URL 리디렉션을 악용한 웹 보안 공격에 대한 탐지 및 방어 기법

Abstract

URL redirection is a well-known technique that redirects visitors from one webpage to another webpage. This technique allows a website to associate with many domain names or to change its domain name while allowing visitors to use the old name temporally. Recently, URL shortening services (USSes) based on URL redirection have been introduced. The purpose of USSes is making a short alias of a long URL for sharing it between users. USSes are frequently used on Twitter, which is a famous microblogging and social networking service, because Twitter restricts the length of messages shorter than 140 characters. However, Web attackers also frequently use the URL redirection and shortening services to cloak their attack URLs for spam, phishing, or malware distribution because they can hide the real destination of a URL exploiting these services. Moreover, attackers have proposed a number of attack methods for USSes to track users’ activities or maliciously use them. Therefore, in this dissertation, we focus on detection of the most advanced web security attacks exploiting URL redirection, and design and prevention of new security threats exploiting it.First, we propose a detection scheme of suspicious URL redirection for Twitter. Twitter is prone to malicious tweets containing suspicious URLs for Web attacks. Conventional Twitter spam detection schemes utilize account features such as the ratio of tweets containing URLs and the account creation date, or relation features in the Twitter graph. These detection schemes are ineffective against feature fabrications or consume much time and resources. Conventional suspicious URL detection schemes utilize several features including lexical features of URLs, URL redirection, HTML content, and dynamic behavior. However, evading techniques such as time-based evasion and crawler evasion exist. In this dissertation, we propose WarningBird, a suspicious URL detection system for Twitter. Our system investigates correlations of URL redirect chains extracted from several tweets. Because attackers have limited resources and usually reuse them, their URL redirect chains frequently share the same URLs. We develop methods to discover correlated URL redirect chains using the frequently shared URLs and to determine their suspiciousness. We collect numerous tweets from the Twitter public timeline and build a statistical classifier using them. Evaluation results show that our classifier accurately and efficiently detects suspicious URLs. We also present WarningBird as a near real-time system for classifying suspicious URLs in the Twitter stream.Second, we design a botnet, an advanced security attack, exploiting USSes and propose countermeasures of it. Despite the popularity of USSes, researchers do not carefully consider their security problems. In this dissertation, we explore botnet models based on USSes to prepare for the new security threats before they evolved. Specifically, we consider using USSes for alias flux to hide botnet command and control (C&C) channels or for indirect botnet control. In alias flux, a botmaster obfuscates the IP addresses of his C&C servers, encodes them as URLs, and then registers them to USSes with custom aliases generated by an alias generation algorithm. Later, each bot obtains the encoded IP addresses by contacting USSes using the same algorithm. For USSes that do not support custom aliases, the botmaster can use shared alias lists instead of the shared algorithm. DNS-based botnet detection schemes cannot detect an alias flux botnet, and network-level detection and blacklisting of the fluxed aliases are difficult. In the indirect botnet control method, a botmaster encodes obfuscated commands as URLs, and then registers them with aliases. Thereafter, each bot obtains commands by contacting USSes with these aliases. We analyze the explored botnet models and discuss countermeasures.