An Exploit Kits Detection Approach Based on HTTP Message Graph
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 2021-05-13, DOI: 10.1109/tifs.2021.3080082
Yan Qin, Weiping Wang, Shigeng Zhang, Kai Chen

Exploit kits (EKs) are used by attackers to distribute malware automatically and silently. Existing approaches to EK detection usually need to perform dynamic analysis on the content carried in network traffic, which requires dumping all of the traffic and thus causes high detection overhead. Although some approaches detect EKs using static analysis, they usually fail to recover the complete attack path because of the obstacles attackers put in place. In this paper, we propose an approach that detects EKs using only information extracted by static analysis. Our method builds a graph for each web session and extracts features from the graph to perform EK detection. The graph captures important structural characteristics of the interaction during EK attacks that existing methods do not reveal, with which EKs can be detected with high accuracy. Experiments show that our method works well both on ground-truth datasets and on the latest practical cases. Our method can also identify the malicious websites concealed in EKs, which further improves the efficiency of analysis.
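The abstract describes building a graph over the HTTP messages of a web session and deriving structural features from it. The Python below is an added illustration, not the authors' code: it assumes each message is summarised by URL, Referer, status and Location, links messages by Referer and 3xx redirects, and computes simple structural features (chain depth, redirect count, cross-domain hops) over a constructed sample session; the paper's actual graph construction and feature set are not given on this page.

```python
# Illustrative HTTP message graph for one web session (added example, not the paper's code).
# Assumed per-message summary: request URL, Referer header, response status, Location header;
# an edge links a message to the message that caused it (Referer) or that it redirects to (3xx Location).
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample session: a page with benign sub-resources plus a redirect chain ending in a binary download.
SESSION = [
    {"url": "http://news.example/index.html", "referer": None, "status": 200, "location": None},
    {"url": "http://news.example/style.css", "referer": "http://news.example/index.html", "status": 200, "location": None},
    {"url": "http://ads.example/banner.js", "referer": "http://news.example/index.html", "status": 200, "location": None},
    {"url": "http://ads.example/go", "referer": "http://ads.example/banner.js", "status": 302, "location": "http://gate.example/r"},
    {"url": "http://gate.example/r", "referer": None, "status": 302, "location": "http://land.example/l.php"},
    {"url": "http://land.example/l.php", "referer": None, "status": 200, "location": None},
    {"url": "http://land.example/p.bin", "referer": "http://land.example/l.php", "status": 200, "location": None},
]

def host(url):
    return urlsplit(url).hostname

def build_graph(messages):
    """Adjacency {parent_url: [child_url]} from Referer and 3xx Location links."""
    edges = defaultdict(list)
    for m in messages:
        if m["referer"]:
            edges[m["referer"]].append(m["url"])
        if m["location"] and 300 <= m["status"] < 400:
            edges[m["url"]].append(m["location"])
    return edges

def longest_path(edges, node):
    """Longest node-to-leaf path as a list of URLs (DFS; the session graph is assumed acyclic)."""
    best = [node]
    for child in edges.get(node, []):
        cand = [node] + longest_path(edges, child)
        if len(cand) > len(best):
            best = cand
    return best

def session_features(messages):
    """Structural features of the session graph, computed from its root messages (no incoming edge)."""
    edges = build_graph(messages)
    targets = {c for children in edges.values() for c in children}
    roots = [m["url"] for m in messages if m["url"] not in targets]
    path = max((longest_path(edges, r) for r in roots), key=len, default=[])
    return {
        "depth": len(path),  # nodes on the longest causal chain
        "redirects": sum(300 <= m["status"] < 400 for m in messages),
        "domains_on_path": len({host(u) for u in path}),
        "cross_domain_hops": sum(host(a) != host(b) for a, b in zip(path, path[1:])),
        "path": path,
    }
```

A long chain that crosses several domains through redirects and ends in a download is the kind of structural signal the abstract alludes to; benign sub-resource fetches (the stylesheet here) stay shallow and same-origin.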

Updated: 2021-05-13