Detecting Malicious Websites from the Perspective of System Provenance Analysis

Peng Jiang, Jifan Xiao, Ding Li, Hongyi Yu, Yu Bai, Yao Guo, Xiangqun Chen

IEEE Transactions on Dependable and Secure Computing (2023)

Abstract
Malicious websites are considered one of the top threats to the modern Internet. Thus, it is critical to effectively detect malicious websites for the security of the Internet. Conventional technologies typically rely on URL blacklists, or static and dynamic code analysis, which are known to have limitations. In order to effectively detect malicious websites, in this paper, we study malicious websites from the perspective of system provenance analysis for the first time. We first conduct a systematic feature engineering study on thousands of benign and malicious websites from the perspective of system provenance data. In our study, we discover eight useful features for malicious website detection. Based on these eight features, we propose ProvWeb, a novel non-intrusive system provenance-based tool, for malicious website detection. In our evaluation, ProvWeb can achieve an F1 score of 93.7% ∼ 99.7% for the four combinations of browsers and OSes (Windows Chrome, Windows Firefox, Linux Chrome, Linux Firefox). This result confirms that the features discovered in provenance graphs are effective in detecting malicious websites.
Keywords
malicious websites