Rewinding the Web’s Clock -- Enabling a Fine-Grained Reconstruction of Web-Driven Security Incidents

Friday, March 9, 2018 - 11:00am EST

Speaker: Roberto Perdisci, University of Georgia


Many modern network security incidents originate from the Web. For instance, it is not uncommon for users to stumble upon a website that hosts malicious advertisements, which in turn may redirect to phishing sites or promote the installation of malicious software via social engineering attacks. In corporate networks, such attacks can have devastating consequences. For example, an initial web-driven malware infection may be used as a stepping stone for larger-scale network intrusions and costly data breaches.

When such high-profile incidents are discovered, often weeks or even months after the initial attack took place, a digital forensics team is typically called in to reconstruct the root causes of the incident, so that better network defenses and security policies can be developed. However, a forensic analyst may not be able to reconstruct the entire chain of events up to the initial web attack that is the true root cause of the network breach. This is because modern browsers lack the ability to produce detailed audit logs, and the information contained in the existing navigation history and browser cache is typically too sparse or short-lived to allow for a detailed reconstruction of complex web attacks.

In this talk, I will present two novel in-browser audit logging systems, called ChromePic and JSgraph, that aim to fill this gap. Both ChromePic and JSgraph are designed to continuously record detailed events internal to the browser, to enable the reconstruction of a variety of web-based attacks, including social engineering attacks and web-driven malware downloads. I will also show that such detailed audit logs can be continuously and transparently recorded without significantly impacting the browser’s performance and usability, and provide evidence that the obtained audit logs can be preserved for long periods of time, thus allowing for a detailed post-mortem analysis of web-driven security incidents that occurred far back in the past.


Roberto Perdisci is an Associate Professor in the Department of Computer Science at the University of Georgia, and an Adjunct Associate Professor in the Georgia Tech School of Computer Science. He is also a founding faculty member of the UGA Institute of Cybersecurity and Privacy, and a member of the Georgia Tech Institute of Information Security and Privacy. His research interests include network and web security, malware defense, and telephony security.

Prof. Perdisci is the recipient of a 2012 NSF CAREER Award, and of the 2015 UGA Fred C. Davison Early Career Scholar Award. He has published over fifty peer-reviewed papers, many of which have appeared in the most selective computer security and systems conferences and journals. His research is sponsored by several grants, including multiple grants from the National Science Foundation, the US Department of Homeland Security (DHS), DARPA, and an industry grant from Intel. His recent research on malware download defenses has been selected by DHS for the Technology Transition to Practice (TTP) program, and has been promoted at prestigious industry venues, including the RSA Conference.