Interactive Website Filter for Safe Web Browsing.

Though popularly used for safe web browsing, blacklist-based filters have fundamental limitation in the "window of vulnerability", the time between malicious website launch and blacklist update. An effective way of seamless protection is to use an add-on filter based on heuristics, but most of prior heuristics have offered the limited scope of protection against new attacks. Moreover, they have either suffered from low detection accuracy or incurred unacceptable slowdown. This paper presents an interactive website filter based on heuristics for detecting malicious websites. As the key feature, our filter considers the disparity between a website's true identity (e.g., host domain) and its observed identity (e.g., frequent terms or source domains of iFrames). A website with significant disparity is considered as malicious. Users are warned against a website identified as malicious, and determine if it is safe to proceed. Incorporating user-interaction into discovering the true identity of the suspect websites lets our filter avoid false positives caused by automatic detection. Our main contribution is that we found a common and efficient characteristic to filter malicious websites. Not only is such disparity inherent in exploit mechanisms of malicious websites whether to aim for phishing or malware distribution, but its measuring by textual relevance incurs negligible overhead. Experimental results demonstrate that our filter is lightweight while delivering considerably high detection accuracy for both malicious websites.