Abstract
This paper proposes REdiREKT, a system which utilises the open-source Zeek Intrusion Detection System (IDS) to map HTTP redirection chains observed in Exploit Kit (EK) attacks and extracts distinguishing features to assist machine learning (ML). We build a ground-truth dataset of EK samples, ensuring that the redirection chains for every sample are accurate and reusable in future experiments. By processing a unique combination of 9 redirection techniques, REdiREKT was able to correctly extract 96.52% of malicious domains from 1279 EK samples, spanning 28 families and 8 campaigns, and only failed to extract 0.7% of malicious chains.
Using the VirusTotal API to filter out domains flagged as malicious, we build a benign dataset from the Alexa top 10k websites, extracting 12,783 domains from 5910 redirection chains. The malicious redirection data is divided into yearly and family-based categories and compared to the benign results. Based on our analysis of the collected data, we extract and store 48 key features from websites within the redirection chains that could aid future ML-based detection efforts. Finally, we evaluate the performance of REdiREKT, compare it with existing research, and suggest use-cases and future areas of work.
| Original language | English |
|---|---|
| Title of host publication | 2020 IEEE Conference on Communications and Network Security (CNS): Proceedings |
| Publisher | Institute of Electrical and Electronics Engineers Inc. |
| Number of pages | 9 |
| ISBN (Electronic) | 978-1-7281-4760-4 |
| ISBN (Print) | 978-1-7281-4761-1 |
| DOIs | |
| Publication status | Published - 07 Aug 2020 |
| Event | IEEE Conference on Communications and Network Security, Virtual, Avignon, France; Duration: 29 Jun 2020 → 01 Jul 2020; https://cns2020.ieee-cns.org/ |
Conference

| Conference | IEEE Conference on Communications and Network Security |
|---|---|
| Abbreviated title | CNS 2020 |
| Country/Territory | France |
| City | Avignon |
| Period | 29/06/2020 → 01/07/2020 |
| Internet address | https://cns2020.ieee-cns.org/ |
Keywords
- Exploit Kits
- Web Security
- Malware
- Cyber-Security
- Cloud Security
Datasets
- Dataset for "REdiREKT" (code and data). Burgess, J. (Creator), Queen's University Belfast, 08 Feb 2021. DOI: 10.17034/737748f3-6e7b-4dbe-af29-a9bf77a14152. Type: Dataset.
Student theses
- Investigation of browser and web-based threats. Author: Burgess, J., Jul 2023. Supervisors: McLaughlin, K. & Sezer, S. Student thesis: Doctoral Thesis › Doctor of Philosophy.