Rajesh Kumar,Xiaosong Zhang,Hussain Ahmad Tariq,Riaz Ullah Khan

DOI: https://doi.org/10.1109/iccwamtip.2017.8301457

2017-01-01

Abstract:Malicious URLs are harmful to every aspect of computer users. Detecting of the malicious URL is very important. Currently, detection of malicious webpages techniques includes black-list and white-list methodology and machine learning classification algorithms are used. However, the black-list and white-list technology is useless if a particular URL is not in list. In this paper, we propose a multi-layer model for detecting malicious URL. The filter can directly determine the URL by training the threshold of each layer filter when it reaches the threshold. Otherwise, the filter leaves the URL to next layer. We also used an example to verify that the model can improve the accuracy of URL detection.

Adrian-Ştefan Popescu,Dragoş-Teodor Gavriluţ,Daniel-Ionuţ Irimia

DOI: https://doi.org/10.1007/s11416-015-0239-x

2015-02-19

Journal of Computer Virology and Hacking Techniques

Abstract:Over the last couple of years there has been a substantial increase of malicious attacks that are using the Internet as an infection vector. One solution to counter this problem is to implement a filter at the network connection level. Due to the large amount of data that has to be filtered in real-time, any practical approach has to consider both memory usage and performance limitations in order to deliver a fast response time. This paper presents a cloud-based mechanism that can be used to filter large amounts of network traffic with respect to both memory and response time limitations. The algorithms have been tested on data flows of more than 750 million of URLs/day. We will address different practical problems, such as storage, computation time and large data flow clustering. In the end we will also present different statistical results that we obtained over a period of 2 months.

Chaochao Luo,Shen Su,Yanbin Sun,Qingji Tan,Meng Han,Zhihong Tian

DOI: https://doi.org/10.32604/cmc.2020.06507

2020-01-01

Abstract:Since the web service is essential in daily lives, cyber security becomes more and more important in this digital world. Malicious Uniform Resource Locator (URL) is a common and serious threat to cybersecurity. It hosts unsolicited content and lure unsuspecting users to become victim of scams, such as theft of private information, monetary loss, and malware installation. Thus, it is imperative to detect such threats. However, traditional approaches for malicious URLs detection that based on the blacklists are easy to be bypassed and lack the ability to detect newly generated malicious URLs. In this paper, we propose a novel malicious URL detection method based on deep learning model to protect against web attacks. Specifically, we firstly use auto-encoder to represent URLs. Then, the represented URLs will be input into a proposed composite neural network for detection. In order to evaluate the proposed system, we made extensive experiments on HTTP CSIC2010 dataset and a dataset we collected, and the experimental results show the effectiveness of the proposed approach.

Yunji Liang,Qiushi Wang,Kang Xiong,Xiaolong Zheng,Zhiwen Yu,Daniel Zeng

DOI: https://doi.org/10.1109/tdsc.2021.3121388

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:As cybercrimes grow in scale with devastating economic costs, it is important to protect potential victims against diverse attacks. In spite of the diversity of cybercrimes, it is the uniform resource locators (URLs) that connect vulnerable users with potential attacks. Although numerous solutions (e.g., rule-based solutions and machine learning-based methods) are proposed for malicious URL detection, they cannot provide robust performance due to the diversity of cybercrimes and cannot cope with the explosive growth of malicious URLs with the evolution of obfuscation strategies. In this paper, we propose a deep learning-based system, dubbed as CyberLen, to detect malicious URLs robustly and effectively. Specifically, we use factorization machine (FM) to learn the latent interaction among lexical features. For the deep structural features, position embedding is introduced for token vectorization to reduce the ambiguity of URL tokens. Meanwhile, temporal convolution network (TCN) is utilized to learn the long-distance dependency among URL tokens. To fuse heterogeneous features, self-paced wide <span class="mjpage"></span>&amp; deep learning strategy is proposed to train a robust model effectively. The proposed solution is evaluated on a large-scale URL dataset. Our experimental results show that position embedding is constructive to reducing the ambiguity of URL tokens, and the self-paced wide <span class="mjpage"></span>&amp; deep learning strategy shows superior performance in terms of F1 score and convergence speed.<svg xmlns="http://www.w3.org/2000/svg" style="display: none;"><defs id="MathJax_SVG_glyphs"></defs></svg>

computer science, information systems, software engineering, hardware & architecture

Cheng HUANG

DOI: https://doi.org/10.3969/j.issn.1007-1423.2016.03.003

2016-01-01

Abstract:Recently, traditional URL filtering firewall rule base only for URL filtering, for the new added website involving violence powerless, or the administrator unresponsive. For this view of the current situation, proposes a URL filtering system within a local area network, which is based on climbing web pages for text and analyzing text to determine the lawfulness of the specified URL, considering the matching effi-ciency of the words and the use of memory space in this system, uses the MD5 digest value calculated on the URL, builds on top of this black and white lists, combining Bloom Filter algorithm with improved HashMap data structure to achieve high speed for URL filtering.

Joshua Saxe,Richard Harang,Cody Wild,Hillary Sanders

DOI: https://doi.org/10.48550/arXiv.1804.05020

2018-04-14

Abstract:Malicious web content is a serious problem on the Internet today. In this paper we propose a deep learning approach to detecting malevolent web pages. While past work on web content detection has relied on syntactic parsing or on emulation of HTML and Javascript to extract features, our approach operates directly on a language-agnostic stream of tokens extracted directly from static HTML files with a simple regular expression. This makes it fast enough to operate in high-frequency data contexts like firewalls and web proxies, and allows it to avoid the attack surface exposure of complex parsing and emulation code. Unlike well-known approaches such as bag-of-words models, which ignore spatial information, our neural network examines content at hierarchical spatial scales, allowing our model to capture locality and yielding superior accuracy compared to bag-of-words baselines. Our proposed architecture achieves a 97.5% detection rate at a 0.1% false positive rate, and classifies small-batched web pages at a rate of over 100 per second on commodity hardware. The speed and accuracy of our approach makes it appropriate for deployment to endpoints, firewalls, and web proxies.

Cryptography and Security,Machine Learning

Ruitong Liu,Yanbin Wang,Haitao Xu,Zhan Qin,Yiwei Liu,Zheng Cao

2023-11-21

Abstract:The widespread use of the Internet has revolutionized information retrieval methods. However, this transformation has also given rise to a significant cybersecurity challenge: the rapid proliferation of malicious URLs, which serve as entry points for a wide range of cyber threats. In this study, we present an efficient pre-training model-based framework for malicious URL detection. Leveraging the subword and character-aware pre-trained model, CharBERT, as our foundation, we further develop three key modules: hierarchical feature extraction, layer-aware attention, and spatial pyramid pooling. The hierarchical feature extraction module follows the pyramid feature learning principle, extracting multi-level URL embeddings from the different Transformer layers of CharBERT. Subsequently, the layer-aware attention module autonomously learns connections among features at various hierarchical levels and allocates varying weight coefficients to each level of features. Finally, the spatial pyramid pooling module performs multiscale downsampling on the weighted multi-level feature pyramid, achieving the capture of local features as well as the aggregation of global features. The proposed method has been extensively validated on multiple public datasets, demonstrating a significant improvement over prior works, with the maximum accuracy gap reaching 8.43% compared to the previous state-of-the-art method. Additionally, we have assessed the model's generalization and robustness in scenarios such as cross-dataset evaluation and adversarial attacks. Finally, we conducted real-world case studies on the active phishing URLs.

Cryptography and Security

Yu Chen,Yajian Zhou,Qingqing Dong,Qi Li

DOI: https://doi.org/10.1109/TOCS50858.2020.9339761

2020-01-01

Abstract:In recent years, phishing events occur frequently, and the detection of phishing URL has become a common concern in the field of network security. In previous studies, researchers distinguish phishing URLs from normal URLs by the string characteristics. However, this method is difficult to achieve efficient detection accuracy in the case of attacker's forgery of URL features. In this paper, we propose a phishing URL detection method based on URL content. Firstly, the simple features are used for preliminary screening, and then, the URLs that cannot be distinguished by simple features are input into the simulation environment to obtain the page content. Finally, the method based on CNN is used to detect malicious URLs based on the page content. Experiments show that our method can achieve satisfying detection accuracy.

Chunlin Liu,Lidong Wang,Bo Lang,Yuan Zhou

DOI: https://doi.org/10.1145/3180374.3181352

2018-01-01

Abstract:Malicious URL is an important security issue to the Internet, which has a significant economic impact. By now, it is still a challenging problem. In this paper, we propose that combining statistical analysis of website URLs with machine learning techniques will give a more accurate classification of malicious URLs. We focus on the Character features of malicious URLs by statistical methods to obtain char distribution features and structural features. Then, In order to find effective classifier for malicious URL detection, we use six different classifiers to perform cross training. The experimental results on our data set demonstrate that the combination of the URL features extracted in this paper and the Random Forest classification algorithm can achieve 99.7% precision with a false positive rate of less than 0.4%. We also show that these features render better performance than the previously used features which combine lexical features and structural features and render similar results to the N-Gram or TF-IDF based features. Besides, we adjust the number of iterations of random forest and random choice characteristic number of random forest in experiment.

Guolin Tan,Peng Zhang,Qingyun Liu,Xinran Liu,Chunge Zhu,Fenghu Dou

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2018.00107

2018-01-01

Abstract:Hackers can implant malwares (e.g. Trojans, Worms, etc.) in the web pages to steal user information and acquire money illegally. In fact, it is noted that close to one-third of all websites are potentially malicious in nature. Therefore, It makes sense to quickly detect malicious URLs on the Internet. Different from most of previous methods, in this paper, we propose a method for online malicious URL detection based on adaptive learning. By collecting the network traffic from backbone networks, we train machine learning models to detect malicious URLs. But there is a serious problem in dynamically changing environments where the statistical properties of target variable change over time, which is known as concept drift. To address this problem, we apply a nonparametric test to correctly detect concept drifts in adaptive learning. Extensive experiments with different types of concept drifts are performed to demonstrate the feasibility of our proposed method on both artificial and real datasets. Our empirical study shows that this approach has good performance in detecting malicious URLs and concept drifts.

Zuguo Chen,Yanglong Liu,Chaoyang Chen,Ming Lu,Xuzhuo Zhang

DOI: https://doi.org/10.1155/2021/9994127

IF: 1.968

2021-05-26

Security and Communication Networks

Abstract:The traditional malicious uniform resource locator (URL) detection method excessively relies on the matching rules formulated by the network security personnel, which is hard to fully express the text information of the URL. Thus, an improved multilayer recurrent convolutional neural network model based on the YOLO algorithm is proposed to detect malicious URL in this paper. First, single characters are mapped to dense vectors using word embedding, and the dense vectors are participated in the training process of the whole model according to the structural characteristics of the URL in the method. Then, the CSPDarknet neural network model based on the improved YOLO algorithm is proposed to extract features of the URL. Finally, the extracted features are used to evaluate malicious URL by the bidirectional LSTM recurrent neural network algorithm. In order to verify the validity of the algorithm, a total of 200,000 URLs are collected, including 100,000 normal URLs labeled “good” and 100,000 malicious URLs labeled “bad”. The experimental results show that the method detects malicious URLs more quickly and effectively and has high accuracy, high recall rate, and high accuracy compared with Text-RCNN, BRNN, and other models.

computer science, information systems,telecommunications

Wen Zhang,Yuxin Ding,Yan Tang,Bin Zhao

DOI: https://doi.org/10.1109/icmlc.2011.6016954

2011-01-01

Abstract:The Internet has become an indispensable tool in peoples' daily life. It also bring us serious computer security problem. One big security threat comes from malicious webpages. In this paper we study how to detect malicious pages. Since malicious webpages are generated inconstantly, we use on line learning methods to detect malicious webpages. To keep the client side as safe as possible, we do not download the webpages, and analysis webpages' content. We only use URL information to determine if the URL links to a malicious pages. The feature selection methods for URL are discussed, and the performances of different on line learning methods are compared. To improve the performance of on line learning classifiers, an improved on line learning method is proposed, experiments show that this method is effective.

Zhengqi Wang,Xiaobing Feng,Yukun Niu,Chi Zhang,Jue Su

DOI: https://doi.org/10.1109/nana.2017.58

2017-01-01

Abstract:Nowadays, with the rapid development of the Internet and the growing network business, the amount of the websites is experiencing an explosive growth and the malicious websites threaten is becoming the biggest threaten in the Internet age. As a result, there have been broad interests in developing systems to detect the malicious web pages before the end users visits those websites. In order to make the detection more and more accurate, the analysis process becomes more and more costly, sometimes even requiring several seconds for a single page. Therefore, performing this analysis on a large set of web pages containing hundreds of millions of samples can be impossible. Our paper proposes a two-step detection system based on machine learning algorithm called TSMWD. The first step of TSMWD provides a fast and reliable large-scale detection on the countless unknown web pages. It can quickly discard the vast majority of benign web pages by using the static analysis techniques based on the modified Naïve-Bayesian classifier and forward the unknown samples to the second-step which can make a quite precise final detection. Due to the 99% web pages in the Internet are benign ones, the system's detection speed can be improved greatly.

Yunxin Liu,Yuliang Chen,Hongtao Zhang,Qingguo Zhou,Xiaokang Zhou

DOI: https://doi.org/10.1109/dasc/picom/cbdcom/cy59711.2023.10361291

2023-01-01

Abstract:With the rapid development of society, network technology continues to advance. At the same time, people are also facing threats from malicious traffic. To address this issue, this paper proposes a malicious traffic detection method based on word vectorization algorithm and neural networks. This method combines tasks such as packet parsing, header data grayscale image generation, and message feature extraction to extract effective feature information. By combining convolutional neural networks (CNN), it detects malicious traffic hidden within normal traffic. Experimental results demonstrate that compared to traditional machine learning methods, the proposed approach exhibits higher efficiency and accuracy in identifying malicious traffic attacks, thereby better-protecting network users from malicious attacks.

Zhenlong Yuan,Baohua Yang,Xiaoqi Ren,Yibo Xue

DOI: https://doi.org/10.1109/iccnc.2013.6504109

2013-01-01

Abstract:During the past decade, URL filtering systems have been widely applied to prevent people from browsing undesirable or malicious websites. However, the key method of URL filtering, such as URL blacklist filter, is more challenging due to the limited performance of existing multi-pattern matching algorithms. In this paper, we propose a multi-pattern matching algorithm named TFD for large-scale and high-speed URL filtering. TFD employs Two-phase hash, Finite state machine and Double-array storage to eliminate the performance bottleneck of blacklist filter. Experimental results show that TFD achieves better performance than existing work in terms of matching speed, preprocessing time and memory usage. Specially, on large-scale URL pattern sets (over 10 million URLs), with single thread, TFD's matching speed reaches over 100Mbps on a general x86 platform.

Fabio Soldo,Athina Markopoulou,Katerina Argyraki

DOI: https://doi.org/10.48550/arXiv.0811.3828

2008-11-24

Abstract:How can we protect the network infrastructure from malicious traffic, such as scanning, malicious code propagation, and distributed denial-of-service (DDoS) attacks? One mechanism for blocking malicious traffic is filtering: access control lists (ACLs) can selectively block traffic based on fields of the IP header. Filters (ACLs) are already available in the routers today but are a scarce resource because they are stored in the expensive ternary content addressable memory (TCAM). In this paper, we develop, for the first time, a framework for studying filter selection as a resource allocation problem. Within this framework, we study five practical cases of source address/prefix filtering, which correspond to different attack scenarios and operator's policies. We show that filter selection optimization leads to novel variations of the multidimensional knapsack problem and we design optimal, yet computationally efficient, algorithms to solve them. We also evaluate our approach using data from <a class="link-external link-http" href="http://Dshield.org" rel="external noopener nofollow">this http URL</a> and demonstrate that it brings significant benefits in practice. Our set of algorithms is a building block that can be immediately used by operators and manufacturers to block malicious traffic in a cost-efficient way.

Networking and Internet Architecture

Luhui Yang,Guangjie Liu,Jinwei Wang,Huiwen Bai,Jiangtao Zhai,Yuewei Dai

DOI: https://doi.org/10.1016/j.jisa.2021.102933

IF: 4.96

2021-09-01

Journal of Information Security and Applications

Abstract:Detecting malicious domain names generated by domain generation algorithms is critical for defending the network against sophisticated attacks. In the past decade, deep-learning-based detection schemes have proven to be the most effective. However, each of these schemes requires sufficient computation time, which makes it difficult for real-time online detection. In this paper, we propose a real-time malicious domain name detection system which is called fast3DS. The proposed system contains a lightweight full-convolutional detection model, as well as a detection pipeline that contains multiple efficient schemes for high-speed data acquisition, filtering, and inference. The proposed detection model uses a parallel depthwise convolutional architecture to replace the standard convolution layer, and a lightweight global average pooling connection architecture is proposed to replace the fully connected layer, which can effectively reduce the parameters and computation time. To compensate for the decrease in accuracy due to model lightweighting, a lightweight attention mechanism is proposed to improve the accuracy of model detection. The proposed detection pipeline employs some industry-leading network traffic processing architecture and deep learning inference acceleration architecture, which can fully utilize the CPU for processing and computing. The experimental results denote that the proposed detection scheme can achieve accuracy close to the state-of-the-art with significantly fewer parameters, and the system can substantially improve the processing capability compared to the conventional detection system.

computer science, information systems

Tie Li,Gang Kou,Yi Peng

DOI: https://doi.org/10.1016/j.is.2020.101494

IF: 3.18

2020-01-01

Information Systems

Abstract:In malicious URLs detection, traditional classifiers are challenged because the data volume is huge, patterns are changing over time, and the correlations among features are complicated. Feature engineering plays an important role in addressing these problems. To better represent the underlying problem and improve the performances of classifiers in identifying malicious URLs, this paper proposed a combination of linear and non-linear space transformation methods. For linear transformation, a two-stage distance metric learning approach was developed: first, singular value decomposition was performed to get an orthogonal space, and then a linear programming was used to solve an optimal distance metric. For nonlinear transformation, we introduced Nyström method for kernel approximation and used the revised distance metric for its radial basis function such that the merits of both linear and non-linear transformations can be utilized. 33,1622 URLs with 62 features were collected to validate the proposed feature engineering methods. The results showed that the proposed methods significantly improved the efficiency and performance of certain classifiers, such as k-Nearest Neighbor, Support Vector Machine, and neural networks. The malicious URLs’ identification rate of k-Nearest Neighbor was increased from 68% to 86%, the rate of linear Support Vector Machine was increased from 58% to 81%, and the rate of Multi-Layer Perceptron was increased from 63% to 82%. We also developed a website to demonstrate a malicious URLs detection system which uses the methods proposed in this paper. The system can be accessed at: http://url.jspfans.com.

Gonzalo Marín,Pedro Casas,Germán Capdehourat

DOI: https://doi.org/10.48550/arXiv.2003.04079

2020-03-11

Abstract:Robust network security systems are essential to prevent and mitigate the harming effects of the ever-growing occurrence of network attacks. In recent years, machine learning-based systems have gain popularity for network security applications, usually considering the application of shallow models, which rely on the careful engineering of expert, handcrafted input features. The main limitation of this approach is that handcrafted features can fail to perform well under different scenarios and types of attacks. Deep Learning (DL) models can solve this limitation using their ability to learn feature representations from raw, non-processed data. In this paper we explore the power of DL models on the specific problem of detection and classification of malware network traffic. As a major advantage with respect to the state of the art, we consider raw measurements coming directly from the stream of monitored bytes as input to the proposed models, and evaluate different raw-traffic feature representations, including packet and flow-level ones. We introduce DeepMAL, a DL model which is able to capture the underlying statistics of malicious traffic, without any sort of expert handcrafted features. Using publicly available traffic traces containing different families of malware traffic, we show that DeepMAL can detect and classify malware flows with high accuracy, outperforming traditional, shallow-like models.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Guolin Tan,Peng Zhang,Qingyun Liu,Xinran Liu,Chunge Zhu

DOI: https://doi.org/10.1007/978-3-319-93698-7_16

2018-01-01

Abstract:People use the Internet to shop, access information and enjoy entertainment by browsing web sites. At the same time, cyber-criminals operate malicious domains to spread illegal content, which poses a great risk to the security of cyberspace. Therefore, it is of great importance to detect malicious domains in the field of cyberspace security. Typically, there are broad research focusing on detecting malicious domains either by blacklist or learning the features. However, the former is infeasible due to its unpredictability of unknown malicious domains, and the later requires complex feature engineering. Different from most of previous methods, in this paper, we propose a novel lightweight solution named DomainObserver to detect malicious domains. Our technique of DomainObserver is based on dynamic time warping that is used to better align the time series. To the best of our knowledge, it is a new trial to apply passive traffic measurements and time series data mining to malicious domain detection. Extensive experiments on real datasets are performed to demonstrate the effectiveness of our proposed method.