Identifying Evasive Code in Malicious Websites by Analyzing Redirection Differences

Takata, Yuta; Akiyama, Mitoshi; Yagi, T.; Hariu, Takeo; Ohkubo, Kazuhiko; Goto, Shigeki

doi:10.1587/transinf.2017icp0005

Cited by 4 publications

(5 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We conclude that only considering the features of the domain which delivers the exploit leads to the loss of important data. Research focusing on the malicious redirection chains [17], [24]- [30] have slightly different goals or methods, as described in section III.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

Burgess

Carlin

O’Kane

et al. 2020

2020 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

This paper proposes REdiREKT, a system which utilises the open-source Zeek Intrusion Detection System (IDS) to map HTTP redirection chains observed in Exploit Kit (EK) attacks and extracts distinguishing features to assist machine learning (ML). We build a ground-truth dataset of EK samples, ensuring that the redirection chains for every sample are accurate and reusable in future experiments. By processing a unique combination of 9 redirection techniques, REdiREKT was able to correctly extract 96.52% of malicious domains from 1279 EK samples, spanning 28 families and 8 campaigns, and, only failed to extract 0.7% of malicious chains. Using the VirusTotal API to filter out domains flagged as malicious, we build a benign dataset from the Alexa top 10k websites, extracting 12,783 domains from 5910 redirection chains. The malicious redirection data is divided into yearly and familybased categories and compared to the benign results. Based on our analysis of the collected data, we extract and store 48 key features from websites within the redirection chains that could aid future ML-based detection efforts. Finally, we evaluate the performance of REdiREKT, compare it with existing research, and, suggest use-cases and future areas of work.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Takata et al [17] crawled 20,272 malicious websites over 4 years, extracting 8467 JS samples. They visited each website with a browser emulator (honeyclient), and, a real browser (targeted client) with different JS implementations.…”

Section: Related Workmentioning

confidence: 99%

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

Burgess

Carlin

O’Kane

et al. 2020

2020 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

show abstract

“…The small dataset used in Nagai et al (2019) misses many high profile EKs (Angler, Nuclear, Neutrino, Rig, Fiesta), and, modelling redirects based on time alone is problematic. Redirection chains are mapped in Takata et al (2018), but, content-based redirects are not considered. Shibahara et al (2019) models redirections irrespective of occurrence, e.g.…”

Section: Related Workmentioning

confidence: 99%

LSTM RNN: detecting exploit kits using redirection chain sequences

et al. 2021

View full text Add to dashboard Cite

While consumers use the web to perform routine activities, they are under the constant threat of attack from malicious websites. Even when visiting ‘trusted’ sites, there is always a risk that site is compromised, and, hosting a malicious script. In this scenario, the injected script would typically force the victim’s browser to undergo a series of redirects before reaching an attacker-controlled domain, which, delivers the actual malware. Although these malicious redirection chains aim to frustrate detection and analysis efforts, they could be used to help identify web-based attacks. Building upon previous work, this paper presents the first known application of a Long Short-Term Memory (LSTM) network to detect Exploit Kit (EK) traffic, utilising the structure of HTTP redirects. Samples are processed as sequences, where each timestep represents a redirect and contains a unique combination of 48 features. The experiment is conducted using a ground-truth dataset of 1279 EK and 5910 benign redirection chains. Hyper-parameters are tuned via K-fold cross-validation (5f-CV), with the optimal configuration achieving an F1 score of 0.9878 against the unseen test set. Furthermore, we compare the results of isolated feature categories to assess their importance.

show abstract

“…Altay et al 17 proposed a context‐sensitive and keyword density‐based method by using three machine learning techniques. Compared with the dynamic method of virtual machine real‐time detection 24,25 and honeypot system, 26 the static method based on machine learning can effectively detect unknown malicious web pages, and can avoid costly in‐depth analysis for all webpages.…”

Section: Background and Related Workmentioning

confidence: 99%

MMWD: An efficient mobile malicious webpage detection framework based on deep learning and edge cloud

Liu

Zhu

et al. 2021

Concurrency and Computation

View full text Add to dashboard Cite

In recent years, with the rapid development of mobile social networks and services, the research of mobile malicious webpage detection has become a hot topic. Most of the existing malicious webpage detection systems are deployed on desktop systems and servers. Due to the limitation of network transmission delay and computing resources, these existing solutions fail to provide the real‐time and lightweight properties for mobile webpage detection. In this paper, we propose an advanced mobile malicious webpage detection framework based on deep learning and edge cloud. Inspired by the idea of edge computing, a multidevice load optimization approach is first introduced to improve detection efficiency. Second, an automatic extraction approach based on deep learning model features is presented to enhance detection accuracy. Furthermore, detection systems can be flexibly deployed on edge nodes and servers, thus providing the properties of resource optimization deployment and real‐time detection. Finally, comparative analysis and performance evaluation are presented to show the detection efficiency and accuracy of the proposed framework.

show abstract

Identifying Evasive Code in Malicious Websites by Analyzing Redirection Differences

Cited by 4 publications

References 22 publications

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

LSTM RNN: detecting exploit kits using redirection chain sequences

MMWD: An efficient mobile malicious webpage detection framework based on deep learning and edge cloud

Contact Info

Product

Resources

About