Abstract
Since an exploit kit (EK) was first developed, an increasing number of attempts has been made to infect users’ PCs by transmitting malware via EKs. To tackle such malware distribution, we propose herein an enhanced similarity-matching technique that determines whether the test sets are similar to the pattern sets in which the structural properties of EKs are defined. A key characteristic of our similarity-matching technique is that, unlike typical pattern-matching, it can detect isomorphic variants derived from EKs. In an experiment involving 36,950 datasets, our similarity-matching technique provides a TP rate of 99.9% and an FP rate of 0.001% with a performance of 0.003 s/page.
Notes
- 1.
To avoid detection, attackers use split(), escape(), eval(), XOR/8-bit ASCII/BASE64 or their own encoding, and JavaScript compression tools. The outputs of these methods yield obfuscated strings with %, +, \x, or $ as the first character. In recent years, EKs have often hidden JavaScript functions as well.
- 3.
The feature extraction uses the JavaScript, HTML, and VBScript codes. We use the original code before it is interpreted by JavaScript engines, such as jscript.dll or V8.
- 4.
See https://drive.google.com/open?id=1UVg-gbfIv7NTabq90UkVKt3CeleBEBY9. Patterns for classification (left) and clustered patterns for matching (right).
- 6.
We offer brief sample outputs for both TN and FP cases at this website: https://drive.google.com/open?id=1QDl1Kpyq85arwHCuvU7qiJGVoWOhUuhP.
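As an added illustration (not FriSM's own code or feature set), the following Python sketch shows the pipeline the abstract and notes 1 and 3 describe: the raw, uninterpreted script is reduced to a structural feature string, string literals are marked as obfuscated by their first character, and a page is flagged when its feature string is similar enough to a stored pattern, so an isomorphic variant with renamed identifiers still matches. The token classes, the Ratcliff/Obershelp ratio, the 0.8 threshold and the sample pages are assumptions made for this example.

```python
import re
from difflib import SequenceMatcher

# Token classes and threshold are this example's own choices, not FriSM's.
JS_KEYWORDS = {"var", "function", "return", "eval", "unescape", "escape",
               "split", "document", "write"}
# Simplified tokenizer for raw HTML/JS source (not a full JS lexer).
TOKEN_RE = re.compile(r'<[^>]+>|"[^"]*"|\'[^\']*\'|[A-Za-z_$][\w$]*|\d+|[^\s\w]')

def literal_class(text):
    # Heuristic from note 1: obfuscated strings start with %, +, \x or $.
    return "OBF" if text.startswith(("%", "+", "$", "\\x")) else "STR"

def feature_string(code):
    """Structural feature string: tags and keywords are kept, identifiers
    become ID, numbers NUM, string literals OBF or STR, punctuation as-is."""
    feats = []
    for tok in TOKEN_RE.findall(code):
        if tok.startswith("<"):
            m = re.match(r"</?\s*([A-Za-z0-9]+)", tok)
            feats.append("TAG:" + (m.group(1).lower() if m else "?"))
        elif tok[0] in "\"'":
            feats.append(literal_class(tok[1:-1]))
        elif tok in JS_KEYWORDS:
            feats.append(tok)
        elif re.match(r"[A-Za-z_$]", tok):
            feats.append("ID")
        elif tok.isdigit():
            feats.append("NUM")
        else:
            feats.append(tok)
    return " ".join(feats)

def similarity(a, b):
    # Ratcliff/Obershelp ratio over token sequences: renamed identifiers and
    # changed literal contents do not break the match as a byte diff would.
    return SequenceMatcher(None, a.split(), b.split()).ratio()

def classify(page, patterns, threshold=0.8):
    """Return (is_match, best_score) for a page against the pattern set."""
    fs = feature_string(page)
    best = max(similarity(fs, p) for p in patterns)
    return best >= threshold, best

# Constructed samples (not real EK code): a pattern, an isomorphic variant with
# renamed identifiers and a split literal, and a benign page.
PATTERN_SRC = '<script>var k = "%41%42%43"; var s = unescape(k); eval(s);</script>'
VARIANT_SRC = '<script>\nvar key0 = "%44" + "%45";\nvar out = unescape(key0);\neval(out);\n</script>'
BENIGN_SRC = '<script>function show(msg) { document.write("Hello " + msg); } show("world");</script>'
PATTERNS = [feature_string(PATTERN_SRC)]
# classify(VARIANT_SRC, PATTERNS) -> (True, 0.952...), classify(BENIGN_SRC, PATTERNS) -> (False, ...)
```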
Acknowledgements
This research was supported by the Ministry of Science, ICT and Future Planning, Korea, under the Human Resource Development Project for Brain Scouting Program (IITP-2017-0-01889) supervised by the IITP.
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Kim, S., Kang, B.B. (2018). FriSM: Malicious Exploit Kit Detection via Feature-Based String-Similarity Matching. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 254. Springer, Cham. https://doi.org/10.1007/978-3-030-01701-9_23
DOI: https://doi.org/10.1007/978-3-030-01701-9_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01700-2
Online ISBN: 978-3-030-01701-9