Internet Monitoring Platform
Overview
The Knownsec WebMon Malicious Websites Monitoring Platform (also known as the WebMon System) went online in June 2008. Built on secure-cloud technology, the system consists of a server farm running many honey clients that actively visit millions of web pages via Internet Explorer every day. When a compromised website exhibits abnormal or sensitive behaviors, such as attempting to run executable programs or downloading executable files, it is marked as malicious and added to the Knownsec Internet Website Reputation Database, which is updated dynamically each day.
Background
The Internet applications widely used in the Web 2.0 era benefit Internet users but also open the door to abuse. Driven by large profits, the malware-related underground economy, which distributes malware through compromised websites, is becoming more and more severe. According to statistics and reports from Google, 6% of websites worldwide have been compromised and planted with malicious links or code, and 52% of the websites compromised to distribute malware are from China. Internet users, whether home, business or government users, cannot distinguish malicious links or websites that serve web-based malware. While browsing the Internet, these users are infected with Trojan horses or viruses from compromised websites, which leads to the loss of their accounts, including email, online banking, securities and instant messaging accounts, and causes direct or indirect economic losses.
After years of research and technology accumulation, Knownsec developed and operates an online monitoring platform for web-based malware on the Chinese Internet. The platform identifies whether websites are malicious and maintains a constantly updated list of compromised websites that distribute malware. The list helps Internet users avoid websites whose behavior is malicious and keeps them away from compromised websites and web-based malware.

Cloud-security based technology
The Knownsec WebMon platform (hereinafter referred to as WebMon) is a distributed computing system with hundreds of embedded honey clients. The platform determines whether websites in China are malicious using centralized, high-load computing.
Active monitoring
WebMon actively visits millions of Chinese websites via Internet Explorer every day, which gives it advantages, including flexibility and wider coverage, over the feedback mechanism widely used by most anti-virus vendors.
Covering all Chinese Websites
WebMon visits more than 4,000,000 Chinese websites daily, covering all industries in China and a wide variety of domain name suffixes.
Comprehensive coverage of software in honey client
The honey client simulates a variety of commonly used system and software combinations. More than 30 software products and 70 version combinations are involved, including Internet Explorer, Flash, Windows Media Player, Real Player, Thunder, Baidu Toolbar, Google Toolbar, AliIM and QQ. Attacks against commonly used software do not escape WebMon's monitoring.
99.9% accuracy rate from behavior-based technology
The core technology in WebMon is behavior-based malware identification, which records the malicious behaviors of web pages during browsing and adds a website to the blacklist when it exhibits sensitive behaviors or operations, such as attempting to run executable programs or downloading executable files. The recognition rate for malicious websites with Knownsec's behavior-based technology is more than 99.9%, while other widely used methods based on traditional signature-based technology have a low recognition rate of about 40%.
Unknown web-based malware identification
Thanks to its behavior-based technology, WebMon is able to identify unknown web-based malware precisely. The system does not depend on knowing which websites are malicious, which vulnerabilities are exploited, or which kinds of Trojan horse are involved.
Real-time updates
WebMon maintains a dynamic backend database of malicious websites, which is updated in each 2-day detection cycle covering all Chinese websites. A website's latest security status is changed once the malicious links or code on the compromised website have been removed, but the website keeps a bad reputation in the history database.