
Development and Evaluation of Behavioral Models for the Detection of Malicious Web Accesses

Francesco Gallo

Development and Evaluation of Behavioral Models for the Detection of Malicious Web Accesses.

Supervisors: Marco Mellia, Nikhil Jha. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2025

License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

In recent decades, Internet services have become an essential component of modern society, providing a wide spectrum of applications. The diversity of users, some of whom have limited security knowledge, increases the likelihood of accessing malicious websites, specifically developed by attackers to steal sensitive information, money, or personal data. Traditional defense countermeasures, such as blocklists - manually curated lists of known malicious domains maintained by specialized companies - rely on comparing a website's identifier against those contained within the blocklist. Although this approach is widely adopted, it is purely reactive: it protects users only after the malicious site has been detected and included in the list. To overcome this limitation, smart blocklists have been proposed. These rely on algorithms, heuristics or machine learning models that evaluate features of a web resource to classify it as malicious or benign. However, because these characteristics are directly linked to the resource itself, attackers can deliberately manipulate them to avoid detection. This thesis explores an alternative approach: instead of analyzing the intrinsic characteristics of a website, it examines the possibility of classifying a web resource by evaluating users' specific navigational patterns. In other words, the idea is to demonstrate that a malicious access is not isolated from the accesses that precede it; on the contrary, it is strongly correlated with them and can therefore be predicted. To validate this idea, we developed a behavioral recognition model starting from a dataset of real users' browsing histories. The work starts with the collection and evaluation of open-source blocklists in order to understand their reliability and the extent of false positives. On this basis, we labeled the browsing data and extracted relevant features, which were then used to train and compare different machine learning models.
The results show that behavioral models can effectively distinguish malicious from benign accesses, providing preventive protection that is more robust than both traditional blocklists and smart blocklists. This work represents a step toward more resilient online security solutions, capable of anticipating attacks rather than merely reacting to them.

Supervisors: Marco Mellia, Nikhil Jha
Academic year: 2025/26
Publication type: Electronic
Number of pages: 71
Subjects:
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - COMPUTER ENGINEERING
Collaborating companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/37672