LSTM RNN: Detecting Exploit Kits using Redirection Chain Sequences

Jonah Burgess, Philip O'Kane, Sakir Sezer, Domhnall Carlin

Research output: Contribution to journalArticlepeer-review

205 Downloads (Pure)


While consumers use the web to perform routine activities, they are under the constant threat of attack from malicious websites. Even when visiting `trusted' sites, there is always a risk that site is compromised, and, hosting a malicious script. In this scenario, the injected script would typically force the victim's browser to undergo a series of redirects before reaching an attacker-controlled domain, which, delivers the actual malware. Although these malicious redirection chains aim to frustrate detection and analysis efforts, they could be used to help identify web-based attacks. Building upon previous work, this paper presents the first known application of a Long Short-Term Memory (LSTM) network to detect Exploit Kit (EK) traffic, utilising the structure of HTTP redirects. The ground-truth dataset contains 1279 EK and 5910 benign redirection chains. Samples are processed as sequences, where each timestep represents a redirect and contains a unique combination of 48 features. Hyper-parameters are tuned via K-fold cross-validation (5f-CV), with the optimal configuration achieving an F1 score of 0.9878 against the unseen test set. Furthermore, we compare the results of isolated feature categories to assess their importance.
Original languageEnglish
Article number25
Number of pages15
Publication statusPublished - 12 Jul 2021


  • Exploit Kits
  • Malware
  • LSTM
  • Deep Learning


Dive into the research topics of 'LSTM RNN: Detecting Exploit Kits using Redirection Chain Sequences'. Together they form a unique fingerprint.

Cite this