Journal of Information Security Research ›› 2022, Vol. 8 ›› Issue (7): 685-.


DGCNN-based Exploit Kit Attack Activities Detection Method

• Online: 2022-07-04  Published: 2022-07-04

Exploit Kit Attack Activity Detection Method Based on a Deep Graph Convolutional Neural Network

刘小乐, 方勇, 黄诚, 许益家   

  1. School of Cyber Science and Engineering, Sichuan University, Chengdu 610065
  • Corresponding author: 许益家, PhD. Research interest: intrusion detection. xuyijia@stu.scu.edu.cn
  • About the authors: 刘小乐, master's student; research interest: intrusion detection. 2991530778@qq.com. 方勇, PhD, professor, doctoral supervisor; research interest: cyber confrontation techniques. yfang@scu.edu.cn. 黄诚, PhD, associate professor, master's supervisor; research interest: network security. opcodesec@gmail.com. 许益家, PhD; research interest: intrusion detection. xuyijia@stu.scu.edu.cn

Abstract: Attackers use exploit kits (EK) to exploit vulnerabilities in software systems, browsers and their plugins in order to spread malicious payloads automatically and silently. Traditional EK attack activity detection methods extract the URLs in network traffic for static analysis and ignore the interaction process among the network traffic packets generated by the EK attack activity, which results in low detection accuracy. This paper presents an EK attack activity detection method based on a deep graph convolutional neural network (DGCNN). The method takes each HTTP request-response pair as a node and the redirection relation between nodes as an edge, and constructs a redirection graph according to customized generation rules for nodes and edges. It extracts the node structure features of the graph using DGCNN and classifies the graph using a traditional deep learning method. Experimental results show that the method can effectively detect EK attack activities, with an average detection accuracy of 97.54%.

Key words: exploit kit (EK), HTTP request-response pair, redirection graph, deep graph convolutional neural network (DGCNN), deep learning, graph classification
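The graph construction the abstract describes, as an added illustration that is not the paper's code: the page does not give the customized node and edge generation rules, so the two edge rules (3xx Location and Referer linkage), the chain-depth measure and the sample session below are this example's own assumptions, constructed for offline use.

```python
from dataclasses import dataclass, field
from urllib.parse import urljoin

@dataclass
class HttpPair:
    """One HTTP request-response pair: the node type of the redirection graph."""
    url: str
    status: int
    req_headers: dict = field(default_factory=dict)
    resp_headers: dict = field(default_factory=dict)

def build_redirect_graph(pairs):
    """Return sorted (src, dst) edges over node indices into `pairs`. Both edge
    rules are this example's assumptions, not the paper's generation rules:
      1. src answered 3xx and its Location resolves to dst's request URL;
      2. dst's request carries a Referer equal to src's URL (script/iframe
         loads and client-side redirects, which leave no 3xx behind)."""
    index = {p.url: i for i, p in enumerate(pairs)}
    edges = set()
    for i, src in enumerate(pairs):
        loc = src.resp_headers.get("Location")
        if 300 <= src.status < 400 and loc:
            j = index.get(urljoin(src.url, loc))
            if j is not None and j != i:
                edges.add((i, j))
    for j, dst in enumerate(pairs):
        i = index.get(dst.req_headers.get("Referer"))
        if i is not None and i != j:
            edges.add((i, j))
    return sorted(edges)

def longest_chain(edges, n):
    """Longest redirect path in edges; the visited set cuts cycles so it terminates."""
    succ = {i: [] for i in range(n)}
    for a, b in edges:
        succ[a].append(b)
    def depth(v, seen):
        return max((1 + depth(w, seen | {v}) for w in succ[v] if w not in seen), default=0)
    return max((depth(v, frozenset()) for v in range(n)), default=0)

# Constructed sample session (not real traffic): compromised page -> injected
# script -> 302 gate -> landing page -> binary payload.
SAMPLE = [
    HttpPair("http://site.example/index.html", 200, {}, {"Content-Type": "text/html"}),
    HttpPair("http://gate.example/g.js", 302, {"Referer": "http://site.example/index.html"},
             {"Location": "http://land.example/l.php"}),
    HttpPair("http://land.example/l.php", 200, {}, {"Content-Type": "text/html"}),
    HttpPair("http://land.example/p.bin", 200, {"Referer": "http://land.example/l.php"},
             {"Content-Type": "application/octet-stream"}),
]
```

The edge list is the adjacency structure a graph classifier such as DGCNN consumes; on the sample session it yields a single chain of three edges.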

Chinese abstract: Attackers use exploit kits (EK) to exploit vulnerabilities in software systems, browsers and their plugins in order to spread malicious payloads covertly. Traditional EK attack activity detection methods extract URLs from network traffic for static analysis and ignore the interaction process among the network traffic packets generated by the EK attack activity, which results in low detection accuracy. This paper proposes an EK attack activity detection method based on a deep graph convolutional neural network (DGCNN). HTTP request-response pairs serve as nodes and the redirection relations between nodes as edges; a redirection graph is constructed according to customized node and edge generation rules, DGCNN extracts the node structure features of the graph, and a traditional deep learning method performs the graph classification. Experimental results show that the method can effectively detect EK attack activities, with an average detection accuracy of 97.54%.

Chinese key words: exploit kit, HTTP request-response pair, redirection graph, deep graph convolutional neural network, deep learning, graph classification