Abstract

Many well-known attacks, such as watering hole attacks and domain name hijacking, use web browsers as transmission channels to infect the target computer with malware. To protect data in transit, the SSL/TLS protocol has been widely deployed to defeat various hijacking attacks. However, this encryption also leaves security software and devices unable to analyze encrypted malicious traffic at endpoints. To address this situation, this paper proposes a new efficient and transparent method for large-scale automated TLS traffic analysis, named hyper TLS traffic analysis (HTTA). It extracts multiple types of valuable data from the target system in the hyper mode and correlates them to decrypt network packets in real time, so that overall data correlation analysis can be performed on the target. Additionally, we propose an aided reverse engineering method to support the analysis, which can rapidly identify the target data in different versions of a program. The proposed method can be applied to endpoints and cloud platforms; it introduces no certificate trust risk and has no influence on the target programs. Finally, real experimental results show that the method is feasible and effective for the analysis, with lower runtime overhead than other methods. It covers all the popular browser programs with good adaptability and can be applied to large-scale analysis.

Highlights

  • The incidents of malware attack occur so frequently as to cause the serious loss of data and property to internet users

  • As a supplement to satisfy this special requirement, we propose a rapid TLS session information (TSI) extraction method based on the low fragmentation heap (LFH) mechanism [44] to locate the target in a limited memory region. The operating system provides a special memory management scheme for small-size memory allocations, which is named the LFH on Windows

  • For the kernel driver testing, we install VMware Workstation and create virtual machines with it. The virtual machine configuration is a 4-core CPU, 8 GB memory, and the Windows 10 64-bit operating system. Another virtual machine is created as a local gateway, with a 2-core CPU, 1 GB memory, and the Ubuntu 16.04 64-bit operating system. The main test browsers are 64-bit Firefox (65.0.1), Chrome (72.0.3626.81), and Edge (38.14393.1066.0), which represent most of the cases


Summary

Introduction

Malware attacks occur so frequently that they cause serious loss of data and property to internet users. Web browsers are an important source of malware infection on target computers. Users download and install software bundled with malicious code from third-party websites, or users encounter phishing attacks and access a fake page, or the web browser loads a web page containing vulnerability exploitation code and triggers the malware infection [1]. The incorrect configuration of legitimate applications may also cause the exfiltration of private data. The web browser is an important application in users' work and daily life, so it is crucial to inspect the content of web pages in order to create a secure internet environment for computer users
