With JavaScript and images at their disposal, web authors can create content that is immediately understandable to a person, but is beyond the direct analysis capability of computer programs, including security tools. Conversely, information can be deceiving for humans even if unable to fool a program. In this paper, we explore the discrepancies between user perception and program perception, using content obfuscation and counterfeit “seal” images as two simple but representative case studies. In a dataset of 149,700 pages we found that benign pages rarely engage in these practices, while uncovering hundreds of malicious pages that would be missed by traditional malware detectors. We envision that this type of heuristics could be a valuable addition to existing detection systems. To show this, we have implemented a proof-of-concept detector that, based solely on a similarity score computed on our metrics, can already achieve a high precision (95%) and a good recall (73%).
@inproceedings{Corbetta2015Eyes_of, title = {{Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection}}, author = {Corbetta, Jacopo and Invernizzi, Luca and Kruegel, Christopher and Vigna, Giovanni}, booktitle = {Proceedings of the 17th Symposium on Research in Attacks, Intrusions and Defenses}, series = {Lecture Notes in Computer Science}, month = {September}, year = {2014}, copyright = {©2014 Springer International Publishing Switzerland}, doi = {10.1007/978-3-319-11379-1_7}, isbn = {978-3-319-11378-4 978-3-319-11379-1}, language = {en}, pages = {130--149}, publisher = {Springer International Publishing}, url = {https://doi.org/10.1007/978-3-319-11379-1_7} }