Thijs Kinkhorst and Michael van Kleij have achieved a big improvement in the detection of drive-by infections through browser exploits. The two Dutch students have devised a method to inspect HTTP network traffic with rulesets to determine if an attack has taken place.
In their research, they analyzed a number of attacks and their characteristics, like host name, TCP port, IP address, user agent strings, request URLs, redirection and so on. They applied a scoring mechanism with rules quite similar to the detection rules of modern spam filters. These rules correctly determined in 14 out of 15 cases whether an attack was taking place.
The research is based on a month's worth of data, so the rules are probably not 100% future proof. As we know from spam filter rules, they constantly need to be revised to stay one step ahead of the game.
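As an added illustration of the spam-filter style scoring described above (this is not the students' ruleset or code), the following Python sketch scores HTTP request records against a list of weighted rules and flags a record when its total crosses a threshold. Every rule name, weight, the threshold, the allow/block lists and the two sample records are constructed assumptions; the rules are kept as plain data so they can be revised as the post says they must be.

```python
# Added example: rule-based scoring of HTTP request records, in the spirit of
# the spam-filter style detection the post describes. Rule names, weights,
# threshold, lists and sample records are all constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List, Tuple
import ipaddress
import re


@dataclass
class HttpRecord:
    """One observed HTTP request plus the features the post lists."""
    host: str            # host name (or raw IP) from the request
    port: int            # TCP port the request went to
    ip: str              # server IP address
    user_agent: str      # client User-Agent header
    url: str             # full request URL
    redirect_depth: int  # how many redirects led to this request
    content_type: str    # Content-Type of the response


@dataclass
class Rule:
    name: str
    weight: float        # positive = suspicious, negative = reassuring
    test: Callable[[HttpRecord], bool]


# Constructed lists; in a real deployment these come from a maintained feed.
ALLOWLIST_SUFFIXES = ("example.com", "example.org")
BLOCKLIST_IPS = {"203.0.113.5"}          # TEST-NET address, placeholder only
ATTACK_THRESHOLD = 5.0                   # assumed cut-off, like a spam score


def host_is_raw_ip(r: HttpRecord) -> bool:
    try:
        ipaddress.ip_address(r.host)
        return True
    except ValueError:
        return False


RULES: List[Rule] = [
    Rule("HOST_IS_RAW_IP", 2.0, host_is_raw_ip),
    Rule("NONSTANDARD_PORT", 1.5, lambda r: r.port not in (80, 443, 8080)),
    Rule("LONG_REDIRECT_CHAIN", 2.0, lambda r: r.redirect_depth >= 3),
    Rule("EXECUTABLE_CONTENT", 3.0,
         lambda r: r.content_type in ("application/x-msdownload",
                                      "application/octet-stream")),
    Rule("UNCOMMON_USER_AGENT", 1.0,
         lambda r: not re.match(r"^Mozilla/\d", r.user_agent)),
    Rule("OBFUSCATED_QUERY", 1.5,
         lambda r: len(r.url.partition("?")[2]) > 60),
    Rule("IP_ON_BLOCKLIST", 4.0, lambda r: r.ip in BLOCKLIST_IPS),
    Rule("KNOWN_GOOD_HOST", -3.0,
         lambda r: r.host.endswith(ALLOWLIST_SUFFIXES)),
]


def score_record(r: HttpRecord) -> Tuple[float, List[str]]:
    """Sum the weights of all matching rules; also return which ones fired."""
    total = 0.0
    fired = []
    for rule in RULES:
        if rule.test(r):
            total += rule.weight
            fired.append(rule.name)
    return total, fired


def is_attack(r: HttpRecord) -> bool:
    return score_record(r)[0] >= ATTACK_THRESHOLD


# Constructed sample records (documentation-only names and TEST-NET addresses).
BENIGN = HttpRecord(
    host="www.example.com", port=80, ip="192.0.2.10",
    user_agent="Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/3.0",
    url="http://www.example.com/index.html", redirect_depth=0,
    content_type="text/html")

SUSPICIOUS = HttpRecord(
    host="198.51.100.23", port=8090, ip="198.51.100.23",
    user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    url="http://198.51.100.23:8090/load.php?id=" + "x" * 64,
    redirect_depth=3, content_type="application/octet-stream")

if __name__ == "__main__":
    for label, rec in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        total, fired = score_record(rec)
        print(f"{label}: score={total} attack={is_attack(rec)} rules={fired}")
```

The point of keeping rules as a data list is the one the post makes about spam filters: weights can be retuned and rules added or retired against fresh traffic without touching the scoring loop, and the list of fired rule names gives an analyst the reason behind each verdict.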
The next step
I think someone should take this and implement a browser plugin with a central ruleset for the detection of drive-by infections. The Firefox browser would be a good candidate, but it should also be possible to develop a plugin for other browsers, like Safari or Internet Explorer.
View the report.