{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,7]],"date-time":"2025-10-07T23:29:21Z","timestamp":1759879761705,"version":"3.37.3"},"reference-count":33,"publisher":"Springer Science and Business Media LLC","issue":"1",
"license":[{"start":{"date-parts":[[2021,7,12]],"date-time":"2021-07-12T00:00:00Z","timestamp":1626048000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,7,12]],"date-time":"2021-07-12T00:00:00Z","timestamp":1626048000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],
"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecur"],"published-print":{"date-parts":[[2021,12]]},
"abstract":"<jats:title>Abstract<\/jats:title><jats:p>While consumers use the web to perform routine activities, they are under the constant threat of attack from malicious websites. Even when visiting \u2018trusted\u2019 sites, there is always a risk that site is compromised, and, hosting a malicious script. In this scenario, the injected script would typically force the victim\u2019s browser to undergo a series of redirects before reaching an attacker-controlled domain, which, delivers the actual malware. Although these malicious redirection chains aim to frustrate detection and analysis efforts, they could be used to help identify web-based attacks. Building upon previous work, this paper presents the first known application of a Long Short-Term Memory (LSTM) network to detect Exploit Kit (EK) traffic, utilising the structure of HTTP redirects. Samples are processed as sequences, where each timestep represents a redirect and contains a unique combination of 48 features. The experiment is conducted using a ground-truth dataset of 1279 EK and 5910 benign redirection chains. Hyper-parameters are tuned via K-fold cross-validation (5f-CV), with the optimal configuration achieving an F1 score of 0.9878 against the unseen test set. Furthermore, we compare the results of isolated feature categories to assess their importance.<\/jats:p>",
"DOI":"10.1186\/s42400-021-00093-7","type":"journal-article","created":{"date-parts":[[2021,7,11]],"date-time":"2021-07-11T23:03:28Z","timestamp":1626044608000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":10,"title":["LSTM RNN: detecting exploit kits using redirection chain sequences"],"prefix":"10.1186","volume":"4",
"author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4378-483X","authenticated-orcid":false,"given":"Jonah","family":"Burgess","sequence":"first","affiliation":[]},{"given":"Philip","family":"O\u2019Kane","sequence":"additional","affiliation":[]},{"given":"Sakir","family":"Sezer","sequence":"additional","affiliation":[]},{"given":"Domhnall","family":"Carlin","sequence":"additional","affiliation":[]}],
"member":"297","published-online":{"date-parts":[[2021,7,12]]},
"reference":[
{"key":"93_CR1","unstructured":"Analysis, B (2020) Broad Analysis. https:\/\/broadanalysis.com\/. Accessed 7 May 2021."},
{"key":"93_CR2","unstructured":"Brownlee, J (2017) Long Short-term Memory Networks with Python: Develop Sequence Prediction Models with Deep Learning. Machine Learning Mastery."},
{"key":"93_CR3","doi-asserted-by":"crossref","unstructured":"Burgess, J, Carlin D, O\u2019Kane P, Sezer S (2020) REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic In: 2020 IEEE Conference on Communications and Network Security (CNS).. IEEE.","DOI":"10.1109\/CNS48642.2020.9162304"},
{"key":"93_CR4","unstructured":"c, 0fec0de (2020) Python AnyTree Module. https:\/\/anytree.readthedocs.io\/en\/latest\/. Accessed 7 May 2021."},
{"issue":"2","key":"93_CR5","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1109\/MSEC.2019.2920585","volume":"18","author":"D Carlin","year":"2019","unstructured":"Carlin, D, Burgess J, O\u2019Kane P, Sezer S (2019) You could be mine (d): the rise of cryptojacking. IEEE Secur Priv 18(2):16\u201322.","journal-title":"IEEE Secur Priv"},
{"key":"93_CR6","unstructured":"Duncan, B (2020) Malware Traffic Analysis. https:\/\/www.malware-traffic-analysis.net\/. Accessed 7 May 2021."},
{"key":"93_CR7","doi-asserted-by":"publisher","first-page":"59118","DOI":"10.1109\/ACCESS.2018.2874098","volume":"6","author":"Y Fang","year":"2018","unstructured":"Fang, Y, Huang C, Liu L, Xue M (2018) Research on malicious javascript detection technology based on LSTM. IEEE Access 6:59118\u201359125.","journal-title":"IEEE Access"},
{"key":"93_CR8","doi-asserted-by":"crossref","unstructured":"Harnmetta, S, Ngamsuriyaroj S (2018) Classification of exploit-kit behaviors via machine learning approach In: 2018 20th International Conference on Advanced Communication Technology (ICACT), 468\u2013473.. IEEE.","DOI":"10.23919\/ICACT.2018.8323797"},
{"issue":"16","key":"93_CR9","doi-asserted-by":"publisher","first-page":"3414","DOI":"10.3390\/app9163414","volume":"9","author":"R-H Hwang","year":"2019","unstructured":"Hwang, R-H, Peng M-C, Nguyen V-L, Chang Y-L (2019) An LSTM-based deep learning approach for classifying malicious traffic at the packet level. Appl Sci 9(16):3414.","journal-title":"Appl Sci"},
{"key":"93_CR10","doi-asserted-by":"crossref","unstructured":"Kotov, V, Massacci F (2013) Anatomy of exploit kits In: International Symposium on Engineering Secure Software and Systems, 181\u2013196.. Springer, Berlin, Heidelberg.","DOI":"10.1007\/978-3-642-36563-8_13"},
{"key":"93_CR11","doi-asserted-by":"crossref","unstructured":"Li, Z, Alrwais S, Wang X, Alowaisheq E (2014) Hunting the red fox online: Understanding and detection of mass redirect-script injections In: 2014 IEEE Symposium on Security and Privacy, 3\u201318.. IEEE.","DOI":"10.1109\/SP.2014.8"},
{"key":"93_CR12","doi-asserted-by":"crossref","unstructured":"Liang, J, Zhao W, Ye W (2017) Anomaly-based web attack detection: a deep learning approach In: Proceedings of the 2017 VI International Conference on Network, Communication and Computing, 80\u201385.","DOI":"10.1145\/3171592.3171594"},
{"key":"93_CR13","unstructured":"Ma, Z (2018) The decline of exploit kits as an exploitation strategy. https:\/\/www.doc.ic.ac.uk\/~livshits\/papers\/theses\/zicong_ma.pdf."},
{"key":"93_CR14","unstructured":"MalwareBytes (2020) State of Malware Report 2020. https:\/\/resources.malwarebytes.com\/files\/2020\/02\/2020_State-of-Malware-Report.pdf. Accessed 7 May 2021."},
{"key":"93_CR15","doi-asserted-by":"crossref","unstructured":"Matsunaka, T, Kubota A, Kasama T (2014) An approach to detect drive-by download by observing the web page transition behaviors In: 9th Asia Joint Conference on Information Security, 19\u201325.. IEEE.","DOI":"10.1109\/AsiaJCIS.2014.21"},
{"key":"93_CR16","unstructured":"McAfee (2019) McAfee Labs Threat Report: August 2019. https:\/\/www.mcafee.com\/enterprise\/en-us\/assets\/reports\/rp-quarterly-threats-aug-2019.pdf. Accessed 7 May 2021."},
{"key":"93_CR17","doi-asserted-by":"crossref","unstructured":"Mekky, H, Torres R, Zhang Z-L, Saha S, Nucci A (2014) Detecting malicious http redirections using trees of user browsing activity In: IEEE INFOCOM 2014-IEEE Conference on Computer Communications, 1159\u20131167.. IEEE.","DOI":"10.1109\/INFOCOM.2014.6848047"},
{"issue":"9","key":"93_CR18","doi-asserted-by":"publisher","first-page":"1665","DOI":"10.1587\/transinf.2018OFP0010","volume":"102","author":"T Nagai","year":"2019","unstructured":"Nagai, T, Kamizono M, Shiraishi Y, Xia K, Mohri M, Takano Y, Morii M (2019) A malicious web site identification technique using web structure clustering. IEICE Trans Inf Syst 102(9):1665\u20131672.","journal-title":"IEICE Trans Inf Syst"},
{"key":"93_CR19","unstructured":"Nelms, T, Perdisci R, Antonakakis M, Ahamad M (2015) Webwitness: Investigating, categorizing, and mitigating malware download paths In: 24th {USENIX} Security Symposium 15, 1025\u20131040."},
{"key":"93_CR20","doi-asserted-by":"crossref","unstructured":"Nikolaev, I, Grill M, Valeros V (2016) Exploit kit website detection using http proxy logs In: Proceedings of the Fifth International Conference on Network, Communication and Computing, 120\u2013125.. ACM.","DOI":"10.1145\/3033288.3033354"},
{"key":"93_CR21","unstructured":"Selenium (2019) Selenium Browser Automation. https:\/\/www.seleniumhq.org\/. Accessed 7 May 2021."},
{"issue":"3","key":"93_CR22","doi-asserted-by":"publisher","first-page":"430","DOI":"10.1587\/transinf.2018FCP0007","volume":"102","author":"T Shibahara","year":"2019","unstructured":"Shibahara, T, Takata Y, Akiyama M, Yagi T, Hato K, Murata M (2019) Evasive malicious website detection by leveraging redirection subgraph similarities. IEICE Trans Inf Syst 102(3):430\u2013443.","journal-title":"IEICE Trans Inf Syst"},
{"key":"93_CR23","doi-asserted-by":"crossref","unstructured":"Singh, A, Goyal N (2019) A comparison of machine learning attributes for detecting malicious websites In: 2019 11th International Conference on Communication Systems & Networks (COMSNETS), 352\u2013358.. IEEE.","DOI":"10.1109\/COMSNETS.2019.8711133"},
{"key":"93_CR24","unstructured":"Staudemeyer, RC, Morris ER (2019) Understanding lstm\u2013a tutorial into long short-term memory recurrent neural networks. arXiv preprint arXiv:1909.09586."},
{"key":"93_CR25","doi-asserted-by":"crossref","unstructured":"Stringhini, G, Kruegel C, Vigna G (2013) Shady paths: Leveraging surfing crowds to detect malicious web pages In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, 133\u2013144.. ACM.","DOI":"10.1145\/2508859.2516682"},
{"issue":"5","key":"93_CR26","doi-asserted-by":"publisher","first-page":"3713","DOI":"10.3906\/elk-1810-199","volume":"27","author":"E S\u00fcren","year":"2019","unstructured":"S\u00fcren, E, Angin P, Baykal N (2019) I see EK: A lightweight technique to reveal exploit kit family by overall URL patterns of infection chains. Turk J Electr Eng Comput Sci 27(5):3713\u20133728.","journal-title":"Turk J Electr Eng Comput Sci"},
{"key":"93_CR27","doi-asserted-by":"crossref","unstructured":"Takata, Y, Akiyama M, Yagi T, Hariu T, Goto S (2015) Minespider: Extracting urls from environment-dependent drive-by download attacks In: 2015 IEEE 39th Annual Computer Software and Applications Conference, 444\u2013449.. IEEE.","DOI":"10.1109\/COMPSAC.2015.76"},
{"issue":"11","key":"93_CR28","doi-asserted-by":"publisher","first-page":"2600","DOI":"10.1587\/transinf.2017ICP0005","volume":"101","author":"Y Takata","year":"2018","unstructured":"Takata, Y, Akiyama M, Yagi T, Hariu T, Ohkubo K, Goto S (2018) Identifying evasive code in malicious websites by analyzing redirection differences. IEICE Trans Inf Syst 101(11):2600\u20132611.","journal-title":"IEICE Trans Inf Syst"},
{"key":"93_CR29","doi-asserted-by":"crossref","unstructured":"Taylor, T, Hu X, Wang T, Jang J, Stoecklin MP, Monrose F, Sailer R (2016) Detecting malicious exploit kits using tree-based similarity searches In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, 255\u2013266.. ACM.","DOI":"10.1145\/2857705.2857718"},
{"issue":"3","key":"93_CR30","doi-asserted-by":"publisher","first-page":"1277","DOI":"10.3233\/JIFS-169424","volume":"34","author":"R Vinayakumar","year":"2018","unstructured":"Vinayakumar, R, Soman K, Poornachandran P, Sachin Kumar S (2018) Detecting android malware using long short-term memory (LSTM). J Intell Fuzzy Syst 34(3):1277\u20131288.","journal-title":"J Intell Fuzzy Syst"},
{"key":"93_CR31","unstructured":"VirusTotal (2019) VirusTotal. https:\/\/www.virustotal.com. Accessed 7 May 2021."},
{"key":"93_CR32","unstructured":"Wireshark (2019) Wireshark - TShark. https:\/\/www.wireshark.org\/docs\/man-pages\/tshark.html. Accessed 7 May 2021."},
{"key":"93_CR33","unstructured":"Zeek (2020) The Zeek Network Security Monitor. https:\/\/www.zeek.org\/. Accessed 7 May 2021."}
],
"container-title":["Cybersecurity"],"original-title":[],"language":"en",
"link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-021-00093-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-021-00093-7\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-021-00093-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],
"deposited":{"date-parts":[[2021,7,11]],"date-time":"2021-07-11T23:09:35Z","timestamp":1626044975000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-021-00093-7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,7,12]]},"references-count":33,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,12]]}},"alternative-id":["93"],"URL":"https:\/\/doi.org\/10.1186\/s42400-021-00093-7","relation":{},"ISSN":["2523-3246"],"issn-type":[{"type":"electronic","value":"2523-3246"}],"subject":[],"published":{"date-parts":[[2021,7,12]]},
"assertion":[{"value":"12 February 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"28 April 2021","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"12 July 2021","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"N\/A","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval and consent to participate"}},{"value":"N\/A","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent for publication"}},{"value":"N\/A","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],
"article-number":"25"}}