DocumentCode :
3255132
Title :
Identification of malicious web pages through analysis of underlying DNS and web server relationships
Author :
Seifert, Christian ; Welch, Ian ; Komisarczuk, Peter ; Aval, Chiraag Uday ; Endicott-Popovsky, Barbara
Author_Institution :
Victoria Univ. of Wellington, Wellington
fYear :
2008
fDate :
14-17 Oct. 2008
Firstpage :
935
Lastpage :
941
Abstract :
Malicious Web pages that launch drive-by-download attacks on Web browsers have increasingly become a problem in recent years. High-interaction client honeypots are security devices that can detect these malicious Web pages on a network. However, high-interaction client honeypots are both resource-intensive and unable to handle the increasing array of vulnerable clients. This paper presents a novel classification method for detecting malicious Web pages that involves inspecting the underlying server relationships. Because of the unique structure of malicious front-end Web pages and centralized exploit servers, merely counting the number of domain name extensions and Domain Name System (DNS) servers used to resolve the host names of all Web servers involved in rendering a page is sufficient to determine whether a Web page is malicious or benign, independent of the vulnerable Web browser targeted by these pages. Combining high-interaction client honeypots and this new classification method into a hybrid system leads to performance improvements.
Keywords :
Internet; file servers; online front-ends; pattern classification; security of data; telecommunication security; Web browser; Web server relationship; classification method; domain name system server; drive-by-download attack; high-interaction client honeypot; hybrid system; malicious Web page identification; security device; Communication system security; Domain Name System; IP networks; Information resources; Information security; Intrusion detection; Network servers; Web and internet services; Web pages; Web server; Client Honeypots; Drive-by-downloads; Intrusion Detection; Security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Local Computer Networks, 2008. LCN 2008. 33rd IEEE Conference on
Conference_Location :
Montreal, Que
Print_ISBN :
978-1-4244-2412-2
Electronic_ISBN :
978-1-4244-2413-9
Type :
conf
DOI :
10.1109/LCN.2008.4664306
Filename :
4664306