Abstract
While consumers use the web to perform routine activities, they are under constant threat of attack from malicious websites. Even when visiting 'trusted' sites, there is always a risk that the site is compromised and hosting a malicious script. In this scenario, the injected script typically forces the victim's browser through a series of redirects before it reaches an attacker-controlled domain, which delivers the actual malware. Although these malicious redirection chains aim to frustrate detection and analysis efforts, they can be used to help identify web-based attacks. Building upon previous work, this paper presents the first known application of a Long Short-Term Memory (LSTM) network to detect Exploit Kit (EK) traffic, utilising the structure of HTTP redirects. The ground-truth dataset contains 1279 EK and 5910 benign redirection chains. Samples are processed as sequences, where each timestep represents a redirect and contains a unique combination of 48 features. Hyper-parameters are tuned via 5-fold cross-validation (5f-CV), with the optimal configuration achieving an F1 score of 0.9878 against the unseen test set. Furthermore, we compare the results of isolated feature categories to assess their importance.
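The abstract describes the data representation the LSTM consumes: a redirection chain becomes a sequence in which each hop (timestep) carries a feature vector, chains are padded to a common length, hyper-parameters are chosen by 5-fold cross-validation, and the classifier is scored with F1. The following is an added example, not code from the paper or its authors, showing that pipeline in pure Python: the per-hop features, the sample chains and the `hop_features`, `pad_sequences`, `stratified_kfold` and `f1_score` helpers are all assumptions for illustration; the paper's 48 features are not reproduced. The LSTM itself is left to whatever framework you use; the example stops at the padded tensor and mask it would be given.

```python
"""Added example (not the paper's code): HTTP redirection chain -> padded sequence of
per-hop feature vectors for an LSTM, plus stratified 5-fold CV splitting and F1 scoring.
Feature set and sample chains are constructed for illustration only."""
import ipaddress
import random
from urllib.parse import urlsplit

# Constructed sample chains: (list of (status_code, url) hops, label), label 1 = EK-like.
# These are illustrative, not data from the paper.
SAMPLE_CHAINS = [
    ([(200, "https://news.example.com/article/1"),
      (302, "http://ads.example-tracker.net/r?id=abc"),
      (302, "http://203.0.113.7:8080/gate.php?x=1"),
      (200, "http://cdn.landing-host.example/landing/index.php")], 1),
    ([(200, "https://shop.example.org/"),
      (301, "https://www.shop.example.org/")], 0),
]

# Assumed, illustrative per-hop features (the paper uses 48 features, not shown here).
FEATURE_NAMES = ["status_3xx", "host_changed", "scheme_downgraded", "label_count",
                 "path_depth", "query_len", "ip_literal_host", "nonstandard_port"]


def hop_features(status, url, prev_url=None):
    """One timestep: structural features of this hop relative to the previous one."""
    p = urlsplit(url)
    host = p.hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = 1
    except ValueError:
        is_ip = 0
    prev = urlsplit(prev_url) if prev_url else None
    return [
        1 if 300 <= status < 400 else 0,                                   # redirect status
        1 if prev and prev.hostname != host else 0,                        # hop crossed hosts
        1 if prev and prev.scheme == "https" and p.scheme == "http" else 0,  # HTTPS -> HTTP
        len(host.split(".")) if host else 0,                               # hostname labels
        len([s for s in p.path.split("/") if s]),                          # path segments
        len(p.query),                                                      # query length
        is_ip,                                                             # IP-literal host
        1 if p.port not in (None, 80, 443) else 0,                         # unusual port
    ]


def chain_to_sequence(chain):
    """Whole chain -> list of feature vectors, one per redirect (timestep)."""
    seq, prev = [], None
    for status, url in chain:
        seq.append(hop_features(status, url, prev))
        prev = url
    return seq


def pad_sequences(seqs, max_len=None):
    """Left-pad with zero vectors to a fixed length; the mask marks real timesteps
    so a masking-aware LSTM layer ignores the padding."""
    n_feat = len(FEATURE_NAMES)
    max_len = max_len or max(len(s) for s in seqs)
    padded, masks = [], []
    for s in seqs:
        s = s[-max_len:]                      # keep the tail: the landing hop matters most
        pad = max_len - len(s)
        padded.append([[0] * n_feat for _ in range(pad)] + s)
        masks.append([0] * pad + [1] * len(s))
    return padded, masks


def stratified_kfold(labels, k=5, seed=0):
    """Yield (train_idx, test_idx) pairs preserving the EK/benign ratio per fold,
    the kind of split used when tuning hyper-parameters by 5f-CV."""
    rng = random.Random(seed)
    by_class = {}
    for i, y in enumerate(labels):
        by_class.setdefault(y, []).append(i)
    folds = [[] for _ in range(k)]
    for idxs in by_class.values():
        rng.shuffle(idxs)
        for j, i in enumerate(idxs):
            folds[j % k].append(i)
    for f in range(k):
        test = sorted(folds[f])
        train = sorted(i for g in range(k) if g != f for i in folds[g])
        yield train, test


def f1_score(y_true, y_pred):
    """F1 on the positive (EK) class: harmonic mean of precision and recall."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


if __name__ == "__main__":
    seqs = [chain_to_sequence(c) for c, _ in SAMPLE_CHAINS]
    x, mask = pad_sequences(seqs)
    for row, m in zip(x, mask):
        print(m, row)
```

Each chain becomes a (timesteps x features) matrix; the mask lets the recurrent layer skip the zero rows, so a two-hop benign chain and a four-hop EK chain can share one batch without the padding being read as "a redirect with no features". Stratified folds matter here because the dataset is imbalanced (1279 EK vs 5910 benign); a plain random split can leave a fold with too few EK chains to estimate F1 reliably.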
| Original language | English |
|---|---|
| Article number | 25 |
| Number of pages | 15 |
| Journal | Cybersecurity |
| Volume | 4 |
| DOIs | |
| Publication status | Published - 12 Jul 2021 |
Keywords
- Exploit Kits
- Malware
- LSTM
- Deep Learning
Title: LSTM RNN: Detecting Exploit Kits using Redirection Chain Sequences

Student theses
- Investigation of browser and web-based threats. Burgess, J. (Author), McLaughlin, K. (Supervisor) & Sezer, S. (Supervisor), Jul 2023. Student thesis: Doctoral Thesis, Doctor of Philosophy.