FriSM: Malicious Exploit Kit Detection via Feature-Based String-Similarity Matching

  • Sungjin Kim
  • Brent ByungHoon Kang
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 254)

Abstract

Since the first exploit kit (EK) was developed, an increasing number of attempts have been made to infect users’ PCs by transmitting malware via EKs. To tackle such malware distribution, we propose herein an enhanced similarity-matching technique that determines whether the test sets are similar to the pattern sets in which the structural properties of EKs are defined. A key characteristic of our similarity-matching technique is that, unlike typical pattern matching, it can detect isomorphic variants derived from EKs. In an experiment involving 36,950 datasets, our similarity-matching technique provides a TP rate of 99.9% and an FP rate of 0.001% with a performance of 0.003 s/page.
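As an added illustration, not the paper's implementation or dataset, the following Python sketch shows the distinction the abstract draws between plain pattern matching and similarity matching: each page is reduced to a structural feature sequence (tag skeleton plus JavaScript token shapes, with identifiers and literals normalised away), and a variant with renamed identifiers is scored against a pattern set with a Ratcliff/Obershelp ratio. The sample pages, the feature extraction and the 0.8 threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample pages (hypothetical, not from the paper): a template standing in
# for one pattern set, an isomorphic variant with renamed identifiers, a benign page.
PATTERN_PAGE = """<html><head><script>
var k="abc";function dec(s){return s.split("").reverse().join("");}
document.write(dec(k));
</script></head><body><iframe src="http://pattern.invalid/a" width="1" height="1"></iframe></body></html>"""
VARIANT_PAGE = """<html><head><script>
var qz="zyx321";var t=1;function uN(x){return x.split("").reverse().join("");}
document.write(uN(qz));
</script></head><body><iframe src="http://other.invalid/z?i=9" width="1" height="1"></iframe></body></html>"""
BENIGN_PAGE = """<html><head><title>Shop</title></head><body><h1>Welcome</h1>
<p>Hello</p><a href="/cart">Cart</a><img src="/logo.png"></body></html>"""

JS_KEYWORDS = {"var", "function", "return", "if", "else", "for", "new", "this", "document", "window"}
TAG_RE = re.compile(r"<\s*(/?[A-Za-z][A-Za-z0-9]*)")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
JS_TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\d+|[A-Za-z_$][\w$]*|[^\s\w]')

def structural_features(page):
    """Reduce a page to a token sequence that keeps structure and drops content."""
    feats = [t.lower() for t in TAG_RE.findall(SCRIPT_RE.sub("<script></script>", page))]
    for body in SCRIPT_RE.findall(page):
        for tok in JS_TOKEN_RE.findall(body):
            if tok[0] in "\"'":
                feats.append("STR")  # string literal: keep only its shape
            elif tok.isdigit():
                feats.append("NUM")
            elif tok[0].isalpha() or tok[0] in "_$":
                feats.append(tok if tok in JS_KEYWORDS else "ID")  # renaming is neutralised
            else:
                feats.append(tok)  # operators and punctuation are structure
    return feats

def similarity(a, b):
    """Ratcliff/Obershelp ratio (difflib's SequenceMatcher) between feature sequences."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()

def exact_match(page, patterns):
    """Plain pattern matching: the template has to appear verbatim."""
    return any(p in page for p in patterns)

def classify(page, pattern_feats, threshold=0.8):
    """Best similarity against any pattern set, and whether it crosses the threshold."""
    best = max((similarity(structural_features(page), p) for p in pattern_feats), default=0.0)
    return best, best >= threshold
```

Calling `classify(VARIANT_PAGE, [structural_features(PATTERN_PAGE)])` scores the variant above the threshold although `exact_match` rejects it, while the benign page scores well below.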

Keywords

Exploit kits, Pattern matching, Similarity matching

Notes

Acknowledgements

This research was supported by the Ministry of Science, ICT and Future Planning, Korea, under the Human Resource Development Project for Brain Scouting Program (IITP-2017-0-01889) supervised by the IITP.

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  1. Graduate School of Information Security, School of Computing, Korea Institute of Science Technology (KAIST), Daejeon, Republic of Korea