Emre Suren scite author profile

The prevalence and nonstop evolving technical sophistication of exploit kits (EKs) is one of the most challenging shifts in the modern cybercrime landscape. Over the last few years, malware infections via drive-by download attacks have been orchestrated with EK infrastructures. Malicious advertisements and compromised websites redirect victim browsers to web-based EK families that are assembled to exploit client-side vulnerabilities and finally deliver evil payloads. A key observation is that while the webpage contents have drastic differences between distinct intrusions executed through the same EK, the patterns in URL addresses stay similar. This is due to the fact that autogenerated URLs by EK platforms follow specific templates. This practice in use enables the development of an efficient system that is capable of classifying the responsible EK instances. This paper proposes novel URL features and a new technique to quickly categorize EK families with high accuracy using machine learning algorithms. Rather than analyzing each URL individually, the proposed overall URL patterns approach examines all URLs associated with an EK infection automatically. The method has been evaluated with a popular and publicly available dataset that contains 240 different real-world infection cases involving over 2250 URLs, the incidents being linked with the 4 major EK flavors that occurred throughout the year 2016. The system achieves up to 100% classification accuracy with the tested estimators.

show abstract

ZEKI: unsupervised zero-day exploit kit intelligence

Suren¹

2020

Turk J Elec Eng & Comp Sci

View full text Add to dashboard Cite

Over the last few years, exploit kits (EKs) have become the de facto medium for large-scale spread of malware.Drive-by download is the leading method that is widely used by EK flavors to exploit web-based client-side vulnerabilities.Their principal goal is to infect the victim's system with a malware. In addition, EK families evolve quickly, where they port zero-day exploits for brand new vulnerabilities that were never seen before and for which no patch exists. In this paper, we propose a novel approach for categorizing malware infection incidents conducted through EKs by leveraging the inherent "overall URL patterns" in the HTTP traffic chain. The proposed approach is based on the key finding that EKs infect victim systems using a specially designed chain, where EKs lead the web browser to download a malicious payload by issuing several HTTP requests to more than one malicious domain addresses. This practice in use enables the development of a system that is capable of clustering the responsible EK instances. The method has been evaluated with a popular and publicly available dataset that contains 240 different real-world infection cases involving over 2250 URLs, the incidents being linked with the 4 major EK flavors that occurred throughout the year 2016. The system achieves up to 93.7% clustering accuracy with the estimators experimented.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Emre Suren

ARTEMIS: An Intrusion Detection System for MQTT Attacks in Internet of Things

I see EK: A lightweight technique to reveal exploit kit family by overall URL patterns of infection chains

ZEKI: unsupervised zero-day exploit kit intelligence

Contact Info

Product

Resources

About