Hybrid Multilayer Architecture Integrating Suricata, Wazuh, and Cyber Threat Intelligence for Drive-by-Download Malvertising Detection

Authors

  • Aurell Zulfa Angger Adrian, Universitas Dian Nuswantoro
  • Rama Aria Megantara, Universitas Dian Nuswantoro
  • Farrikh Al Zami, Universitas Dian Nuswantoro

DOI:

10.33395/sinkron.v10i1.15616

Keywords:

Malvertising, Hybrid Intrusion Detection, Suricata, Wazuh, Cyber Threat Intelligence, Active Response

Abstract

Malvertising has emerged as a serious cybersecurity threat, leveraging legitimate advertising networks to deliver malware through drive-by-download techniques without requiring user interaction. Existing standalone network- or host-based detection solutions provide limited protection because they lack integrated visibility and contextual validation across detection layers. To date, no existing research has specifically evaluated the integration of Suricata, Wazuh, and VirusTotal for endpoint-focused malvertising detection, leaving a critical gap in multi-layer defense strategies. This study proposes a hybrid multilayer architecture combining Suricata as a Network Intrusion Detection System, Wazuh as a Host-based Intrusion Detection and Prevention System, and VirusTotal as an external Cyber Threat Intelligence source to provide correlated threat detection and automated mitigation. The system was evaluated in a controlled virtual laboratory consisting of attacker, victim, and SIEM environments replicating real malvertising scenarios. The results show that the proposed architecture successfully detected malicious payloads and completed an end-to-end detection-to-mitigation cycle in approximately 5-7 seconds while maintaining zero false positives under non-malicious conditions. This research contributes a practical and reproducible architecture for endpoint-based malvertising detection, demonstrating effective multi-layer correlation and rapid autonomous response. The limitation of this study lies in its reliance on signature-based detection and external API communication, which may reduce effectiveness against zero-day threats or offline deployments.
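As an added example that is not part of the paper, the following Python script simulates the three-layer correlation the abstract describes: Suricata network alerts and Wazuh file-integrity events are merged onto one timeline, the hash of each dropped file is checked against a CTI verdict, and a tiered response decision is produced so that a network alert alone never triggers blocking. All event shapes, IP addresses, hashes, the signature id and the thresholds are constructed, and the VirusTotal lookup is replaced by an offline dictionary.

```python
import json
from datetime import datetime, timedelta

# Constructed stand-in for VirusTotal: sha256 -> number of engines flagging the file (offline stub).
MALICIOUS_SHA = "a" * 64   # constructed hash of the dropped malvertising payload
BENIGN_SHA = "b" * 64      # constructed hash of a harmless download
CTI_VERDICTS = {MALICIOUS_SHA: 41, BENIGN_SHA: 0}
CORRELATION_WINDOW = timedelta(seconds=10)   # a host drop this soon after a network alert counts as related
POSITIVES_THRESHOLD = 3                      # minimum CTI detections before active response blocks

# Constructed NDJSON lines shaped like Suricata EVE alerts and Wazuh syscheck events.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"timestamp": "2025-01-15T10:00:01+00:00", "event_type": "alert", "src_ip": "203.0.113.10",
     "dest_ip": "192.168.56.20", "alert": {"signature_id": 1000001, "signature": "CONSTRUCTED malvertising redirect"}},
    {"timestamp": "2025-01-15T10:00:04+00:00", "agent": {"ip": "192.168.56.20"},
     "syscheck": {"path": "/home/user/Downloads/update.exe", "sha256_after": MALICIOUS_SHA}},
    {"timestamp": "2025-01-15T10:00:05+00:00", "agent": {"ip": "192.168.56.20"},
     "syscheck": {"path": "/home/user/Downloads/banner.png", "sha256_after": BENIGN_SHA}},
    {"timestamp": "2025-01-15T10:09:00+00:00", "agent": {"ip": "192.168.56.21"},
     "syscheck": {"path": "/home/user/Downloads/report.pdf", "sha256_after": BENIGN_SHA}},
]]

def parse_events(lines):
    """Parse the merged feed and attach a datetime so both sensors share one timeline."""
    events = [json.loads(line) for line in lines if line.strip()]
    for ev in events:
        ev["_ts"] = datetime.fromisoformat(ev["timestamp"])
    return sorted(events, key=lambda e: e["_ts"])

def correlate(events):
    """Return one decision per host file event, combining the network, host and CTI layers."""
    net_alerts = [e for e in events if e.get("event_type") == "alert"]
    decisions = []
    for ev in events:
        if "syscheck" not in ev:
            continue                      # only host-layer file events can start a response
        host_ip, fim = ev["agent"]["ip"], ev["syscheck"]
        # Network layer: did Suricata alert on this victim shortly before the file appeared?
        net_hit = any(a["dest_ip"] == host_ip and timedelta(0) <= ev["_ts"] - a["_ts"] <= CORRELATION_WINDOW
                      for a in net_alerts)
        positives = CTI_VERDICTS.get(fim["sha256_after"], 0)   # CTI layer verdict on the dropped file
        if positives >= POSITIVES_THRESHOLD:
            action = "quarantine"         # validated by external intelligence: active response fires
        elif net_hit:
            action = "investigate"        # network context only: raise an alert, do not block
        else:
            action = "ignore"             # benign file on a host with no corroborating alert
        decisions.append({"path": fim["path"], "net_hit": net_hit, "positives": positives, "action": action})
    return decisions

if __name__ == "__main__":
    for decision in correlate(parse_events(SAMPLE_LINES)):
        print(decision)
```

The benign banner.png lands on the same host inside the correlation window, so it is flagged for investigation but not quarantined, which is the cross-layer validation that keeps the false-positive rate down.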




How to Cite

Adrian, A. Z. A., Megantara, R. A., & Al Zami, F. (2026). Hybrid Multilayer Architecture Integrating Suricata, Wazuh, and Cyber Threat Intelligence for Drive-by-Download Malvertising Detection. Sinkron: Jurnal Dan Penelitian Teknik Informatika, 10(1), 161–168. https://doi.org/10.33395/sinkron.v10i1.15616
