DocumentCode :
3402710
Title :
Statistical detection of malicious web sites through time proximity to existing detection events
Author :
Kent, Alexander D. ; Liebrock, Lorie M.
Author_Institution :
Los Alamos Nat. Lab., Los Alamos, NM, USA
fYear :
2013
fDate :
13-15 Aug. 2013
Firstpage :
192
Lastpage :
197
Abstract :
We present a novel method of combining and aggregating disparate computer security events with web browsing activity to produce new and extended intrusion information with low false positives. This method integrates web browsing and intrusion-related security events as an unevenly spaced time series, and then aggregates commonalities from these integrated events across a population of monitored computers. This aggregation not only enables increased validation of, and knowledge about, known security events, but also reveals new and previously unknown activity of security concern with very low false positives. This source-oriented information enables more effective defensive measures and increased enterprise-wide security. Using data covering over 24,000 computers and spanning 6 months, we demonstrate the value of our approach. Most importantly, we show a data reduction from 6.4 billion web requests to just 19 requests from 10 Internet domains requiring a security analyst's review, given our real-world data set.
Keywords :
Web sites; security of data; Internet domains; Web browsing activity; computer security events; detection events; enterprise wide security; extended intrusion information; intrusion related security events; malicious Web sites; security analyst; source oriented information; spaced time series; statistical detection; time proximity; Computers; HTML; Internet; Malware; Organizations; Time series analysis;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Resilient Control Systems (ISRCS), 2013 6th International Symposium on
Conference_Location :
San Francisco, CA
Type :
conf
DOI :
10.1109/ISRCS.2013.6623775
Filename :
6623775