Classification of Exploit-Kit behaviors via machine learning approach

Abstract

© 2018 Global IT Research Institute (GiRI). An Exploit-Kit (EK) is the cyber attacking tool which targets in finding vulnerabilities appeared on a web browser instance such as web-plugins, add-on instances usually installed in a web browser. Such instances may send some suitable malware payload through the vulnerabilities they found. This kind of such cyber-attack is known as the drive-by-download attack where malware downloading do not require any interaction from users. In addition, EK can do self-protection by imitating a benign website or responding to end-users with HTTP 404 error code whenever it encountered an unsupported target web browser. As a result, detecting EK requires a lot of effort. However, when an EK launches an attack, there are some patterns of interactions between a host and a victim. In this work, we obtain a set of data from www.malware-traffic-analysis.net and analyze those interactions in order to identify a set of features. We use such features to build a model for classifying interaction patterns of each EK type. Our experiments show that, with 5,743 network flows and 45 features, our model using Decision tree approach can classify EK traffic and EK type with accuracy of 97.74% and 97.11% respectively. In conclusion, our proposed work can help detect the behavior of EK with high accuracy.