An Exploit Kits Detection Approach Based on HTTP Message Graph

Exploit kits (EKs) are used by attackers to distribute malware automatically and silently. Existing approaches to EK detection usually need to perform dynamic analysis on the content contained in the network traffic, which requires dumping all the network traffic and thus causes high detection overhead. Although some approaches detect EKs based on static analysis, they usually fail to restore the complete attack path because of the obstruction set by the attackers. In this paper, we propose an approach that can detect EKs based only on information extracted by static analysis. Our method builds a graph for web sessions and extracts features from the graph to perform EK detection. The built graph catches important structural characteristics of the interaction during EK attacks that were not revealed in existing methods, with which EKs can be detected with high accuracy. The experiments show that our method works well on both the ground-truth datasets and the latest practical cases. Our method can also identify the malicious websites concealed in EKs, which can further improve the efficiency of analysis.

Keywords: detection approach; exploit kits; kits detection; analysis; detection

Journal Title: IEEE Transactions on Information Forensics and Security
Year Published: 2021
