By Topic

Proactive Blacklisting for Malicious Web Sites by Reputation Evaluation Based on Domain and IP Address Registration

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

3 Author(s)
Yoshiro Fukushima ; Dept. of Inf., Kyushu Univ. Fukuoka, Fukuoka, Japan ; Yoshiaki Hori ; Kouichi Sakurai

The objective of creating malicious software (i.e., malware), intruding computers and conducting malicious activities is shifted from showing off attacker's computer skills to earning money. Thus, recent attackers take more sophisticated and effective malware infection ways such as malware infection via malicious Web sites as well as the traditional exploitations like worm propagation. The malicious Web sites attempt to compromise machines by drive-by-download attack which redirects users to exploiting sites and install malware compulsorily in their machines by exploiting vulnerabilities of their Web browser or plugins. As a countermeasure for these malicious Web sites, blacklisting URLs or domains of them is significant. However, attackers tend to change the URLs or domains in a short period to avoid the blacklist. Thus, a blacklisting scheme which can filter even unknown malicious Web sites is critical. In this paper, we first analyze characteristics of malicious Web sites by their domain information such as AS (Autonomous System), IP address block, IP address, domain, and registrar. Second, we evaluate reputations of IP address blocks and registrars used by attackers. Then, we propose a blacklisting scheme constructed of the combination of IP address block and registrars with low reputation, that is, intensively used by attackers. From our experimental results, the Web sites with the same combination with low reputation appeared over long period, which indicates that our proposed blacklist has a certain capability of filtering unknown malicious Web sites.

Published in:

2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications

Date of Conference:

16-18 Nov. 2011