The UMBC Cyber Defense Lab presents
How colorful is your exploit kit?
Professor Charles Nicholas
Computer Science, CSEE Department, UMBC
11:15am-12:30pm Friday 6 November 2015, ITE 325b
Exploit kits have emerged as a significant form of malware in recent years. When a user visits an infected web site, code is executed that inspects the user’s computer for vulnerabilities, and then downloads malicious payloads based on that information. When a user visits an infected site, the so-called “landing page” can then begin its reconnaissance work. These landing pages, and in particular the embedded code, usually Javascript or a Java applet, can be captured and analyzed. Our hypothesis is that exploit kits can be characterized by their landing pages.
We have completed our effort to build a data set of malware domains and the landing pages they send. At this point we have almost seven gigabytes of pcap data, collected from about 4500 web sites, to analyze. The analysis began with informal inspection of pcap files. We parsed the pcap data into n-grams, and applied established numerical analysis techniques to produce some graphs. These graphs were the heart of our presentation at the July, 2014 Malware Technical Exchange Meeting.
Since then, we have succeeded in running the pcap data through the Suricata program, which separates the pcap data into individual HTML files. Some of these contain Javascript code, which we have parsed out into separate objects. These Javascript specimens were then subjected to the same visual cluster analysis that was used with the original pcap data.
Charles Nicholas is a Professor in the Department of Computer Science and Electrical Engineering at UMBC, where he has been on the faculty since 1988. He earned the B.S. degree from the University of Michigan – Flint in 1979, and the M.S. and Ph.D. degrees from The Ohio State University in 1982 and 1988, respectively. He has written more than one hundred scholarly papers, and has advised seven Ph.D. students and more than eighty M.S. students. He served as Chair of the CSEE Department from 2004 to 2010. In addition to his appointment at UMBC, Dr. Nicholas has held appointments at the National Institute of Standards and Technology, and the NASA Goddard Space Flight Center. He spent academic years 1996-97 and 2011-2012 on sabbatical at the National Security Agency. Dr. Nicholas’ research interests include document engineering, information retrieval, and malware analysis. His work has been funded by a number of agencies, including NASA, Maryland Industrial Partnerships, DARPA, AFOSR, and the Department of Defense. He has served five times as the General Chair of the ACM Conference on Information and Knowledge Management (CIKM), and serves on the SIGWEB Executive Committee. Dr. Nicholas is a member of the Board of Directors of UMBC Training Centers, and the Advisory Board of the UMBC Research Park.