Learning from Authoritative Security Experiment Results
A Flow-Based, Blacklist Approach for Associating Web Browser Redirection with Malicious Activity
Frank Hemingway, University of Maryland
Ben Klimkowski, University of Maryland
Max Potasznik, University of Maryland
B. Avery Greene, University of Maryland
Dr. Michel Cukier, University of Maryland
Background. Attackers increasingly use web browser redirection to conceal their activity and to manage the nodes that serve their malicious content. Previous work has analyzed NetFlow and DNS records to identify malicious redirects. We explore this previous work on a different university campus using different tools and techniques, seeking to reproduce and better understand it.
Aim. We aim to confirm that redirects are a worthwhile topic of security interest and show that flow-based tools have promise in intrusion detection.
Method. We use the previously established features of flow size, flow duration, and inter-flow duration, where smaller values for each of these features are more likely to indicate a redirection. However, instead of conducting a historical analysis of domain names to associate a flow with malicious activity, as done in previous work, we use blacklists of malicious IP addresses, because NetFlow records do not contain domain names.
Results. Our initial results confirm that previously established features of flow size (less than 2,500 bytes), flow duration (less than 500 ms), and inter-flow duration (less than 1,200 ms) are effective for identifying traffic that is more likely to be malicious. The filtered flows were 5-10 times more likely to visit IP addresses on publicly available blacklists than the general population of flows.
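As an added example (not code from the paper), the filter and blacklist comparison that the Method and Results sections describe, applied to constructed NetFlow-style records: flows below the three thresholds are kept, and their blacklist hit rate is divided by that of all flows. The abstract does not define inter-flow duration, so it is assumed here to be the time from the end of a client's previous flow to the start of the next; the hosts, server addresses, and blacklist are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
# Thresholds reported in the Results section (bytes, ms, ms).
MAX_BYTES, MAX_DURATION_MS, MAX_GAP_MS = 2500, 500, 1200

@dataclass(frozen=True)
class Flow:
    src: str          # client host
    dst: str          # server IP, the key looked up in the blacklist
    start_ms: int     # flow start time
    duration_ms: int  # flow duration
    nbytes: int       # flow size

def with_gaps(flows):
    """Pair each flow with its inter-flow gap: ms from the end of the same client's
    previous flow to this flow's start (assumed definition; first flow gets None)."""
    by_src = defaultdict(list)
    for f in flows: by_src[f.src].append(f)
    paired = []
    for fs in by_src.values():
        prev_end = None
        for f in sorted(fs, key=lambda f: f.start_ms):
            paired.append((f, None if prev_end is None else f.start_ms - prev_end))
            prev_end = f.start_ms + f.duration_ms
    return paired

def redirect_candidates(flows):
    return [f for f, gap in with_gaps(flows)
            if f.nbytes < MAX_BYTES and f.duration_ms < MAX_DURATION_MS
            and gap is not None and gap < MAX_GAP_MS]

def blacklist_rate(flows, blacklist):
    return sum(f.dst in blacklist for f in flows) / len(flows) if flows else 0.0

def blacklist_lift(flows, blacklist):
    """How many times more often the filtered flows hit the blacklist than all flows do."""
    base = blacklist_rate(flows, blacklist)
    return blacklist_rate(redirect_candidates(flows), blacklist) / base if base else 0.0

# Constructed sample (TEST-NET addresses). Host 10.0.0.1 hops through a tiny redirect
# into a large landing page; host 10.0.0.2 revisits a blacklisted IP after a long idle gap.
BLACKLIST = {"203.0.113.9", "198.51.100.7"}
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "192.0.2.10", 0, 300, 1800),
    Flow("10.0.0.1", "203.0.113.9", 500, 200, 900),     # redirect hop, blacklisted
    Flow("10.0.0.1", "192.0.2.20", 900, 3000, 45000),   # landing page, too large/long
    Flow("10.0.0.2", "192.0.2.30", 0, 100, 1200),
    Flow("10.0.0.2", "198.51.100.7", 5000, 100, 800),   # gap 4900 ms, not a redirect
    Flow("10.0.0.2", "192.0.2.40", 5300, 150, 600),     # redirect-like but clean
]
```

On this sample the filter keeps two of six flows and the blacklist hit rate rises from 1/3 to 1/2, a lift of 1.5; the 5-10x figure in the paper is a property of the campus data, not of the code.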
Conclusions. Web browser redirection is widely used for legitimate purposes and is therefore not an absolute indicator of malicious activity in and of itself. However, it is useful for the security community to recognize the strong association between redirects and malicious activity. We confirm the association of redirects with malicious activity using a master blacklist. Although it is difficult to detect malicious activity using flow-based techniques, such approaches do show potential and are worth further investigation.