Automated Link Tracing for Classification of Malicious Websites in Malware Distribution Networks

Malicious code distribution on the Internet is one of the most critical Internet-based threats and distribution technology has evolved to bypass detection systems. As a new defense against the detection bypass technology of malicious attackers, this study proposes the automated tracing of malicious websites in a malware distribution network (MDN). The proposed technology extracts automated links and classifies websites into malicious and normal websites based on link structure. Even if attackers use a new distribution technology, website classification is possible as long as the connections are established through automated links. The use of a real web-browser and proxy server enables an adequate response to attackers’ perception of analysis environments and evasion technology and prevents analysis environments from being infected by malicious code. The validity and accuracy of the proposed method for classification are verified using 20,000 links, 10,000 each from normal and malicious websites.

[1]  Niels Provos,et al.  The Ghost in the Browser: Analysis of Web-based Malware , 2007, HotBots.

[2]  Elijah Blessing Rajsingh,et al.  Intelligent phishing url detection using association rule mining , 2016, Human-centric Computing and Information Sciences.

[3]  Lawrence K. Saul,et al.  Beyond blacklists: learning to detect malicious web sites from suspicious URLs , 2009, KDD.

[4]  Daehyeok Kim,et al.  ELPA: Emulation-Based Linked Page Map Analysis for the Detection of Drive-by Download Attacks , 2016, J. Inf. Process. Syst..

[5]  Gianluca Stringhini,et al.  Shady paths: leveraging surfing crowds to detect malicious web pages , 2013, CCS.

[6]  Christopher Krügel,et al.  Nazca: Detecting Malware Distribution in Large-Scale Networks , 2014, NDSS.

[7]  Kirti Mathur,et al.  A Survey on Techniques in Detection and Analyzing Malware , 2013 .

[8]  Niels Provos,et al.  All Your iFRAMEs Point to Us , 2008, USENIX Security Symposium.

[9]  Damien Deville,et al.  SpyProxy: Execution-based Detection of Malicious Web Content , 2007, USENIX Security Symposium.

[10]  Mitsuaki Akiyama,et al.  Design and Implementation of High Interaction Client Honeypot for Drive-by-Download Attacks , 2010, IEICE Trans. Commun..

[11]  Lawrence K. Saul,et al.  Identifying suspicious URLs: an application of large-scale online learning , 2009, ICML '09.

[12]  Christopher Krügel,et al.  A survey on automated dynamic malware-analysis techniques and tools , 2012, CSUR.

[13]  Katsuyoshi Iida,et al.  Lightweight Approach to Detect Drive-by Download Attacks Based on File Type Transition , 2014, CoNEXT Student Workshop '14.

[14]  Byung-Ik Kim,et al.  Suspicious Malicious Web Site Detection with Strength Analysis of a JavaScript Obfuscation , 2010 .

[15]  Guofei Gu,et al.  WebPatrol: automated collection and replay of web-based malware scenarios , 2011, ASIACCS '11.

[16]  Christopher Krügel,et al.  Detection and analysis of drive-by-download attacks and malicious JavaScript code , 2010, WWW '10.

[17]  Gang Wang,et al.  Detecting malicious landing pages in Malware Distribution Networks , 2013, 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).