Yunji Liang,Qiushi Wang,Kang Xiong,Xiaolong Zheng,Zhiwen Yu,Daniel Zeng

DOI: https://doi.org/10.1109/tdsc.2021.3121388

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:As cybercrimes grow in scale with devastating economic costs, it is important to protect potential victims against diverse attacks. In spite of the diversity of cybercrimes, it is the uniform resource locators (URLs) that connect vulnerable users with potential attacks. Although numerous solutions (e.g., rule-based solutions and machine learning-based methods) are proposed for malicious URL detection, they cannot provide robust performance due to the diversity of cybercrimes and cannot cope with the explosive growth of malicious URLs with the evolution of obfuscation strategies. In this paper, we propose a deep learning-based system, dubbed as CyberLen, to detect malicious URLs robustly and effectively. Specifically, we use factorization machine (FM) to learn the latent interaction among lexical features. For the deep structural features, position embedding is introduced for token vectorization to reduce the ambiguity of URL tokens. Meanwhile, temporal convolution network (TCN) is utilized to learn the long-distance dependency among URL tokens. To fuse heterogeneous features, self-paced wide <span class="mjpage"></span>&amp; deep learning strategy is proposed to train a robust model effectively. The proposed solution is evaluated on a large-scale URL dataset. Our experimental results show that position embedding is constructive to reducing the ambiguity of URL tokens, and the self-paced wide <span class="mjpage"></span>&amp; deep learning strategy shows superior performance in terms of F1 score and convergence speed.<svg xmlns="http://www.w3.org/2000/svg" style="display: none;"><defs id="MathJax_SVG_glyphs"></defs></svg>

computer science, information systems, software engineering, hardware & architecture

Zhiqiang Wang,Xiaorui Ren,Shuhao Li,Bingyan Wang,Jianyi Zhang,Tao Yang

DOI: https://doi.org/10.1155/2021/5518528

2021-01-01

Abstract:With the development of Internet technology, network security is under diverse threats. In particular, attackers can spread malicious uniform resource locators (URL) to carry out attacks such as phishing and spam. The research on malicious URL detection is significant for defending against these attacks. However, there are still some problems in the current research. For instance, malicious features cannot be extracted efficiently. Some existing detection methods are easy to evade by attackers. We design a malicious URL detection model based on a dynamic convolutional neural network (DCNN) to solve these problems. A new folding layer is added to the original multilayer convolution network. It replaces the pooling layer with the k-max-pooling layer. In the dynamic convolution algorithm, the width of feature mapping in the middle layer depends on the vector input dimension. Moreover, the pooling layer parameters are dynamically adjusted according to the length of the URL input and the depth of the current convolution layer, which is beneficial to extracting more in-depth features in a wider range. In this paper, we propose a new embedding method in which word embedding based on character embedding is leveraged to learn the vector representation of a URL. Meanwhile, we conduct two groups of comparative experiments. First, we conduct three contrast experiments, which adopt the same network structure and different embedding methods. The results prove that word embedding based on character embedding can achieve higher accuracy. We then conduct the other three experiences, which use the same embedding method proposed in this paper and use different network structures to determine which network is most suitable for our model. We verify that the model designed in this paper has the highest accuracy (98%) in detecting malicious URL through these experiences.

Wei,Qiao Ke,Jakub Nowak,Marcin Korytkowski,Rafal Scherer,Marcin Wozniak

DOI: https://doi.org/10.1016/j.comnet.2020.107275

IF: 5.493

2020-01-01

Computer Networks

Abstract:Along with the development of the Internet, methods of fraud and ways to obtain important data such as logins and passwords or personal sensitive data have evolved. One way of obtaining such information is to impersonate a page the user knows. Such a site usually does not provide any services other than collecting sensitive information from the user. In this paper, we present a way to detect such malicious URL addresses with almost 100% accuracy using convolutional neural networks. Contrary to the previous works, where URL or traffic statistics or web content are analysed, we analyse only the URL text. Thus, the method is faster and detects zero-day attacks. The network we present is appropriately optimised so that it can be used even on mobile devices without significantly affecting its performance.

Huaizhi Yan,Xin Zhang,Jiangwei Xie,Changzhen Hu

DOI: https://doi.org/10.1007/978-981-13-5913-2_23

2019-01-01

Abstract:As the source of spamming, phishing, malware and many more such attacks, malicious URL is a chronic and complicated problem on the Internet. Machine learning approaches have taken effect and obtained high accuracy in detecting malicious URL. But the tedious process of extracting features from URL and the high dimension of feature vector makes the implementing time consuming. This paper presents a deep learning method using Stacked denoising autoencoders model to learn and detect intrinsic malicious features. We employ an SdA network to analyze URLs and extract features automatically. Then a logistic regression is implemented to detect malicious and benign URLs, which can generate detection models without a manually feature engineering. We have implemented our network model using Keras, a high-level neural networks API with a Tensor-flow backend, an open source deep learning library. 5 datasets were used and 4 other method were compared with our model. In the result, our architecture achieves an accuracy of 98.25% and a micro-averaged F1 score of 0.98, tested on a mixed dataset containing around 2 million samples.

Baojiang Cui,Shanshan He,Xi Yao,Peilin Shi

DOI: https://doi.org/10.1504/ijhpcn.2018.10015545

2018-01-01

International Journal of High Performance Computing and Networking

Abstract:Many web applications suffer from various web attacks due to the lack of awareness concerning security. Therefore, it is necessary to improve the reliability of web applications by accurately detecting malicious URLs. In previous studies, keyword matching has always been used to detect malicious URLs, but this method is not adaptive. In this paper, statistical analyses based on gradient learning and feature extraction using a sigmoidal threshold level are combined to propose a new detection approach based on machine learning techniques. Moreover, the naïve Bayes, decision tree and SVM classifiers are used to validate the accuracy and efficiency of this method. Finally, the experimental results demonstrate that this method has a good detection performance, with an accuracy rate above 98.7%. In practical use, this system has been deployed online and is being used in large-scale detection, analysing approximately 2 TB of data every day.

Wenchuan Yang,Wen Zuo,Baojiang Cui

DOI: https://doi.org/10.1109/access.2019.2895751

IF: 3.9

2019-01-01

IEEE Access

Abstract:With the continuous development of Web attacks, many web applications have been suffering from various forms of security threats and network attacks. The security detection of URLs has always been the focus of Web security. Many web application resources can be accessed by simply entering an URL or clicking a link in the browser. An attacker can construct various web attacks such as SQL, XSS, and information disclosure by embedding executable code or injecting malicious code into the URL. Therefore, it is necessary to improve the reliability and security of web applications by accurately detecting malicious URLs. This paper designs a convolutional gated-recurrent-unit (GRU) neural network for the detection of malicious URLs detection based on characters as text classification features. Considering that malicious keywords are unique to URLs, a feature representation method of URLs based on malicious keywords is proposed, and a GRU is used in place of the original pooling layer to perform feature acquisition on the time dimension, resulting in high-accuracy multicategory results. The experimental results show that our proposed neural network detection model is very suitable for high-precision classification tasks. Compared with other classification models, the model accuracy rate is above 99.6%. The use of deep learning to classify URLs to identify Web visitors' intentions has important theoretical and scientific values for Web security research, providing new ideas for intelligent security detection.

Qasem Abu Al-Haija,Mustafa Al-Fayoumi

DOI: https://doi.org/10.1007/s00521-023-08592-z

2023-04-20

Abstract:Uniform Resource Locator (URL) is a unique identifier composed of protocol and domain name used to locate and retrieve a resource on the Internet. Like any Internet service, URLs (also called websites) are vulnerable to compromise by attackers to develop Malicious URLs that can exploit/devastate the user's information and resources. Malicious URLs are usually designed with the intention of promoting cyber-attacks such as spam, phishing, malware, and defacement. These websites usually require action on the user's side and can reach users across emails, text messages, pop-ups, or devious advertisements. They have a potential impact that can reach, in some cases, to compromise the machine or network of the user, especially those arriving by email. Therefore, developing systems to detect malicious URLs is of great interest nowadays. This paper proposes a high-performance machine learning-based detection system to identify Malicious URLs. The proposed system provides two layers of detection. Firstly, we identify the URLs as either benign or malware using a binary classifier. Secondly, we classify the URL classes based on their feature into five classes: benign, spam, phishing, malware, and defacement. Specifically, we report on four ensemble learning approaches, viz. the ensemble of bagging trees (En_Bag) approach, the ensemble of k-nearest neighbor (En_kNN) approach, and the ensemble of boosted decision trees (En_Bos) approach, and the ensemble of subspace discriminator (En_Dsc) approach. The developed approaches have been evaluated on an inclusive and contemporary dataset for uniform resource locators (ISCX-URL2016). ISCX-URL2016 provides a lightweight dataset for detecting and categorizing malicious URLs according to their attack type and lexical analysis. Conventional machine learning evaluation measurements are used to evaluate the detection accuracy, precision, recall, F Score, and detection time. Our experiential assessment indicates that the ensemble of bagging trees (En_Bag) approach provides better performance rates than other ensemble methods. Alternatively, the ensemble of the k-nearest neighbor (En_kNN) approach provides the highest inference speed. We also contrast our En_Bag model with state-of-the-art solutions and show its superiority in binary classification and multi-classification with accuracy rates of 99.3% and 97.92%, respectively.

Zuguo Chen,Yanglong Liu,Chaoyang Chen,Ming Lu,Xuzhuo Zhang

DOI: https://doi.org/10.1155/2021/9994127

IF: 1.968

2021-05-26

Security and Communication Networks

Abstract:The traditional malicious uniform resource locator (URL) detection method excessively relies on the matching rules formulated by the network security personnel, which is hard to fully express the text information of the URL. Thus, an improved multilayer recurrent convolutional neural network model based on the YOLO algorithm is proposed to detect malicious URL in this paper. First, single characters are mapped to dense vectors using word embedding, and the dense vectors are participated in the training process of the whole model according to the structural characteristics of the URL in the method. Then, the CSPDarknet neural network model based on the improved YOLO algorithm is proposed to extract features of the URL. Finally, the extracted features are used to evaluate malicious URL by the bidirectional LSTM recurrent neural network algorithm. In order to verify the validity of the algorithm, a total of 200,000 URLs are collected, including 100,000 normal URLs labeled “good” and 100,000 malicious URLs labeled “bad”. The experimental results show that the method detects malicious URLs more quickly and effectively and has high accuracy, high recall rate, and high accuracy compared with Text-RCNN, BRNN, and other models.

computer science, information systems,telecommunications

Zhongyu Chen,Cong Ma,Shukai Duan

DOI: https://doi.org/10.1117/12.2674807

2023-01-01

Abstract:URLs (Uniform Resource Locators) are widely used on the Internet, but they are often used maliciously to carry out cyberattacks, causing significant losses to many enterprises and individuals. Therefore, it is crucial to spot those URLs to ensure network security. In this study, we propose a method for detecting malicious URLs that uses bidirectional LSTM and deformable convolutional network. First, the character vector corresponding to the URL is obtained by applying the embedding method, the bidirectional LSTM network is then fed the character vector to extract the global information in the URL, and the parallel deformable convolutional network receives the extracted data as input to learn multiple types of local area features. Finally, the fused local features are output to the FC network for URL classification. In this study, we conducted comparison experiments of different methods on different datasets. From the experimental results, on the three sampled datasets, the method's accuracy was 96.96%, 99.85%, and 96.43%, respectively, comparing with other research methods, the accuracy of the method proposed in this study for malicious URL detection was significantly improved.

JianTing Yuan,YiPeng Liu,Long Yu

DOI: https://doi.org/10.1155/2021/4917016

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The number of malicious websites is increasing yearly, and many companies and individuals worldwide have suffered losses. Therefore, the detection of malicious websites is a task that needs continuous development. In this study, a joint neural network algorithm model combining the attention mechanism, bidirectional independent recurrent neural network (Bi-IndRNN), and capsule network (CapsNet) is proposed. The word vector tool word2vec trains the character- and word-level uniform resource locator (URL) static embedding vector features. At the same time, the algorithm will also extract texture fingerprint features that can compare the content differences of different malicious web URL binary files. Then, the extracted features are fused and input into the joint neural network algorithm model. First, the multihead attention mechanism is used to extract contextual semantic features by adjusting weights and Bi-IndRNN. Second, CapsNet with dynamic routing is used to extract deep semantic information. Finally, the sigmoid classifier is used for classification. This study uses different methods from different angles to extract more comprehensive features. From the experimental results, the method proposed in this study improves the classification accuracy of malicious web page detection compared with other researchers.

Vineet Kumar Chauhan,Awadhesh Kumar

DOI: https://doi.org/10.1016/j.eswa.2024.125507

IF: 8.5

2024-10-27

Expert Systems with Applications

Abstract:Malware is one of the most popular cyber-attacks, and it is becoming more common on the network every day. In contrast to benign transmission, which typically exhibits symmetrical patterns, malware communication often shows asymmetrical behaviours, making detection a complex challenge. Fortunately, malware can be distinguished and identified for actual activities utilizing a variety of artificial intelligence methods. However, insufficient work has been allocated to the problem of handling high-dimensional and huge data. This paper proposes a novel deep learning-based approach to identify malicious Uniform Resource Locators (URLs) specifically designed to handle the challenges posed by large-scale and complex data. Initially, input data is sourced from a comprehensive Kaggle dataset, which includes diverse and large-scale URL samples. The URLs are then transformed into vector representations using a Vector Embedding Module, which employs a character-level word embedding technique to capture intricate patterns within the URLs. To further refine the data, the Chaotic Kookaburra Efficient-Bo Network (CKEBO-Net) is applied to extract the most significant features from these vectors, effectively reducing the dimensionality and computational burden. Subsequently, the Cascaded Capsule Twin Attentional Dilated Convolutional Network (C 2 TA_DiCN) model is introduced to classify and identify malicious URLs with high precision. This model leverages the unique strengths of capsule networks and attentional mechanisms, enhancing its capability to capture subtle dependencies within the data. Furthermore, the Lyrebird Meta-heuristic Optimization (LMO) algorithm is used to fine-tune the model parameters appropriately, ensuring that the training process is efficient and robust. The proposed approach is implemented using Python and rigorously evaluated on the Kaggle dataset. Simulation results demonstrate that the proposed method significantly outperforms existing models, achieving a malicious URL detection accuracy of 99.7%.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Dongzhi Cao,Xinglan Zhang,Zhenhu Ning,Jianfeng Zhao,Fei Xue,Yongli Yang

DOI: https://doi.org/10.1145/3297156.3297246

2018-01-01

Abstract:With the rapid development of the Internet, people have variety in their life style. While the Internet is developing rapidly, some malware has also been generated, and the number of malicious codes grows exponentially, which seriously affects the security of the Internet. In the prevention of malicious code, the accurate classification of malicious code is the most critical components. At present, researchers mainly focus on static detection and dynamic detection to study malicious code variant detection schemes. In the study of malicious code classification, this paper first analyzes the limitations of static detection and dynamic detection, then employs convolution neural networks to classify and identify malicious code, and finally implements an efficient malicious code detection system based on convolutional neural networks. Our malware detection model realizes the idea of automatic detection of malicious code variants. Experimental results demonstrated that the proposed malicious code detection system is efficient.

Yongfang Peng,Shengwei Tian,Long Yu,Yalong Lv,Ruijin Wang

DOI: https://doi.org/10.1142/s1469026819500214

2019-01-01

International Journal of Computational Intelligence and Applications

Abstract:To improve the accuracy and automation of malware Uniform Resource Locator (URL) recognition, a joint approach of Convolutional neural network (CNN) and Long-short term memory (LSTM) based on the Attention mechanism (JCLA) is proposed to identify and detect malicious URL. Firstly, the URL features including texture information, lexical information and host information are extracted and filtered, and pre-processed with encode. Then, the feature matrix more relevant to the output are chose according to the weight of the attention mechanism and input to the constructed parallel processing model called CNN_LSTM, combinating CNN and LSTM to get local features. Next, the extracted local features are merged to calculate the global features of the URLs to be detected. Finally, the URLs are classified by the SoftMax classifier using global features, the accuracy of the model in malicious URL recgonition is 98.26%. The experimental results show that the JCLA model proposed in this paper is better than the traditional deep learning model or CNN_LSTM combined model for detecting malicious URLs.

Ruitong Liu,Yanbin Wang,Haitao Xu,Zhan Qin,Yiwei Liu,Zheng Cao

2023-11-21

Abstract:The widespread use of the Internet has revolutionized information retrieval methods. However, this transformation has also given rise to a significant cybersecurity challenge: the rapid proliferation of malicious URLs, which serve as entry points for a wide range of cyber threats. In this study, we present an efficient pre-training model-based framework for malicious URL detection. Leveraging the subword and character-aware pre-trained model, CharBERT, as our foundation, we further develop three key modules: hierarchical feature extraction, layer-aware attention, and spatial pyramid pooling. The hierarchical feature extraction module follows the pyramid feature learning principle, extracting multi-level URL embeddings from the different Transformer layers of CharBERT. Subsequently, the layer-aware attention module autonomously learns connections among features at various hierarchical levels and allocates varying weight coefficients to each level of features. Finally, the spatial pyramid pooling module performs multiscale downsampling on the weighted multi-level feature pyramid, achieving the capture of local features as well as the aggregation of global features. The proposed method has been extensively validated on multiple public datasets, demonstrating a significant improvement over prior works, with the maximum accuracy gap reaching 8.43% compared to the previous state-of-the-art method. Additionally, we have assessed the model's generalization and robustness in scenarios such as cross-dataset evaluation and adversarial attacks. Finally, we conducted real-world case studies on the active phishing URLs.

Cryptography and Security

Yumeng Wu,Jianjun Zeng,Zhenjiang Zhang,Wei Li,Zhiyuan Zhang,Yang Zhang

DOI: https://doi.org/10.1007/978-3-031-31275-5_12

2023-01-01

Abstract:With the rapid development of Internet of things, cloud computing, edge computing and other technologies, malicious code attacks users and even enterprises more and more frequently with the help of software and system security vulnerabilities, which poses a serious threat to network security. The traditional static or dynamic malicious code detection technology is difficult to solve the problem of high-speed iteration and camouflage of malicious code. The detection method based on machine learning algorithm and data mining idea depends on manual feature extraction, and can not automatically and effectively extract the deeper features of malicious code. In view of the traditional malicious code detection methods and the related technologies of deep learning, this paper integrates deep learning into the dynamic malicious code detection system, and proposes a malicious code detection system based on convolutional neural network.

CAI Qingmeng,WANG Jian,LI Pengbo

DOI: https://doi.org/10.19363/J.cnki.cn10-1380/tn.2023.03.05

2023-01-01

Journal of Cyber Security

Abstract:In the wake of the advent of big data era, whereas the malicious URL, as the medium for Web attacking, progressively threatens the security of users’ information. Traditional detection methods in terms of malicious URL, such as blacklist detection and signature matching, are exposing their intrinsic defects, to this end, this paper proposes a malicious URL detection model based on a cost-sensitive learning strategy. In this thesis, HTTP request parameters together with URL information are employed as the original data samples to extract features; and the corresponding data processing is carried out to resolve the problem of difficult feature extraction incurred by simple URL data. In addition, by comparing three encoding processing methods through tests, this research has chosen the best processing approach in term of character encoding. By doing so, it has ensured the effectiveness of the subsequent detection model. Regarding the model of neural network, the Convolutional Neural Network model suitable for URL detection is specialized designed for the characteristics of URL character input. In this model, in order to extract the deep features of the data, two convolutional layers are broadly used. Secondly, this research utilizes a Bidirectional Long Short-Time Memory to extract the temporal features of the data from the pooling layer, while in the last unit of this network outputs the temporal features to achieve the pooling effect, this research method not only effectively extracts the contextual information regarding the data, also avoids an abundant model calculations and thus, ensures the efficiency of model detection. At the same time, in order to solve the problem of unbalanced data samples, it assigns different penalty factors to data samples during the iterative process, improves the rules for assigning initialization weights to data samples and normalizes them, increases the weight of malicious samples in the overall error function. Experimental results show that this model is better than other mainstream detection models in accuracy, recall and detection efficiency, and has better resistance to imbalanced data sets.

Jianting Yuan,Guanxin Chen,Shengwei Tian,Xinjun Pei

DOI: https://doi.org/10.1109/access.2021.3049625

IF: 3.9

2021-01-01

IEEE Access

Abstract:A parallel neural joint model algorithm is proposed for the analysis and detection of malicious Uniform Resource Locator (URL). By detecting and analyzing malicious URL’s characteristics, the semantic and visual information will be extracted. First, a visualization algorithm is used to realize the visualization of the URL mapping to a gray image with texture characteristics. Second, the lexical feature and character feature of URL are extracted and further processed through word vector technology. These extracted features are transformed into lexical embedding vectors and character embedding vectors. To combine the texture features with text features, a parallel joint neural network combining capsule network (CapsNet) and independent recurrent neural network (IndRNN) is utilized to capture multi-modal vectors of visual and semantic information synchronously. The last layer utilizes the attention mechanism to further filter the deep features extracted from the overall network while concentrating on effective features improving the classification accuracy and analyzing and detect malicious URLs. Based on the experimental results, it is demonstrated that this algorithm has higher accuracy compared to the traditional algorithms.

Zhihua Cui,Fei Xue,Xingjuan Cai,Yang Cao,Gai-ge Wang,Jinjun Chen

DOI: https://doi.org/10.1109/tii.2018.2822680

IF: 12.3

2018-07-01

IEEE Transactions on Industrial Informatics

Abstract:With the development of the Internet, malicious code attacks have increased exponentially, with malicious code variants ranking as a key threat to Internet security. The ability to detect variants of malicious code is critical for protection against security breaches, data theft, and other dangers. Current methods for recognizing malicious code have demonstrated poor detection accuracy and low detection speeds. This paper proposed a novel method that used deep learning to improve the detection of malware variants. In prior research, deep learning demonstrated excellent performance in image recognition. To implement our proposed detection method, we converted the malicious code into grayscale images. Then, the images were identified and classified using a convolutional neural network (CNN) that could extract the features of the malware images automatically. In addition, we utilized a bat algorithm to address the data imbalance among different malware families. To test our approach, we conducted a series of experiments on malware image data from Vision Research Lab. The experimental results demonstrated that our model achieved good accuracy and speed as compared with other malware detection models.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Yongfang Peng,Shengwei Tian,Long Yu,Yalong Lv,Ruijin Wang

DOI: https://doi.org/10.3837/tiis.2019.11.017

2019-01-01

KSII Transactions on Internet and Information Systems

Abstract:A malicious Uniform Resource Locator (URL) recognition and detection method based on the combination of Attention mechanism with Convolutional Neural Network and Long Short-Term Memory Network (Attention-Based CNN-LSTM), is proposed. Firstly, the WHOIS check method is used to extract and filter features, including the URL texture information, the URL string statistical information of attributes and the WHOIS information, and the features are subsequently encoded and pre-processed followed by inputting them to the constructed Convolutional Neural Network (CNN) convolution layer to extract local features. Secondly, in accordance with the weights from the Attention mechanism, the generated local features are input into the Long-Short Term Memory (LSTM) model, and subsequently pooled to calculate the global features of the URLs. Finally, the URLs are detected and classified by the SoftMax function using global features. The results demonstrate that compared with the existing methods, the Attention-based CNN-LSTM mechanism has higher accuracy for malicious URL detection.

Xiaodan Yan,Yang Xu,Baojiang Cui,Shuhan Zhang,Taibiao Guo,Chaoliang Li

DOI: https://doi.org/10.1109/tii.2020.2977886

IF: 12.3

2020-01-01

IEEE Transactions on Industrial Informatics

Abstract:The emergence of artificial intelligence technology has promoted the development of the Internet of Things. However, this promising cyber technology can encounter serious security problems while accessing the internet. A malicious website can disguise itself as a normal website, and obtain users’ private information. Thus, it is very important to detect malicious websites using tools such as machine learning (ML) algorithms, as these algorithms can help us to identify abnormal information hidden in the mass traffic more easily. Accordingly, many feature engineering tasks must be performed from memory, as a strong machine learning model is greatly improved with good features. In this article, we propose an unsupervised learning algorithm that learns URL embedding. We also explore some key parameters regarding a domain embedding model to obtain a good effect on domain features.