Malicious HTML File Prediction: A Detection and Classification Perspective with Noisy Data
Title | Malicious HTML File Prediction: A Detection and Classification Perspective with Noisy Data |
Publication Type | Conference Paper |
Year of Publication | 2018 |
Authors | Hess, S., Satam, P., Ditzler, G., Hariri, S. |
Conference Name | 2018 IEEE/ACS 15th International Conference on Computer Systems and Applications (AICCSA) |
Date Published | oct |
ISBN Number | 978-1-5386-9120-5 |
Keywords | Autonomic Security, Browsers, class imbalance, composability, computer network security, computer security, cybersecurity challenges, data quality, Decision trees, feature extraction, feature selection technique, hypermedia markup languages, Hypertext systems, Intrusion detection, learning (artificial intelligence), machine learning, malicious HTML file classification, malicious HTML file prediction, networked systems, noisy data, pattern classification, protection systems, pubcrawl, pure detection model, resilience, Resiliency, SMOTE, synthetic minority oversampling technique |
Abstract | Cybersecurity plays a critical role in protecting sensitive information and the structural integrity of networked systems. As networked systems continue to expand in numbers as well as in complexity, so does the threat of malicious activity and the necessity for advanced cybersecurity solutions. Furthermore, both the quantity and quality of available data on malicious content as well as the fact that malicious activity continuously evolves makes automated protection systems for this type of environment particularly challenging. Not only is the data quality a concern, but the volume of the data can be quite small for some of the classes. This creates a class imbalance in the data used to train a classifier; however, many classifiers are not well equipped to deal with class imbalance. One such example is detecting malicious HMTL files from static features. Unfortunately, collecting malicious HMTL files is extremely difficult and can be quite noisy from HTML files being mislabeled. This paper evaluates a specific application that is afflicted by these modern cybersecurity challenges: detection of malicious HTML files. Previous work presented a general framework for malicious HTML file classification that we modify in this work to use a $\chi$2 feature selection technique and synthetic minority oversampling technique (SMOTE). We experiment with different classifiers (i.e., AdaBoost, Gentle-Boost, RobustBoost, RusBoost, and Random Forest) and a pure detection model (i.e., Isolation Forest). We benchmark the different classifiers using SMOTE on a real dataset that contains a limited number of malicious files (40) with respect to the normal files (7,263). It was found that the modified framework performed better than the previous framework's results. However, additional evidence was found to imply that algorithms which train on both the normal and malicious samples are likely overtraining to the malicious distribution. We demonstrate the likely overtraining by determining that a subset of the malicious files, while suspicious, did not come from a malicious source. |
URL | https://ieeexplore.ieee.org/document/8612855 |
DOI | 10.1109/AICCSA.2018.8612855 |
Citation Key | hess_malicious_2018 |
- learning (artificial intelligence)
- synthetic minority oversampling technique
- SMOTE
- Resiliency
- resilience
- pure detection model
- pubcrawl
- protection systems
- pattern classification
- noisy data
- networked systems
- malicious HTML file prediction
- malicious HTML file classification
- machine learning
- Autonomic Security
- Intrusion Detection
- Hypertext systems
- hypermedia markup languages
- feature selection technique
- feature extraction
- Decision trees
- data quality
- cybersecurity challenges
- computer security
- computer network security
- composability
- class imbalance
- Browsers