Investigation of browser and web-based threats

Jonah Burgess

School of Electronics, Electrical Engineering and Computer Science

Student thesis: Doctoral Thesis › Doctor of Philosophy

Abstract

This thesis explores the evolution of browser and web-based threats, focusing on the emerging CryptoJacking threat and the well-established Exploit Kit (EK) industry. Two ground-truth datasets are compiled for the experiments. The first is a set of 887 CryptoJacking samples comprising 11 miner families, extracted from the Alexa top 1m websites using a lightweight, static crawler and subject to manual analysis. The second is a set of 1279 EK samples compiled from network traffic samples obtained from reputable sources, representing various public and private networks, and encompassing the entire history of EK families.

Subsequently, knowledge gained from a large-scale analysis of EK samples is used to develop REdiREKT, a system that utilises the open-source Zeek Intrusion Detection System (IDS) to map HTTP redirection chains and extract distinguishing features for machine learning (ML). By processing a unique combination of 9 redirection techniques, REdiREKT correctly extracted 96.52% of malicious domains from 1279 EK samples, spanning 28 families and 8 campaigns, and only failed to extract 0.7% of malicious chains.

REdiREKT extracted 12,783 domains from 5910 redirection chains when applied to the benign dataset. A range of 48 HTTP, URL, redirect, and content-based features are subsequently extracted for each node (domain) in each redirection chain and stored appropriately to ensure the intrinsic, sequential structure is maintained. The malicious and benign features are assessed to identify common trends, as is the evolution of EK families.

Finally, the first known application of a Long Short-Term Memory (LSTM) network to detect EK traffic is presented. Samples are processed as sequences, where each timestep represents a redirect and contains a unique combination of 48 features. Hyper-parameters are tuned via 5-fold cross-validation (CV), with the optimal configuration achieving an F1 score of 0.9878 against the unseen test set. Furthermore, isolated feature categories are contrasted to assess their importance.

Date of Award	Jul 2023
Original language	English
Awarding Institution	Queen's University Belfast
Supervisor	Kieran McLaughlin (Supervisor) & Sakir Sezer (Supervisor)

Keywords

Malware detection
malware analysis
cyber-security
cybercrime
machine learning
information and technology

Cite this

Documents

Investigation of browser and web-based threats
File: application/pdf, 2.52 MB
Type: Thesis

Investigation of browser and web-based threats

Abstract

Keywords

Cite this

Documents

Links

Related content

Research output

LSTM RNN: Detecting Exploit Kits using Redirection Chain Sequences

Detecting Cryptomining Using Dynamic Analysis

REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic

You Could Be Mine(d): The Rise of Cryptojacking

MANiC: Multi-step Assessment for Crypto-miners

Datasets

Dataset for "MANiC: Multi-step Assessment for Crypto-miners"

Dataset for "REdiREKT" (code and data)