Countermeasure against Drive by Download Attack by Analyzing Domain Information

In recent years, malware infections by Drive by Download (DbD) attacks carried out with the cooperation of malicious web sites have caused serious damage. The blacklist method is a current typical countermeasure that blocks access to a malicious web site registered to a blacklist when the user's PC does a redirect. However, the attacker can install malicious web sites one after another, and it is impossible to add the malicious web sites to the blacklist immediately. Thereby, countermeasures against new malicious web sites are difficult using this method. To cope with this issue, we propose a method that utilizes a support vector machine (SVM) and the data in a domain name system (DNS) to identify the domain used in the DbD attack. The result of an experiment showed a detection rate of 92.75%.