BINSPECT: Holistic Analysis and Detection of Malicious Web Pages

Eshete, Birhanu; Villafiorita, Adolfo; Weldemariam, Komminist

doi:10.1007/978-3-642-36883-7_10

Cited by 61 publications

(49 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Davide Canali et al [10] combined previous work extracting HTML and JavaScript features to detect drive-by download exploit. Birhanu Eshete et al [11] first detect overall malicious websites, including malware, phishing, drive-by download and injection pages. URL, Page-Source and social reputation features are extracted.…”

Section: B Static Methodsmentioning

confidence: 99%

Malicious Websites Detection and Search Engine Protection

Zhou¹,

Sun²,

Chen³

2013

JACN

View full text Add to dashboard Cite

Abstract-With the development of the Internet, the amount of information is expanding rapidly. Naturally, search engine becomes the backbone of information management. Nevertheless, the flooding of large number of malicious websites on search engine has posed tremendous threat to our users. Most of exiting systems to detect malicious websites focus on specific attack. At the same time, available browser extensions based on blacklist are powerless to countless websites. In this paper, we present a lightweight approach using static analysis techniques to quickly discriminate malicious sites comprising malware, drive-by-download and phishing sites. We extract comprehensive features to classify labeled dataset using various machine learning algorithms. Large scale evaluation of our dataset shows that the classification accuracy reaches 97.5% with low overhead. Furthermore, we achieved a chrome plugin to detect malicious search result websites based on our classification model.

show abstract

Section: B Static Methodsmentioning

confidence: 99%

Malicious Websites Detection and Search Engine Protection

Zhou¹,

Sun²,

Chen³

2013

JACN

View full text Add to dashboard Cite

show abstract

“…Different from these algorithms, we formulate the task as an optimization problem and incorporate different misclassification cost into its objective function, considering links between hosts and domains. Network anomaly detection [5,12,13,15,19,21] has attracted much attention. These algorithms adopt different data mining techniques to learn models on hosts and domains separately.…”

Section: Related Workmentioning

confidence: 99%

“…An important task is to judge whether a host/domain is malicious or benign (i.e., negative or positive labels). To learn their labels, existing approaches [5,12,13,15,16,19,21] usually train two different models on hosts and domains, separately. Among these approaches, classification algorithms [1][2][3]9,10,17] are widely used to detect if a host/domain is malicious.…”

mentioning

confidence: 99%

Detecting Malicious Behavior in Computer Networks via Cost-Sensitive and Connectivity Constrained Classification

Xiao

Gao

et al. 2017

Proceedings of the 2017 SIAM International Conference on Data Mining

View full text Add to dashboard Cite

The detection of malicious behavior, that is, judging if a host/domain is malicious or benign (i.e., negative or positive labels), is complicated by the issue of imbalanced label distributions, as well as the limited amount of ground truth available to train supervised models or build rules. To tackle these challenges, we propose a novel framework to learn cost-sensitive models on both network hosts and external domains simultaneously, based on a bipartite connectivity graph constructed between them. We also explicitly incorporate behavioral features of the hosts computed from the network data as well as lexical and reputational features computed for the external domains into the proposed framework. Specifically, we model the predicted labels, measure the misclassification errors by the Hamming distance between the predicted and true labels, incorporate different costs for different misclassification types (i.e., false negative or false positive), and constrain connected nodes to share the same labels in high probability. The proposed framework is then formulated as an optimization problem, which minimizes the total cost, that is, the misclassification costs multiplied by the misclassification errors. As the Hamming distance function is non-differentiable, we introduce a continuous loss function to approximate it with performance guaranteed. We develop an effective algorithm with good convergence property via Stochastic Gradient Descent technique. Experimental results on both synthetic and a real network dataset collected from an enterprise demonstrate the effectiveness of the proposed framework.

show abstract

“…They determined that a logistic regression classifier is optimal for malicious URL detection in terms of learning time and false-positive rate. Eshete et al [6] constructed multiple classifiers that contain features such as URL strings and web content. They also evaluated the performance of multiple classifiers.…”

Section: Machine Learning-based Approachesmentioning

confidence: 99%

Automating URL Blacklist Generation with Similarity Search Approach

Sun

Akiyama

Yagi

et al. 2016

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYModern web users may encounter a browser security threat called drive-by-download attacks when surfing on the Internet. Drive-by-download attacks make use of exploit codes to take control of user's web browser. Many web users do not take such underlying threats into account while clicking URLs. URL Blacklist is one of the practical approaches to thwarting browser-targeted attacks. However, URL Blacklist cannot cope with previously unseen malicious URLs. Therefore, to make a URL blacklist effective, it is crucial to keep the URLs updated. Given these observations, we propose a framework called automatic blacklist generator (AutoBLG) that automates the collection of new malicious URLs by starting from a given existing URL blacklist. The primary mechanism of AutoBLG is expanding the search space of web pages while reducing the amount of URLs to be analyzed by applying several pre-filters such as similarity search to accelerate the process of generating blacklists. AutoBLG consists of three primary components: URL expansion, URL filtration, and URL verification. Through extensive analysis using a high-performance web client honeypot, we demonstrate that AutoBLG can successfully discover new and previously unknown drive-by-download URLs from the vast web space. key words: drive-by-download, URL blacklist, search space, machine learning, web client honeypot

show abstract

BINSPECT: Holistic Analysis and Detection of Malicious Web Pages

Cited by 61 publications

References 17 publications

Malicious Websites Detection and Search Engine Protection

Malicious Websites Detection and Search Engine Protection

Detecting Malicious Behavior in Computer Networks via Cost-Sensitive and Connectivity Constrained Classification

Automating URL Blacklist Generation with Similarity Search Approach

Contact Info

Product

Resources

About