Qi Wang,Wajih Ul Hassan,Ding Li,Kangkook Jee,Xiao Yu,Kexuan Zou,Junghwan Rhee,Zhengzhang Chen,Wei Cheng,Carl A. Gunter,Haifeng Chen

DOI: https://doi.org/10.14722/ndss.2020.24167

2020-01-01

Abstract:To subvert recent advances in perimeter and host security, the attacker community has developed and employed various attack vectors to make a malware much stealthier than before to penetrate the target system and prolong its presence. Such advanced malware or "stealthy malware" makes use of various techniques to impersonate or abuse benign applications and legitimate system tools to minimize its footprints in the target system. It is thus difficult for traditional detection tools, such as malware scanners, to detect it, as the malware normally does not expose its malicious payload in a file and hides its malicious behaviors among the benign behaviors of the processes. In this paper, we present PROVDETECTOR, a provenancebased approach for detecting stealthy malware. Our insight behind the PROVDETECTOR approach is that although a stealthy malware attempts to blend into benign processes, its malicious behaviors inevitably interact with the underlying operating system (OS), which will be exposed to and captured by provenance monitoring. Based on this intuition, PROVDETECTOR first employs a novel selection algorithm to identify possibly malicious parts in the OS-level provenance data of a process. It then applies a neural embedding and machine learning pipeline to automatically detect any behavior that deviates significantly from normal behaviors. We evaluate our approach on a large provenance dataset from an enterprise network and demonstrate that it achieves very high detection performance of stealthy malware (an average Fl score of 0.974). Further, we conduct thorough interpretability studies to understand the internals of the learned machine learning models.

Senhao Wen,Zhiyuan Zhao,Hanbing Yan

DOI: https://doi.org/10.1145/3199478.3199500

2018-03-16

Abstract:We are increasingly relying on HTML(Hypertext Markup Language) web-pages, including online shopping, obtaining information and handling official business, whether on a mobile phone or on a computer. But the underground industry or deliberate attacker has also targeted us. They forges misleading URLs(UniformResourceLocators) and web-pages with various tricky skills which are difficult to identify even for the professionals, so as to steal money, manipulate our devices, monitor our lives. Currently, most of the malicious websites detecting technology is based on features of URLs or Web page elements, which make us feel upset, because it is difficult to extract all the features, and its hysteresis quality make it hard to meet the requirement of tracking the rapid changes of malicious web sites, especially the phishing websites. This paper design a thorough associated analysis model of web-pages using the technology of topic tracking, topic abnormal discovery, web-page visual similarity assessment, web-page structure analyzing, URL analyzing, Internet Resources analyzing and so on, to solve the problem of missing detecting malicious websites, especially with unknown features. The detecting model is able to discover the forged payment web-pages, fake web page which damage the reputation of the relevant organization, personal attack web-pages, tampered web page, web-page trojan, etc. In the meantime, it can track the topic of underground industry and sense the topic evolution. According to our experiments, it is effective and has high accuracy.

Or Naim,Doron Cohen,Irad Ben-Gal

DOI: https://doi.org/10.1007/s10207-023-00686-y

2023-03-26

International Journal of Information Security

Abstract:Malicious websites pose a challenging cybersecurity threat. Traditional tools for detecting malicious websites rely heavily on industry-specific domain knowledge, are maintained by large-scale research operations, and result in a never-ending attacker–defender dynamic. Malicious websites need to balance two opposing requirements to successfully function: escaping malware detection tools while attracting visitors. This fundamental conflict can be leveraged to create a robust and sustainable detection approach based on the extraction, analysis, and learning of design attributes for malicious website identification. In this paper, we propose a next-generation algorithm for extended design attribute learning that learns and analyzes web page structures, content, appearances, and reputation to detect malicious websites. Results from a large-scale experiment that was conducted on more than 35,000 websites suggest that the proposed algorithm effectively detects more than 83% of all malicious websites while maintaining a low false-positive rate of 2%. In addition, the proposed method can incorporate user feedback and flag new suspicious websites and thus can be effective against zero-day attacks.

computer science, information systems, theory & methods, software engineering

Zhenyuan Li,Qi Alfred Chen,Runqing Yang,Yan Chen,Wei Ruan

DOI: https://doi.org/10.1016/j.cose.2021.102282

2021-07-01

Abstract:<p>With the development of information technology, the border of the cyberspace gets much broader and thus also exposes increasingly more vulnerabilities to attackers. Traditional mitigation-based defence strategies are challenging to cope with the current complicated situation. Security practitioners urgently need better tools to describe and modelling attacks for defense.</p><p>The provenance graph seems like an ideal method for threat modelling with powerful semantic expression ability and attacks historic correlation ability. In this paper, we firstly introduce the basic concepts about system-level provenance graph and present a typical system architecture for provenance graph-based threat detection and investigation. A comprehensive provenance graph-based threat detection system can be divided into three modules: <em>data collection module, data management module</em>, and <em>threat detection modules</em>. Each module contains several components and involves different research problems. We systematically taxonomize and compare the existing algorithms and designs involved in them. Based on these comparisons, we identify the strategy of technology selection for real-world deployment. We also provide insights and challenges about the existing work to guide future research in this area.</p>

computer science, information systems

Gerardo Canfora,Corrado Aaron Visaggio

DOI: https://doi.org/10.1007/s11416-016-0266-2

2016-01-29

Journal of Computer Virology and Hacking Techniques

Abstract:The increasing growth of malicious websites and systems for distributing malware through websites is making it urgent the adoption of effective techniques for timely detection of web security threats. Current mechanisms may exhibit some limitations, mainly concerning the amount of resources required, and a low true positives rate for zero-day attacks. With this paper, we propose and validate a set of features extracted from the content and the structure of webpages, which could be used as indicators of web security threats. The features are used for building a predictor, based on five machine learning algorithms, which is applied to classify unknown web applications. The experimentation demonstrated that the proposed set of features is able to correctly classify malicious web sites with a high level of precision, corresponding to 0.84 in the best case, and recall corresponding to 0.89 in the best case. The classifiers reveal to be successful also with zero day attacks.

Kinh Tran,Dusan Sovilj

2024-09-12

Abstract:Malicious website detection is an increasingly relevant yet intricate task that requires the consideration of a vast amount of fine details. Our objective is to create a machine learning model that is trained on as many of these finer details as time will allow us to classify a website as benign or malicious. If malicious, the model will classify the role it plays (phishing, spam, malware hosting, etc.). We proposed 77 features and created a dataset of 441,701 samples spanning 9 website classifications to train our model. We grouped the proposed features into feature subsets based on the time and resources required to compute these features and the performance changes with the inclusion of each subset to the model. We found that the performance of the best performing model increased as more feature subsets were introduced. In the end, our best performing model was able to classify websites into 1 of 9 classifications with a 95.89\% accuracy score. We then investigated how well the features we proposed ranked in importance and detail the top 10 most relevant features according to our models. 2 of our URL embedding features were found to be the most relevant by our best performing model, with content-based features representing half of the top 10 spots. The rest of the list was populated with singular features from different feature categories including: a host feature, a robots.txt feature, a lexical feature, and a passive domain name system feature.

Cryptography and Security

Zeyuan Hu,Ziang Yuan

DOI: https://doi.org/10.48550/arXiv.2305.09084

2023-05-16

Cryptography and Security

Abstract:The detection of malicious websites has become a critical issue in cybersecurity. Therefore, this paper offers a comprehensive review of data-driven methods for detecting malicious websites. Traditional approaches and their limitations are discussed, followed by an overview of data-driven approaches. The paper establishes the data-feature-model-extension pipeline and the latest research developments of data-driven approaches, including data preprocessing, feature extraction, model construction and technology extension. Specifically, this paper compares methods using deep learning models proposed in recent years. Furthermore, the paper follows the data-feature-model-extension pipeline to discuss the challenges together with some future directions of data-driven methods in malicious website detection.

siyue zhang,weiguang wang,zhao chen,heng gu,jianyi liu,cong wang

DOI: https://doi.org/10.1109/CCIS.2014.7175767

2014-01-01

Abstract:Security risks brought by Web page information has been a matter that can no longer be ignored. Malicious script is a major challenge the Web sites security is facing currently. According to the data from the Google Research Centre, more than 10% of Web pages is malicious. Especially in China, the proportion of malicious Web pages has reached 43.21%. This paper presents a detection system which is used to locate the malicious scripts in Web pages. It acquires and builds up malicious code features base, URL of hidden links base etc. based on safety data published on security research Web sites. The Web crawler is applied to collecting Web pages source code in this system and learning algorithm for classification is used to train the classifier. The classification results would be evaluated and improved in the end.

Adebayo Oshingbesan,Courage Ekoh,Chukwuemeka Okobi,Aime Munezero,Kagame Richard

DOI: https://doi.org/10.48550/arXiv.2209.09630

2022-09-13

Abstract:In detecting malicious websites, a common approach is the use of blacklists which are not exhaustive in themselves and are unable to generalize to new malicious sites. Detecting newly encountered malicious websites automatically will help reduce the vulnerability to this form of attack. In this study, we explored the use of ten machine learning models to classify malicious websites based on lexical features and understand how they generalize across datasets. Specifically, we trained, validated, and tested these models on different sets of datasets and then carried out a cross-datasets analysis. From our analysis, we found that K-Nearest Neighbor is the only model that performs consistently high across datasets. Other models such as Random Forest, Decision Trees, Logistic Regression, and Support Vector Machines also consistently outperform a baseline model of predicting every link as malicious across all metrics and datasets. Also, we found no evidence that any subset of lexical features generalizes across models or datasets. This research should be relevant to cybersecurity professionals and academic researchers as it could form the basis for real-life detection systems or further research work.

Cryptography and Security,Machine Learning

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Li Xu,Zhenxin Zhan,Shouhuai Xu,Keyin Ye

DOI: https://doi.org/10.48550/arXiv.1408.1993

2014-08-09

Abstract:Malicious websites are a major cyber attack vector, and effective detection of them is an important cyber defense task. The main defense paradigm in this regard is that the defender uses some kind of machine learning algorithms to train a detection model, which is then used to classify websites in question. Unlike other settings, the following issue is inherent to the problem of malicious websites detection: the attacker essentially has access to the same data that the defender uses to train its detection models. This 'symmetry' can be exploited by the attacker, at least in principle, to evade the defender's detection models. In this paper, we present a framework for characterizing the evasion and counter-evasion interactions between the attacker and the defender, where the attacker attempts to evade the defender's detection models by taking advantage of this symmetry. Within this framework, we show that an adaptive attacker can make malicious websites evade powerful detection models, but proactive training can be an effective counter-evasion defense mechanism. The framework is geared toward the popular detection model of decision tree, but can be adapted to accommodate other classifiers.

Cryptography and Security,Artificial Intelligence

Bilal Yousuf,M. Atif Qureshi,Brendan Spillane,Gary Munnelly,Oisin Carroll,Matthew Runswick,Kirsty Park,Eileen Culloty,Owen Conlan,Jane Suiter

DOI: https://doi.org/10.48550/arXiv.2111.08791

2021-11-17

Abstract:The threat posed by misinformation and disinformation is one of the defining challenges of the 21st century. Provenance is designed to help combat this threat by warning users when the content they are looking at may be misinformation or disinformation. It is also designed to improve media literacy among its users and ultimately reduce susceptibility to the threat among vulnerable groups within society. The Provenance browser plugin checks the content that users see on the Internet and social media and provides warnings in their browser or social media feed. Unlike similar plugins, which require human experts to provide evaluations and can only provide simple binary warnings, Provenance's state of the art technology does not require human input and it analyses seven aspects of the content users see and provides warnings where necessary.

Computers and Society

Chaitanya R. Vyawhare,Reshma Y. Totare,Prashant S. Sonawane,Purva B. Deshmukh

DOI: https://doi.org/10.22214/ijraset.2022.42050

2022-05-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: Today the most important concern in the field of cyber security is finding the serious problems that make loss in secure information. It is mainly due to malicious URLs. Malicious URLs are generated daily. This URLs are having a short life span. Various techniques are used by researchers for detecting such threats in a timely manner. Blacklist method is famous among them. Researchers uses this blacklist method for easily identifying the harmful URLs. They are very simple and easy method. Due to their simplicity they are used as a traditional method for detecting such URLs. But this method suffers from many problems. The lack of ability in detecting newly generated malicious URLs is one of the main drawbacks of Blacklist method. Heuristic approach is also used for identifying some common attacks. It is an advanced technique of Blacklist method. But this method cannot be used for all type of attacks. So this method is used very shortly. For a good experience, the researchers introduce machine learning techniques. Machine Learning techniques go through several phases and detect the malicious URLs in an accurate manner. This method also gives the details about the false positive rate. This review paper studies the different phases such as feature extraction phase and feature representation phase of machine learning techniques for detecting malicious URLs. Different machine learning algorithms used for such detection is also discuss in this paper. And also gives a better understanding about the advantage of using machine learning over other techniques for detecting malicious URLs and problems it suffers. Keywords: Blacklist, Cyber Security, Malicious URL

Ruitong Liu,Yanbin Wang,Haitao Xu,Zhan Qin,Yiwei Liu,Zheng Cao

2023-11-21

Abstract:The widespread use of the Internet has revolutionized information retrieval methods. However, this transformation has also given rise to a significant cybersecurity challenge: the rapid proliferation of malicious URLs, which serve as entry points for a wide range of cyber threats. In this study, we present an efficient pre-training model-based framework for malicious URL detection. Leveraging the subword and character-aware pre-trained model, CharBERT, as our foundation, we further develop three key modules: hierarchical feature extraction, layer-aware attention, and spatial pyramid pooling. The hierarchical feature extraction module follows the pyramid feature learning principle, extracting multi-level URL embeddings from the different Transformer layers of CharBERT. Subsequently, the layer-aware attention module autonomously learns connections among features at various hierarchical levels and allocates varying weight coefficients to each level of features. Finally, the spatial pyramid pooling module performs multiscale downsampling on the weighted multi-level feature pyramid, achieving the capture of local features as well as the aggregation of global features. The proposed method has been extensively validated on multiple public datasets, demonstrating a significant improvement over prior works, with the maximum accuracy gap reaching 8.43% compared to the previous state-of-the-art method. Additionally, we have assessed the model's generalization and robustness in scenarios such as cross-dataset evaluation and adversarial attacks. Finally, we conducted real-world case studies on the active phishing URLs.

Cryptography and Security

Shaheetha Liaquathali,Vadivazhagan Kadirvelu

DOI: https://doi.org/10.37934/araset.47.1.105122

2024-06-21

Journal of Advanced Research in Applied Sciences and Engineering Technology

Abstract:Malicious websites have become a pervasive concern in the digital realm, targeting careless users as well as organizations. It may result in substantial financial losses, identity theft, data intrusions, and damage to reputation. In order to create efficient countermeasures, it is crucial to comprehend the effects of interacting with such websites. There are several ways to classify malicious webpages. Web content analysis is one such way for protecting internet users from malicious activities. It entails analysing websites to identify potential hazards, such as phishing attempts, malware distribution, and fraudulent activities. Traditional methods relied on rule-based systems, but recent advances in natural language processing and machine learning have opened up new avenues for increasing the precision and scalability of web content analysis to classify malicious webpages. Most of the exciting research work focuses more on URL alone for risk free processing. This paper introduces novel method for analysing web contents especially textual contents of the webpages for classification. Among various tags in web technology, proposed method focuses on div, paragraph and meta tags. The textual contents of these tags are extracted and vectorized using three different vectorizers in natural language processing and classify the webpages using machine learning models. Seven different machine learning models are used for performance evaluation. The result shows that a combined textual content of three distinct tags with count vectorizer + random forest achieves the higher accuracy of 93.46% with 1000 features.

Malak Aljabri,Fahd Alhaidari,Rami Mustafa A Mohammad,Samiha Mirza,Dina H Alhamed,Hanan S Altamimi,Sara Mhd Bachar Chrouf

DOI: https://doi.org/10.1155/2022/3241216

2022-08-25

Abstract:The World Wide Web services are essential in our daily lives and are available to communities through Uniform Resource Locator (URL). Attackers utilize such means of communication and create malicious URLs to conduct fraudulent activities and deceive others by creating deceptive and misleading websites and domains. Such threats open the doors for many critical attacks such as spams, spyware, phishing, and malware. Therefore, detecting malicious URL is crucially important to prevent the occurrence of many cybercriminal activities. In this study, we examined a set of machine learning (ML) and deep learning (DL) models to detect malicious websites using a dataset comprising 66,506 records of URLs. We engineered three different types of features including lexical-based, network-based and content-based features. To extract the most discriminative features in the dataset, we applied several features selection algorithms, namely, correlation analysis, Analysis of Variance (ANOVA), and chi-square. Finally, we conducted a comparative performance evaluation for several ML and DL models considering set of criteria commonly used to evaluate such models. Results depicted that Naïve Bayes (NB) was the best model for detecting malicious URLs using the applied data with an accuracy of 96%. This research has made contribution to the field by conducting significant features engineering and analysis to identify the best features for malicious URLs predictions, compare different models and achieve a high accuracy using a large new URL dataset.

Shuaiqi Shen,Chong Yu,Kuan Zhang,Song Ci

DOI: https://doi.org/10.1109/icc42927.2021.9500731

2021-01-01

Abstract:Malicious websites attempt to install malware on user’s devices without permission, which can disrupt device operation, steal personal information, and even acquire access to the device for future attacks. Accurate detection of malicious website behaviors is crucial for network security but still faces challenges. Firstly, various types and semantics of website features are required to identity the wide range of malicious characteristics, leading to massive training data and computational overhead. Secondly, to reduce model dimensionality, a proper selection of website features is essential but difficult due to the complex relations among features that can affect each other’s contribution to detection outcomes. In this paper, we propose a lightweight feature-based detection scheme against malicious websites considering the interaction measures among features and the overhead-accuracy tradeoff. Specifically, we systematically characterize the interactions among website features in a non-additive manner to indicate the aggregated impacts of feature subsets. Then we propose a quantification method to measure the feature interactions based on multivariate regression. With this method, important features are selected to substantially reduce the model dimension and computational complexity while maintaining desirable accuracy. Meanwhile, the proposed scheme provides an interpretable model that preserves the physical meanings of original features. It allows users to balance the overhead-accuracy tradeoff for detection model training through feature subset selection to fit the requirements and constraints of real applications.

Xueyuan Han,Thomas Pasquier,Margo Seltzer

DOI: https://doi.org/10.48550/arXiv.1806.00934

2018-06-04

Cryptography and Security

Abstract:Intrusion detection is an arms race; attackers evade intrusion detection systems by developing new attack vectors to sidestep known defense mechanisms. Provenance provides a detailed, structured history of the interactions of digital objects within a system. It is ideal for intrusion detection, because it offers a holistic, attack-vector-agnostic view of system execution. As such, provenance graph analysis fundamentally strengthens detection robustness. We discuss the opportunities and challenges associated with provenance-based intrusion detection and provide insights based on our experience building such systems.

Zhenyuan Li,Yangyang Wei,Xiangmin Shen,Lingzhi Wang,Yan Chen,Haitao Xu,Shouling Ji,Fan Zhang,Liang Hou,Wenmao Liu,Xuhong Zhang,Jianwei Ying

2024-07-10

Abstract:Recent research in both academia and industry has validated the effectiveness of provenance graph-based detection for advanced cyber attack detection and investigation. However, analyzing large-scale provenance graphs often results in substantial overhead. To improve performance, existing detection systems implement various optimization strategies. Yet, as several recent studies suggest, these strategies could lose necessary context information and be vulnerable to evasions. Designing a detection system that is efficient and robust against adversarial attacks is an open problem. We introduce Marlin, which approaches cyber attack detection through real-time provenance graph <a class="link-external link-http" href="http://alignment.By" rel="external noopener nofollow">this http URL</a> leveraging query graphs embedded with attack knowledge, Marlin can efficiently identify entities and events within provenance graphs, embedding targeted analysis and significantly narrowing the search space. Moreover, we incorporate our graph alignment algorithm into a tag propagation-based schema to eliminate the need for storing and reprocessing raw logs. This design significantly reduces in-memory storage requirements and minimizes data processing overhead. As a result, it enables real-time graph alignment while preserving essential context information, thereby enhancing the robustness of cyber attack detection. Moreover, Marlin allows analysts to customize attack query graphs flexibly to detect extended attacks and provide interpretable detection results. We conduct experimental evaluations on two large-scale public datasets containing 257.42 GB of logs and 12 query graphs of varying sizes, covering multiple attack techniques and scenarios. The results show that Marlin can process 137K events per second while accurately identifying 120 subgraphs with 31 confirmed attacks, along with only 1 false positive, demonstrating its efficiency and accuracy in handling massive data.

Cryptography and Security

Danielle Gonzalez,Thomas Zimmermann,Patrice Godefroid,Max Schaefer

DOI: https://doi.org/10.48550/arXiv.2103.03846

2021-03-10

Abstract:Security is critical to the adoption of open source software (OSS), yet few automated solutions currently exist to help detect and prevent malicious contributions from infecting open source repositories. On GitHub, a primary host of OSS, repositories contain not only code but also a wealth of commit-related and contextual metadata - what if this metadata could be used to automatically identify malicious OSS contributions? In this work, we show how to use only commit logs and repository metadata to automatically detect anomalous and potentially malicious commits. We identify and evaluate several relevant factors which can be automatically computed from this data, such as the modification of sensitive files, outlier change properties, or a lack of trust in the commit's author. Our tool, Anomalicious, automatically computes these factors and considers them holistically using a rule-based decision model. In an evaluation on a data set of 15 malware-infected repositories, Anomalicious showed promising results and identified 53.33% of malicious commits, while flagging less than 1% of commits for most repositories. Additionally, the tool found other interesting anomalies that are not related to malicious commits in an analysis of repositories with no known malicious commits.

Software Engineering