REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

Jonah Burgess, Domhnall Carlin, Philip O'Kane, Sakir Sezer

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)
907 Downloads (Pure)


This paper proposes REdiREKT, a system which utilises the open-source Zeek Intrusion Detection System (IDS) to map HTTP redirection chains observed in Exploit Kit (EK) attacks and extracts distinguishing features to assist machine learning (ML). We build a ground-truth dataset of EK samples, ensuring that the redirection chains for every sample are accurate and reusable in future experiments. By processing a unique combination of 9 redirection techniques, REdiREKT was able to correctly extract 96.52% of malicious domains from 1279 EK samples, spanning 28 families and 8 campaigns, and, only failed to extract 0.7% of malicious chains.

Using the VirusTotal API to filter out domains flagged as malicious, we build a benign dataset from the Alexa top 10k websites, extracting 12,783 domains from 5910 redirection chains. The malicious redirection data is divided into yearly and family-based categories and compared to the benign results. Based on our analysis of the collected data, we extract and store 48 key features from websites within the redirection chains that could aid future ML-based detection efforts. Finally, we evaluate the performance of REdiREKT, compare it with existing research, and, suggest use-cases and future areas of work.
Original languageEnglish
Title of host publication2020 IEEE Conference on Communications and Network Security (CNS): Proceedings
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages9
ISBN (Electronic)978-1-7281-4760-4
ISBN (Print)978-1-7281-4761-1
Publication statusPublished - 07 Aug 2020
EventIEEE Conference on Communications and Network Security - Virtual, Avignon, France
Duration: 29 Jun 202001 Jul 2020


ConferenceIEEE Conference on Communications and Network Security
Abbreviated titleCNS 2020
Internet address


  • Exploit Kits
  • Web Security
  • Malware
  • Cyber-Security
  • Cloud Security


Dive into the research topics of 'REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic'. Together they form a unique fingerprint.

Cite this