Detecting malicious HTTP redirections using trees of user browsing activity

Hesham Mekky, Ruben Torres, Zhi-Li Zhang, Sabyasachi Saha, Antonio Nucci

Research output: Chapter in Book/Report/Conference proceedingConference contribution

47 Scopus citations

Abstract

The web has become a platform that attackers exploit to infect vulnerable hosts, or deceive victims into buying rogue software. To accomplish this, attackers either inject malicious scripts into popular web sites or manipulate content delivered by servers to exploit vulnerabilities in users' browsers. To hide malware distribution servers, attackers employ HTTP redirections, which automatically redirect users' requests through a series of intermediate web sites, before landing on the final distribution site. In this paper, we develop a methodology to identify malicious chains of HTTP redirections. We build per-user chains from passively collected traffic and extract novel statistical features from them, which capture inherent characteristics from malicious redirection cases. Then, we apply a supervised decision tree classifier to identify malicious chains. Using a large ISP dataset, with more than 15K clients, we demonstrate that our methodology is very effective in accurately identifying malicious chains, with recall and precision values over 90% and up to 98%.

Original languageEnglish (US)
Title of host publicationIEEE INFOCOM 2014 - IEEE Conference on Computer Communications
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages1159-1167
Number of pages9
ISBN (Print)9781479933600
DOIs
StatePublished - 2014
Event33rd IEEE Conference on Computer Communications, IEEE INFOCOM 2014 - Toronto, ON, Canada
Duration: Apr 27 2014May 2 2014

Publication series

NameProceedings - IEEE INFOCOM
ISSN (Print)0743-166X

Other

Other33rd IEEE Conference on Computer Communications, IEEE INFOCOM 2014
Country/TerritoryCanada
CityToronto, ON
Period4/27/145/2/14

Fingerprint

Dive into the research topics of 'Detecting malicious HTTP redirections using trees of user browsing activity'. Together they form a unique fingerprint.

Cite this