An Approach to Detect Drive-By Download by Observing the Web Page Transition Behaviors

Matsunaka, Takashi; Kubota, Ayumu; Kasama, Takahiro

doi:10.1109/asiajcis.2014.21

Cited by 8 publications

(3 citation statements)

References 5 publications

(11 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The small sample size in Matsunaka et al (2014) may be problematic, and, URLs accessed within 2 seconds are labelled as related, but URLs accessed after user interaction, e.g. moving the mouse, labelled as initial entry points (potentially incorrectly).…”

Section: Related Workmentioning

confidence: 99%

LSTM RNN: detecting exploit kits using redirection chain sequences

et al. 2021

View full text Add to dashboard Cite

While consumers use the web to perform routine activities, they are under the constant threat of attack from malicious websites. Even when visiting ‘trusted’ sites, there is always a risk that site is compromised, and, hosting a malicious script. In this scenario, the injected script would typically force the victim’s browser to undergo a series of redirects before reaching an attacker-controlled domain, which, delivers the actual malware. Although these malicious redirection chains aim to frustrate detection and analysis efforts, they could be used to help identify web-based attacks. Building upon previous work, this paper presents the first known application of a Long Short-Term Memory (LSTM) network to detect Exploit Kit (EK) traffic, utilising the structure of HTTP redirects. Samples are processed as sequences, where each timestep represents a redirect and contains a unique combination of 48 features. The experiment is conducted using a ground-truth dataset of 1279 EK and 5910 benign redirection chains. Hyper-parameters are tuned via K-fold cross-validation (5f-CV), with the optimal configuration achieving an F1 score of 0.9878 against the unseen test set. Furthermore, we compare the results of isolated feature categories to assess their importance.

show abstract

Section: Related Workmentioning

confidence: 99%

LSTM RNN: detecting exploit kits using redirection chain sequences

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Matsunaka et al [26] proposed a Framework for Countering Drive-by Download (FCDBD) which consists of monitoring sensors on the client-side (browser, web proxy and DNS), and, an analysis centre on the server-side. FCDBD identifies executable file downloads and classifies as malicious if the download URL is not present in any of the preceding HTTP headers or HTML/JS content.…”

Section: Related Workmentioning

confidence: 99%

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

Burgess

Carlin

O’Kane

et al. 2020

2020 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

This paper proposes REdiREKT, a system which utilises the open-source Zeek Intrusion Detection System (IDS) to map HTTP redirection chains observed in Exploit Kit (EK) attacks and extracts distinguishing features to assist machine learning (ML). We build a ground-truth dataset of EK samples, ensuring that the redirection chains for every sample are accurate and reusable in future experiments. By processing a unique combination of 9 redirection techniques, REdiREKT was able to correctly extract 96.52% of malicious domains from 1279 EK samples, spanning 28 families and 8 campaigns, and, only failed to extract 0.7% of malicious chains. Using the VirusTotal API to filter out domains flagged as malicious, we build a benign dataset from the Alexa top 10k websites, extracting 12,783 domains from 5910 redirection chains. The malicious redirection data is divided into yearly and familybased categories and compared to the benign results. Based on our analysis of the collected data, we extract and store 48 key features from websites within the redirection chains that could aid future ML-based detection efforts. Finally, we evaluate the performance of REdiREKT, compare it with existing research, and, suggest use-cases and future areas of work.

show abstract

“…Matsunaka et al [23] proposed FCDBD that includes monitoring sensors on the client side and analysis center on the network. The sensors include web browsers, web sensors or DNS sensors.…”

Section: Approach To Detect Drive-by Download Based On Charactersmentioning

confidence: 99%

Detection and Analysis of Drive-by Downloads and Malicious Websites

Ibrahim

Herami

Naqbi

et al. 2020

Communications in Computer and Information Science

View full text Add to dashboard Cite

A drive-by download is a download that occurs without users action or knowledge. It usually triggers an exploit of vulnerability in a browser to downloads an unknown file. The malicious program in the downloaded file installs itself on the victims machine. Moreover, the downloaded file can be camouflaged as an installer that would further install malicious software. Drive-by downloads is a very good example of the exponential increase in malicious activity over the Internet and how it affects the daily use of the web. In this paper, we try to address the problem caused by drive-by downloads from different standpoints. We provide in-depth understanding of the difficulties in dealing with drive-by downloads and suggest appropriate solutions. We propose machine learning and feature selection solutions to remedy the drive-by download problem. Experimental results reported 98.2% precision, 98.2% F-Measure and 97.2% ROC area.

show abstract

An Approach to Detect Drive-By Download by Observing the Web Page Transition Behaviors

Cited by 8 publications

References 5 publications

LSTM RNN: detecting exploit kits using redirection chain sequences

LSTM RNN: detecting exploit kits using redirection chain sequences

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

Detection and Analysis of Drive-by Downloads and Malicious Websites

Contact Info

Product

Resources

About