An Analysis of Network Flow Records for Inferring Web Browser Redirection

Abstract

Legitimate web browser redirection is often used to take users to web pages that have moved or to help users find the correct website when they have entered the web address incorrectly. Unfortunately, computer network attackers can use web browser redirection to manage malware-serving hosts and conceal their activity. An analysis of network flow records yields heuristics for flow size, flow duration, and inter-flow duration that indicate flows where web browser redirection is likely to have occurred. Results show that flows matching these redirection heuristics are indeed several times more likely to communicate with Internet hosts that have exhibited a history of malicious behavior. A network security administrator can thus filter large sets of network flow records to reveal flows most likely to contain web browser redirection. This capability reduces the sample space when looking for evidence of malicious activity targeting web browsers and contributes more generally to the expanding field of flow-based application recognition.