Exploit Kit Website Detection Using HTTP Proxy Logs

Nikolaev, Ivan; Grill, Martin; Valeros, Veronica

doi:10.1145/3033288.3033354

Cited by 7 publications

(9 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One of the main goals of this project was to collect a dataset of features for ML, so this is a primary focus area for future research. Some existing research use similar features to those currently collected by REdiREKT [18], [21] but these experiments typically focus on identifying a malicious URL rather than a malicious chain. Those which do consider redirections, only extract node-based features from the domain which delivers the exploit/malware.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

Burgess

Carlin

O’Kane

et al. 2020

2020 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

This paper proposes REdiREKT, a system which utilises the open-source Zeek Intrusion Detection System (IDS) to map HTTP redirection chains observed in Exploit Kit (EK) attacks and extracts distinguishing features to assist machine learning (ML). We build a ground-truth dataset of EK samples, ensuring that the redirection chains for every sample are accurate and reusable in future experiments. By processing a unique combination of 9 redirection techniques, REdiREKT was able to correctly extract 96.52% of malicious domains from 1279 EK samples, spanning 28 families and 8 campaigns, and, only failed to extract 0.7% of malicious chains. Using the VirusTotal API to filter out domains flagged as malicious, we build a benign dataset from the Alexa top 10k websites, extracting 12,783 domains from 5910 redirection chains. The malicious redirection data is divided into yearly and familybased categories and compared to the benign results. Based on our analysis of the collected data, we extract and store 48 key features from websites within the redirection chains that could aid future ML-based detection efforts. Finally, we evaluate the performance of REdiREKT, compare it with existing research, and, suggest use-cases and future areas of work.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Nikolaev et al [18] presented a method of detecting EKs using features solely obtained from HTTP proxy logs, which are commonly available to organisations. The system was tested against HTTP logs from 200+ networks of various sizes over 6 months, identifying hundreds of EKs with 99% precision.…”

Section: Related Workmentioning

confidence: 99%

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

Burgess

Carlin

O’Kane

et al. 2020

2020 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

show abstract

“…Towards this direction, Nikolaev et al [25] present a method that detects EKs' by deploying traits entirely from HTTP proxy logs. Five traits were extracted from the HTTP proxy logs and fed in the detection algorithm and used regular expressions to classify the malicious activities in one of the following EK families: Angler, Neutrino, and Rig.…”

Section: Network Trafficmentioning

confidence: 99%

EKnad: Exploit Kits’ network activity detection

Bountakas

Ntantogian

Xenakis

2022

Future Generation Computer Systems

View full text Add to dashboard Cite

“…The existing works have potential limitations or contrasting properties that distinguish it from this experiment. Nikolaev et al (2016) aims to detect a single malicious flow rather than chain of redirections, ignores content-based redirects and fails to properly validate dataset. Similarly, (Harnmetta and Ngamsuriyaroj 2018) focuses on individual network flows rather than the full sequence of flows that make up an EK attack.…”

Section: Related Workmentioning

confidence: 99%

LSTM RNN: detecting exploit kits using redirection chain sequences

et al. 2021

View full text Add to dashboard Cite

While consumers use the web to perform routine activities, they are under the constant threat of attack from malicious websites. Even when visiting ‘trusted’ sites, there is always a risk that site is compromised, and, hosting a malicious script. In this scenario, the injected script would typically force the victim’s browser to undergo a series of redirects before reaching an attacker-controlled domain, which, delivers the actual malware. Although these malicious redirection chains aim to frustrate detection and analysis efforts, they could be used to help identify web-based attacks. Building upon previous work, this paper presents the first known application of a Long Short-Term Memory (LSTM) network to detect Exploit Kit (EK) traffic, utilising the structure of HTTP redirects. Samples are processed as sequences, where each timestep represents a redirect and contains a unique combination of 48 features. The experiment is conducted using a ground-truth dataset of 1279 EK and 5910 benign redirection chains. Hyper-parameters are tuned via K-fold cross-validation (5f-CV), with the optimal configuration achieving an F1 score of 0.9878 against the unseen test set. Furthermore, we compare the results of isolated feature categories to assess their importance.

show abstract

Exploit Kit Website Detection Using HTTP Proxy Logs

Cited by 7 publications

References 7 publications

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

EKnad: Exploit Kits’ network activity detection

LSTM RNN: detecting exploit kits using redirection chain sequences

Contact Info

Product

Resources

About