WANG Tao,YU Shun-zheng

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.01.019

2011-01-01

Computer Science

Abstract:Malicious Web pages impose increasing threats on Web security in recent years.Currently,there are mainly two client-side protection approaches including anti-virus software packages and blacklists of malicious sites.Anti-virus techniques commonly use signature-based approaches which might not be able to efficiently identify malicious HTML codes with encryption and obfuscation.Furthermore,blacklisting techniques are difficult to keep up-to-date.This paper presented a novel classification method for real-time detecting malicious Web pages which is independent with the contents of Web pages.Our approach characterizes malicious Web pages using HTTP session information.With representative statistical features and decision tree algorithm in machine learning,we built an effective classification model for online real-time detecting malicious Web pages.Experiment results demonstrate that we are able to successfully detect 89.7% of the malicious Web pages with a low false positive rate of 0.3%.

Wang Tao,Yu Shunzheng,Xie Bailin

DOI: https://doi.org/10.1109/ifita.2010.173

2010-01-01

Abstract:Malicious web pages are a widely-recognized threat to the security of the web. Malicious web pages launch so-called drive-by download attacks that are able to gain complete control of a user’s computer for illegitimate purpose. Even a single visit to a malicious web page enables an automatically download and installation of malicious malware executables. In this paper, we propose a novel approach for classifying web pages automatically as either malicious or benign based on a supervised machine learning. Our approach learns to detect malicious web pages exclusively based on HTTP session information (e.g., HTTP session headers, domains of requests and responses). With the corpus of 50,000 benign web pages and 500 malicious web pages, we are capable of successfully detecting 92.2% of the malicious web pages with a low false positive rate 0.1%.

Yizhi Liu,Chaoqun Zhu,Yadi Wu,Heng Xu,Jun Song

DOI: https://doi.org/10.1002/cpe.6191

2021-01-19

Concurrency and Computation: Practice and Experience

Abstract:<p>In recent years, with the rapid development of mobile social networks and services, the research of mobile malicious webpage detection has become a hot topic. Most of the existing malicious webpage detection systems are deployed on desktop systems and servers. Due to the limitation of network transmission delay and computing resources, these existing solutions fail to provide the real‐time and lightweight properties for mobile webpage detection. In this paper, we propose an advanced mobile malicious webpage detection framework based on deep learning and edge cloud. Inspired by the idea of edge computing, a multidevice load optimization approach is first introduced to improve detection efficiency. Second, an automatic extraction approach based on deep learning model features is presented to enhance detection accuracy. Furthermore, detection systems can be flexibly deployed on edge nodes and servers, thus providing the properties of resource optimization deployment and real‐time detection. Finally, comparative analysis and performance evaluation are presented to show the detection efficiency and accuracy of the proposed framework.</p>

Joshua Saxe,Richard Harang,Cody Wild,Hillary Sanders

DOI: https://doi.org/10.48550/arXiv.1804.05020

2018-04-14

Abstract:Malicious web content is a serious problem on the Internet today. In this paper we propose a deep learning approach to detecting malevolent web pages. While past work on web content detection has relied on syntactic parsing or on emulation of HTML and Javascript to extract features, our approach operates directly on a language-agnostic stream of tokens extracted directly from static HTML files with a simple regular expression. This makes it fast enough to operate in high-frequency data contexts like firewalls and web proxies, and allows it to avoid the attack surface exposure of complex parsing and emulation code. Unlike well-known approaches such as bag-of-words models, which ignore spatial information, our neural network examines content at hierarchical spatial scales, allowing our model to capture locality and yielding superior accuracy compared to bag-of-words baselines. Our proposed architecture achieves a 97.5% detection rate at a 0.1% false positive rate, and classifies small-batched web pages at a rate of over 100 per second on commodity hardware. The speed and accuracy of our approach makes it appropriate for deployment to endpoints, firewalls, and web proxies.

Cryptography and Security,Machine Learning

Yao Wang,Wan‐dong Cai,Peng‐cheng Wei,Wan-dong Cai,Peng-cheng Wei

DOI: https://doi.org/10.1002/sec.1441

IF: 1.968

2016-02-11

Security and Communication Networks

Abstract:Abstract Malicious JavaScript code in webpages on the Internet is an emergent security issue because of its universality and potentially severe impact. Because of its obfuscation and complexities, detecting it has a considerable cost. Over the last few years, several machine learning‐based detection approaches have been proposed; most of them use shallow discriminating models with features that are constructed with artificial rules. However, with the advent of the big data era for information transmission, these existing methods already cannot satisfy actual needs. In this paper, we present a new deep learning framework for detection of malicious JavaScript code, from which we obtained the highest detection accuracy compared with the control group. The architecture is composed of a sparse random projection, deep learning model, and logistic regression. Stacked denoising auto‐encoders were used to extract high‐level features from JavaScript code; logistic regression as a classifier was used to distinguish between malicious and benign JavaScript code. Experimental results indicated that our architecture, with over 27 000 labeled samples, can achieve an accuracy of up to 95%, with a false positive rate less than 4.2% in the best case. Copyright © 2016 John Wiley &amp; Sons, Ltd.

computer science, information systems,telecommunications

Baojiang Cui,Shanshan He,Xi Yao,Peilin Shi

DOI: https://doi.org/10.1504/ijhpcn.2018.10015545

2018-01-01

International Journal of High Performance Computing and Networking

Abstract:Many web applications suffer from various web attacks due to the lack of awareness concerning security. Therefore, it is necessary to improve the reliability of web applications by accurately detecting malicious URLs. In previous studies, keyword matching has always been used to detect malicious URLs, but this method is not adaptive. In this paper, statistical analyses based on gradient learning and feature extraction using a sigmoidal threshold level are combined to propose a new detection approach based on machine learning techniques. Moreover, the naïve Bayes, decision tree and SVM classifiers are used to validate the accuracy and efficiency of this method. Finally, the experimental results demonstrate that this method has a good detection performance, with an accuracy rate above 98.7%. In practical use, this system has been deployed online and is being used in large-scale detection, analysing approximately 2 TB of data every day.

Jianhua Liu,Mengda Xu,Xin Wang,Shigen Shen,Minglu Li

DOI: https://doi.org/10.1109/access.2018.2882742

IF: 3.9

2018-01-01

IEEE Access

Abstract:The effective detection of malicious webpages plays a paramount role in ensuring the Web security on the Internet. However, the detection results of current methods are poor and their efficiency is low, and thus, it is important and challenging to design an efficient detection scheme that can improve the accuracy of classification of malicious webpages. To overcome this challenge, a Markov detection tree scheme is proposed in this paper to automatically identify and classify malicious webpages, where the link relations of unified resource locators, the information gain ratio, and Markov decision process as well as decision tree are used to analyze malicious webpages simultaneously. To increase the detection accuracy for malicious webpages, two methods of filling missing values are presented to process the null attribute values of webpages. We compare the performance of our algorithms when the different methods are applied in terms of the information gain ratio, classification accuracy, and detection efficiency. Our experimental results show that the proposed methods can improve the accuracy and efficiency in the classification of malicious webpage detections.

Zhengqi Wang,Xiaobing Feng,Yukun Niu,Chi Zhang,Jue Su

DOI: https://doi.org/10.1109/nana.2017.58

2017-01-01

Abstract:Nowadays, with the rapid development of the Internet and the growing network business, the amount of the websites is experiencing an explosive growth and the malicious websites threaten is becoming the biggest threaten in the Internet age. As a result, there have been broad interests in developing systems to detect the malicious web pages before the end users visits those websites. In order to make the detection more and more accurate, the analysis process becomes more and more costly, sometimes even requiring several seconds for a single page. Therefore, performing this analysis on a large set of web pages containing hundreds of millions of samples can be impossible. Our paper proposes a two-step detection system based on machine learning algorithm called TSMWD. The first step of TSMWD provides a fast and reliable large-scale detection on the countless unknown web pages. It can quickly discard the vast majority of benign web pages by using the static analysis techniques based on the modified Naïve-Bayesian classifier and forward the unknown samples to the second-step which can make a quite precise final detection. Due to the 99% web pages in the Internet are benign ones, the system's detection speed can be improved greatly.

Wen Zhang,Yuxin Ding,Yan Tang,Bin Zhao

DOI: https://doi.org/10.1109/icmlc.2011.6016954

2011-01-01

Abstract:The Internet has become an indispensable tool in peoples' daily life. It also bring us serious computer security problem. One big security threat comes from malicious webpages. In this paper we study how to detect malicious pages. Since malicious webpages are generated inconstantly, we use on line learning methods to detect malicious webpages. To keep the client side as safe as possible, we do not download the webpages, and analysis webpages' content. We only use URL information to determine if the URL links to a malicious pages. The feature selection methods for URL are discussed, and the performances of different on line learning methods are compared. To improve the performance of on line learning classifiers, an improved on line learning method is proposed, experiments show that this method is effective.

Hongliang Ma,Wei Wang,Zhen Han

DOI: https://doi.org/10.13245/j.hust.141107

2014-01-01

Abstract:In order to detect malicious Web pages efficiently ,a lightweight analysis method was pro-posed based on basic JavaScript code words .First ,crawler got all source codes from Web pages ,and then extracted JavaScript codes from source codes .Second ,self-defined basic code words replaced all JavaScript codes .Last ,three machine learning algorithms ,namely ,K-nearest neighbor (K-NN ) , principal component analysis (PCA ) as well as one-class support vector machine (SVM ) were em-ployed to detect malicious Web pages based on anomaly detection .The extensive experimental results show that our method can detect Web pages efficiently .In particular ,PCA achieves a detection rate as 90% with false positive rate of 1% ,detecting 250 s-1 .

Xincheng He,Chunliu Cha,Lei Xu

DOI: https://doi.org/10.1109/APSEC.2018.00051

2018-12-01

Abstract:JavaScript plays an important role in web applications and services, which is used by millions of web pages in optimizing interface design, embedding dynamic texts, reading and writing HTML elements, validating form data, responding to browser events, controlling cookies and much more. However, since JavaScript is cross-platform and can be executed dynamically, it has been a major vehicle for web-based attacks. Existing solutions work by performing static analysis or monitoring program execution dynamically. However, since the heavy use of obfuscation techniques, many methods no longer apply to malicious JavaScript code detection, and it has been a huge challenge to de-obfuscate obfuscated malicious JavaScript code accurately. In this paper, we propose a hybrid analysis method combining static and dynamic analysis for detecting malicious JavaScript code that works by first conducting syntax analysis and dynamic instrumentation to extract internal features that are related to malicious code and then performing classificationbased detection to distinguish attacks. In addition, based on code instrumentation, we propose a new method which can deobfuscate part of obfuscated malicious JavaScript code accurately. Ultimately, we implement a browser plug-in called MJDetector and perform evaluation on 450 real web pages. Evaluation results show that our method can detect malicious JavaScript code and de-obfuscate obfucation effectively and efficiently. Specifically, MJDetector can detect JavaScipt attacks in current web pages with high accuracy 94.76% and de-obfuscate obfuscate code of specific types with accuracy 100% whereas the base line method can only detect with accuracy 81.16% and has no capacity of de-obfuscation.

Computer Science

Yao Wang,Wandong Cai,Pin Lyu,Wei Shao

DOI: https://doi.org/10.1155/2018/7087239

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Ill-intentioned browser extensions pose an emergent security risk and have become one of the most common attack vectors on the Internet due to their wide popularity and high privilege. Once installed, malicious extensions are executed and attempt to compromise a victim’s browser. To detect malicious browser extensions, security researchers have put forward several techniques. These techniques primarily concentrate on the usage of API calls by malicious extensions, imposing restricted policies for extensions, and monitoring extension’s activities. In this paper, we propose a machine-learning-based approach to detect malicious extensions. We apply static and dynamic techniques to analyse an extension for extracting features. The analysis process extracts features from the source codes including JavaScript codes, HTML pages, and CSS files and the execution activities of an extension. To guarantee the robustness of the features, a feature selection method is then applied to retain the most relevant features while discarding low-correlated features. The detection models based on machine-learning techniques are subsequently constructed by leveraging these features. As can be seen from evaluation results, our detection model, containing over 4,600 labelled extension samples, is able to detect malicious extensions with an accuracy of 96.52% in validation set and 95.18% in test set, with a false positive rate of 2.38% in validation set and 3.66% in test set.

Yong Fang,Cheng Huang,Yu Su,Yaoyao Qiu

DOI: https://doi.org/10.1016/j.cose.2020.101764

IF: 5.105

2020-01-01

Computers & Security

Abstract:Web development technology has undergone tremendous evolution, the creation of JavaScript has greatly enriched the interactive capabilities of the client. However, attackers use the dynamics feature of JavaScript language to embed malicious code into web pages for the purpose of drive-by-download, redirection, etc. The traditional method based on static feature detection is difficult to detect the malicious code after obfuscation, and the method based on dynamic analysis has low efficiency. To overcome these challenges, this paper proposes a static detection model based on semantic analysis. The model firstly generates an abstract syntax tree from JavaScript source codes, then automatically converts them to syntactic unit sequences. FastText algorithm is introduced to training word vectors. The syntactic unit sequences are represented as word vectors which will be input into Bi-LSTM network with attention mechanism. The detection model with Bi-LSTM network with attention mechanism is the key to detect malicious JavaScript. We experimented with the dataset using a five-fold cross-validation method. Experiments showed that the model can effectively detect obfuscated malicious JavaScript code and improve the detection speed, with a precision of 0.977 and recall of 0.974.

Bin Liang,Jianjun Huang,Fang Liu,DaWei Wang,Daxiang Dong,Zhaohui Liang

DOI: https://doi.org/10.1109/EBISS.2009.5138008

2009-01-01

Abstract:In recent years, Web sites have already become the attackers' main target. When attackers embed malicious code in the Web pages, they generally change the display mode of the corresponding HTML tags to make the display effect of malicious code invisible or almost invisible to the browser users. In this paper, the concept of abnormal visibility is proposed to describe the display feature setting of malicious code embedded. According to the concept, a malicious code detection method based on abnormal visibility recognition is designed and a prototype system is implemented. Compared to traditional methods and systems, the method has higher efficiency and less maintenance cost. Besides, a special-purpose JavaScript interpreter is implemented to get the execution output of browser-end scripts that are often used to generate malicious code dynamically by attackers. Experiments show that this system can detect most of the malicious Web pages efficiently and at the same time locate the malicious code in the source code accurately.

Tao Yue,Jianhua Sun,Hao Chen

DOI: https://doi.org/10.1109/icdma.2013.145

2013-01-01

Abstract:With the World Wide Web expanding continuously, more and more malicious web pages including phishing, malware and spamming spread rapidly, we are facing a great threat. The work of detecting malicious web pages and identifying their threat types has some shortcomings. In existing studies of malicious webpage detection, most are just for detecting a single attack type. In this paper, we extract a variety of webpage features and use machine learning algorithms to build an efficient classifier. By the classifier, we can detect malicious web pages and identify all the popular threat types. The features extracted in our method are derived from the HTML contents, the associated Java Script code, and the corresponding URL. We collected 1000 benign web pages and 1500 malicious web pages as experimental data sets. The experimental results show that our method achieves a superior performance: the accuracy was over 95% in detecting malicious web pages and over 88% in identifying threat types.

Haijun Zhang,Gang Liu,Tommy W S Chow,Wenyin Liu

DOI: https://doi.org/10.1109/TNN.2011.2161999

Abstract:A novel framework using a Bayesian approach for content-based phishing web page detection is presented. Our model takes into account textual and visual contents to measure the similarity between the protected web page and suspicious web pages. A text classifier, an image classifier, and an algorithm fusing the results from classifiers are introduced. An outstanding feature of this paper is the exploration of a Bayesian model to estimate the matching threshold. This is required in the classifier for determining the class of the web page and identifying whether the web page is phishing or not. In the text classifier, the naive Bayes rule is used to calculate the probability that a web page is phishing. In the image classifier, the earth mover's distance is employed to measure the visual similarity, and our Bayesian model is designed to determine the threshold. In the data fusion algorithm, the Bayes theory is used to synthesize the classification results from textual and visual content. The effectiveness of our proposed approach was examined in a large-scale dataset collected from real phishing cases. Experimental results demonstrated that the text classifier and the image classifier we designed deliver promising results, the fusion algorithm outperforms either of the individual classifiers, and our model can be adapted to different phishing cases.

Jingbing Chen,Jie Yuan,Yuewei Li,Yiqi Zhang,Yufan Yang,Ruiqi Feng

DOI: https://doi.org/10.1145/3446132.3446183

2020-01-01

Abstract:In recent years, due to the high availability and convenience of the Internet, more and more information provides corresponding services through the Internet. As people are increasingly relying on the Internet, network security issues have become increasingly prominent, and a large number of malicious web pages have also emerged. How to achieve proactive and efficient detection of malicious web pages has become a research focus in the field of network security worldwide. This paper uses the Support Vector Machine algorithm to realize autonomous learning and build the classifier; chooses the TF-IDF method to process the data, and obtains the feature matrix of the collected URL data, which is stored in the sparse matrix after normalization and standardization. To avoid the existence of relatively strong features from affecting the classification results of the classifier, the K-Means method and TruncatedSVD method are used to reduce the dimension of the data features. The linear kernel function is used for large samples, and the Gaussian kernel function is used for small samples, so that the performance of the classifier is optimal. In the training process, the grid search method is used to obtain the optimal parameters forming a complete and mature detection system. And a ten-fold cross-validation method is used to test the correct rate, recall rate, accuracy rate and F1 value of the classifier. Finally the experimental result shows the malicious web page detection model has a good reference for big data processing.

Huang Cheng,Fang Yong,Liu Liang,Lu-Rong Wang

DOI: https://doi.org/10.1109/icwamtip.2012.6413432

2012-01-01

Abstract:For the purpose of improving native detective method based on signature matching of traditional anti-virus software and inadequate performance of dynamic testing, the researchers demonstrate a new static detection model of malicious PDF documents based on naive Bayes classifier technology. The model considers with exploit techniques of heap spray, JavaScript syntax and shellcode feature. Compare to traditional detection techniques, the training samples and actual test data showed that the detection efficiency and accuracy of the model have improved greatly.

Xiangjun Li,Sifan Li,Shengnan Liu,Lingfeng Liu,Daojing He

DOI: https://doi.org/10.18280/ts.370115

IF: 2.299

2020-01-01

Traitement du signal

Abstract:In the era of the Internet, malicious attacks have put user information at risk. Many malicious webpages use images as the carrier of malicious codes. If extracted accurately, the features of these images will help to improve the detection of malicious webpages. This paper aims to develop an accurate malicious webpage detection method based on the features of the said images. Since static images contain a small amount of information, semantic segmentation was performed to predict the semantics of the target attitude. Then, the final semantics of target the image were derived by the backpropagation neural network (BPNN). After that, the image semantics were fused with the other features of the malicious webpage, and sent to the classifier for recognition. Finally, the proposed algorithm was tested on an actual dataset, in comparison with other malicious webpage detection methods. The results show that our algorithm can accurately detect malicious webpages, thanks to the introduction of image semantic features.

Li Xu,Zhenxin Zhan,Shouhuai Xu,Keyin Ye

DOI: https://doi.org/10.48550/arXiv.1408.1993

2014-08-09

Abstract:Malicious websites are a major cyber attack vector, and effective detection of them is an important cyber defense task. The main defense paradigm in this regard is that the defender uses some kind of machine learning algorithms to train a detection model, which is then used to classify websites in question. Unlike other settings, the following issue is inherent to the problem of malicious websites detection: the attacker essentially has access to the same data that the defender uses to train its detection models. This 'symmetry' can be exploited by the attacker, at least in principle, to evade the defender's detection models. In this paper, we present a framework for characterizing the evasion and counter-evasion interactions between the attacker and the defender, where the attacker attempts to evade the defender's detection models by taking advantage of this symmetry. Within this framework, we show that an adaptive attacker can make malicious websites evade powerful detection models, but proactive training can be an effective counter-evasion defense mechanism. The framework is geared toward the popular detection model of decision tree, but can be adapted to accommodate other classifiers.

Cryptography and Security,Artificial Intelligence