SS'08 Proceedings of the 17th conference on Security symposium
Detection and analysis of drive-by-download attacks and malicious JavaScript code
Proceedings of the 19th international conference on World wide web
Cujo: efficient detection and prevention of drive-by-download attacks
Proceedings of the 26th Annual Computer Security Applications Conference
EvilSeed: A Guided Approach to Finding Malicious Web Pages
SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Manufacturing compromise: the emergence of exploit-as-a-service
Proceedings of the 2012 ACM conference on Computer and communications security
Anatomy of exploit kits: preliminary analysis of exploit kits as software artefacts
ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
Hi-index | 0.00 |
Organized cybercrime on the Internet is proliferating due to exploit kits. Attacks launched through these kits include drive-by-downloads, spam and denial-of-service. In this paper, we tackle the problem of detecting whether a given URL is hosted by an exploit kit. Through an extensive analysis of the workflows of about 40 different exploit kits, we develop an approach that uses machine learning to detect whether a given URL is hosting an exploit kit. Central to our approach is the design of distinguishing features that are drawn from the analysis of attack-centric and self-defense behaviors of exploit kits. This design is based on observations drawn from exploit kits that we installed in a laboratory setting as well as live exploit kits that were hosted on the Web. We discuss the design and implementation of a system called WEBWINNOW that is based on this approach. Extensive experiments with real world malicious URLs reveal that WEBWINNOW is highly effective in the detection of malicious URLs hosted by exploit kits with very low false-positives.