Identification of malicious web pages through analysis of underlying DNS and web server relationships

5 Author(s)
Seifert, C. ; Victoria Univ. of Wellington, Wellington ; Welch, I. ; Komisarczuk, P. ; Aval, C.U.

Malicious Web pages that launch drive-by-download attacks on Web browsers have increasingly become a problem in recent years. High-interaction client honeypots are security devices that can detect these malicious Web pages on a network. However, high-interaction client honeypots are both resource-intensive and unable to handle the increasing array of vulnerable clients. This paper presents a novel classification method for detecting malicious Web pages that involves inspecting the underlying server relationships. Because of the unique structure of malicious front-end Web pages and centralized exploit servers, merely counting the number of domain name extensions and Domain Name System (DNS) servers used to resolve the host names of all Web servers involved in rendering a page is sufficient to determine whether a Web page is malicious or benign, independent of the vulnerable Web browser targeted by these pages. Combining high-interaction client honeypots and this new classification method into a hybrid system leads to performance improvements.
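The two counts named in the abstract can be computed offline from a record of one page load. The sketch below is an added example, not code from the paper. It assumes that "domain name extension" means the last label of each host name and that the DNS servers seen for each host are supplied as input. All URLs and server names are constructed, and no decision threshold is applied because the abstract gives none.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample: URLs fetched while rendering one page, plus the DNS
# servers that answered for each host name (hypothetical, not from the paper).
SAMPLE_URLS = [
    "http://blog.example.com/index.html",
    "http://cdn.example.com/site.js",
    "http://Widgets.Example.NET./frame.html",
    "http://stats.example.org/c.gif",
    "http://192.0.2.10/img.png",
]
SAMPLE_NS = {
    "blog.example.com": ["ns1.example.com", "ns2.example.com"],
    "cdn.example.com": ["ns1.example.com", "ns2.example.com"],
    "widgets.example.net": ["NS1.example.net."],
    "stats.example.org": ["ns.example.org"],
}

def norm_host(name):
    """Lower-case a host name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def server_relationship_features(urls, ns_by_host):
    """Count distinct domain name extensions and DNS servers for one page."""
    hosts = {norm_host(urlsplit(u).hostname or "") for u in urls} - {""}
    extensions, dns_servers, unresolved = set(), set(), set()
    for host in hosts:
        if is_ip(host):
            continue  # IP literal: no extension and no DNS lookup involved
        extensions.add(host.rsplit(".", 1)[-1])  # assumption: extension = last label
        servers = ns_by_host.get(host)
        if servers:
            dns_servers.update(norm_host(s) for s in servers)
        else:
            unresolved.add(host)  # keep visible instead of silently undercounting
    return {"hosts": len(hosts), "extensions": len(extensions),
            "dns_servers": len(dns_servers), "unresolved": sorted(unresolved)}

if __name__ == "__main__":
    print(server_relationship_features(SAMPLE_URLS, SAMPLE_NS))
```

Hosts with no recorded DNS servers are reported under `unresolved` so that an incomplete capture is not mistaken for a low server count.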

Published in:

Local Computer Networks, 2008. LCN 2008. 33rd IEEE Conference on

Date of Conference:

14-17 Oct. 2008