Real-Time Malware Uniform Resource Locator Detection: Identification of Novel Discriminative Features through Manual Examination and Empirical Analysis

Abstract

Gone are the days when attackers used to introduce malware into enterprise network through storage devices. With the rapid proliferation of internet technologies and web applications, attackers now use web as a means of introducing malware into enterprise network. This development has forced many enterprises to subscribe to manually created blacklist of malware Uniform Resource Locator (URLs). Manually created blacklist is faced with challenges of wrong detection due to human error and inability to detect newly created malware URL that has not been added to the blacklist. This make blacklisting approach inadequate for detection of any malware URL encountered. Therefore, a real-time malware URL detection that is based on machine learning is required. To achieve this, there is a need to identify discriminative features of malware URL. This need motivated this study. Consequently, the authors of this study identified novel discriminative lexical features of malware URL and study the prevalence of these features. To identify discriminative lexical features, two methods including manual examination of malware URL and empirical analysis were employed. Manual examination of malware URLs was carried out using existing blacklist of malware URLs. This allowed the authors to identify discriminative lexical features. To determine whether there is consistency in the way the attackers craft malware URLs, empirical analysis was carried on both the existing blacklisted malware URLs and newly collected malware URLs. Empirical analysis revealed that there is consistency in the way malware URLs is crafted by the attackers. Therefore, these features can be used to build real-time malware URLs detection.