BrowserGuard: A Behavior-Based Solution to Drive-by-Download Attacks

Along with an increasing user population of various web applications, browser-based drive-by-download attacks soon become one of the most common security threats to the cyber community. A user using a vulnerable browser or browser plug-ins may become a victim of a drive-by-download attack right after visiting a vicious web site. The end result of such attacks is that an attacker can download and execute any code on the victim's host. This paper proposes a runtime, behavior-based solution, BrowserGuard, to protect a browser against drive-by-download attacks. BrowserGuard records the download scenario of every file that is loaded into a host through a browser. Then based on the download scenario, BrowserGuard blocks the execution of any file that is loaded into a host without the consent of a browser user. Due to its behavior-based detection nature, BrowserGuard does not need to analyze the source file of any web page or the run-time states of any script code, such as Javascript. BrowserGuard also does not need to maintain any exploit code samples and does not need to query the reputation value of any web site. We utilize the standard BHO mechanism of Windows to implement BrowserGuard on IE 7.0. Experimental results show that BrowserGuard has low performance overhead (less than 2.5%) and no false positives and false negatives for the web pages used in our experiments.