Title :
Detecting hiding malicious website using network traffic mining approach
Author :
Hsiao, Han-Wei ; Chen, Deng-Neng ; Wu, Tsung Ju
Author_Institution :
Dept. of Inf. Manage., Nat. Univ. of Kaohsiung, Kaohsiung, Taiwan
Abstract :
As the Internet continues to broaden its coverage worldwide, it has led to the spread of data searching, learning, entertainment, information exchange, finance, commercial activities and so on via the Internet. This tendency creates a serious situation: Internet users become attack targets. Many kinds of network attack, such as viruses, worms, and many other forms of malicious code, have been implemented to gain illegal benefits or for some particular purpose. In recent years, firewall techniques have been used to reject anomalous Internet connections, and this has gradually shifted the spreading of malware from the traditional “push-based” method to the “pull-based” method. Therefore, preventing illegitimate access by attackers while maintaining the quality of service of the network has become an important issue for network managers. In 2008, a new kind of malware was found that has some new features compared with traditional malware. In particular, such code can update itself over the Internet. Many malicious websites offer new versions of malicious code, and the malware causes other computers in the same LAN to download and execute the malicious program automatically. These kinds of malicious websites cannot be easily detected by traditional firewall defense systems. This research proposes a malicious website detection system architecture and uses a spatial-temporal aggregating variables method to build a detection module from NetFlow data. Our empirical evaluation results show that this module performs well at detecting malicious websites. The results are helpful for improving the management of large-scale network environments.
Keywords :
Internet; Web sites; authorisation; NetFlow data; anomaly Internet connection; data searching; firewall defense system; firewall technique; hiding malicious Web site; information exchanging; malicious Web site detection module; malicious Web site detection system architecture; malicious code; malicious program; malware; network attack; network traffic mining; pull-based method; push-based method; quality of service; spatial-temporal aggregating variables method; Computer architecture; Computer network management; Computer worms; Environmental management; Internet; Local area networks; Quality management; Quality of service; Telecommunication traffic; Viruses (medical); Malicious Website Detection; Malware; NetFlow; Network Security; Spatial-Temporal Pattern;
Conference_Title :
Education Technology and Computer (ICETC), 2010 2nd International Conference on
Conference_Location :
Shanghai
Print_ISBN :
978-1-4244-6367-1
DOI :
10.1109/ICETC.2010.5530064