Abstract
Web-based malicious campaigns target internet users across multiple domains to launch various forms of attacks. Existing research on detecting such campaigns applies supervised or unsupervised learning techniques to targeted campaign data, producing machine learning models that are often expensive to train and slow to react to the ephemeral nature of malicious campaigns. In this paper, we present an automated web-based malicious campaign detection system that produces campaign signatures representing both their static and dynamic behavior. We generated 379 campaign signatures that matched 36,427 unique malicious URLs with an extremely low false-positive rate (0.008%). We further applied our signatures to real-world user traffic and identified 471 URLs, which were verified through VirusTotal and manual inspection. Our results provide valuable insight into web-based malicious campaign detection, and our system could be used to improve existing defenses and the related field of threat intelligence.
Acknowledgement
We thank the anonymous reviewers for their helpful feedback. This work was supported by the National Science Foundation (NSF) under grants CNS-2138138 and CNS-2047260. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF.
© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG
Sarker, S., Melicher, W., Starov, O., Das, A., Kapravelos, A. (2025). Automated Generation of Behavioral Signatures for Malicious Web Campaigns. In: Mouha, N., Nikiforakis, N. (eds) Information Security. ISC 2024. Lecture Notes in Computer Science, vol 15258. Springer, Cham. https://doi.org/10.1007/978-3-031-75764-8_12
DOI: https://doi.org/10.1007/978-3-031-75764-8_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-75763-1
Online ISBN: 978-3-031-75764-8