WebWinnow: leveraging exploit kit workflows to detect malicious urls

CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy Pub Date : 2014-03-03 DOI:10.1145/2557547.2557575

Birhanu Eshete, V. Venkatakrishnan

{"title":"WebWinnow: leveraging exploit kit workflows to detect malicious urls","authors":"Birhanu Eshete, V. Venkatakrishnan","doi":"10.1145/2557547.2557575","DOIUrl":null,"url":null,"abstract":"Organized cybercrime on the Internet is proliferating due to exploit kits. Attacks launched through these kits include drive-by-downloads, spam and denial-of-service. In this paper, we tackle the problem of detecting whether a given URL is hosted by an exploit kit. Through an extensive analysis of the workflows of about 40 different exploit kits, we develop an approach that uses machine learning to detect whether a given URL is hosting an exploit kit. Central to our approach is the design of distinguishing features that are drawn from the analysis of attack-centric and self-defense behaviors of exploit kits. This design is based on observations drawn from exploit kits that we installed in a laboratory setting as well as live exploit kits that were hosted on the Web. We discuss the design and implementation of a system called WEBWINNOW that is based on this approach. Extensive experiments with real world malicious URLs reveal that WEBWINNOW is highly effective in the detection of malicious URLs hosted by exploit kits with very low false-positives.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"105 1","pages":"305-312"},"PeriodicalIF":0.0000,"publicationDate":"2014-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"43","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2557547.2557575","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 43

Abstract

Organized cybercrime on the Internet is proliferating due to exploit kits. Attacks launched through these kits include drive-by-downloads, spam and denial-of-service. In this paper, we tackle the problem of detecting whether a given URL is hosted by an exploit kit. Through an extensive analysis of the workflows of about 40 different exploit kits, we develop an approach that uses machine learning to detect whether a given URL is hosting an exploit kit. Central to our approach is the design of distinguishing features that are drawn from the analysis of attack-centric and self-defense behaviors of exploit kits. This design is based on observations drawn from exploit kits that we installed in a laboratory setting as well as live exploit kits that were hosted on the Web. We discuss the design and implementation of a system called WEBWINNOW that is based on this approach. Extensive experiments with real world malicious URLs reveal that WEBWINNOW is highly effective in the detection of malicious URLs hosted by exploit kits with very low false-positives.

查看原文本刊更多论文

WebWinnow:利用漏洞利用工具包工作流来检测恶意url

互联网上有组织的网络犯罪由于漏洞利用工具包而激增。通过这些工具包发起的攻击包括下载驱动、垃圾邮件和拒绝服务。在本文中，我们解决了检测给定URL是否由漏洞利用工具包托管的问题。通过对大约40种不同漏洞利用工具包的工作流程进行广泛分析，我们开发了一种使用机器学习来检测给定URL是否托管漏洞利用工具包的方法。我们的方法的核心是设计区分特征，这些特征是从分析攻击中心和攻击工具的自卫行为中得出的。这种设计是基于从我们在实验室环境中安装的漏洞利用工具包以及托管在Web上的实时漏洞利用工具包中得出的观察结果。我们讨论了基于这种方法的WEBWINNOW系统的设计和实现。对真实世界恶意url的大量实验表明，WEBWINNOW在检测由漏洞利用工具包托管的恶意url方面非常有效，误报率非常低。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy

自引率

0.00%

发文量