TY - GEN
T1 - Detecting malicious HTTP redirections using trees of user browsing activity
AU - Mekky, Hesham
AU - Torres, Ruben
AU - Zhang, Zhi-Li
AU - Saha, Sabyasachi
AU - Nucci, Antonio
N1 - Copyright:
Copyright 2014 Elsevier B.V., All rights reserved.
PY - 2014
Y1 - 2014
AB - The web has become a platform that attackers exploit to infect vulnerable hosts, or deceive victims into buying rogue software. To accomplish this, attackers either inject malicious scripts into popular web sites or manipulate content delivered by servers to exploit vulnerabilities in users' browsers. To hide malware distribution servers, attackers employ HTTP redirections, which automatically redirect users' requests through a series of intermediate web sites, before landing on the final distribution site. In this paper, we develop a methodology to identify malicious chains of HTTP redirections. We build per-user chains from passively collected traffic and extract novel statistical features from them, which capture inherent characteristics from malicious redirection cases. Then, we apply a supervised decision tree classifier to identify malicious chains. Using a large ISP dataset, with more than 15K clients, we demonstrate that our methodology is very effective in accurately identifying malicious chains, with recall and precision values over 90% and up to 98%.
UR - http://www.scopus.com/inward/record.url?scp=84904440777&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84904440777&partnerID=8YFLogxK
U2 - 10.1109/INFOCOM.2014.6848047
DO - 10.1109/INFOCOM.2014.6848047
M3 - Conference contribution
AN - SCOPUS:84904440777
SN - 9781479933600
T3 - Proceedings - IEEE INFOCOM
SP - 1159
EP - 1167
BT - IEEE INFOCOM 2014 - IEEE Conference on Computer Communications
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 33rd IEEE Conference on Computer Communications, IEEE INFOCOM 2014
Y2 - 27 April 2014 through 2 May 2014
ER -