WANG Tao,YU Shun-zheng

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.01.019

2011-01-01

Computer Science

Abstract:Malicious Web pages impose increasing threats on Web security in recent years.Currently,there are mainly two client-side protection approaches including anti-virus software packages and blacklists of malicious sites.Anti-virus techniques commonly use signature-based approaches which might not be able to efficiently identify malicious HTML codes with encryption and obfuscation.Furthermore,blacklisting techniques are difficult to keep up-to-date.This paper presented a novel classification method for real-time detecting malicious Web pages which is independent with the contents of Web pages.Our approach characterizes malicious Web pages using HTTP session information.With representative statistical features and decision tree algorithm in machine learning,we built an effective classification model for online real-time detecting malicious Web pages.Experiment results demonstrate that we are able to successfully detect 89.7% of the malicious Web pages with a low false positive rate of 0.3%.

Wen Zhang,Yuxin Ding,Yan Tang,Bin Zhao

DOI: https://doi.org/10.1109/icmlc.2011.6016954

2011-01-01

Abstract:The Internet has become an indispensable tool in peoples' daily life. It also bring us serious computer security problem. One big security threat comes from malicious webpages. In this paper we study how to detect malicious pages. Since malicious webpages are generated inconstantly, we use on line learning methods to detect malicious webpages. To keep the client side as safe as possible, we do not download the webpages, and analysis webpages' content. We only use URL information to determine if the URL links to a malicious pages. The feature selection methods for URL are discussed, and the performances of different on line learning methods are compared. To improve the performance of on line learning classifiers, an improved on line learning method is proposed, experiments show that this method is effective.

Bin Liang,Jianjun Huang,Fang Liu,DaWei Wang,Daxiang Dong,Zhaohui Liang

DOI: https://doi.org/10.1109/EBISS.2009.5138008

2009-01-01

Abstract:In recent years, Web sites have already become the attackers' main target. When attackers embed malicious code in the Web pages, they generally change the display mode of the corresponding HTML tags to make the display effect of malicious code invisible or almost invisible to the browser users. In this paper, the concept of abnormal visibility is proposed to describe the display feature setting of malicious code embedded. According to the concept, a malicious code detection method based on abnormal visibility recognition is designed and a prototype system is implemented. Compared to traditional methods and systems, the method has higher efficiency and less maintenance cost. Besides, a special-purpose JavaScript interpreter is implemented to get the execution output of browser-end scripts that are often used to generate malicious code dynamically by attackers. Experiments show that this system can detect most of the malicious Web pages efficiently and at the same time locate the malicious code in the source code accurately.

Zhengqi Wang,Xiaobing Feng,Yukun Niu,Chi Zhang,Jue Su

DOI: https://doi.org/10.1109/nana.2017.58

2017-01-01

Abstract:Nowadays, with the rapid development of the Internet and the growing network business, the amount of the websites is experiencing an explosive growth and the malicious websites threaten is becoming the biggest threaten in the Internet age. As a result, there have been broad interests in developing systems to detect the malicious web pages before the end users visits those websites. In order to make the detection more and more accurate, the analysis process becomes more and more costly, sometimes even requiring several seconds for a single page. Therefore, performing this analysis on a large set of web pages containing hundreds of millions of samples can be impossible. Our paper proposes a two-step detection system based on machine learning algorithm called TSMWD. The first step of TSMWD provides a fast and reliable large-scale detection on the countless unknown web pages. It can quickly discard the vast majority of benign web pages by using the static analysis techniques based on the modified Naïve-Bayesian classifier and forward the unknown samples to the second-step which can make a quite precise final detection. Due to the 99% web pages in the Internet are benign ones, the system's detection speed can be improved greatly.

jinxin zhong,gengyu wei,dongmei zhang,yixian yang

DOI: https://doi.org/10.1109/ICBNMT.2010.5705187

2010-01-01

Abstract:Nowadays, with the development of web applications, more and more cases of cyber attacks is found through the web, malicious web pages also spread on the Internet. These pages can disguise themselves easily through obfuscation or variation to escape. Furthermore, they also combine with rootkit, which makes the detection even harder. This paper presents a novel system named SAB 2 , which is a Static Analysis of Browser Behavior (SAB 2 ) detection method for detecting malicious web pages. We can define the normal behavior through static analysis of the browser behavior and compare with the browser behavior visiting a malicious web page, then determine whether a web page is malicious or not. Experimental results demonstrate that our method can identify the abnormal behavior of the Internet Explorer browser and it is able to accurately detect the existence of malicious web pages.

Wang Tao,Yu Shunzheng,Xie Bailin

DOI: https://doi.org/10.1109/ifita.2010.173

2010-01-01

Abstract:Malicious web pages are a widely-recognized threat to the security of the web. Malicious web pages launch so-called drive-by download attacks that are able to gain complete control of a user’s computer for illegitimate purpose. Even a single visit to a malicious web page enables an automatically download and installation of malicious malware executables. In this paper, we propose a novel approach for classifying web pages automatically as either malicious or benign based on a supervised machine learning. Our approach learns to detect malicious web pages exclusively based on HTTP session information (e.g., HTTP session headers, domains of requests and responses). With the corpus of 50,000 benign web pages and 500 malicious web pages, we are capable of successfully detecting 92.2% of the malicious web pages with a low false positive rate 0.1%.

HUANG Jianjun,LIANG Bin

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.022

2009-01-01

Abstract:Web sites have become the main targets of many attackers.Signature-based detection needs to maintain a large signature database and Honeypot based methods are not efficient.Since attackers always make the malicious codes in Web pages difficult to detect by the browser users, their methods can be classified into various fingerprints.Various malicious codes were analyzed to identify 6 types of fingerprints.The system utilizes a spider integrated with script interpretation to fetch target Web pages and extract specific tags for detection by HTML parsing for matching with the fingerprints to detect malicious codes.This method needs fewer fingerprints than traditional detection methods and is more efficient.Results for 60 websites show that the system has a false negative rate of 2.63% and a false positive rate of 1.99%.

Tao Yue,Jianhua Sun,Hao Chen

DOI: https://doi.org/10.1109/icdma.2013.145

2013-01-01

Abstract:With the World Wide Web expanding continuously, more and more malicious web pages including phishing, malware and spamming spread rapidly, we are facing a great threat. The work of detecting malicious web pages and identifying their threat types has some shortcomings. In existing studies of malicious webpage detection, most are just for detecting a single attack type. In this paper, we extract a variety of webpage features and use machine learning algorithms to build an efficient classifier. By the classifier, we can detect malicious web pages and identify all the popular threat types. The features extracted in our method are derived from the HTML contents, the associated Java Script code, and the corresponding URL. We collected 1000 benign web pages and 1500 malicious web pages as experimental data sets. The experimental results show that our method achieves a superior performance: the accuracy was over 95% in detecting malicious web pages and over 88% in identifying threat types.

Ming YANG,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1000-7024.2014.08.003

2014-01-01

Abstract:Malicious Web pages are increasing in recent years and many obfuscation techniques have been developed to avoid de-tection ,to solve those problems ,a new de-obfuscation method based on the browser hook technique was constructed which got the de-obfuscation code without running malicious code in real in the system .Then a malicious Web pages detection system com-bining the mid-interaction and the static-dynamic was constructed .The system was designed by dynamic verifying and auxiliary static signature detecting .Experimental results indicate this system can detect almost all kinds of high-obfuscated malicious Web pages and it is very effective ,general and accurate .

JongHun Jung,Hwan-Kuk Kim,Soojin Yoon

DOI: https://doi.org/10.48550/arXiv.1502.03872

2015-02-13

Abstract:Recent web-based cyber attacks are evolving into a new form of attacks such as private information theft and DDoS attack exploiting JavaScript within a web page. These attacks can be made just by accessing a web site without distribution of malicious codes and infection. Script-based cyber attacks are hard to detect with traditional security equipments such as Firewall and IPS because they inject malicious scripts in a response message for a normal web request. Furthermore, they are hard to trace because attacks such as DDoS can be made just by visiting a web page. Due to these reasons, it is expected that they could result in direct damages and great ripple effects. To cope with these issues, in this article, a proposal is made for techniques that are used to detect malicious scripts through real-time web content analysis and to automatically generate detection signatures for malicious JavaScript.

Cryptography and Security

Senhao Wen,Zhiyuan Zhao,Hanbing Yan

DOI: https://doi.org/10.1145/3199478.3199500

2018-03-16

Abstract:We are increasingly relying on HTML(Hypertext Markup Language) web-pages, including online shopping, obtaining information and handling official business, whether on a mobile phone or on a computer. But the underground industry or deliberate attacker has also targeted us. They forges misleading URLs(UniformResourceLocators) and web-pages with various tricky skills which are difficult to identify even for the professionals, so as to steal money, manipulate our devices, monitor our lives. Currently, most of the malicious websites detecting technology is based on features of URLs or Web page elements, which make us feel upset, because it is difficult to extract all the features, and its hysteresis quality make it hard to meet the requirement of tracking the rapid changes of malicious web sites, especially the phishing websites. This paper design a thorough associated analysis model of web-pages using the technology of topic tracking, topic abnormal discovery, web-page visual similarity assessment, web-page structure analyzing, URL analyzing, Internet Resources analyzing and so on, to solve the problem of missing detecting malicious websites, especially with unknown features. The detecting model is able to discover the forged payment web-pages, fake web page which damage the reputation of the relevant organization, personal attack web-pages, tampered web page, web-page trojan, etc. In the meantime, it can track the topic of underground industry and sense the topic evolution. According to our experiments, it is effective and has high accuracy.

Hongliang Ma,Wei Wang,Zhen Han

DOI: https://doi.org/10.13245/j.hust.141107

2014-01-01

Abstract:In order to detect malicious Web pages efficiently ,a lightweight analysis method was pro-posed based on basic JavaScript code words .First ,crawler got all source codes from Web pages ,and then extracted JavaScript codes from source codes .Second ,self-defined basic code words replaced all JavaScript codes .Last ,three machine learning algorithms ,namely ,K-nearest neighbor (K-NN ) , principal component analysis (PCA ) as well as one-class support vector machine (SVM ) were em-ployed to detect malicious Web pages based on anomaly detection .The extensive experimental results show that our method can detect Web pages efficiently .In particular ,PCA achieves a detection rate as 90% with false positive rate of 1% ,detecting 250 s-1 .

Jianhua Liu,Mengda Xu,Xin Wang,Shigen Shen,Minglu Li

DOI: https://doi.org/10.1109/access.2018.2882742

IF: 3.9

2018-01-01

IEEE Access

Abstract:The effective detection of malicious webpages plays a paramount role in ensuring the Web security on the Internet. However, the detection results of current methods are poor and their efficiency is low, and thus, it is important and challenging to design an efficient detection scheme that can improve the accuracy of classification of malicious webpages. To overcome this challenge, a Markov detection tree scheme is proposed in this paper to automatically identify and classify malicious webpages, where the link relations of unified resource locators, the information gain ratio, and Markov decision process as well as decision tree are used to analyze malicious webpages simultaneously. To increase the detection accuracy for malicious webpages, two methods of filling missing values are presented to process the null attribute values of webpages. We compare the performance of our algorithms when the different methods are applied in terms of the information gain ratio, classification accuracy, and detection efficiency. Our experimental results show that the proposed methods can improve the accuracy and efficiency in the classification of malicious webpage detections.

Wei-Feng ZHANG,Rui-Cheng LIU,Lei XU

DOI: https://doi.org/10.13328/j.cnki.jos.005495

2018-01-01

Abstract:Web Trojan is a form of attack that inserts an attacking script into the Web page,and by exploiting the vulnerabilities of browsers and their plug-ins,it causes the victim's system silently download and install malicious programs.Based on dynamic program analysis and machine learning method,this paper proposes a method of detecting Trojans based on dynamic behavior analysis.Firstly,the behaviors of the attack scripts on the landing page,including the dynamic function execution,the dynamic generation function execution,the script insertion,the page insertion and the URL jump,are monitored.Then these behaviors are extracted according to a set of rules.The associated string operation records are also processed as features.Next,for the use of heap malicious operation (the shellcode behavior),a feature indicating the heap risk is proposed.Finally,500 web samples from Alexa and VirusShare are collected as data sets,and a classifier is trained by machine learning method.The experimental results show that compared with the existing methods,the presented method has high accuracy (96.94％) and can effectively prevent interference of code obfuscation (lower false positive rate of 6.1％ and false negative rate of 1.3％).

Gerardo Canfora,Corrado Aaron Visaggio

DOI: https://doi.org/10.1007/s11416-016-0266-2

2016-01-29

Journal of Computer Virology and Hacking Techniques

Abstract:The increasing growth of malicious websites and systems for distributing malware through websites is making it urgent the adoption of effective techniques for timely detection of web security threats. Current mechanisms may exhibit some limitations, mainly concerning the amount of resources required, and a low true positives rate for zero-day attacks. With this paper, we propose and validate a set of features extracted from the content and the structure of webpages, which could be used as indicators of web security threats. The features are used for building a predictor, based on five machine learning algorithms, which is applied to classify unknown web applications. The experimentation demonstrated that the proposed set of features is able to correctly classify malicious web sites with a high level of precision, corresponding to 0.84 in the best case, and recall corresponding to 0.89 in the best case. The classifiers reveal to be successful also with zero day attacks.

Bingnan HOU,Yan? YU,Jiashun WU

2015-01-01

Journal of Computer Applications

Abstract:Malicious Web pages that host drive-by-download exploits have become the popular means for compromising hosts and creating botnets on the Internet. In drive-by-download exploits, attackers embed malicious JavaScript code into a Web page. When a victim visits this page, the script is executed and attempts to compromise the browser or one of its plugins. This paper proposed a detection and analysis method of malicious JavasScript code based on pre-filter called JSFEA which suits for large-scale Web page detection. JSFEA used static analysis techniques to quickly examine a Web page for determining whether it”s suspicious or not. If it is determined suspicious then put it into dynamic detection. The study shows that JSFEA is able to reduce the load on a more costly dynamic analysis by more than 85%, with a low false positive rate.

Jingbing Chen,Jie Yuan,Yuewei Li,Yiqi Zhang,Yufan Yang,Ruiqi Feng

DOI: https://doi.org/10.1145/3446132.3446183

2020-01-01

Abstract:In recent years, due to the high availability and convenience of the Internet, more and more information provides corresponding services through the Internet. As people are increasingly relying on the Internet, network security issues have become increasingly prominent, and a large number of malicious web pages have also emerged. How to achieve proactive and efficient detection of malicious web pages has become a research focus in the field of network security worldwide. This paper uses the Support Vector Machine algorithm to realize autonomous learning and build the classifier; chooses the TF-IDF method to process the data, and obtains the feature matrix of the collected URL data, which is stored in the sparse matrix after normalization and standardization. To avoid the existence of relatively strong features from affecting the classification results of the classifier, the K-Means method and TruncatedSVD method are used to reduce the dimension of the data features. The linear kernel function is used for large samples, and the Gaussian kernel function is used for small samples, so that the performance of the classifier is optimal. In the training process, the grid search method is used to obtain the optimal parameters forming a complete and mature detection system. And a ten-fold cross-validation method is used to test the correct rate, recall rate, accuracy rate and F1 value of the classifier. Finally the experimental result shows the malicious web page detection model has a good reference for big data processing.

Yao Wang,Wan‐dong Cai,Peng‐cheng Wei,Wan-dong Cai,Peng-cheng Wei

DOI: https://doi.org/10.1002/sec.1441

IF: 1.968

2016-02-11

Security and Communication Networks

Abstract:Abstract Malicious JavaScript code in webpages on the Internet is an emergent security issue because of its universality and potentially severe impact. Because of its obfuscation and complexities, detecting it has a considerable cost. Over the last few years, several machine learning‐based detection approaches have been proposed; most of them use shallow discriminating models with features that are constructed with artificial rules. However, with the advent of the big data era for information transmission, these existing methods already cannot satisfy actual needs. In this paper, we present a new deep learning framework for detection of malicious JavaScript code, from which we obtained the highest detection accuracy compared with the control group. The architecture is composed of a sparse random projection, deep learning model, and logistic regression. Stacked denoising auto‐encoders were used to extract high‐level features from JavaScript code; logistic regression as a classifier was used to distinguish between malicious and benign JavaScript code. Experimental results indicated that our architecture, with over 27 000 labeled samples, can achieve an accuracy of up to 95%, with a false positive rate less than 4.2% in the best case. Copyright © 2016 John Wiley & Sons, Ltd.

computer science, information systems,telecommunications

Baojiang Cui,Shanshan He,Xi Yao,Peilin Shi

DOI: https://doi.org/10.1504/ijhpcn.2018.10015545

2018-01-01

International Journal of High Performance Computing and Networking

Abstract:Many web applications suffer from various web attacks due to the lack of awareness concerning security. Therefore, it is necessary to improve the reliability of web applications by accurately detecting malicious URLs. In previous studies, keyword matching has always been used to detect malicious URLs, but this method is not adaptive. In this paper, statistical analyses based on gradient learning and feature extraction using a sigmoidal threshold level are combined to propose a new detection approach based on machine learning techniques. Moreover, the naïve Bayes, decision tree and SVM classifiers are used to validate the accuracy and efficiency of this method. Finally, the experimental results demonstrate that this method has a good detection performance, with an accuracy rate above 98.7%. In practical use, this system has been deployed online and is being used in large-scale detection, analysing approximately 2 TB of data every day.

Xiangjun Li,Sifan Li,Shengnan Liu,Lingfeng Liu,Daojing He

DOI: https://doi.org/10.18280/ts.370115

IF: 2.299

2020-01-01

Traitement du signal

Abstract:In the era of the Internet, malicious attacks have put user information at risk. Many malicious webpages use images as the carrier of malicious codes. If extracted accurately, the features of these images will help to improve the detection of malicious webpages. This paper aims to develop an accurate malicious webpage detection method based on the features of the said images. Since static images contain a small amount of information, semantic segmentation was performed to predict the semantics of the target attitude. Then, the final semantics of target the image were derived by the backpropagation neural network (BPNN). After that, the image semantics were fused with the other features of the malicious webpage, and sent to the classifier for recognition. Finally, the proposed algorithm was tested on an actual dataset, in comparison with other malicious webpage detection methods. The results show that our algorithm can accurately detect malicious webpages, thanks to the introduction of image semantic features.