A new study from Carnegie Mellon University's CyLab takes a proactive approach to determine when exposure to malicious websites can occur.

"Most traditional security defenses are reactive, and warn users only after or at the time they've visited a malicious website," said Mahmood Sharif, a Ph.D. student in CMU's Department of Electrical and Computer Engineering. "We wanted to figure out: are there hints about a user's behavior that could tell us when something bad is going to happen before it happens?"

Sharif presented the study at the ACM Conference on Computer and Communications Security in Toronto.

The team evaluated three months' worth of web traffic generated by more than 20,000 mobile device users in 2017. The data was obtained with users' consent with the help of collaborators from the research arm of KDDI, a large Japanese cellular provider.

In their analysis, a website was marked as "malicious" if it appeared on the Google Safe Browsing blacklist, which contains a constantly updated list of unsafe websites and web resources, such as phishing or deceptive sites and sites that host malware.

"Out of all the users that we observed, about 11 percent were exposed to malicious websites," Sharif said. "But out of the many browsing sessions, only 1 out of 1,000 sessions were exposed, on average. "The researchers then combed through the data in search of behavioral differences between users who had been exposed versus users who hadn't. They found, for example, that exposed users visited pages with more ads and browsed the web more at night than unexposed users.

Based on their findings, they identified three feature types that could help predict whether a user would be exposed or not: contextual features (e.g. number of links clicked, session length, time of day, etc.); past behavior (e.g. average links clicked per session, whether the user had been exposed in the past or not, etc.); and self-reported behaviors reported via a survey (e.g. whether the user runs anti-virus software, whether the user has had previous online security incidents, etc.). The team tested the predictive system, and found it can accurately predict exposure seconds before it occurs.

"Our system was even able to detect malicious web pages before they had been added to blacklists," Sharif said. "Now we can use the predictions to proactively protect users, thus adding a complementary line of defense to the existing reactive defenses."

Other authors on the study include Institute for Software Research and Engineering and Public Policy professor Nicolas Christin, and KDDI researchers Jumpei Urakawa, Ayumu Kubota and Akira Yamada.