The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
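The number of infected hosts on enterprise networks has been increased by drive-by download attacks. In these attacks, users of compromised popular websites are redirected toward websites that exploit vulnerabilities of a browser and its plugins. To prevent damage, detection of infected hosts on the basis of proxy logs rather than blacklist-based filtering has started to be researched. This is because blacklists have become difficult to create due to the short lifetime of malicious domains and concealment of exploit code. To detect accesses to malicious websites from proxy logs, we propose a system for detecting malicious URL sequences on the basis of three key ideas: focusing on sequences of URLs that include artifacts of malicious redirections, designing new features related to software other than browsers, and generating new training data with data augmentation. To find an effective approach for classifying URL sequences, we compared three approaches: an individual-based approach, a convolutional neural network (CNN), and our new event de-noising CNN (EDCNN). Our EDCNN reduces the negative effects of benign URLs redirected from compromised websites included in malicious URL sequences. Evaluation results show that only our EDCNN with proposed features and data augmentation achieved a practical classification performance: a true positive rate of 99.1%, and a false positive rate of 3.4%.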
Toshiki SHIBAHARA
NTT Secure Platform Laboratories, Osaka University
Kohei YAMANISHI
Osaka University
Yuta TAKATA
NTT Secure Platform Laboratories
Daiki CHIBA
NTT Secure Platform Laboratories
Taiga HOKAGUCHI
Osaka University
Mitsuaki AKIYAMA
NTT Secure Platform Laboratories
Takeshi YAGI
NTT Secure Platform Laboratories
Yuichi OHSITA
Osaka University
Masayuki MURATA
Osaka University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Toshiki SHIBAHARA, Kohei YAMANISHI, Yuta TAKATA, Daiki CHIBA, Taiga HOKAGUCHI, Mitsuaki AKIYAMA, Takeshi YAGI, Yuichi OHSITA, Masayuki MURATA, "Event De-Noising Convolutional Neural Network for Detecting Malicious URL Sequences from Proxy Logs" in IEICE TRANSACTIONS on Fundamentals,
vol. E101-A, no. 12, pp. 2149-2161, December 2018, doi: 10.1587/transfun.E101.A.2149.
Abstract: The number of infected hosts on enterprise networks has been increased by drive-by download attacks. In these attacks, users of compromised popular websites are redirected toward websites that exploit vulnerabilities of a browser and its plugins. To prevent damage, detection of infected hosts on the basis of proxy logs rather than blacklist-based filtering has started to be researched. This is because blacklists have become difficult to create due to the short lifetime of malicious domains and concealment of exploit code. To detect accesses to malicious websites from proxy logs, we propose a system for detecting malicious URL sequences on the basis of three key ideas: focusing on sequences of URLs that include artifacts of malicious redirections, designing new features related to software other than browsers, and generating new training data with data augmentation. To find an effective approach for classifying URL sequences, we compared three approaches: an individual-based approach, a convolutional neural network (CNN), and our new event de-noising CNN (EDCNN). Our EDCNN reduces the negative effects of benign URLs redirected from compromised websites included in malicious URL sequences. Evaluation results show that only our EDCNN with proposed features and data augmentation achieved a practical classification performance: a true positive rate of 99.1%, and a false positive rate of 3.4%.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E101.A.2149/_p
@ARTICLE{e101-a_12_2149,
author={Toshiki SHIBAHARA and Kohei YAMANISHI and Yuta TAKATA and Daiki CHIBA and Taiga HOKAGUCHI and Mitsuaki AKIYAMA and Takeshi YAGI and Yuichi OHSITA and Masayuki MURATA},
journal={IEICE TRANSACTIONS on Fundamentals},
title={Event De-Noising Convolutional Neural Network for Detecting Malicious URL Sequences from Proxy Logs},
year={2018},
volume={E101-A},
number={12},
pages={2149-2161},
abstract={The number of infected hosts on enterprise networks has been increased by drive-by download attacks. In these attacks, users of compromised popular websites are redirected toward websites that exploit vulnerabilities of a browser and its plugins. To prevent damage, detection of infected hosts on the basis of proxy logs rather than blacklist-based filtering has started to be researched. This is because blacklists have become difficult to create due to the short lifetime of malicious domains and concealment of exploit code. To detect accesses to malicious websites from proxy logs, we propose a system for detecting malicious URL sequences on the basis of three key ideas: focusing on sequences of URLs that include artifacts of malicious redirections, designing new features related to software other than browsers, and generating new training data with data augmentation. To find an effective approach for classifying URL sequences, we compared three approaches: an individual-based approach, a convolutional neural network (CNN), and our new event de-noising CNN (EDCNN). Our EDCNN reduces the negative effects of benign URLs redirected from compromised websites included in malicious URL sequences. Evaluation results show that only our EDCNN with proposed features and data augmentation achieved a practical classification performance: a true positive rate of 99.1%, and a false positive rate of 3.4%.},
keywords={},
doi={10.1587/transfun.E101.A.2149},
ISSN={1745-1337},
month={December},}
TY - JOUR
TI - Event De-Noising Convolutional Neural Network for Detecting Malicious URL Sequences from Proxy Logs
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 2149
EP - 2161
AU - Toshiki SHIBAHARA
AU - Kohei YAMANISHI
AU - Yuta TAKATA
AU - Daiki CHIBA
AU - Taiga HOKAGUCHI
AU - Mitsuaki AKIYAMA
AU - Takeshi YAGI
AU - Yuichi OHSITA
AU - Masayuki MURATA
PY - 2018
DO - 10.1587/transfun.E101.A.2149
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E101-A
IS - 12
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - December 2018
AB - The number of infected hosts on enterprise networks has been increased by drive-by download attacks. In these attacks, users of compromised popular websites are redirected toward websites that exploit vulnerabilities of a browser and its plugins. To prevent damage, detection of infected hosts on the basis of proxy logs rather than blacklist-based filtering has started to be researched. This is because blacklists have become difficult to create due to the short lifetime of malicious domains and concealment of exploit code. To detect accesses to malicious websites from proxy logs, we propose a system for detecting malicious URL sequences on the basis of three key ideas: focusing on sequences of URLs that include artifacts of malicious redirections, designing new features related to software other than browsers, and generating new training data with data augmentation. To find an effective approach for classifying URL sequences, we compared three approaches: an individual-based approach, a convolutional neural network (CNN), and our new event de-noising CNN (EDCNN). Our EDCNN reduces the negative effects of benign URLs redirected from compromised websites included in malicious URL sequences. Evaluation results show that only our EDCNN with proposed features and data augmentation achieved a practical classification performance: a true positive rate of 99.1%, and a false positive rate of 3.4%.
ER -