Carnegie Mellon Researchers Use Mobile Users Behavior to Predict Exposure to Malicious Websites

February 25, 2019

A new study from Carnegie Mellon University's CyLab takes a proactive approach to determine when exposure to malicious websites can occur.

"Most traditional security defenses are reactive, and warn users only after or at the time they've visited a malicious website," said Mahmood Sharif, a Ph.D. student in CMU's Department of Electrical and Computer Engineering. "We wanted to figure out: are there hints about a user's behavior that could tell us when something bad is going to happen before it happens?"

Sharif presented the study at the ACM Conference on Computer and Communications Security in Toronto.

The team evaluated three months' worth of web traffic generated by more than 20,000 mobile device users in 2017. The data was obtained with users' consent with the help of collaborators from the research arm of KDDI, a large Japanese cellular provider.

In their analysis, a website was marked as "malicious" if it appeared on the Google Safe Browsing blacklist, which contains a constantly updated list of unsafe websites and web resources, such as phishing or deceptive sites and sites that host malware.

"Out of all the users that we observed, about 11 percent were exposed to malicious websites," Sharif said. "But out of the many browsing sessions, only 1 out of 1,000 sessions were exposed, on average. "The researchers then combed through the data in search of behavioral differences between users who had been exposed versus users who hadn't. They found, for example, that exposed users visited pages with more ads and browsed the web more at night than unexposed users.

Based on their findings, they identified three feature types that could help predict whether a user would be exposed or not: contextual features (e.g. number of links clicked, session length, time of day, etc.); past behavior (e.g. average links clicked per session, whether the user had been exposed in the past or not, etc.); and self-reported behaviors reported via a survey (e.g. whether the user runs anti-virus software, whether the user has had previous online security incidents, etc.). The team tested the predictive system, and found it can accurately predict exposure seconds before it occurs.

"Our system was even able to detect malicious web pages before they had been added to blacklists," Sharif said. "Now we can use the predictions to proactively protect users, thus adding a complementary line of defense to the existing reactive defenses."

Other authors on the study include Institute for Software Research and Engineering and Public Policy professor Nicolas Christin, and KDDI researchers Jumpei Urakawa, Ayumu Kubota and Akira Yamada.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

Carnegie Mellon Researchers Use Mobile Users Behavior to Predict Exposure to Malicious Websites

The latest news and information

Content written for business-minded executives who manage enterprise risk and security

Carnegie Mellon Researchers Use Mobile Users Behavior to Predict Exposure to Malicious Websites

Related Articles

Related Products

Related Events

The latest news and information

Content written for business-minded executives who manage enterprise risk and security