Detecting Malicious URLs Based on Machine Learning Algorithms and Word Embeddings

摘要

Relying on the appropriate features is essential in classification models for malware detection, for various important reasons, such as dealing with class imbalance, the ability to detect zero-day malware samples, or preventing attackers to successfully reverse engineer the classification process and changing nonessential feature values to avoid detection. In this paper, we propose a method that uses a combination of word embeddings together with “classical”, domain-engineered features, to obtain reliable classification models for malicious URLs detection. Additionally, we explore different traditional techniques to address class imbalance – such as synthetic oversampling or cost-sensitive learning – and several classification techniques. We find that the best overall results are obtained by using a cost-sensitive neural network – with a precision that exceeds 99% and an accuracy above 90%, while maintaining a recall rate above 89%. We have performed an analysis of the importance of the features proposed, and found that while word embeddings produce better results than bi-gram based features, domain-specific features are necessary for obtaining a high precision in detecting malicious URLs.