Automated Generation of Behavioral Signatures for Malicious Web Campaigns

Abstract

Web-based malicious campaigns target internet users across multiple domains to launch various forms of attacks. Extant research on detecting such campaigns applies supervised or unsupervised learning techniques to targeted campaign data, producing machine learning models that are often expensive to train and sluggish to react to the ephemeral nature of malicious campaigns. In this paper, we present an automated web-based malicious campaign detection system that produces campaign signatures representing both their static and dynamic behavior. We generated 379 campaign signatures that matched 36,427 unique malicious URLs with an extremely low false-positive rate (0.008%). We further applied our signatures to real-world user traffic and identified 471 URLs, which were verified through VirusTotal and manual inspection. Our results provide valuable insight into web-based malicious campaign detection, and our system could be utilized to improve existing defenses and the relevant field of threat intelligence.

Publication
Proceedings of the 27th Information Security Conference