As the Internet becomes more widespread, new features are constantly being added to increase communication between systems. However, these new features are often hidden from the view of users. For example, rendering a web page of a website within a domain may include (1) a request for a resource from a different domain, (2) executing a script (e.g., JavaScript) in the web page that causes a communication to be sent to a different domain, and/or (3) a redirection to a different web page hosted on a different domain. As a result, a final state of a web page is often what is deemed as malicious. However, identifying the final state of the web page as malicious may miss a source of the malicious behavior when there is a different web page that is used by several web pages during rendering, the different web page being the true source of the malicious behavior. Therefore, there is a need in the art to detect sources of malicious behavior.