Malicious HTML File Prediction: A Detection and Classification Perspective with Noisy Data

Samuel Hess, Pratik Satam, Gregory Ditzler, Salim Hariri

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Cybersecurity plays a critical role in protecting sensitive information and the structural integrity of networked systems. As networked systems continue to expand in numbers as well as in complexity, so does the threat of malicious activity and the necessity for advanced cybersecurity solutions. Furthermore, both the quantity and quality of available data on malicious content as well as the fact that malicious activity continuously evolves makes automated protection systems for this type of environment particularly challenging. Not only is the data quality a concern, but the volume of the data can be quite small for some of the classes. This creates a class imbalance in the data used to train a classifier; however, many classifiers are not well equipped to deal with class imbalance. One such example is detecting malicious HMTL files from static features. Unfortunately, collecting malicious HMTL files is extremely difficult and can be quite noisy from HTML files being mislabeled. This paper evaluates a specific application that is afflicted by these modern cybersecurity challenges: detection of malicious HTML files. Previous work presented a general framework for malicious HTML file classification that we modify in this work to use a χ 2 feature selection technique and synthetic minority oversampling technique (SMOTE). We experiment with different classifiers (i.e., AdaBoost, Gentle-Boost, RobustBoost, RusBoost, and Random Forest) and a pure detection model (i.e., Isolation Forest). We benchmark the different classifiers using SMOTE on a real dataset that contains a limited number of malicious files (40) with respect to the normal files (7,263). It was found that the modified framework performed better than the previous framework's results. However, additional evidence was found to imply that algorithms which train on both the normal and malicious samples are likely overtraining to the malicious distribution. We demonstrate the likely overtraining by determining that a subset of the malicious files, while suspicious, did not come from a malicious source.

Original languageEnglish (US)
Title of host publication2018 IEEE/ACS 15th International Conference on Computer Systems and Applications, AICCSA 2018
PublisherIEEE Computer Society
ISBN (Electronic)9781538691205
DOIs
StatePublished - Jan 14 2019
Event15th IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2018 - Aqaba, Jordan
Duration: Oct 28 2018Nov 1 2018

Publication series

NameProceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA
Volume2018-November
ISSN (Print)2161-5322
ISSN (Electronic)2161-5330

Conference

Conference15th IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2018
CountryJordan
CityAqaba
Period10/28/1811/1/18

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Hardware and Architecture
  • Signal Processing
  • Control and Systems Engineering
  • Electrical and Electronic Engineering

Fingerprint Dive into the research topics of 'Malicious HTML File Prediction: A Detection and Classification Perspective with Noisy Data'. Together they form a unique fingerprint.

Cite this