MalWebID: Autodetection and Identification of Malicious Web Hosts Through Live Traffic Analysis

Author: Nichols, Tony
Date: 2013-03
Advisors: Beverly, Robert; Xie, Geoffrey
Abstract
This thesis investigates the ability of recently devised packet-level Transmission Control Protocol (TCP) transport classifiers to discover abusive traffic flows, especially those not found via traditional methods such as signatures and real-time blocklists. Transport classification is designed to identify hosts considered to be part of abusive infrastructure without deep packet inspection. A particular focus is to understand the applicability of such methods to live, real-world network traffic obtained from the Naval Postgraduate School campus enterprise network. This research evaluates both how consistent and how complementary transport traffic classification is with known blocklists. In particular, the system has a 97.8% average accuracy with respect to blocklist ground truth, while also correctly identifying 94% of flows to abusive hosts unknown to the blocklists, as verified through manual sampling.