The behavior analysis engine can also detect malicious network addresses that are sent to networked devices in the local network. The network traffic hub identifies network communications that are transmitted through the local network that contain network addresses. The network traffic hub transmits (or sends) the network address to the behavior analysis engine and the behavior analysis engine extracts network address features from the network address. The behavior analysis engine then applies an execution model to the execution features to determine a confidence score for the network address that represents the execution model's certainty that the network address is malicious. The behavior analysis engine uses the confidence score to provide instructions to the network traffic hub as to whether to allow the networked device to receive the network address.