PhishLive: A View of Phishing and Malware Attacks from an Edge Router

  • Lianjie Cao
  • Thibaut Probst
  • Ramana Kompella
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7799)


Malicious website attacks, including phishing, malware distribution, and drive-by downloads, have become a major security threat on today's Internet. Most prior work has focused on approaches to preventing users from reaching malicious websites; few studies examine the prevalence and temporal characteristics of the attack traffic itself. In this paper we develop PhishLive, a system that studies the behavior of malicious website attacks against the users and hosts of a large university campus network by monitoring HTTP connections at the edge router for accesses to malicious URLs. Over a one-month experiment we analyzed more than one billion URLs. Our analysis reveals several interesting findings.
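The abstract describes the pipeline only at a high level. As an added example that is not the PhishLive code, the following Python sketches the shape of such a check: reconstruct the URL of each observed plaintext HTTP request from its Host header and request-target, canonicalise it, look it up in hash sets of blacklisted URLs and hosts, and count hits per hour. The blacklist entries, hostnames and request records are constructed, and the canonicalisation rules are ordinary URL normalisation chosen for illustration, not rules taken from the paper.

```python
"""Toy edge-monitor URL check. Added example, not PhishLive's code:
blacklist entries and request records below are constructed."""
from collections import Counter
from datetime import datetime
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed blacklist feeds: exact URLs and bare hostnames. A real
# deployment would load these from a phishing/malware URL feed.
BLACKLIST_URLS = {
    "http://login-example.test/secure/update.php",
}
BLACKLIST_HOSTS = {
    "malware-dl.test",
}


def normalize_url(url: str) -> str:
    """Canonicalise a URL so trivial variation does not defeat the lookup:
    lower-case scheme and host, drop a default port, drop the fragment,
    and give an empty path an explicit '/'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def request_url(host_header: str, request_target: str, tls: bool = False) -> str:
    """Rebuild the requested URL from a captured HTTP request. Only plaintext
    HTTP exposes Host and request-target on the wire; TLS hides both."""
    scheme = "https" if tls else "http"
    return normalize_url(f"{scheme}://{host_header}{request_target}")


def classify(url: str) -> Optional[str]:
    """Return 'url' for an exact-URL hit, 'host' if the host or any parent
    domain (excluding the bare TLD) is blacklisted, else None."""
    norm = normalize_url(url)
    if norm in BLACKLIST_URLS:
        return "url"
    labels = (urlsplit(norm).hostname or "").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in BLACKLIST_HOSTS:
            return "host"
    return None


# Constructed capture records: (timestamp, client IP, Host header, request-target)
SAMPLE_REQUESTS = [
    ("2013-02-01T10:02:11", "10.0.0.5", "www.example.org", "/index.html"),
    ("2013-02-01T10:03:40", "10.0.0.7", "LOGIN-EXAMPLE.test:80", "/secure/update.php"),
    ("2013-02-01T11:15:02", "10.0.0.5", "cdn.malware-dl.test", "/pkg/setup.exe"),
    ("2013-02-01T11:15:03", "10.0.0.9", "malware-dl.test", ""),
    ("2013-02-01T12:40:19", "10.0.0.7", "www.example.org", "/about"),
]


def scan(records):
    """Check every captured request; return (hits, hits per hour)."""
    hits = []
    per_hour = Counter()
    for ts, client, host, target in records:
        url = request_url(host, target)
        kind = classify(url)
        if kind:
            hits.append((ts, client, url, kind))
            hour = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
            per_hour[hour] += 1
    return hits, per_hour


if __name__ == "__main__":
    found, hourly = scan(SAMPLE_REQUESTS)
    for hit in found:
        print(*hit)
    for hour, n in sorted(hourly.items()):
        print(hour, n)
```

Set lookups keep the per-request cost constant regardless of blacklist size, which is what makes checking on the order of a billion URLs feasible; the parent-domain walk is bounded by the number of labels in the hostname.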







Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Lianjie Cao (1)
  • Thibaut Probst (2)
  • Ramana Kompella (1)
  1. Purdue University, West Lafayette, USA
  2. INSA de Toulouse, Toulouse, France
