Chunlin Liu,Lidong Wang,Bo Lang,Yuan Zhou

DOI: https://doi.org/10.1145/3180374.3181352

2018-01-01

Abstract:Malicious URL is an important security issue to the Internet, which has a significant economic impact. By now, it is still a challenging problem. In this paper, we propose that combining statistical analysis of website URLs with machine learning techniques will give a more accurate classification of malicious URLs. We focus on the Character features of malicious URLs by statistical methods to obtain char distribution features and structural features. Then, In order to find effective classifier for malicious URL detection, we use six different classifiers to perform cross training. The experimental results on our data set demonstrate that the combination of the URL features extracted in this paper and the Random Forest classification algorithm can achieve 99.7% precision with a false positive rate of less than 0.4%. We also show that these features render better performance than the previously used features which combine lexical features and structural features and render similar results to the N-Gram or TF-IDF based features. Besides, we adjust the number of iterations of random forest and random choice characteristic number of random forest in experiment.

Doyen Sahoo,Chenghao Liu,Steven C.H. Hoi

DOI: https://doi.org/10.48550/arXiv.1701.07179

2019-08-21

Abstract:Malicious URL, a.k.a. malicious website, is a common and serious threat to cybersecurity. Malicious URLs host unsolicited content (spam, phishing, drive-by exploits, etc.) and lure unsuspecting users to become victims of scams (monetary loss, theft of private information, and malware installation), and cause losses of billions of dollars every year. It is imperative to detect and act on such threats in a timely manner. Traditionally, this detection is done mostly through the usage of blacklists. However, blacklists cannot be exhaustive, and lack the ability to detect newly generated malicious URLs. To improve the generality of malicious URL detectors, machine learning techniques have been explored with increasing attention in recent years. This article aims to provide a comprehensive survey and a structural understanding of Malicious URL Detection techniques using machine learning. We present the formal formulation of Malicious URL Detection as a machine learning task, and categorize and review the contributions of literature studies that addresses different dimensions of this problem (feature representation, algorithm design, etc.). Further, this article provides a timely and comprehensive survey for a range of different audiences, not only for machine learning researchers and engineers in academia, but also for professionals and practitioners in cybersecurity industry, to help them understand the state of the art and facilitate their own research and practical applications. We also discuss practical issues in system design, open research challenges, and point out some important directions for future research.

Machine Learning,Cryptography and Security

Tie Li,Gang Kou,Yi Peng

DOI: https://doi.org/10.1016/j.is.2020.101494

IF: 3.18

2020-01-01

Information Systems

Abstract:In malicious URLs detection, traditional classifiers are challenged because the data volume is huge, patterns are changing over time, and the correlations among features are complicated. Feature engineering plays an important role in addressing these problems. To better represent the underlying problem and improve the performances of classifiers in identifying malicious URLs, this paper proposed a combination of linear and non-linear space transformation methods. For linear transformation, a two-stage distance metric learning approach was developed: first, singular value decomposition was performed to get an orthogonal space, and then a linear programming was used to solve an optimal distance metric. For nonlinear transformation, we introduced Nyström method for kernel approximation and used the revised distance metric for its radial basis function such that the merits of both linear and non-linear transformations can be utilized. 33,1622 URLs with 62 features were collected to validate the proposed feature engineering methods. The results showed that the proposed methods significantly improved the efficiency and performance of certain classifiers, such as k-Nearest Neighbor, Support Vector Machine, and neural networks. The malicious URLs’ identification rate of k-Nearest Neighbor was increased from 68% to 86%, the rate of linear Support Vector Machine was increased from 58% to 81%, and the rate of Multi-Layer Perceptron was increased from 63% to 82%. We also developed a website to demonstrate a malicious URLs detection system which uses the methods proposed in this paper. The system can be accessed at: http://url.jspfans.com.

Manlin Wang,Fei Zhang,Patrick P. K. Chan

DOI: https://doi.org/10.1109/ICMLC.2013.6890356

2013-01-01

Abstract:Malicious websites provide a platform supporting diverse Internet crimes. They do not only steal the sensitive information but also let the hacker to control the computer of users. Malicious website detection with the machine learning technique achieves satisfying result. However, the characteristics of the malicious website may be modified to evade the detection. In this paper, the exploratory attack which misleads the decision of the classifier on the malicious samples by change the feature values with the minimum cost is discussed for malicious website detection. The costs of modifying features of malicious website domain are discussed. The attack model is used to attack the detection system using Support Vector Machine and Fisher Discriminant Classifier. The experimental results show that SVM is more robust than fisher discriminant classifier. Moreover, the vulnerable features are also discussed for the malicious website detection.

Wen Zhang,Yuxin Ding,Yan Tang,Bin Zhao

DOI: https://doi.org/10.1109/icmlc.2011.6016954

2011-01-01

Abstract:The Internet has become an indispensable tool in peoples' daily life. It also bring us serious computer security problem. One big security threat comes from malicious webpages. In this paper we study how to detect malicious pages. Since malicious webpages are generated inconstantly, we use on line learning methods to detect malicious webpages. To keep the client side as safe as possible, we do not download the webpages, and analysis webpages' content. We only use URL information to determine if the URL links to a malicious pages. The feature selection methods for URL are discussed, and the performances of different on line learning methods are compared. To improve the performance of on line learning classifiers, an improved on line learning method is proposed, experiments show that this method is effective.

Jingbing Chen,Jie Yuan,Yuewei Li,Yiqi Zhang,Yufan Yang,Ruiqi Feng

DOI: https://doi.org/10.1145/3446132.3446183

2020-01-01

Abstract:In recent years, due to the high availability and convenience of the Internet, more and more information provides corresponding services through the Internet. As people are increasingly relying on the Internet, network security issues have become increasingly prominent, and a large number of malicious web pages have also emerged. How to achieve proactive and efficient detection of malicious web pages has become a research focus in the field of network security worldwide. This paper uses the Support Vector Machine algorithm to realize autonomous learning and build the classifier; chooses the TF-IDF method to process the data, and obtains the feature matrix of the collected URL data, which is stored in the sparse matrix after normalization and standardization. To avoid the existence of relatively strong features from affecting the classification results of the classifier, the K-Means method and TruncatedSVD method are used to reduce the dimension of the data features. The linear kernel function is used for large samples, and the Gaussian kernel function is used for small samples, so that the performance of the classifier is optimal. In the training process, the grid search method is used to obtain the optimal parameters forming a complete and mature detection system. And a ten-fold cross-validation method is used to test the correct rate, recall rate, accuracy rate and F1 value of the classifier. Finally the experimental result shows the malicious web page detection model has a good reference for big data processing.

Adebayo Oshingbesan,Courage Ekoh,Chukwuemeka Okobi,Aime Munezero,Kagame Richard

DOI: https://doi.org/10.48550/arXiv.2209.09630

2022-09-13

Abstract:In detecting malicious websites, a common approach is the use of blacklists which are not exhaustive in themselves and are unable to generalize to new malicious sites. Detecting newly encountered malicious websites automatically will help reduce the vulnerability to this form of attack. In this study, we explored the use of ten machine learning models to classify malicious websites based on lexical features and understand how they generalize across datasets. Specifically, we trained, validated, and tested these models on different sets of datasets and then carried out a cross-datasets analysis. From our analysis, we found that K-Nearest Neighbor is the only model that performs consistently high across datasets. Other models such as Random Forest, Decision Trees, Logistic Regression, and Support Vector Machines also consistently outperform a baseline model of predicting every link as malicious across all metrics and datasets. Also, we found no evidence that any subset of lexical features generalizes across models or datasets. This research should be relevant to cybersecurity professionals and academic researchers as it could form the basis for real-life detection systems or further research work.

Cryptography and Security,Machine Learning

CAI Qingmeng,WANG Jian,LI Pengbo

DOI: https://doi.org/10.19363/J.cnki.cn10-1380/tn.2023.03.05

2023-01-01

Journal of Cyber Security

Abstract:In the wake of the advent of big data era, whereas the malicious URL, as the medium for Web attacking, progressively threatens the security of users’ information. Traditional detection methods in terms of malicious URL, such as blacklist detection and signature matching, are exposing their intrinsic defects, to this end, this paper proposes a malicious URL detection model based on a cost-sensitive learning strategy. In this thesis, HTTP request parameters together with URL information are employed as the original data samples to extract features; and the corresponding data processing is carried out to resolve the problem of difficult feature extraction incurred by simple URL data. In addition, by comparing three encoding processing methods through tests, this research has chosen the best processing approach in term of character encoding. By doing so, it has ensured the effectiveness of the subsequent detection model. Regarding the model of neural network, the Convolutional Neural Network model suitable for URL detection is specialized designed for the characteristics of URL character input. In this model, in order to extract the deep features of the data, two convolutional layers are broadly used. Secondly, this research utilizes a Bidirectional Long Short-Time Memory to extract the temporal features of the data from the pooling layer, while in the last unit of this network outputs the temporal features to achieve the pooling effect, this research method not only effectively extracts the contextual information regarding the data, also avoids an abundant model calculations and thus, ensures the efficiency of model detection. At the same time, in order to solve the problem of unbalanced data samples, it assigns different penalty factors to data samples during the iterative process, improves the rules for assigning initialization weights to data samples and normalizes them, increases the weight of malicious samples in the overall error function. Experimental results show that this model is better than other mainstream detection models in accuracy, recall and detection efficiency, and has better resistance to imbalanced data sets.

Malak Aljabri,Fahd Alhaidari,Rami Mustafa A Mohammad,Samiha Mirza,Dina H Alhamed,Hanan S Altamimi,Sara Mhd Bachar Chrouf

DOI: https://doi.org/10.1155/2022/3241216

2022-08-25

Abstract:The World Wide Web services are essential in our daily lives and are available to communities through Uniform Resource Locator (URL). Attackers utilize such means of communication and create malicious URLs to conduct fraudulent activities and deceive others by creating deceptive and misleading websites and domains. Such threats open the doors for many critical attacks such as spams, spyware, phishing, and malware. Therefore, detecting malicious URL is crucially important to prevent the occurrence of many cybercriminal activities. In this study, we examined a set of machine learning (ML) and deep learning (DL) models to detect malicious websites using a dataset comprising 66,506 records of URLs. We engineered three different types of features including lexical-based, network-based and content-based features. To extract the most discriminative features in the dataset, we applied several features selection algorithms, namely, correlation analysis, Analysis of Variance (ANOVA), and chi-square. Finally, we conducted a comparative performance evaluation for several ML and DL models considering set of criteria commonly used to evaluate such models. Results depicted that Naïve Bayes (NB) was the best model for detecting malicious URLs using the applied data with an accuracy of 96%. This research has made contribution to the field by conducting significant features engineering and analysis to identify the best features for malicious URLs predictions, compare different models and achieve a high accuracy using a large new URL dataset.

Qasem Abu Al-Haija,Mustafa Al-Fayoumi

DOI: https://doi.org/10.1007/s00521-023-08592-z

2023-04-20

Abstract:Uniform Resource Locator (URL) is a unique identifier composed of protocol and domain name used to locate and retrieve a resource on the Internet. Like any Internet service, URLs (also called websites) are vulnerable to compromise by attackers to develop Malicious URLs that can exploit/devastate the user's information and resources. Malicious URLs are usually designed with the intention of promoting cyber-attacks such as spam, phishing, malware, and defacement. These websites usually require action on the user's side and can reach users across emails, text messages, pop-ups, or devious advertisements. They have a potential impact that can reach, in some cases, to compromise the machine or network of the user, especially those arriving by email. Therefore, developing systems to detect malicious URLs is of great interest nowadays. This paper proposes a high-performance machine learning-based detection system to identify Malicious URLs. The proposed system provides two layers of detection. Firstly, we identify the URLs as either benign or malware using a binary classifier. Secondly, we classify the URL classes based on their feature into five classes: benign, spam, phishing, malware, and defacement. Specifically, we report on four ensemble learning approaches, viz. the ensemble of bagging trees (En_Bag) approach, the ensemble of k-nearest neighbor (En_kNN) approach, and the ensemble of boosted decision trees (En_Bos) approach, and the ensemble of subspace discriminator (En_Dsc) approach. The developed approaches have been evaluated on an inclusive and contemporary dataset for uniform resource locators (ISCX-URL2016). ISCX-URL2016 provides a lightweight dataset for detecting and categorizing malicious URLs according to their attack type and lexical analysis. Conventional machine learning evaluation measurements are used to evaluate the detection accuracy, precision, recall, F Score, and detection time. Our experiential assessment indicates that the ensemble of bagging trees (En_Bag) approach provides better performance rates than other ensemble methods. Alternatively, the ensemble of the k-nearest neighbor (En_kNN) approach provides the highest inference speed. We also contrast our En_Bag model with state-of-the-art solutions and show its superiority in binary classification and multi-classification with accuracy rates of 99.3% and 97.92%, respectively.

Zuguo Chen,Yanglong Liu,Chaoyang Chen,Ming Lu,Xuzhuo Zhang

DOI: https://doi.org/10.1155/2021/9994127

IF: 1.968

2021-05-26

Security and Communication Networks

Abstract:The traditional malicious uniform resource locator (URL) detection method excessively relies on the matching rules formulated by the network security personnel, which is hard to fully express the text information of the URL. Thus, an improved multilayer recurrent convolutional neural network model based on the YOLO algorithm is proposed to detect malicious URL in this paper. First, single characters are mapped to dense vectors using word embedding, and the dense vectors are participated in the training process of the whole model according to the structural characteristics of the URL in the method. Then, the CSPDarknet neural network model based on the improved YOLO algorithm is proposed to extract features of the URL. Finally, the extracted features are used to evaluate malicious URL by the bidirectional LSTM recurrent neural network algorithm. In order to verify the validity of the algorithm, a total of 200,000 URLs are collected, including 100,000 normal URLs labeled “good” and 100,000 malicious URLs labeled “bad”. The experimental results show that the method detects malicious URLs more quickly and effectively and has high accuracy, high recall rate, and high accuracy compared with Text-RCNN, BRNN, and other models.

computer science, information systems,telecommunications

Xiaodan Yan,Yang Xu,Baojiang Cui,Shuhan Zhang,Taibiao Guo,Chaoliang Li

DOI: https://doi.org/10.1109/tii.2020.2977886

IF: 12.3

2020-01-01

IEEE Transactions on Industrial Informatics

Abstract:The emergence of artificial intelligence technology has promoted the development of the Internet of Things. However, this promising cyber technology can encounter serious security problems while accessing the internet. A malicious website can disguise itself as a normal website, and obtain users’ private information. Thus, it is very important to detect malicious websites using tools such as machine learning (ML) algorithms, as these algorithms can help us to identify abnormal information hidden in the mass traffic more easily. Accordingly, many feature engineering tasks must be performed from memory, as a strong machine learning model is greatly improved with good features. In this article, we propose an unsupervised learning algorithm that learns URL embedding. We also explore some key parameters regarding a domain embedding model to obtain a good effect on domain features.

Wenchuan Yang,Wen Zuo,Baojiang Cui

DOI: https://doi.org/10.1109/access.2019.2895751

IF: 3.9

2019-01-01

IEEE Access

Abstract:With the continuous development of Web attacks, many web applications have been suffering from various forms of security threats and network attacks. The security detection of URLs has always been the focus of Web security. Many web application resources can be accessed by simply entering an URL or clicking a link in the browser. An attacker can construct various web attacks such as SQL, XSS, and information disclosure by embedding executable code or injecting malicious code into the URL. Therefore, it is necessary to improve the reliability and security of web applications by accurately detecting malicious URLs. This paper designs a convolutional gated-recurrent-unit (GRU) neural network for the detection of malicious URLs detection based on characters as text classification features. Considering that malicious keywords are unique to URLs, a feature representation method of URLs based on malicious keywords is proposed, and a GRU is used in place of the original pooling layer to perform feature acquisition on the time dimension, resulting in high-accuracy multicategory results. The experimental results show that our proposed neural network detection model is very suitable for high-precision classification tasks. Compared with other classification models, the model accuracy rate is above 99.6%. The use of deep learning to classify URLs to identify Web visitors' intentions has important theoretical and scientific values for Web security research, providing new ideas for intelligent security detection.

Yunji Liang,Qiushi Wang,Kang Xiong,Xiaolong Zheng,Zhiwen Yu,Daniel Zeng

DOI: https://doi.org/10.1109/tdsc.2021.3121388

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:As cybercrimes grow in scale with devastating economic costs, it is important to protect potential victims against diverse attacks. In spite of the diversity of cybercrimes, it is the uniform resource locators (URLs) that connect vulnerable users with potential attacks. Although numerous solutions (e.g., rule-based solutions and machine learning-based methods) are proposed for malicious URL detection, they cannot provide robust performance due to the diversity of cybercrimes and cannot cope with the explosive growth of malicious URLs with the evolution of obfuscation strategies. In this paper, we propose a deep learning-based system, dubbed as CyberLen, to detect malicious URLs robustly and effectively. Specifically, we use factorization machine (FM) to learn the latent interaction among lexical features. For the deep structural features, position embedding is introduced for token vectorization to reduce the ambiguity of URL tokens. Meanwhile, temporal convolution network (TCN) is utilized to learn the long-distance dependency among URL tokens. To fuse heterogeneous features, self-paced wide <span class="mjpage"></span>&amp; deep learning strategy is proposed to train a robust model effectively. The proposed solution is evaluated on a large-scale URL dataset. Our experimental results show that position embedding is constructive to reducing the ambiguity of URL tokens, and the self-paced wide <span class="mjpage"></span>&amp; deep learning strategy shows superior performance in terms of F1 score and convergence speed.<svg xmlns="http://www.w3.org/2000/svg" style="display: none;"><defs id="MathJax_SVG_glyphs"></defs></svg>

computer science, information systems, software engineering, hardware & architecture

Kinh Tran,Dusan Sovilj

2024-09-12

Abstract:Malicious website detection is an increasingly relevant yet intricate task that requires the consideration of a vast amount of fine details. Our objective is to create a machine learning model that is trained on as many of these finer details as time will allow us to classify a website as benign or malicious. If malicious, the model will classify the role it plays (phishing, spam, malware hosting, etc.). We proposed 77 features and created a dataset of 441,701 samples spanning 9 website classifications to train our model. We grouped the proposed features into feature subsets based on the time and resources required to compute these features and the performance changes with the inclusion of each subset to the model. We found that the performance of the best performing model increased as more feature subsets were introduced. In the end, our best performing model was able to classify websites into 1 of 9 classifications with a 95.89\% accuracy score. We then investigated how well the features we proposed ranked in importance and detail the top 10 most relevant features according to our models. 2 of our URL embedding features were found to be the most relevant by our best performing model, with content-based features representing half of the top 10 spots. The rest of the list was populated with singular features from different feature categories including: a host feature, a robots.txt feature, a lexical feature, and a passive domain name system feature.

Cryptography and Security

Jingbing Chen,Jie Yuan,Yuewei Li,Yiqi Zhang,Yufan Yang,Ruiqi Feng

DOI: https://doi.org/10.1145/3446132.3446183

2020-01-01

Abstract:In recent years, due to the high availability and convenience of the Internet, more and more information provides corresponding services through the Internet. As people are increasingly relying on the Internet, network security issues have become increasingly prominent, and a large number of malicious web pages have also emerged. How to achieve proactive and efficient detection of malicious web pages has become a research focus in the field of network security worldwide. This paper uses the Support Vector Machine algorithm to realize autonomous learning and build the classifier; chooses the TF-IDF method to process the data, and obtains the feature matrix of the collected URL data, which is stored in the sparse matrix after normalization and standardization. To avoid the existence of relatively strong features from affecting the classification results of the classifier, the K-Means method and TruncatedSVD method are used to reduce the dimension of the data features. The linear kernel function is used for large samples, and the Gaussian kernel function is used for small samples, so that the performance of the classifier is optimal. In the training process, the grid search method is used to obtain the optimal parameters forming a complete and mature detection system. And a ten-fold cross-validation method is used to test the correct rate, recall rate, accuracy rate and F1 value of the classifier. Finally the experimental result shows the malicious web page detection model has a good reference for big data processing.

Chaochao Luo,Shen Su,Yanbin Sun,Qingji Tan,Meng Han,Zhihong Tian

DOI: https://doi.org/10.32604/cmc.2020.06507

2020-01-01

Abstract:Since the web service is essential in daily lives, cyber security becomes more and more important in this digital world. Malicious Uniform Resource Locator (URL) is a common and serious threat to cybersecurity. It hosts unsolicited content and lure unsuspecting users to become victim of scams, such as theft of private information, monetary loss, and malware installation. Thus, it is imperative to detect such threats. However, traditional approaches for malicious URLs detection that based on the blacklists are easy to be bypassed and lack the ability to detect newly generated malicious URLs. In this paper, we propose a novel malicious URL detection method based on deep learning model to protect against web attacks. Specifically, we firstly use auto-encoder to represent URLs. Then, the represented URLs will be input into a proposed composite neural network for detection. In order to evaluate the proposed system, we made extensive experiments on HTTP CSIC2010 dataset and a dataset we collected, and the experimental results show the effectiveness of the proposed approach.

Guolin Tan,Peng Zhang,Qingyun Liu,Xinran Liu,Chunge Zhu,Fenghu Dou

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2018.00107

2018-01-01

Abstract:Hackers can implant malwares (e.g. Trojans, Worms, etc.) in the web pages to steal user information and acquire money illegally. In fact, it is noted that close to one-third of all websites are potentially malicious in nature. Therefore, It makes sense to quickly detect malicious URLs on the Internet. Different from most of previous methods, in this paper, we propose a method for online malicious URL detection based on adaptive learning. By collecting the network traffic from backbone networks, we train machine learning models to detect malicious URLs. But there is a serious problem in dynamically changing environments where the statistical properties of target variable change over time, which is known as concept drift. To address this problem, we apply a nonparametric test to correctly detect concept drifts in adaptive learning. Extensive experiments with different types of concept drifts are performed to demonstrate the feasibility of our proposed method on both artificial and real datasets. Our empirical study shows that this approach has good performance in detecting malicious URLs and concept drifts.

JianTing Yuan,YiPeng Liu,Long Yu

DOI: https://doi.org/10.1155/2021/4917016

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The number of malicious websites is increasing yearly, and many companies and individuals worldwide have suffered losses. Therefore, the detection of malicious websites is a task that needs continuous development. In this study, a joint neural network algorithm model combining the attention mechanism, bidirectional independent recurrent neural network (Bi-IndRNN), and capsule network (CapsNet) is proposed. The word vector tool word2vec trains the character- and word-level uniform resource locator (URL) static embedding vector features. At the same time, the algorithm will also extract texture fingerprint features that can compare the content differences of different malicious web URL binary files. Then, the extracted features are fused and input into the joint neural network algorithm model. First, the multihead attention mechanism is used to extract contextual semantic features by adjusting weights and Bi-IndRNN. Second, CapsNet with dynamic routing is used to extract deep semantic information. Finally, the sigmoid classifier is used for classification. This study uses different methods from different angles to extract more comprehensive features. From the experimental results, the method proposed in this study improves the classification accuracy of malicious web page detection compared with other researchers.

WANG Tao,YU Shun-zheng

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.01.019

2011-01-01

Computer Science

Abstract:Malicious Web pages impose increasing threats on Web security in recent years.Currently,there are mainly two client-side protection approaches including anti-virus software packages and blacklists of malicious sites.Anti-virus techniques commonly use signature-based approaches which might not be able to efficiently identify malicious HTML codes with encryption and obfuscation.Furthermore,blacklisting techniques are difficult to keep up-to-date.This paper presented a novel classification method for real-time detecting malicious Web pages which is independent with the contents of Web pages.Our approach characterizes malicious Web pages using HTTP session information.With representative statistical features and decision tree algorithm in machine learning,we built an effective classification model for online real-time detecting malicious Web pages.Experiment results demonstrate that we are able to successfully detect 89.7% of the malicious Web pages with a low false positive rate of 0.3%.