Identification of malicious web pages through analysis of underlying DNS and web server relationships

Seifert, C., Komisarczuk, Peter, Welch, I., Aval, C. and Endicott-Popovsky, B. (2008) Identification of malicious web pages through analysis of underlying DNS and web server relationships. In: 4th IEEE LCN Workshop on Network Security (WNS 2008), 14-17 October 2008, Montreal, Canada.

Full text not available from this repository.

Abstract

Malicious web pages that launch drive-by-download attacks on web browsers have increasingly become a problem in recent years. High-interaction client honeypots are security devices that can detect these malicious web pages on a network. However, high-interaction client honeypots are both resource-intensive and unable to handle the increasing array of vulnerable clients. This paper presents a novel classification method for detecting malicious web pages that involves inspecting the underlying server relationships. Because of the unique structure of malicious front-end web pages and centralized exploit servers, merely counting the number of domain name extensions and Domain Name System (DNS) servers used to resolve the host names of all web servers involved in rendering a page is sufficient to determine whether a web page is malicious or benign, independent of the vulnerable web browser targeted by these pages. Combining high-interaction client honeypots and this new classification method into a hybrid system leads to performance improvements.

Item Type: Conference or Workshop Item (Paper)
Subjects: Computer science, knowledge and information systems
Depositing User: Vani Aul
Date Deposited: 21 Mar 2014 14:43
Last Modified: 07 Dec 2015 09:58
URI: http://repository.uwl.ac.uk/id/eprint/799
