
Detection and classification of exploit kits


Abstract

A non-transitory computer readable storage medium having stored thereon instructions executable by a processor to perform operations including: responsive to determining that a correlation between a representation of the first portion of network traffic and a representation of a known exploit kit results in a score above a first prescribed score value, classifying the representation of the first portion of the received network traffic into an exploit kit family corresponding to the representation of the known exploit kit; and responsive to determining that the score is below the first prescribed score value and above a second prescribed score value, (i) analyzing the representation of the first portion of the received network traffic, and (ii) processing, within a virtual machine, a second portion of the received network traffic to determine whether processing of the received network traffic results in behavior indicative of an exploit kit.

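Bibliographic data

  • Publication number: US9825976B1

  • Patent type:

  • Publication date: 2017-11-21

  • Original format: PDF

  • Applicant/assignee: FIREEYE INC.

  • Application number: US201514871830

  • Inventors: ABHISHEK SINGH; JOSHUA LEWIS GOMEZ

  • Filing date: 2015-09-30

  • Classification: H04L29/06; G06N99/00; G06N7/00

  • Country: US

  • Database entry time: 2022-08-21 12:55:12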
