See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/337791784

A Contribution to Detect and Prevent a Website Defacement

Conference Paper · October 2019

DOI: 10.1109/CW.2019.00062

CITATIONS READS
6 149

2 authors, including:

Damnam Bagolibe
ARCEP
1 PUBLICATION 6 CITATIONS

SEE PROFILE

All content following this page was uploaded by Damnam Bagolibe on 27 December 2022.

The user has requested enhancement of the downloaded file.

 2019 International Conference on Cyberworlds (CW)
A contribution to detect and prevent a website
defacement
Barerem-Melgueba Mao
Centre Informatique et de Calcul
Université de Lomé
Lome, Togo
bmao@univ-lome.tg
Abstract—One of the most common hackers attacks on
organizations public communication infrastructure is website
defacement. This attack consists of modifying the appearance of
a website by affixing a signature or a particular message or
making the website inactive. The goals of web defacement are
diverse and range from simply recognizing the technical
prowess of the hacker to claims messages posted on the victim's
website by minority groups, referred to as hacktivism. The main
consequence of this attack is the loss of credibility of the hacked
organization. This can, in some cases, lead to indirect economic
losses because of the distorted web content conveyed by the
hacked organization. Since websites carry a very large amount
of information, it is very important to protect them from this
form of attack. In most cases, the defense against web
defacement relies on monitoring websites and restoring the
system after the incident occurred. The time between the
execution of the attack and the system's restoration time is
highly dependent on the performance of the website's
monitoring tool and the response capacity of the technical
teams. Most of website defacement defense tools available on the
market are generally based on the verification of the integrity of
the data and the notification of the administrators when
signatures change. This technique is more or less effective for
static websites subjected to weak modification cycles. For
dynamic websites, interfaced with databases or syndicated,
where the changes are relatively short and random, it becomes
almost impossible to use techniques based solely on signature
verification and data integrity to know if a website was attacked.
This work proposes a model that combines several techniques
(data integrity analysis, changes of the value of an artifice and
the adoption of high availability architecture) to be used to
develop a tool against this type of attacks.
Keywords—hacking, website defacement, detection,
prevention, integrity
I. INTRODUCTION
Digital technologies hold countless resources and are now
a powerful growth driver. They promote the evolution of
human society, induce profound and continuous changes in
the political, economical and social environments. To be
convinced of this, one can mention the amount of information
available on the Internet through various websites. A website
consists of several web pages that are interconnected. A web
978-1-7281-2297-7/19/$31.00 ©2019 IEEE
DOI 10.1109/CW.2019.00062
Kanlanfei Damnam Bagolibe
Autorité de Réglementation des
secteurs de Postes et de
Télécommunications
Lome, Togo
bagolibe@artp.tg
browser is used to display a web page. A web server is a
computer hosting a website [1, 2]. Websites disseminate a vast
amount of information that can be accessible on a global scale
by using a web browser.
In this socio-political context, which presages the strong
dependence on information systems, it is essential to be aware
of the seriousness of the new forms of threats inherent to
cyberspace. These are manifested by attacks on the
availability, integrity, confidentiality and traceability of
information systems. They are more and more elaborated
despite the modern methods implemented to reduce their
impacts. Among these cyber threats, one can mention viruses,
Torjan horses, ransomwares, distributed denial attacks,
websites defacement. The latest attack seems to be the most
popular [3,4,5] because it denotes the willingness of malicious
individuals to compromise the image of an organization by
altering the integrity of its website. The motivations of such
an attack are various, they can be the expression of the
notoriety of a hacker [6] or simply a tool of political or
religious claim (hacktivism) [1].
Website defacement is an attack that consists of modifying
the appearance of a website by affixing a signature or a
particular message or making the website inactive. It is the
result of the combination and coordination of attacks of
different types. The variety of vectors makes it difficult to
design a defensive approach that is adapted to all situations.
Several research works have led to design some tools to
reduce the impacts of the website defacement. However,
public web-based archives and surveys from computer
security institutes show that website defacement is still present
in the panorama of cyberattacks [3, 5].
Several cases of website defacement have been reported in
countries in West Africa, particularly in Togo [7].
This work presents an approach to tackle website
defacement. This approach is based on the adoption of a
highly available architecture and the integration of a control
artifice to detect in real time any unwanted modification of a
website.
344
 II. BACKGROUND
After a website defacement attack, the new appearance of
the website can be uniformly black, white or contain
messages, images, logos and videos that are not related to the
initial message of the website, or a short mention like "owned"
or "hacked". Defacement is the visible sign that a website has
been hacked and that the hacker has obtained the rights,
allowing him to modify its contents.
Website defacement can have several consequences. It can
affect the reputation and the credibility of the organization
whose website has been attacked. It can lead to the loss of
integrity and business, loss of the revenue.
The statistics [7] on website defacement show an increase
in defacements. The figure (Fig. 1) below shows the evolution
of attacks from 2010 to 2018 in the world.
Figure 1. Defaced websites in the world from the year from 2011 to 2019
In Togo, the websites that are more concerned by
defacement are those from government and multinational
corporations.
As any cyberattack, website defacement occurs in five
steps, including recognition, intrusion, discovery, capture and
exfiltration.
Recognition allows the hacker to gather as much
information as possible about the target organization, while
the the intrusion is the active phase of the attack where the
attacker uses different methods to force access to the system
(for example: rootkit, malware, bruteforce). Once access to the
system is achieved, the attacker is discreet to avoid being
detected. He then maps the company's defenses from inside
and creates a battle plan to retrieve the targeted information.
Depending on the profile of the compromised users, it will be
more or less fast to reach the target data server. This step can
be repeated several times if the information collected does not
allow to take control of the targeted servers. Once the privilege
escalation is done, the hacker then has the ideal profile to
proceed to the modification of the data on the website.
According to the case, the hacker can replace the index page
with an initially prepared page, or he can add or delete files as
appropriate, or he can inject or modify the record in the
database. During the last step, some hackers carefully erase
their tracks. This allows them to not raise suspicions about
exploited vulnerabilities or that investigators can not trace
back to the source of the attack.
Despite the fact that website defacements become more
prominent, its detection and prevention has not attracted much
attention from the scientific community [3].
345
To fight the website defacement, several approaches have
been developed. Most approaches focus on website
monitoring and notification to administrators in case of
defacement. Some other approaches offer self-defense
mechanisms in the event of an attack.
Eric Medvet et al. [8] presented, in 2007, an approach to
detect automatically a website defacement. In this approach,
Genetic Programming is used. Genetic Programming is a
computation paradigm, that is established and allows to
generate algorithms automatically using artificial evolution
[9]. An algorithm that is based on a sequence of readings of
the remote page to be monitored and on a sample set of attacks
is built by using Genetic Programming. After this process, a
remote web page is monitored at regular intervals of time and
the algorithm is applied ; when a suspicious modification is
found, an alert is raised. The authors developed a prototype
and tested it using a dataset of 15 dynamic web pages, during
one month. The results showed that Genetic Programming
may be an effective approach for detecting web site
defacements
In 2010, Alberto Bartoli et al. [10] proposed a framework
for large-scale detection of web site defacements based on
anomaly detection technique. A tool (called Goldrake) for
defacement detection was designed and evaluated
experimentally. With this tool, websites of several
organizations could be monitored by a single organization. Its
main feature is that it does not require any involvement from
the monitored site. A profile of the monitored website is built
during a preliminary learning phase. During the monitoring
phase, the tool will periodically recover the remote resource;
an alert will be generated in case a suspicious behavior is
detected.
Tushar Kanti et al. [6], in 2011, proposed a mechanism to
detect web defacement that is based on a checksum. A web
browser used to investigate the defacement of a website was
developed; and a recovery mechanism based on the same
checksum was also proposed.
In 2013, Rajiv Kumar Gurjwar et al. [11] developed a
system that explores and detects web site defacement
automatically. During the first step of the process, the contents
of the web site are processed and stored in the web domain
dictionary; during the second phase, the integrity of the web
contents are checked using some techniques such as SSIM,
CRC32, MD5, SHA 512 and PSNR.
Kevin Borgolte et al. [3] presented a monitoring system
called MEERKAT used to detect defacement of a website. It
is used for detecting automatically a defaced website. The
system learns the appearance or the representation of defaced
and legitimate websites. Based on this experience (learned
features), a model that differentiates legitimates and defaced
websites is generated. This model is used to detect. The
proposed model offers the possibility to notify the
administrator of the website once an attack is detected when a
defacement is detected.
Mfundo Masango et al. proposed in 2017 [1] and in 2018
[12] a web defacement and intrusion monitoring tool to
quickly identify the web pages that are deleted or altered. The
tool offers two main possibilities: defacement intrusion and
intrusion detection. After a website has been defaced, the
proposed solution can be used to regenerate the original
content of this website.
 III. PROPOSED APPROACH
Contrary to some previous studies, the proposed approach
focuses not only on detection, but also on prevention and self-
protection mechanisms to minimize the impact of website
defacement. The proposed model is proactive and responsive.
The model includes an offline integrity check engine, a control
variable scheme, an imposed backup directory, and a
notification system.
For web hosting providers and for some organizations
which have their own web application hosting platform, the
approach proposes a prediction and self-protection
mechanism based on a highly available architecture.
A. Offline Integrity Check Engine
Its function is to check the data integrity of the website. It
is a client/server application.
The client component is a sensor (python script) deployed
on the monitored web server. At each execution of the script,
a json file containing the "hashes" of all website files is
generated. This file is then uploaded to the offline server.
The server component is files comparing script that
compares json file received from clients with their reference
values stored on the offline server.
B. Integration of a Control Variable
This variable is an artifice introduced to serve as control
variable when there is a change (updates) on monitored
websites. Inspired by the serial setting of the DNS systems ,
this variable is incremented by the administrators of the
website at every legitimate modification. The changing of the
variable automatically triggers the client script on the web
server to reevaluate the website files hashes. The new hashes
file generated is sent on the offline server to replace the
previous reference hashes file.
The values of the variable follow a well-defined
progression step. A good management of the control variable
reduces the number of false positives. The control variable is
stored in a database on the offline server.
The communication between the client and the offline
server is done through a secure shell encrypted channel (ssh).
The figure below (Fig. 2) shows the scenario for updating
the condensate reference file.
Figure 2. Process for updating the condensate reference file
346
C. Basic Defense Mechanism
The basic defense mechanism allows the system to self-
regenerate once the attack is detected. When comparing a new
condensate file with its reference value, non-compatible
entries are saved in a file. The entries in this file correspond to
either added files or illegally modified files. Depending on the
case, these files are purely and simply deleted (in case of
addition of an illegitimate new file) or they are deleted and
restored thanks to the data backuped on the client (illegally
modified file).
The self-defense mechanism is triggered when the client
probe detects changes not reported by an administrator (value
of the control variable not changed).
The update of the backup directory is performed under the
same conditions as that of the condensate file: it is triggered
by a legitimate modification of the control variable. The figure
below (Fig. 3) describes the basic defense mechanism.
Figure 3. Basic Defense Mechanism
IV. CONCLUSION AND FUTURE WORK
Website defacement is an attack that consists of modifying
the appearance of a website by affixing a signature or a
particular message or making the website inactive. It happens
when the content of the website is altered or a web page has
been visually altered. It is still one of the most common attacks
in cyber space. it is highly appreciated by hackers because it
is such that it affects the credibility and ability of organizations
to ensure their own security. Depending on the type of the
organization whose website has been defaced, the impacts of
website defacement can be disastrous: loss of the credibility,
loss of the reputation and loss of the revenue. These attacks
have become a weapon for activists as part of political or
ideological demands propaganda tool.
Several approaches have been proposed to foil website
defacement; they are limited to supervision and actions to
limits the impacts of the attack.
In this work, we have proposed an approach to tackle
website defacement. The proposed approach focuses not only
on detection, but also on prevention and self-protection
mechanisms to minimize the impact of website defacement.
Future work will concern the implementation of the model
and its validation through several experiments and tests. An
advanced defense mechanism will be designed and its
reliability will be evaluated.
 REFERENCES
[1] M. Masango, F. Mouton, P. Antony and B. Mangoale, “Web
Defacement and Intrusion Monitoring Tool: WDIMT,” Proc.
International Conference on Cyberworlds (CW), IEEE, Sept. 2017, pp.
72-79, doi: 10.1109/CW.2017.55.
[2] Lady Ninja86. (2016, Dec.) What is the difference between webpage,
website, web server, and search engine? Mozilla Developer Network.
[Online].
Available:https://developer.mozilla.org/enUS/docs/Learn/Commonqu
estions/Pages-sites-servers-and-search-engines
[3] K. Borgolte, C. Kruegel, and G. Vigna, “Meerkat: Detecting Website
Defacements through Image-based Object Recognition,” Proc. of the
24th USENIX Security Symposium, Aug. 2015, pp 595-610.
[4] J. Lyon. (2014) What are the 5 most common attacks on websites?
Quora. [Online]. Available: https://www.quora.com/What-are-the-5-
most-common-attacks-on-websites
[5] G. Davanzo, E. Medvet, and A. Bartoli, “Anomaly Detection
Techniques for a Web Defacement Monitoring Service,” Expert
Systems with Applications, vol. 38, issue 10, Sept. 2011, pp. 12521-
12530, doi: doi.org/10.1016/j.eswa.2011.04.038.
[6] T Kanti, V Richariya, and V Richariya, “Implementing a Web Browser
with Web Defacement Detection Techniques,” World of Computer
347
View publication stats
Science and Information Technology Journal (WCSIT), vol. 1, no. 7,
2011, pp. 307-310.
[7] http://www.zone-h.org/stats
[8] E. Medvet, C. Fillon, and A. Bartoli, “Detection of Web Defacements
by means of Genetic Programming,” Proc. Third International
Symposium on Information Assurance and Security, IEEE, Aug. 2007,
pp. 227-234, doi: 10.1109/IAS.2007.13.
[9] J. R. Koza, Genetic Programming: On the Programming of Computers
by Means of Natural Selection (Complex Adaptive Systems), MIT
Press, 1992.
[10] A. Bartoli, G. Davanzo, and E. Medvet, "A Framework for Large-Scale
Detection of Web Site Defacements," ACM Transactions on Internet
Technology (TOIT), vol. 10, no. 3, 2010, p. 10, doi:
10.1145/1852096.1852098.
[11] R. K. Gurjwar, D. R. Sahu, and D. S. Tomar, “An Approach to Reveal
Website Defacement,” International Journal of Computer Science and
Information Security, vol. 11, no. 6, Jun. 2013, pp. 73-79.
[12] M. Masango, F. Mouton, P. Antony, and B. Mangoale, An Approach
for Detecting Web Defacement with Self-Healing Capabilities, In:
Gavrilova M., Tan C., Sourin A. (eds) Transactions on Computational
Science XXXII. Lecture Notes in Computer Science, vol 10830.
Springer, Berlin, Heidelberg, 2018.