EKnad: Exploit Kits’ network activity detection

Future Generation Computer Systems (2022)

Abstract
Web Exploit Kits (EKs) are designed to exploit vulnerabilities in browsers and browser plugins in order to deliver malware without drawing the user's attention. Despite their longevity, EKs have adapted their modus operandi to new malware trends and pose an imminent threat to individuals and organizations. This paper proposes EKnad, a methodology to detect EKs exclusively from network-level traces using machine learning algorithms. To capture the network-level behavior of EKs, a comprehensive set of features extracted from the network traffic is presented. Moreover, HTTP flows are suitably grouped into so-called potential EK sessions in order to improve detection accuracy and reduce training time. Using various well-known machine learning algorithms, a comparative experimental study is performed, employing real-world, publicly available network traffic files from 26 different EK families. Numerical results show that the Multilayer Perceptron algorithm outperforms all other machine learning algorithms, yielding an F1-score of 0.983, and at the same time surpasses the detection capabilities of rule-based intrusion detection systems including Snort and Suricata.
Keywords
Exploit Kits, Machine learning, Multilayer Perceptron, Network traffic, Snort, Suricata