ZEKI: unsupervised zero-day exploit kit intelligence

2020-01-01
Suren, Emre
Over the last few years, exploit kits (EKs) have become the de facto medium for the large-scale spread of malware. Drive-by download is the leading method used by EK flavors to exploit web-based client-side vulnerabilities. Their principal goal is to infect the victim's system with malware. In addition, EK families evolve quickly, porting zero-day exploits for brand-new vulnerabilities that were never seen before and for which no patch exists. In this paper, we propose a novel approach for categorizing malware infection incidents conducted through EKs by leveraging the inherent "overall URL patterns" in the HTTP traffic chain. The proposed approach is based on the key finding that EKs infect victim systems using a specially designed chain, in which the EK leads the web browser to download a malicious payload by issuing several HTTP requests to more than one malicious domain address. This practice enables the development of a system that is capable of clustering the responsible EK instances. The method has been evaluated with a popular and publicly available dataset that contains 240 different real-world infection cases involving over 2250 URLs, the incidents being linked with the 4 major EK flavors that occurred throughout the year 2016. The system achieves up to 93.7% clustering accuracy with the estimators tested.
TURKISH JOURNAL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCES

Citation Formats
E. Suren, “ZEKI: unsupervised zero-day exploit kit intelligence,” TURKISH JOURNAL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCES, pp. 1859–1870, 2020, Accessed: 00, 2020. [Online]. Available: https://hdl.handle.net/11511/64284.