Post on 03-Aug-2020


A Multi-Layered Approach to Detecting Malicious Mobile Advertising

Federation University and La Trobe University


What we will cover today

• Problem statement

• How to block malicious advertising (malvertising) but retain legitimate ads?

• The team

• Federation University and La Trobe University

• The approach

• Description of demonstrators and future work

• Commercial opportunities


About us

• Project leads

• Prof Iqbal Gondal (Fed Uni) and Prof Paul Watters (La Trobe)

• Key staff

• Paul Black (Fed Uni) and Daniel Hussey (La Trobe)

• Fed Uni – data mining

• La Trobe – system architecture and implementation


Defining the problem

• The vast majority of internet services rely on paid advertising

• Advertising is also a vector for delivering malware

• Including ransomware, cryptojacking, redirection

• Current solutions like Adblock stop all ads, undermining the commercial model of the internet

• We need a system that can detect and block ads that deliver known malware as well as ‘0 day’ attacks


The solution

• Real-time detection of malicious ads

• Browser plug-in identifies all ads in a page, passes them to cloud-based sandbox for malicious behaviour identification (slow)

• If malware detected, then database updated with webpage features and webpage metadata, block ad

• As database grows and classifier trained, less reliance on running new samples in the sandbox

• Classifier can make decisions based on features alone (fast)

• Support for mobile and desktop devices
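
The layered flow on this slide, sketched as an added example (not the project's code): a naive Bayes score over ad features gives the fast verdict when it is confident, and otherwise the ad goes to the sandbox, whose verdict is stored as a new labelled sample. The feature names, thresholds, `LayeredAdFilter` and the `fake_sandbox` stub are assumptions; the slides do not specify them.

```python
import math
from collections import Counter

class LayeredAdFilter:
    def __init__(self, sandbox, min_samples=4, margin=1.0):
        self.sandbox = sandbox          # callable(features) -> True if malicious
        self.min_samples = min_samples  # labelled samples needed before the fast path is used
        self.margin = margin            # |log-odds| needed for a classifier-only verdict
        self.counts = {True: Counter(), False: Counter()}
        self.totals = {True: 0, False: 0}
        self.sandbox_runs = 0

    def _record(self, features, malicious):
        # Database update: keep the sandbox-labelled features for training.
        self.totals[malicious] += 1
        self.counts[malicious].update(features)

    def _log_odds(self, features):
        # Naive Bayes over the features present, with Laplace smoothing.
        bad, good = self.totals[True], self.totals[False]
        score = math.log((bad + 1) / (good + 1))
        for f in features:
            p_bad = (self.counts[True][f] + 1) / (bad + 2)
            p_good = (self.counts[False][f] + 1) / (good + 2)
            score += math.log(p_bad / p_good)
        return score

    def check(self, features):
        # Returns (verdict, path); verdict is 'block' or 'allow'.
        features = frozenset(features)
        if sum(self.totals.values()) >= self.min_samples:
            score = self._log_odds(features)
            if abs(score) >= self.margin:   # confident: decide on features alone (fast)
                return ("block" if score > 0 else "allow"), "classifier"
        self.sandbox_runs += 1              # uncertain or untrained: sandbox run (slow)
        malicious = self.sandbox(features)
        self._record(features, malicious)
        return ("block" if malicious else "allow"), "sandbox"

def fake_sandbox(features):
    # Constructed stand-in for the cloud sandbox; flags two assumed behaviours.
    return bool(features & {"hidden_iframe", "drive_by_download"})
# Constructed seed ads, each described by assumed feature names.
SEED = [{"hidden_iframe", "popup"}, {"in_text"},
        {"drive_by_download", "hidden_iframe"}, {"in_text", "popup"}]

if __name__ == "__main__":
    flt = LayeredAdFilter(fake_sandbox)
    for ad in SEED + [{"hidden_iframe"}, {"in_text"}, {"popup"}]:
        print(sorted(ad), flt.check(ad), "sandbox runs:", flt.sandbox_runs)
```
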


Example


The competitive advantage

• GeoEdge finds malvertising cost ad networks US$1.13b in 2019 with growth rates of 30% pa

• Our product can detect and block known and novel malvertising – pop-up ads, in-text ads, drive-by-downloads, hidden iframes etc.

• Backed by proprietary data mining algorithms and a validated system architecture

• IP protection through Fed Uni and La Trobe Uni


Application of use

• Target market is all end-users who own a phone or PC or enterprises who want to protect the corporate network

• Sold through download/subscription

• Legitimate ad networks feel the pain – redirects stop real users viewing their ads

• Advertisers lose legitimate views as well


Scalability

• Initial database seeded with 100,000 pages with known-bad advertising (based on previous research)

• Cloud-based architecture is highly scalable but algorithm-dependent

• Novel samples take significant time to process

• Need to build a web-based crawler to identify and train the classifier to reduce wait times for plug-in analysis for new samples

• Crawler should operate continuously gathering valuable intelligence on current threats


Our value proposition

• Rapid, real-time detection and blocking of threats delivered through ads

• Performance, scalability and accuracy improved through the use of intelligence gathering on current threats

• Low-cost, competitive solution available to a very broad marketplace