Visible to the public Malicious HTML File Prediction: A Detection and Classification Perspective with Noisy Data

TitleMalicious HTML File Prediction: A Detection and Classification Perspective with Noisy Data
Publication TypeConference Paper
Year of Publication2018
AuthorsHess, S., Satam, P., Ditzler, G., Hariri, S.
Conference Name2018 IEEE/ACS 15th International Conference on Computer Systems and Applications (AICCSA)
Date Publishedoct
ISBN Number978-1-5386-9120-5
KeywordsAutonomic Security, Browsers, class imbalance, composability, computer network security, computer security, cybersecurity challenges, data quality, Decision trees, feature extraction, feature selection technique, hypermedia markup languages, Hypertext systems, Intrusion detection, learning (artificial intelligence), machine learning, malicious HTML file classification, malicious HTML file prediction, networked systems, noisy data, pattern classification, protection systems, pubcrawl, pure detection model, resilience, Resiliency, SMOTE, synthetic minority oversampling technique
Abstract

Cybersecurity plays a critical role in protecting sensitive information and the structural integrity of networked systems. As networked systems continue to expand in numbers as well as in complexity, so does the threat of malicious activity and the necessity for advanced cybersecurity solutions. Furthermore, both the quantity and quality of available data on malicious content as well as the fact that malicious activity continuously evolves makes automated protection systems for this type of environment particularly challenging. Not only is the data quality a concern, but the volume of the data can be quite small for some of the classes. This creates a class imbalance in the data used to train a classifier; however, many classifiers are not well equipped to deal with class imbalance. One such example is detecting malicious HMTL files from static features. Unfortunately, collecting malicious HMTL files is extremely difficult and can be quite noisy from HTML files being mislabeled. This paper evaluates a specific application that is afflicted by these modern cybersecurity challenges: detection of malicious HTML files. Previous work presented a general framework for malicious HTML file classification that we modify in this work to use a $\chi$2 feature selection technique and synthetic minority oversampling technique (SMOTE). We experiment with different classifiers (i.e., AdaBoost, Gentle-Boost, RobustBoost, RusBoost, and Random Forest) and a pure detection model (i.e., Isolation Forest). We benchmark the different classifiers using SMOTE on a real dataset that contains a limited number of malicious files (40) with respect to the normal files (7,263). It was found that the modified framework performed better than the previous framework's results. However, additional evidence was found to imply that algorithms which train on both the normal and malicious samples are likely overtraining to the malicious distribution. We demonstrate the likely overtraining by determining that a subset of the malicious files, while suspicious, did not come from a malicious source.

URLhttps://ieeexplore.ieee.org/document/8612855
DOI10.1109/AICCSA.2018.8612855
Citation Keyhess_malicious_2018