Open Access

ARTICLE

Adversarial Attacks on Featureless Deep Learning Malicious URLs Detection

Bader Rasheed¹, Adil Khan¹, S. M. Ahsan Kazmi², Rasheed Hussain², Md. Jalil Piran^3,*, Doug Young Suh⁴

1 Institute of Data Science and Artificial Intelligence, Innopolis University, Innopolis, 420500, Russia
2 Institute of Information Security and Cyberphysical Systems, Innopolis University, Innopolis, 420500, Russia
3 Department of Computer Science and Engineering, Sejong University, Seoul, Korea
4 Department of Electronics Engineering, Kyung Hee University, Yongin, Korea

* Corresponding Author: Md. Jalil Piran. Email:

(This article belongs to this Special Issue: AI for Wearable Sensing--Smartphone / Smartwatch User Identification / Authentication)

Computers, Materials & Continua 2021, 68(1), 921-939. https://doi.org/10.32604/cmc.2021.015452

Received 22 November 2020; Accepted 19 January 2021; Issue published 22 March 2021

Abstract

Detecting malicious Uniform Resource Locators (URLs) is crucially important to prevent attackers from committing cybercrimes. Recent researches have investigated the role of machine learning (ML) models to detect malicious URLs. By using ML algorithms, first, the features of URLs are extracted, and then different ML models are trained. The limitation of this approach is that it requires manual feature engineering and it does not consider the sequential patterns in the URL. Therefore, deep learning (DL) models are used to solve these issues since they are able to perform featureless detection. Furthermore, DL models give better accuracy and generalization to newly designed URLs; however, the results of our study show that these models, such as any other DL models, can be susceptible to adversarial attacks. In this paper, we examine the robustness of these models and demonstrate the importance of considering this susceptibility before applying such detection systems in real-world solutions. We propose and demonstrate a black-box attack based on scoring functions with greedy search for the minimum number of perturbations leading to a misclassification. The attack is examined against different types of convolutional neural networks (CNN)-based URL classifiers and it causes a tangible decrease in the accuracy with more than 56% reduction in the accuracy of the best classifier (among the selected classifiers for this work). Moreover, adversarial training shows promising results in reducing the influence of the attack on the robustness of the model to less than 7% on average.

---

Keywords

---