Identification of malicious web pages through analysis of underlying DNS and web server relationships

Seifert, Christian, Welch, Ian, Komisarczuk, Peter, Aval, Chiraag Uday and Endicott-Popovsky, Barbara (2008) Identification of malicious web pages through analysis of underlying DNS and web server relationships. In: 33rd IEEE Conference on Local Computer Networks (LCN 2008), 14-17 Oct 2008, Montreal, Canada.

Full text not available from this repository.


Malicious web pages that launch drive-by-download attacks on web browsers have increasingly become a problem in recent years. High-interaction client honeypots are security devices that can detect these malicious web pages on a network. However, high-interaction client honeypots are both resource-intensive and unable to handle the increasing array of vulnerable clients. This paper presents a novel classification method for detecting malicious web pages that involves inspecting the underlying server relationships. Because of the unique structure of malicious front-end web pages and centralized exploit servers, merely counting the number of domain name extensions and Domain Name System (DNS) servers used to resolve the host names of all web servers involved in rendering a page is sufficient to determine whether a web page is malicious or benign, independent of the vulnerable web browser targeted by these pages. Combining high-interaction client honeypots and this new classification method into a hybrid system leads to performance improvements.

Item Type: Conference or Workshop Item (Paper)
ISSN: 0742-1303
ISBN: 9781424424122
Identifier: 10.1109/LCN.2008.4664306
Page Range: pp. 935-941
Keywords: Security, Client Honeypots, Drive-by-downloads, Intrusion Detection
Subjects: Computing
Depositing User: Vani Aul
Date Deposited: 21 Mar 2014 14:43
Last Modified: 28 Aug 2021 07:17
