Detecting malicious websites by learning IP address features

Daiki Chiba, Kazuhiro Tobe, Tatsuya Mori, Shigeki Goto

Research output: Chapter in Book/Report/Conference proceedingConference contribution

15 Citations (Scopus)

Abstract

Web-based malware attacks have become one of the most serious threats that need to be addressed urgently. Several approaches that have attracted attention as promising ways of detecting such malware include employing various blacklists. However, these conventional approaches often fail to detect new attacks owing to the versatility of malicious websites. Thus, it is difficult to maintain up-to-date blacklists with information regarding new malicious websites. To tackle this problem, we propose a new method for detecting malicious websites using the characteristics of IP addresses. Our approach leverages the empirical observation that IP addresses are more stable than other metrics such as URL and DNS. While the strings that form URLs or domain names are highly variable, IP addresses are less variable, i.e., IPv4 address space is mapped onto 4-bytes strings. We develop a lightweight and scalable detection scheme based on the machine learning technique. The aim of this study is not to provide a single solution that effectively detects web-based malware but to develop a technique that compensates the drawbacks of existing approaches. We validate the effectiveness of our approach by using real IP address data from existing blacklists and real traffic data on a campus network. The results demonstrate that our method can expand the coverage/accuracy of existing blacklists and also detect unknown malicious websites that are not covered by conventional approaches.

Original languageEnglish
Title of host publicationProceedings - 2012 IEEE/IPSJ 12th International Symposium on Applications and the Internet, SAINT 2012
Pages29-39
Number of pages11
DOIs
Publication statusPublished - 2012 Nov 1
Externally publishedYes
Event2012 IEEE/IPSJ 12th International Symposium on Applications and the Internet, SAINT 2012 - Izmir, Turkey
Duration: 2012 Jul 162012 Jul 20

Publication series

NameProceedings - 2012 IEEE/IPSJ 12th International Symposium on Applications and the Internet, SAINT 2012

Conference

Conference2012 IEEE/IPSJ 12th International Symposium on Applications and the Internet, SAINT 2012
CountryTurkey
CityIzmir
Period12/7/1612/7/20

Keywords

  • Blacklist
  • Drive-by-download
  • IP address
  • Machine learning
  • Web-based malware

ASJC Scopus subject areas

  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Detecting malicious websites by learning IP address features'. Together they form a unique fingerprint.

Cite this