Detecting Malicious Websites by Query Templates

With the development of the Internet, web content is exponentially increasing. Along with this, web-based attacks such as drive-by download attacks and phishing have grown year on year. To prevent such attacks, URL blacklists are widely used. However, URL blacklists are not enough because they lack the ability to detect newly generated malicious URLs. In this paper, we propose an automatic query template generation method to detect malicious websites. Our method focus on URL query strings that contained similarities on malicious website groups. Additionally, we evaluate our proposed method with large-scale dataset and verify effectiveness. Consequently, our proposed method can grasp the characteristics of malicious campaigns; it can detect 11,292 malicious unique domains not detected by Google Safe Browsing. Moreover, our method achieved high precision in the seven months of experiments.