Everyone is invited to join the CS department for this colloquium: Investigating, Categorizing, and Mitigating Malware Download Paths

== Abstract:
Most modern malware download attacks occur via the browser, typically due to social engineering or drive-by downloads. In this talk, we will explore how real network users reach attack pages on the web, with the objective of improving network defenses. Specifically, I will present a study of the web paths followed by users who eventually fall victim to different types of malware downloads.

I will first present a brief overview of different approaches we have developed to study malware downloads. Then, I will present a recent incident investigation system named WebWitness, which targets the following two main goals: 1) automatically trace back and label the sequence of events (e.g., visited web pages) preceding malware downloads, to highlight how users reach attack web pages; and 2) leverage these automatically labeled in-the-wild malware download paths to better understand current attack trends, and to develop more effective defenses.

To evaluate its efficacy, we have deployed WebWitness on a large academic network for a period of ten months, where we collected and categorized thousands of live malicious download paths. An analysis of this labeled data allowed us to design a new defense against drive-by downloads that rely on injecting malicious content into (hacked) legitimate web pages. For example, we show that by leveraging the incident investigation information output by WebWitness we can decrease the infection rate for this type of drive-by downloads by almost six times, on average, compared to existing URL blacklisting approaches.

== Bio:
Roberto Perdisci is an Associate Professor in the Computer Science department at the University of Georgia and an Adjunct Associate Professor in the Georgia Tech School of Computer Science. Before joining UGA, he earned a PhD degree at the University of Cagliari, Italy, and then joined Georgia Tech first as Research Scholar and then as Post-Doctoral Fellow in the College of Computing.

His research interests are in Computer and Network Security, with an emphasis on network-centric malware defenses, web security, forensic analysis, and telephony security. He has published over 40 papers, several of which in flagship security and networking conferences, including IEEE Security and Privacy, Usenix Security Symposium, ACM CCS, Usenix NSDI, and ACM SIGCOMM. In 2012, he received a US National Science Foundation CAREER award on a project titled Automatic Learning of Adaptive Network-Centric Malware Detection Models.

Hosted by Rezaul C.