While consumers use the web to perform routine activities, they are under the constant threat of attack from malicious websites. Even when visiting ‘trusted’ sites, there is always a risk that site is compromised, and, hosting a malicious script. In this scenario, the injected script would typically force the victim’s browser to undergo a series of redirects before reaching an attacker-controlled domain, which, delivers the actual malware. Although these malicious redirection chains aim to frustrate detection and analysis efforts, they could be used to help identify web-based attacks. Building upon previous work, this paper presents the first known application of a Long Short-Term Memory (LSTM) network to detect Exploit Kit (EK) traffic, utilising the structure of HTTP redirects. Samples are processed as sequences, where each timestep represents a redirect and contains a unique combination of 48 features. The experiment is conducted using a ground-truth dataset of 1279 EK and 5910 benign redirection chains. Hyper-parameters are tuned via K-fold cross-validation (5f-CV), with the optimal configuration achieving an F1 score of 0.9878 against the unseen test set. Furthermore, we compare the results of isolated feature categories to assess their importance.

当消费者使用网络进行日常活动时，他们不断受到恶意网站攻击的威胁。即使在访问“受信任”站点时，也始终存在站点被破坏和托管恶意脚本的风险。在这种情况下，注入的脚本通常会强制受害者的浏览器在到达攻击者控制的域之前进行一系列重定向，从而提供实际的恶意软件。尽管这些恶意重定向链旨在挫败检测和分析工作，但它们可用于帮助识别基于 Web 的攻击。在先前工作的基础上，本文介绍了长短期记忆 (LSTM) 网络的第一个已知应用，它利用 HTTP 重定向的结构来检测漏洞利用套件 (EK) 流量。样本被处理为序列，其中每个时间步长代表一个重定向并包含 48 个特征的独特组合。该实验是使用 1279 EK 和 5910 良性重定向链的真实数据集进行的。超参数通过 K 折交叉验证 (5f-CV) 进行调整，最佳配置针对看不见的测试集实现了 0.9878 的 F1 分数。此外，我们比较孤立特征类别的结果以评估它们的重要性。