Exploit Kit Website Detection Using HTTP Proxy Logs

2016 
Exploit kits are software toolkits used for widespread malware distribution via the automated infection of victims' computers through Internet web pages. They are extremely hard to detect because they constantly evolve, frequently changing their hosted domains and URL patterns, which renders signature-based detection ineffective. In this paper we analyse common exploit kit characteristics and propose a detection method that relies solely on information extracted from HTTP proxy logs, which are commonly available in most enterprise networks. Our method leverages exploit kit characteristics that are shared across different exploit kit families and are unlikely to change, as they are crucial to the exploitation process. We perform two sets of experiments to evaluate the efficacy of the proposed method. The first set uses network traces of a number of publicly available malicious samples to estimate the recall of the proposed method. The second set uses real network traffic collected in a large number of corporate networks to estimate its precision. Both sets of experiments show satisfactory performance of the algorithm.
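The abstract describes detection from proxy logs alone but does not spell out which exploit-kit characteristics it keys on. The following added example, written for this page and not taken from the paper, shows the shape such a detector takes: it parses a simplified, constructed tab-separated proxy log (timestamp, client, method, URL, status, content type, referer) and flags, per client, a chain of "landing page on a host the client has never contacted, reached via a cross-site referer, followed within a short window by a browser-plugin exploit file from that host and then an executable download". The field layout, the content-type sets, the 60-second window and the same-host rule for the exploit file are all assumptions of this example, chosen as generic infection-chain traits rather than anything the paper states.

```python
"""Heuristic exploit-kit infection-chain detector over HTTP proxy log lines.

Added example, not the paper's code. Assumed log format (tab-separated):
    epoch_ts  client_ip  method  url  status  content_type  referer
A referer of "-" means none. All heuristics below are this example's own
assumptions about generic exploit-kit traffic, not the paper's method.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Content types typically served as the exploit stage (assumed sets).
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                 "application/x-silverlight-app"}
# Content types typically seen for the dropped payload (assumed sets).
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream",
                 "application/x-dosexec"}
WINDOW_SECONDS = 60  # assumed: landing -> exploit -> payload within a minute


@dataclass
class Request:
    ts: float
    client: str
    url: str
    status: int
    ctype: str
    referer: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


def parse_line(line: str):
    """Parse one log line; return None for malformed lines instead of raising."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        return None
    ts, client, _method, url, status, ctype, referer = parts
    ctype = ctype.split(";")[0].strip().lower()   # drop "; charset=..."
    referer = "" if referer == "-" else referer
    return Request(float(ts), client, url, int(status), ctype, referer)


def parse_log(text: str):
    return [r for r in (parse_line(l) for l in text.splitlines() if l.strip()) if r]


def find_chains(requests, window=WINDOW_SECONDS):
    """Return (client, landing_host, exploit_url, payload_url) for each chain found."""
    by_client = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        by_client[r.client].append(r)

    findings = []
    for client, reqs in by_client.items():
        seen_hosts = set()
        for i, landing in enumerate(reqs):
            is_new_host = landing.host not in seen_hosts
            seen_hosts.add(landing.host)
            # Landing-page candidate: HTML from a never-seen host, referred from another site.
            if not (is_new_host and landing.ctype == "text/html" and landing.status == 200
                    and landing.referer
                    and urlparse(landing.referer).hostname != landing.host):
                continue
            exploit = payload = None
            for s in reqs[i + 1:]:
                if s.ts - landing.ts > window:
                    break
                if exploit is None and s.status == 200 and s.ctype in EXPLOIT_TYPES \
                        and s.host == landing.host:
                    exploit = s
                elif exploit is not None and s.status == 200 and s.ctype in PAYLOAD_TYPES:
                    payload = s
                    break
            if exploit and payload:
                findings.append((client, landing.host, exploit.url, payload.url))
    return findings


# Constructed sample: one benign client (news site with a Flash ad) and one
# client that follows a full landing -> exploit -> payload chain.
SAMPLE_LOG = """\
1460000000.0\t10.0.0.5\tGET\thttp://news.example/index.html\t200\ttext/html\t-
1460000001.0\t10.0.0.5\tGET\thttp://cdn.example/site.css\t200\ttext/css\thttp://news.example/index.html
1460000002.0\t10.0.0.5\tGET\thttp://ads.example/banner.swf\t200\tapplication/x-shockwave-flash\thttp://news.example/index.html
1460000010.0\t10.0.0.7\tGET\thttp://blog.example/post.html\t200\ttext/html\t-
1460000012.0\t10.0.0.7\tGET\thttp://qx7.landing.example/gate.php?x=1\t200\ttext/html; charset=utf-8\thttp://blog.example/post.html
1460000013.0\t10.0.0.7\tGET\thttp://qx7.landing.example/flash.swf\t200\tapplication/x-shockwave-flash\thttp://qx7.landing.example/gate.php?x=1
1460000015.0\t10.0.0.7\tGET\thttp://pay.example/load.exe\t200\tapplication/x-msdownload\t-
"""


def detect_sample():
    return find_chains(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for client, host, exploit_url, payload_url in detect_sample():
        print(f"{client}: landing {host} -> exploit {exploit_url} -> payload {payload_url}")
```

Only the second client is reported: the benign client also fetched a Flash object, but from an ad host rather than a freshly contacted landing host, and no executable followed. Requiring the whole chain rather than any single indicator is what keeps such a detector useful on real enterprise proxy logs, where Flash and executable downloads on their own are routine.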