Exploit Kit Website Detection Using HTTP Proxy Logs

Ivan Nikolaev, Martin Grill, Veronica Valeros
DOI: 10.1145/3033288.3033354 (https://doi.org/10.1145/3033288.3033354)
Venue: International Conference on Network, Communication and Computing
Published: 2016-12-17
Citations: 7

Abstract
Exploit kits are software toolkits used for widespread malware distribution via the automated infection of victims' computers through Internet web pages. They are extremely hard to detect because they constantly evolve, frequently changing their hosting domains and URL patterns, which renders signature-based detection ineffective. In this paper we analyse common exploit kit characteristics and propose a detection method that relies solely on information extracted from HTTP proxy logs, which are commonly available in most enterprise networks. Our method leverages exploit kit characteristics that are shared across different exploit kit families and are unlikely to change, as they are crucial to the exploitation process. We perform two sets of experiments to evaluate the efficacy of the proposed method. The first set uses network traces of a number of publicly available malicious samples to estimate the recall of the proposed method. The second set uses real network traffic collected in a large number of corporate networks to estimate its precision. Both sets of experiments show satisfactory performance of the algorithm.