The Image Game: Exploit Kit Detection Based on Recursive Convolutional Neural Networks

Malware has been installed through drive-by downloads via exploit kit attacks. However, the prior signature- or dynamic-based detection approach to the continuously increasing number of suspicious samples is time-consuming. In such circumstances, convolutional neural networks (ConvNets) can help in rapid detection owing to their direct image-feature generation using exploit codes. However, the general ConvNet model entails the vanishing gradient problem, where the features used for a deep learning-based detection method will become less effective as the network is deepened to improve detection accuracy. In this paper, we propose a multiclass ConvNet model to classify exploit kits, where we adopt various image processing techniques and adjust the size and other parameters of images. The proposed ConvNet model recursively updates images and is designed for fully preserving image properties. This model updates the output of feature maps and pooling using an original image. This model was tested using 36,863 real-world datasets, achieving a 98.2% accuracy in exploit kit detection and family classification. Most importantly, the proposed model is 38 times faster than previous machine learning models, and training time is reduced by 77.8% when compared with prior well-known ConvNet models.