DbDHunter: An ensemble-based anomaly detection approach to detect drive-by download attacks

Jodavi, Mehran; Abadi, Mahdi; Parhizkar, Elham

doi:10.1109/iccke.2015.7365841

Cited by 12 publications

(7 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Anomaly detection approach [8] have been used to detect DBD. According to [19], attacks by DBDs make use of browser exploit packs (BEPs) that are deployed on compromised servers to spread malware. BEPs that are widely used include sweet orange, Black Hole, Angler, Nuclear, Sakura, Fiesta, Hunter, Magnitude and Styx.…”

Section: Drive-by Download As a Large Scale Web Attacksmentioning

confidence: 99%

Detection and Analysis of Drive-by Downloads and Malicious Websites

Ibrahim

Herami

Naqbi

et al. 2020

Communications in Computer and Information Science

View full text Add to dashboard Cite

A drive-by download is a download that occurs without users action or knowledge. It usually triggers an exploit of vulnerability in a browser to downloads an unknown file. The malicious program in the downloaded file installs itself on the victims machine. Moreover, the downloaded file can be camouflaged as an installer that would further install malicious software. Drive-by downloads is a very good example of the exponential increase in malicious activity over the Internet and how it affects the daily use of the web. In this paper, we try to address the problem caused by drive-by downloads from different standpoints. We provide in-depth understanding of the difficulties in dealing with drive-by downloads and suggest appropriate solutions. We propose machine learning and feature selection solutions to remedy the drive-by download problem. Experimental results reported 98.2% precision, 98.2% F-Measure and 97.2% ROC area.

show abstract

Section: Drive-by Download As a Large Scale Web Attacksmentioning

confidence: 99%

Detection and Analysis of Drive-by Downloads and Malicious Websites

Ibrahim

Herami

Naqbi

et al. 2020

Communications in Computer and Information Science

View full text Add to dashboard Cite

show abstract

“…Hence, many methods use additional contents to distinguish malicious traffic from seemingly benign traffic. For instance, some methods analyze JavaScript code to detect them [1].…”

Section: Related Workmentioning

confidence: 99%

“…There are many behavior-based detection methods which extract the features of malicious traffic. These methods extract the features of DbD attacks [1] or C&C traffic [2], [3], [4], and attempt to detect new malicious traffic. Many previous methods, 1 National Defense Academy, Yokosuka, Kanagawa 239-8686, Japan a) mim@nda.ac.jp however, require knowledge of how to extract feature vectors.…”

Section: Introductionmentioning

confidence: 99%

An Attempt to Read Network Traffic with Doc2vec

Mimura

2019

Journal of Information Processing

View full text Add to dashboard Cite

Detecting new malicious traffic is a challenging task. There are many behavior-based detection methods which extract the features of malicious traffic. However, many previous methods require knowledge of how to extract feature vectors. If attackers modify the attack techniques, these previous methods may have to extract new feature representation to detect them. To address this problem, neural networks can be applied to perform feature learning. Doc2vec is one of these models that learn fixed-length feature representation from variable-length documents and has been applied to proxy logs. However, some attackers still use protocols other than http or https. In this paper, we extend the previous method to a generic detection method which supports any protocol. The key idea of this research is reading network packets as a natural language. In our method, a protocol analyzer reads network packets, and summarizes the traffic. Our method extracts the feature representation from the summary with Doc2vec. We apply several classifiers to the automatically extracted feature representation, and classify traffic into benign and malicious traffic. In the fundamental experiment, the best F-measure achieves 0.98 in the timeline analysis and 0.97 in the cross-dataset validation. Furthermore, we generate imbalanced datasets which simulate actual network traffic. In the practical experiment, the best F-measure achieves 0.82 in the timeline analysis and 0.73 in the cross-dataset validation.

show abstract

“…These methods can detect only DbD attacks (e.g., Refs. [2], [3], [4]) or C&C traffic (e.g., Refs. [7], [8]).…”

Section: Introductionmentioning

confidence: 99%

“…Furthermore, many previous methods require monitoring all network traffic. For instance, [4] requires web contents to detect DbD attacks. Countless organizations, however, do not keep all network traffic because of the size.…”

Section: Introductionmentioning

confidence: 99%

Leaving All Proxy Server Logs to Paragraph Vector

Mimura

Tanaka

2018

Journal of Information Processing

View full text Add to dashboard Cite

Cyberattack techniques continue to evolve every day. Detecting unseen drive-by-download attacks or C&C traffic is a challenging task. Pattern-matching-based techniques and using malicious blacklists are not efficient anymore, because attackers easily change the traffic pattern or infrastructure to avoid detection. Therefore, many behaviorbased detection methods have been proposed, which use the immutable characteristic of the traffic. These previous methods, however, focus on the attack technique, and can only detect drive-by-download (DbD) attacks or C&C traffic which have the immutable characteristic. These traditional methods have to devise the feature vectors. This paper proposes a generic detection method, which is independent of attack methods and does not need devising feature vectors. Our method uses Paragraph Vector, an unsupervised algorithm that learns fixed-length feature representations from variable-length texts and classifiers. Our method uses Paragraph Vector to capture the context in proxy server logs. We conducted cross-validation, timeline analysis and cross-dataset validation with multiple datasets. The experimental results show our method can detect unseen DbD attacks and C&C traffic in proxy server logs. The best F-measure achieved 0.97 in the timeline analysis and 0.96 on the other dataset.

show abstract

DbDHunter: An ensemble-based anomaly detection approach to detect drive-by download attacks

Cited by 12 publications

References 13 publications

Detection and Analysis of Drive-by Downloads and Malicious Websites

Detection and Analysis of Drive-by Downloads and Malicious Websites

An Attempt to Read Network Traffic with Doc2vec

Leaving All Proxy Server Logs to Paragraph Vector

Contact Info

Product

Resources

About