An Approach to Detect Drive-By Download by Observing the Web Page Transition Behaviors

Drive-by download is one of the major threats to the Web infrastructure. It is triggered by user access to a malicious website and forces users to download malware by exploiting the vulnerabilities of web browsers or plug-ins. Since these malicious websites are ephemeral, it is difficult to keep pace with the emerging and disappearing of such websites. To detect and prevent such attacks, we implemented a framework that aims to detect and prevent drive-by download with users´ voluntary monitoring of the web. In this paper, we propose an approach to detect and prevent drive-by download based on the characteristics of web page transition behaviors caused by malicious websites that force users to download malicious software. We evaluated our approach by using a dataset provided by The Anti Malware Engineering Workshop (MWS2013) as samples of malicious websites and web access data collected by a monitoring sensor in our framework. Our evaluation shows that our detection algorithm can accurately detect drive-by downloads if a series of transitions caused by drive-by downloads is completely conducted.