论文信息 - Exploit Kit Website Detection Using HTTP Proxy Logs

Exploit Kit Website Detection Using HTTP Proxy Logs

Exploit kits are software toolkits that are used for widespread malware distribution via automated infection of victims' computers through Internet web pages. They are extremely hard to detect as they constantly evolve by frequently changing the hosted domains and URL patterns which draws any signature-based detection ineffective. In this paper we analyse common exploit kit characteristics and propose a detection method that relies solely on the information extracted from HTTP proxy logs that are commonly available in most enterprise networks. Our method leverages exploit kit characteristics that are common across different exploit kit families and are unlikely to change as they are crucial for the exploitation process. We perform two sets of experiments to evaluate the efficacy of the proposed method. The first set uses network traces of a number of publicly available malicious samples to estimate recall of the proposed method. Second set of experiments uses real network traffic collected in large number of corporate networks to estimate the precision. Both sets of experiments show satisfying performance of the algorithm.

Martin Grill | Veronica Valeros | Ivan Nikolaev

[1] Benjamin Livshits,et al. Kizzle: A Signature Compiler for Detecting Exploit Kits , 2016, 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[2] Jeanna Neefe Matthews,et al. It's you on photo?: Automatic detection of Twitter accounts infected with the Blackhole Exploit Kit , 2013, 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE).

[3] Ben Zorn,et al. Kizzle: A Signature Compiler for Exploit Kits , 2017 .

[4] Stefan Savage,et al. Manufacturing compromise: the emergence of exploit-as-a-service , 2012, CCS.

[5] V. N. Venkatakrishnan,et al. WebWinnow: leveraging exploit kit workflows to detect malicious urls , 2014, CODASPY '14.

[6] References , 1971 .

[7] Gianluca Stringhini,et al. Shady paths: leveraging surfing crowds to detect malicious web pages , 2013, CCS.

[8] Jiyong Jang,et al. Detecting Malicious Exploit Kits using Tree-based Similarity Searches , 2016, CODASPY.

[9] Fabio Massacci,et al. Anatomy of Exploit Kits - Preliminary Analysis of Exploit Kits as Software Artefacts , 2013, ESSoS.

[10] Elizabeth Smither,et al. The Blue Coat , 2013 .