From: LSTM RNN: detecting exploit kits using redirection chain sequences

Feature | Description |
---|---|
Redirect | |
Number | Index of node within chain |
Depth | Depth of node within chain |
Time | Time between redirections |
Referrer | No. of ‘Referrer’ redirects |
Location | No. of ‘Location’ redirects |
HTML | No. of ‘HTML’ redirects |
JS | No. of ‘JS’ redirects |
iFrame | No. of ‘iFrame’ redirects |
Subdomain | No. of ‘Subdomain’ redirects |
Concatenation | No. of ‘Concat’ redirects |
Base64 | No. of ‘Base64’ redirects |
Unknown | No. of ‘Unknown’ redirects |
URL | |
Standard Port | Use of default HTTP(S) port |
Is IP | Domain is an IP address |
Domain Length | Length of the domain name |
Domain Entropy | Entropy of the domain name |
URI Length | Avg URI length |
URI Entropy | Avg URI entropy |
URI Slash | Avg/Total slashes (‘/’) |
URI Amp | Avg/Total ampersands (‘&’) |
URI Dash | Avg/Total dashes (‘-’) |
URI Plus | Avg/Total pluses (‘+’) |
TLD | Top-level domain |
Content | |
Requests | No. of HTTP requests |
Response | Avg/Total size of responses |
Shockwave | Avg/Total Shockwave bytes |
Executable | Avg/Total EXE bytes |
Java | Avg/Total Java bytes |
Silverlight | Avg/Total Silverlight bytes |
JavaScript | Avg/Total JavaScript bytes |
XML | Avg/Total XML bytes |
ZIP | Avg/Total ZIP bytes |
Image | Avg/Total Image bytes |
HTML | Avg/Total HTML bytes |