Detecting Drive-by Download Attacks from Proxy Log Information using Convolutional Neural Network

Many hosts are still infected by drive-by download attacks despite the efforts of many security researchers and venders. In the drive-by download attacks, the attackers maliciously change popular web sites. Then, the users are redirected via the redirect URLs to the exploit URLs. At the exploit URLs, an exploit code is executed, and malware is downloaded from malware distribution URLs [1]. By using the redirections via multiple URLs, which is called a redirection chain, the attacker can separate functions such as redirections and attack. As a result, the attacker can easily change the URLs for the redirections and attack in a short time, which makes it difficult for researchers and vendors to analyize them [1]. Blacklists including URLs and domains related to malicious web sites are widely implemented [2]. The blacklists are created by using honeyclients [3], which have decoy browsers. However, the URLs used for attacks are frequently changed. Thus, there may be many web sites that are used by the drive-by download attacks but are not included in the blacklists. When a drive-by download attack occurs, the corresponding URL sequence includes the redirection chain. In this thesis, we focus on the features of the URL sequences, including the features of malicious URLs and their order. We propose the method to detect drive-by download attacks using the convolutional neural network (CNN), which achieves high accuracy in the field of analyzing sequence data [4]. In addition to simply applying CNNs, we introduce an Event De-noising CNN (EDCNN) [5], which is a neural network extended from the CNN so as to mitigate the impact of the benign URLs included in the URL sequence. To detect drive-by download attacks from the proxy logs, we need to consider the case that multiple web sites are accessed simultaneously. In this case, the URL sequence includes the URLs