Presentation is loading. Please wait.

Presentation is loading. Please wait.

Beyond Blacklists: Learning to Detect Malicious Web Sites from Suspicious URLs Justin Ma, Lawrence Saul, Stefan Savage, Geoff Voelker Computer Science.

Published byJasmin Howard Modified over 8 years ago

Similar presentations

Presentation on theme: "Beyond Blacklists: Learning to Detect Malicious Web Sites from Suspicious URLs Justin Ma, Lawrence Saul, Stefan Savage, Geoff Voelker Computer Science."— Presentation transcript:

1 Beyond Blacklists: Learning to Detect Malicious Web Sites from Suspicious URLs Justin Ma, Lawrence Saul, Stefan Savage, Geoff Voelker Computer Science & Engineering UC San Diego Presentation for KDD 2009 June 30, 2009

2 2 Detecting Malicious Web Sites Predict what is safe without committing to risky actions Safe URL? Web exploit? Spam-advertised site? Phishing site? URL = Uniform Resource Locator http://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll http://fblight.com http://mail.ru http://www.sigkdd.org/kdd2009/index.html

3 3 Problem in a Nutshell URL features to identify malicious Web sites No context, no content Different classes of URLs Benign, spam, phishing, exploits, scams... For now, distinguish benign vs. malicious facebook.comfblight.com

4 4 State of the Practice Current approaches Blacklists [SORBS, URIBL, SURBL, Spamhaus] Learning on hand-tuned features [Garera et al, 2007] Limitations Cannot predict unlisted sites Cannot account for new features Arms race More automated approach?

5 5 Today's Talk Motivation System overview Training data Algorithms Features ← focus of today's talk Experimental results Conclusion

6 6 URL Classification System LabelExampleHypothesis

7 7 Data Sets Malicious URLs 5,000 from PhishTank (phishing) 15,000 from Spamscatter (spam, phishing, etc) Benign URLs 15,000 from Yahoo Web directory 15,000 from DMOZ directory Malicious x Benign → 4 Data Sets 30,000 – 55,000 features per data set

8 8 Algorithms Logistic regression w/ L1-norm regularization Other models Naive Bayes Support vector machines (linear, RBF kernels) Implicit feature selection Easier to interpret

9 9 Today's Focus Example

10 10 Feature vector construction http://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll WHOIS registration: 3/25/2009 Hosted from 208.78.240.0/22 IP hosted in San Mateo Connection speed: T1 Has DNS PTR record? Yes Registrant “Chad”... [ _ _ … 0 0 0 1 1 1 … 1 0 1 1 …] Real-valued Host-basedLexical

11 11 Features to consider? 1)Blacklists 2)Simple heuristics 3)Domain name registration 4)Host properties 5)Lexical

12 12 (1) Blacklist Queries List of known malicious sites Providers: SORBS, URIBL, SURBL, Spamhaus http://www.bfuduuioo1fp.mobi In blacklist? Yes http://fblight.com No In blacklist? http://www.bfuduuioo1fp.mobi Blacklist queries as features........................................

13 13 stopgap.cn registered 28 June 2009 (2) Manually-Selected Features Considered by previous studies IP address in hostname? Number of dots in URL WHOIS (domain name) registration date [Fette et al., 2007][Zhang et al., 2007][Bergholz et al., 2008] http://72.23.5.122/www.bankofamerica.com/ http://www.bankofamerica.com.qytrpbcw.stopgap.cn/

14 14 (3) WHOIS Features Domain name registration Date of registration, update, expiration Registrant: Who registered domain? Registrar: Who manages registration? http://sleazysalmon.com http://angryalbacore.com http://mangymackerel.com http://yammeringyellowtail.com Registered on 29 June 2009 By SpamMedia

15 15 (4) Host-Based Features Blacklisted? (SORBS, URIBL, SURBL, Spamhaus) WHOIS: registrar, registrant, dates IP address: Which ASes/IP prefixes? DNS: TTL? PTR record exists/resolves? Geography-related: Locale? Connection speed? 75.102.60.0/2269.63.176.0/20 facebook.comfblight.com

16 16 (5) Lexical Features Tokens in URL hostname + path Length of URL Number of dots http://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll

17 17 Which feature sets? Blacklist Manual WHOIS Host-based Lexical 4,000 # Features 13,000 4 7 17,000 More features → Better accuracy

18 18 Which feature sets? Blacklist Manual WHOIS Host-based Lexical Full 96—99% accuracy 4,000 # Features 13,000 4 7 17,000 30,000

19 19 Which feature sets? Blacklist Manual WHOIS Host-based Lexical Full w/o WHOIS/Blacklist 4,000 # Features 13,000 4 7 17,000 30,000 26,000

20 20 Beyond Blacklists Blacklist Full features Yahoo-PhishTank Higher detection rate for given false positive rate

21 21 Limitations False positives Sites hosted in disreputable ISP Guilt by association False negatives Compromised sites Free hosting sites Redirection (but we consider TinyURL malicious :) Hosted in reputable ISP Future work: Web page content

22 22 Conclusion Detect malicious URLs with high accuracy Only using URL Diverse feature set helps: 99% w/ 30,000+ features Model analysis (more in paper) Our related efforts Online learning for URL reputation [ICML 2009] Future work Scaling up for deployment

Download ppt "Beyond Blacklists: Learning to Detect Malicious Web Sites from Suspicious URLs Justin Ma, Lawrence Saul, Stefan Savage, Geoff Voelker Computer Science."

Similar presentations

1 Network-Level Spam Detection Nick Feamster Georgia Tech.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.
Flux in Fraud Infrastructures Minaxi Gupta Computer Science Dept. Indiana University, Bloomington.

Flux in Fraud Infrastructures Minaxi Gupta Computer Science Dept. Indiana University, Bloomington.
11 PhishNet: Predictive Blacklisting to detect Phishing Attacks Reporter: Gia-Nan Gao Advisor: Chin-Laung Lei 2010/4/26.

11 PhishNet: Predictive Blacklisting to detect Phishing Attacks Reporter: Gia-Nan Gao Advisor: Chin-Laung Lei 2010/4/26.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Detecting Social Spam Campaigns on Twitter Zi Chu & Haining Wang The College of William & Mary Indra Widjaja Bell Laboratories, Alcatel-Lucent, USA Presented.

Detecting Social Spam Campaigns on Twitter Zi Chu & Haining Wang The College of William & Mary Indra Widjaja Bell Laboratories, Alcatel-Lucent, USA Presented.
Paper Reading: Reporter: Shao-Yu Peng( 彭少瑜 ) Date: 2013/10/28.

Paper Reading: Reporter: Shao-Yu Peng( 彭少瑜 ) Date: 2013/10/28.
1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW 2007 2008.09.09 Yue Zhang, Jason Hong, and Lorrie Cranor.

1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW Yue Zhang, Jason Hong, and Lorrie Cranor.
“Identifying Suspicious URLs: An Application of Large-Scale Online Learning” Paper by Justin Ma, Lawrence K. Saul, Stefan Savage, and Geoffrey M. Voelker.

“Identifying Suspicious URLs: An Application of Large-Scale Online Learning” Paper by Justin Ma, Lawrence K. Saul, Stefan Savage, and Geoffrey M. Voelker.
Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing Emails I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In Proceedings.

Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing s I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing s. In Proceedings.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,
1 Learning User Interaction Models for Predicting Web Search Result Preferences Eugene Agichtein Eric Brill Susan Dumais Robert Ragno Microsoft Research.

1 Learning User Interaction Models for Predicting Web Search Result Preferences Eugene Agichtein Eric Brill Susan Dumais Robert Ragno Microsoft Research.
CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Yue Zhang University of Pittsburgh Jason I. Hong, Lorrie F. Cranor Carnegie Mellon University.

CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Yue Zhang University of Pittsburgh Jason I. Hong, Lorrie F. Cranor Carnegie Mellon University.
Presented by Li-Tal Mashiach Learning to Rank: A Machine Learning Approach to Static Ranking 049011 - Algorithms for Large Data Sets Student Symposium.

Presented by Li-Tal Mashiach Learning to Rank: A Machine Learning Approach to Static Ranking Algorithms for Large Data Sets Student Symposium.
Announcements Blog Projects Next class: spam infrastructure Next next class: Dave Aucsmith 1.

Announcements Blog Projects Next class: spam infrastructure Next next class: Dave Aucsmith 1.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.

Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.
Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.

Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.
Detection of Internet Scam Using Logistic Regression

Detection of Internet Scam Using Logistic Regression

Similar presentations

Ads by Google