Research on Detection Methods for Clickjacking Attacks on Smartphones (cited by: 1)

ON DETECTION APPROACH FOR CLICKJACKING ATTACKS ON SMARTPHONE
Abstract: Clickjacking achieves its goal by tricking users into clicking disguised interface elements. In the mobile internet environment, smartphone characteristics such as screen features, gesture recognition and strong HTML5 support become new points of exploitation for clickjacking. The paper analyses in depth and experimentally verifies these vulnerable characteristics of smartphones, and on that basis presents potential clickjacking attack schemes on smartphones. It then designs and implements a targeted detection scheme. The scheme extracts attack features from two perspectives, the static page and dynamic behaviour, and applies rule-based quantitative assessment and combined judgement. Experimental results show that the scheme can effectively reduce the false negatives and false positives of traditional page-feature detection schemes.
Source: Computer Applications and Software (《计算机应用与软件》), CSCD, Peking University Core Journal, 2014, No. 11, pp. 312-317 (6 pages)
Keywords: Smartphone; Clickjacking; Tapjacking; Data protection; Browsing security
