An evaluation of lightweight classification methods for identifying malicious URLs

Egan, Shaun P; Irwin, Barry V W

Title: An evaluation of lightweight classification methods for identifying malicious URLs
Creator: Egan, Shaun P, Irwin, Barry V W
Subject: To be catalogued
Date: 2011
Type: text
Type: article
Identifier: http://hdl.handle.net/10962/429839
Identifier: vital:72644
Identifier: 10.1109/ISSA.2011.6027532
Description: Recent research has shown that it is possible to identify malicious URLs through lexical analysis of their URL structures alone. This paper intends to explore the effectiveness of these lightweight classification algorithms when working with large real world datasets including lists of malicious URLs obtained from Phishtank as well as largely filtered be-nign URLs obtained from proxy traffic logs. Lightweight algorithms are defined as methods by which URLs are analysed that do not use exter-nal sources of information such as WHOIS lookups, blacklist lookups and content analysis. These parameters include URL length, number of delimiters as well as the number of traversals through the directory structure and are used throughout much of the research in the para-digm of lightweight classification. Methods which include external sources of information are often called fully featured classifications and have been shown to be only slightly more effective than a purely lexical analysis when considering both false-positives and false-negatives. This distinction allows these algorithms to be run client side without the introduction of additional latency, but still providing a high level of accu-racy through the use of modern techniques in training classifiers. Anal-ysis of this type will also be useful in an incident response analysis where large numbers of URLs need to be filtered for potentially mali-cious URLs as an initial step in information gathering as well as end us-er implementations such as browser extensions which could help pro-tect the user from following potentially malicious links. Both AROW and CW classifier update methods will be used as prototype implementa-tions and their effectiveness will be compared to fully featured analysis results. These methods are interesting because they are able to train on any labelled data, including instances in which their prediction is cor-rect, allowing them to build a confidence in specific lexical features. This makes it possible for them to be trained using noisy input data, making them ideal for real world applications such as link filtering and information gathering.
Format: 6 pages, pdf
Language: English
Relation: Information Security for South Africa, Egan, S. and Irwin, B., 2011, August. An evaluation of lightweight classification methods for identifying malicious URLs. In 2011 Information Security for South Africa (pp. 1-6). IEEE, Information Security for South Africa volume 2011 number 1 1 6 2011 2330-9881
Rights: Publisher
Rights: Use of this resource is governed by the terms and conditions of the IEEE Xplore Terms of Use Statement (https://ieeexplore.ieee.org/Xplorehelp/overview-of-ieee-xplore/terms-of-use)

Hits: 105
Visitors: 110
Downloads: 9

Collections

Irwin, Barry V W (Prof)

RU Department of Computer Science

SDG 09. Industry, Innovation and Infrastructure

		Thumbnail	File	Description	Size	Format
View Details			SOURCE1	An evaluation of lightweight classification methods for identifying malicious URLs.pdf	700 KB	Adobe Acrobat PDF	View Details