Cross-Layer Detection of Malicious Websites Cross-Layer Detection of Malicious Websites∗

Malicious websites have become a major attack tool of the adversary. There are two main approaches to detect malicious websites: static and dynamic. The static approach is centered on the static analysis of website contents and can scale up to a large number of websites in cyberspace. However, this approach has limited success in dealing with sophisticated attacks that include obfuscation. The dynamic approach is centered on the analysis of website contents via their run-time behaviors, and can cope with these sophisticated attacks. However, this approach is often expensive and cannot scale up to the magnitude of the number of websites in cyberspace. This research aims to achieve the best performance of two malicious website detection approaches simultaneously. In this paper, we propose an analysis of the corresponding network-layer traffic between the browser and the web server by incorporating the static analysis of website contents, which is conducted at the application layer. The insight of this approach is that the network-layer may expose useful information about malicious websites from a different perspective. Evaluation based on the data collected during 37 days shows that certain cross-layer detection methods can be almost as effective as the dynamic approach. Performance experiments show that, when both approaches are deployed as a service, the crosslayer detection approach is about 50 times faster than the dynamic approach.