09-14
Degree: Master
Type: Thesis
Country: China
Candidate: M T Liao
Full Text: PDF
GTID: 2308330476952955
Subject: Software engineering
Abstract/Summary:
Drive-by download attacks have a huge pool of potential victims and have become the most widespread and most damaging client-side attack. Tracing these attacks and reconstructing the attack scene are the prerequisite and foundation for research on them. This paper focuses on tracing and scene reconstruction technology for drive-by download attacks; these techniques directly support the analysis of such attacks.

First, the paper introduces the mechanism of drive-by download attacks and analyzes how their pages are distributed. It then introduces the common detection methods, covering both static and dynamic detection. Next it introduces tracing and scene reconstruction. Tracing analyzes a malicious web page and follows the inline links it contains; each inline link becomes a node of a link tree, and the information about each node is collected. Scene reconstruction builds on tracing: its goal is to save the attack scene and related information of a drive-by download attack at a particular time and in a particular environment. The paper then introduces the concept of the dynamic page view, which provides a practical way to realize both tracing and scene reconstruction. A requirement analysis follows, establishing the feasibility of the prototype system to be built, which consists of a tracing module and a scene reconstruction module. Next, the paper introduces the low-interaction client-side honeypot PhoneyC, analyzes its structure and functions in depth, and carries out tests on it.

We modified the PhoneyC framework and built a data structure for inline link recognition and recursive analysis, completing the tracing module. We then implemented persistence and reconstruction of the dynamic page view on top of an SQLite database and the wxPython GUI framework, completing the scene reconstruction module. The tracing module consists of the following sub-modules: 1) DOM emulation and alerting, 2) page parsing, 3) dynamic script execution and analysis, 4) dynamic page view construction. The scene reconstruction module consists of: 1) the scene reconstruction database, 2) dynamic page view persistence, 3) dynamic page view reconstruction, 4) the visual interface. On the basis of these two modules, the paper completes a prototype tracing and scene reconstruction system. The prototype automatically analyzes web pages supplied by the user, builds their dynamic page view, and displays it visually to support analysis of drive-by download attacks. It has the following features: 1) automation, 2) good persistence, 3) a good visual interface, 4) flexible results. Finally, the prototype was subjected to verification tests and comparative tests. The results show that it has strong recognition ability and good scene display and reconstruction ability; it stores the scene effectively, provides adequate help for analyzing drive-by download attacks, and has more powerful tracking ability than similar research projects.
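The abstract describes the two pieces the prototype is built from: a tracing step that follows a page's inline links recursively and turns each one into a node of a link tree, and a scene reconstruction step that persists that tree in SQLite and rebuilds it later. The following is an added illustration written for this page, not code from the thesis or from PhoneyC. It replaces the honeypot's fetcher with a constructed, offline set of sample pages under hypothetical `.test` hostnames, collects only the resources a browser fetches automatically (`script`, `iframe`, `img`, `link`, and similar, not `<a href>` navigation), records every node in an in-memory SQLite database including resources that could not be fetched, and then reconstructs the tree from the database as indented text in place of a GUI.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample pages standing in for what a client honeypot would fetch.
# All hostnames are hypothetical (.test); nothing touches the network.
PAGES = {
    "http://site.test/index.html": (
        '<html><body>'
        '<script src="js/loader.js"></script>'
        '<iframe src="http://cdn.test/frame.html" width="0" height="0"></iframe>'
        '<link rel="stylesheet" href="style.css">'
        '<img src="logo.png">'
        '<a href="about.html">About</a>'
        '</body></html>'
    ),
    "http://site.test/js/loader.js": "var loaded = true;",
    "http://cdn.test/frame.html": '<html><body><script src="payload.js"></script></body></html>',
    "http://cdn.test/payload.js": "var stage2 = 1;",
    "http://site.test/logo.png": "PNG",
}

# (tag, attribute) pairs whose target the browser fetches automatically, i.e.
# inline links in the thesis's sense; ordinary <a href> navigation is excluded.
INLINE_LINKS = {
    ("script", "src"), ("iframe", "src"), ("frame", "src"), ("img", "src"),
    ("embed", "src"), ("object", "data"), ("link", "href"),
}

# Hypothetical scene database schema: one row per link-tree node.
SCHEMA = """
CREATE TABLE nodes (
    id INTEGER PRIMARY KEY,
    parent_id INTEGER REFERENCES nodes(id),
    tag TEXT, url TEXT NOT NULL, depth INTEGER NOT NULL,
    fetched INTEGER NOT NULL, size INTEGER NOT NULL
)
"""


class InlineLinkParser(HTMLParser):
    """Collect (tag, absolute URL) pairs for every inline link in a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in INLINE_LINKS and value:
                self.links.append((tag, urljoin(self.base_url, value)))


def fetch(url):
    """Stand-in for the honeypot's fetcher: returns the body, or None if missing."""
    return PAGES.get(url)


def trace(conn, url, tag, parent_id, depth, seen, max_depth=8):
    """Record url as a node under parent_id, then recurse into its inline links."""
    body = fetch(url)
    node_id = conn.execute(
        "INSERT INTO nodes(parent_id, tag, url, depth, fetched, size) VALUES (?,?,?,?,?,?)",
        (parent_id, tag, url, depth, int(body is not None), len(body or "")),
    ).lastrowid
    # A missing resource, a URL already on the tree, or the depth limit ends recursion;
    # the node itself is still recorded so the scene shows what was referenced.
    if body is None or url in seen or depth >= max_depth:
        return node_id
    seen.add(url)
    parser = InlineLinkParser(url)
    parser.feed(body)
    for child_tag, child_url in parser.links:
        trace(conn, child_url, child_tag, node_id, depth + 1, seen, max_depth)
    return node_id


def build_scene(root_url):
    """Trace root_url and persist the resulting link tree in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    trace(conn, root_url, "root", None, 0, set())
    conn.commit()
    return conn


def reconstruct(conn):
    """Rebuild the tree from the database as indented lines (text stand-in for the GUI)."""
    rows = conn.execute(
        "SELECT id, parent_id, tag, url, depth, fetched FROM nodes ORDER BY id"
    ).fetchall()
    children = {}
    for row in rows:
        children.setdefault(row[1], []).append(row)
    lines = []

    def walk(parent_id):
        for node_id, _parent, tag, url, depth, fetched in children.get(parent_id, []):
            status = "" if fetched else "  [missing]"
            lines.append(f"{'  ' * depth}<{tag}> {url}{status}")
            walk(node_id)

    walk(None)
    return lines


if __name__ == "__main__":
    db = build_scene("http://site.test/index.html")
    print("\n".join(reconstruct(db)))
```

Running the block prints the root page, the three resources it pulls in directly, the second-stage script reached only through the hidden iframe, and the stylesheet marked `[missing]` because the fetcher had no body for it. Recording unfetchable nodes matters for scene reconstruction: the set of resources a page referenced at capture time is itself evidence, even when some of them were already gone. The `seen` set keeps a page that links to itself, or two pages that link to each other, from recursing forever while still placing each reference in the tree.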
Keywords/Search Tags: Drive-by download attacks, dynamic page view, tracing and locating, scene reconstruction, inline linking