While consumers use the web to perform routine activities, they are under constant threat of attack from malicious websites. Even when visiting 'trusted' sites, there is always a risk that the site has been compromised and is hosting a malicious script. In this scenario, the injected script typically forces the victim's browser through a series of redirects before it reaches an attacker-controlled domain, which delivers the actual malware. Although these malicious redirection chains are intended to frustrate detection and analysis, their structure can itself be used to identify web-based attacks. Building upon previous work, this paper presents the first known application of a Long Short-Term Memory (LSTM) network to detect Exploit Kit (EK) traffic using the structure of HTTP redirects. The ground-truth dataset contains 1279 EK and 5910 benign redirection chains. Samples are processed as sequences, where each timestep represents one redirect and holds a unique combination of 48 features. Hyper-parameters are tuned via 5-fold cross-validation (5f-CV), and the optimal configuration achieves an F1 score of 0.9878 on the unseen test set. Furthermore, we compare the results of isolated feature categories to assess their importance.
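To make the sequence representation described above concrete, the following is an added example (not code from the paper or its authors). It turns redirection chains into the (samples, timesteps, features) layout a recurrent model consumes one redirect per timestep, zero-pads short chains and returns a mask so padded steps can be ignored, and provides the F1 metric and a 5-fold index split of the kind used for hyper-parameter tuning. The `Hop` structure, the small per-hop feature set and the sample chains are assumptions made for illustration; the paper's 48 features are not listed on this page.

```python
"""Sequence representation of HTTP redirection chains for an LSTM classifier.

Added example, not code from the paper. The paper does not list its 48
features; the per-hop feature set below is an assumption for illustration,
as are the Hop structure and the constructed sample chains.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Hop:
    url: str
    status: int   # HTTP status code of the response at this hop
    method: str   # how the next redirect was triggered: "http", "meta" or "js"


N_FEATURES = 12  # width of the assumed per-timestep feature vector


def hop_features(hop: Hop) -> List[float]:
    """Fixed-width feature vector for one redirect (one LSTM timestep)."""
    parts = urlsplit(hop.url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        host_is_ip = 1.0           # bare-IP hosts are a common EK landing trait
    except ValueError:
        host_is_ip = 0.0
    labels = host.split(".") if host else []
    path_depth = len([p for p in parts.path.split("/") if p])
    query_params = len([q for q in parts.query.split("&") if q])
    return [
        1.0 if parts.scheme == "https" else 0.0,
        host_is_ip,
        float(len(host)),
        float(len(labels)),
        float(path_depth),
        float(query_params),
        float(sum(c.isdigit() for c in host)),
        1.0 if hop.status in (301, 302, 303, 307, 308) else 0.0,
        1.0 if hop.method == "meta" else 0.0,
        1.0 if hop.method == "js" else 0.0,
        float(len(parts.path + parts.query)),
        1.0 if re.search(r"\.(php|asp|aspx|jsp)$", parts.path, re.I) else 0.0,
    ]


def chain_to_sequence(chain: List[Hop], max_len: int) -> Tuple[List[List[float]], List[int]]:
    """Return (max_len x N_FEATURES feature matrix, mask) for one chain.

    Longer chains are truncated, shorter ones zero-padded; the mask marks real
    timesteps so the recurrent layer does not learn from the padding itself."""
    rows = [hop_features(h) for h in chain[:max_len]]
    mask = [1] * len(rows)
    while len(rows) < max_len:
        rows.append([0.0] * N_FEATURES)
        mask.append(0)
    return rows, mask


def build_dataset(chains: List[List[Hop]], labels: List[int], max_len: int):
    """Stack chains into (X, mask, y); X has shape (samples, max_len, N_FEATURES)."""
    X, M = zip(*(chain_to_sequence(c, max_len) for c in chains))
    return list(X), list(M), list(labels)


def f1_score(y_true: List[int], y_pred: List[int]) -> float:
    """F1 for the positive (EK) class; the metric the abstract reports."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def kfold_indices(n: int, k: int = 5) -> Iterator[Tuple[List[int], List[int]]]:
    """Deterministic round-robin k-fold split of sample indices (train, held-out)."""
    folds = [[] for _ in range(k)]
    for i in range(n):
        folds[i % k].append(i)
    for held_out in range(k):
        train = [i for f, fold in enumerate(folds) if f != held_out for i in fold]
        yield train, folds[held_out]


# Constructed sample chains for illustration (not from the paper's dataset).
BENIGN_CHAIN = [
    Hop("http://example.com/news", 301, "http"),
    Hop("https://www.example.com/news", 200, "http"),
]
EK_LIKE_CHAIN = [
    Hop("http://compromised.example/blog/post.php", 200, "js"),
    Hop("http://gate.example/in.php?id=3&src=7", 302, "http"),
    Hop("http://198.51.100.23/x1a9/landing.php?t=abc", 200, "meta"),
]

if __name__ == "__main__":
    X, M, y = build_dataset([BENIGN_CHAIN, EK_LIKE_CHAIN], [0, 1], max_len=5)
    print(len(X), "samples x", len(X[0]), "timesteps x", len(X[0][0]), "features")
    print("mask of EK-like chain:", M[1])
```

The mask matters in practice: a recurrent layer fed zero-padded steps without masking will still update its state on them, and chain length becomes an accidental feature. The 5-fold split is for tuning only; as in the abstract, the final F1 should be measured on a test set held out from every fold.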
Number of pages: 15
Publication status: Accepted - 28 Apr 2021
- Exploit Kits
- Deep Learning