TY - GEN
T1 - Proactive blacklisting for malicious web sites by reputation evaluation based on domain and IP address registration
AU - Fukushima, Yoshiro
AU - Hori, Yoshiaki
AU - Sakurai, Kouichi
PY - 2011
Y1 - 2011
N2 - The objective of creating malicious software (i.e., malware), intruding into computers and conducting malicious activities has shifted from showing off the attacker's computer skills to earning money. Thus, recent attackers adopt more sophisticated and effective malware infection methods, such as infection via malicious Web sites, in addition to traditional exploitation such as worm propagation. Malicious Web sites attempt to compromise machines by drive-by-download attacks, which redirect users to exploit sites and forcibly install malware on their machines by exploiting vulnerabilities in their Web browser or plugins. As a countermeasure against these malicious Web sites, blacklisting their URLs or domains is important. However, attackers tend to change URLs or domains within a short period to evade the blacklist. Thus, a blacklisting scheme that can filter even unknown malicious Web sites is critical. In this paper, we first analyze the characteristics of malicious Web sites by their domain information, such as AS (Autonomous System), IP address block, IP address, domain, and registrar. Second, we evaluate the reputations of IP address blocks and registrars used by attackers. Then, we propose a blacklisting scheme constructed from combinations of IP address blocks and registrars with low reputation, that is, those intensively used by attackers. From our experimental results, Web sites with the same low-reputation combination appeared over a long period, which indicates that our proposed blacklist has a certain capability of filtering unknown malicious Web sites.
AB - The objective of creating malicious software (i.e., malware), intruding into computers and conducting malicious activities has shifted from showing off the attacker's computer skills to earning money. Thus, recent attackers adopt more sophisticated and effective malware infection methods, such as infection via malicious Web sites, in addition to traditional exploitation such as worm propagation. Malicious Web sites attempt to compromise machines by drive-by-download attacks, which redirect users to exploit sites and forcibly install malware on their machines by exploiting vulnerabilities in their Web browser or plugins. As a countermeasure against these malicious Web sites, blacklisting their URLs or domains is important. However, attackers tend to change URLs or domains within a short period to evade the blacklist. Thus, a blacklisting scheme that can filter even unknown malicious Web sites is critical. In this paper, we first analyze the characteristics of malicious Web sites by their domain information, such as AS (Autonomous System), IP address block, IP address, domain, and registrar. Second, we evaluate the reputations of IP address blocks and registrars used by attackers. Then, we propose a blacklisting scheme constructed from combinations of IP address blocks and registrars with low reputation, that is, those intensively used by attackers. From our experimental results, Web sites with the same low-reputation combination appeared over a long period, which indicates that our proposed blacklist has a certain capability of filtering unknown malicious Web sites.
UR - http://www.scopus.com/inward/record.url?scp=84856138825&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84856138825&partnerID=8YFLogxK
U2 - 10.1109/TrustCom.2011.46
DO - 10.1109/TrustCom.2011.46
M3 - Conference contribution
AN - SCOPUS:84856138825
SN - 9780769546001
T3 - Proc. 10th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communications, TrustCom 2011, 8th IEEE Int. Conf. on Embedded Software and Systems, ICESS 2011, 6th Int. Conf. on FCST 2011
SP - 352
EP - 361
BT - Proc. 10th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communications, TrustCom 2011, 8th IEEE Int. Conf. on Embedded Software and Systems, ICESS 2011, 6th Int. Conf. FCST 2011
T2 - 10th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communications, TrustCom 2011, 8th IEEE Int. Conf. on Embedded Software and Systems, ICESS 2011, 6th Int. Conf. on Frontier of Computer Science and Technology, FCST 2011
Y2 - 16 November 2011 through 18 November 2011
ER -