Detecting malicious HTTP redirections using trees of user browsing activity

Hesham Mekky; Ruben Torres; Zhi-Li Zhang; Sabyasachi Saha; Antonio Nucci

doi:10.1109/INFOCOM.2014.6848047

Detecting malicious HTTP redirections using trees of user browsing activity

Hesham Mekky, Ruben Torres, Zhi-Li Zhang, Sabyasachi Saha, Antonio Nucci

Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

46 Scopus citations

Abstract

The web has become a platform that attackers exploit to infect vulnerable hosts, or deceive victims into buying rogue software. To accomplish this, attackers either inject malicious scripts into popular web sites or manipulate content delivered by servers to exploit vulnerabilities in users' browsers. To hide malware distribution servers, attackers employ HTTP redirections, which automatically redirect users' requests through a series of intermediate web sites, before landing on the final distribution site. In this paper, we develop a methodology to identify malicious chains of HTTP redirections. We build per-user chains from passively collected traffic and extract novel statistical features from them, which capture inherent characteristics from malicious redirection cases. Then, we apply a supervised decision tree classifier to identify malicious chains. Using a large ISP dataset, with more than 15K clients, we demonstrate that our methodology is very effective in accurately identifying malicious chains, with recall and precision values over 90% and up to 98%.

Original language	English (US)
Title of host publication	IEEE INFOCOM 2014 - IEEE Conference on Computer Communications
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	1159-1167
Number of pages	9
ISBN (Print)	9781479933600
DOIs	https://doi.org/10.1109/INFOCOM.2014.6848047
State	Published - 2014
Event	33rd IEEE Conference on Computer Communications, IEEE INFOCOM 2014 - Toronto, ON, Canada Duration: Apr 27 2014 → May 2 2014

Publication series

Name	Proceedings - IEEE INFOCOM
ISSN (Print)	0743-166X

Other

Other	33rd IEEE Conference on Computer Communications, IEEE INFOCOM 2014
Country/Territory	Canada
City	Toronto, ON
Period	4/27/14 → 5/2/14

Access

10.1109/INFOCOM.2014.6848047

OpenUrl availability

Full text

Cite this

Mekky, H., Torres, R., Zhang, Z.-L., Saha, S., & Nucci, A. (2014). Detecting malicious HTTP redirections using trees of user browsing activity. In IEEE INFOCOM 2014 - IEEE Conference on Computer Communications (pp. 1159-1167). Article 6848047 (Proceedings - IEEE INFOCOM). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/INFOCOM.2014.6848047

Detecting malicious HTTP redirections using trees of user browsing activity. / Mekky, Hesham; Torres, Ruben; Zhang, Zhi-Li et al.
IEEE INFOCOM 2014 - IEEE Conference on Computer Communications. Institute of Electrical and Electronics Engineers Inc., 2014. p. 1159-1167 6848047 (Proceedings - IEEE INFOCOM).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Mekky, H, Torres, R, Zhang, Z-L, Saha, S & Nucci, A 2014, Detecting malicious HTTP redirections using trees of user browsing activity. in IEEE INFOCOM 2014 - IEEE Conference on Computer Communications., 6848047, Proceedings - IEEE INFOCOM, Institute of Electrical and Electronics Engineers Inc., pp. 1159-1167, 33rd IEEE Conference on Computer Communications, IEEE INFOCOM 2014, Toronto, ON, Canada, 4/27/14. https://doi.org/10.1109/INFOCOM.2014.6848047

@inproceedings{45146bc18d7144a8b78ec1d7fadc9a7a,

title = "Detecting malicious HTTP redirections using trees of user browsing activity",

abstract = "The web has become a platform that attackers exploit to infect vulnerable hosts, or deceive victims into buying rogue software. To accomplish this, attackers either inject malicious scripts into popular web sites or manipulate content delivered by servers to exploit vulnerabilities in users' browsers. To hide malware distribution servers, attackers employ HTTP redirections, which automatically redirect users' requests through a series of intermediate web sites, before landing on the final distribution site. In this paper, we develop a methodology to identify malicious chains of HTTP redirections. We build per-user chains from passively collected traffic and extract novel statistical features from them, which capture inherent characteristics from malicious redirection cases. Then, we apply a supervised decision tree classifier to identify malicious chains. Using a large ISP dataset, with more than 15K clients, we demonstrate that our methodology is very effective in accurately identifying malicious chains, with recall and precision values over 90% and up to 98%.",

author = "Hesham Mekky and Ruben Torres and Zhi-Li Zhang and Sabyasachi Saha and Antonio Nucci",

year = "2014",

doi = "10.1109/INFOCOM.2014.6848047",

language = "English (US)",

isbn = "9781479933600",

series = "Proceedings - IEEE INFOCOM",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "1159--1167",

booktitle = "IEEE INFOCOM 2014 - IEEE Conference on Computer Communications",

}

TY - GEN

T1 - Detecting malicious HTTP redirections using trees of user browsing activity

AU - Mekky, Hesham

AU - Torres, Ruben

AU - Zhang, Zhi-Li

AU - Saha, Sabyasachi

AU - Nucci, Antonio

PY - 2014

Y1 - 2014

N2 - The web has become a platform that attackers exploit to infect vulnerable hosts, or deceive victims into buying rogue software. To accomplish this, attackers either inject malicious scripts into popular web sites or manipulate content delivered by servers to exploit vulnerabilities in users' browsers. To hide malware distribution servers, attackers employ HTTP redirections, which automatically redirect users' requests through a series of intermediate web sites, before landing on the final distribution site. In this paper, we develop a methodology to identify malicious chains of HTTP redirections. We build per-user chains from passively collected traffic and extract novel statistical features from them, which capture inherent characteristics from malicious redirection cases. Then, we apply a supervised decision tree classifier to identify malicious chains. Using a large ISP dataset, with more than 15K clients, we demonstrate that our methodology is very effective in accurately identifying malicious chains, with recall and precision values over 90% and up to 98%.

AB - The web has become a platform that attackers exploit to infect vulnerable hosts, or deceive victims into buying rogue software. To accomplish this, attackers either inject malicious scripts into popular web sites or manipulate content delivered by servers to exploit vulnerabilities in users' browsers. To hide malware distribution servers, attackers employ HTTP redirections, which automatically redirect users' requests through a series of intermediate web sites, before landing on the final distribution site. In this paper, we develop a methodology to identify malicious chains of HTTP redirections. We build per-user chains from passively collected traffic and extract novel statistical features from them, which capture inherent characteristics from malicious redirection cases. Then, we apply a supervised decision tree classifier to identify malicious chains. Using a large ISP dataset, with more than 15K clients, we demonstrate that our methodology is very effective in accurately identifying malicious chains, with recall and precision values over 90% and up to 98%.

UR - http://www.scopus.com/inward/record.url?scp=84904440777&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84904440777&partnerID=8YFLogxK

U2 - 10.1109/INFOCOM.2014.6848047

DO - 10.1109/INFOCOM.2014.6848047

M3 - Conference contribution

AN - SCOPUS:84904440777

SN - 9781479933600

T3 - Proceedings - IEEE INFOCOM

SP - 1159

EP - 1167

BT - IEEE INFOCOM 2014 - IEEE Conference on Computer Communications

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 33rd IEEE Conference on Computer Communications, IEEE INFOCOM 2014

Y2 - 27 April 2014 through 2 May 2014

ER -

Detecting malicious HTTP redirections using trees of user browsing activity

Abstract

Publication series

Other

Access

OpenUrl availability

Other files and links

Fingerprint

Cite this