Web site defacement, the process of introducing unauthorized
modifications to a web site, is a very common form of attack. In this
paper we describe and evaluate experimentally a framework that may
constitute the basis for a defacement detection service capable of
monitoring thousands of remote web sites systematically and
In our framework an organization may join the service by simply
providing the URLs of the resources to be monitored along with the
contact point of an administrator. The monitored organization may thus
take advantage of the service with just a few mouse clicks, without
installing any software locally nor changing its own daily operational
processes. Our approach is based on anomaly detection and allows
monitoring the integrity of many remote web resources automatically
while remaining fully decoupled from them, in particular, without
requiring any prior knowledge about those resources.
We evaluated our approach over a selection of dynamic resources and a set of publicly available defacements. The results are very satisfactory: all attacks are detected while keeping false positives to a minimum. We also assessed performance and scalability of our proposal and we found that it may indeed constitute the basis for actually deploying the proposed service on a large-scale.