Malicious websites pose significant security and economic risks by distributing malware and stealing sensitive data. Existing detection methods, including static code, dynamic code, and provenance analysis, face challenges such as evasion strategies and limited feature extraction capabilities. This paper introduces a novel approach combining system provenance dependency graphs with GraphSAGE to address these limitations. The proposed method optimizes graph construction by splitting nodes with strong centrality based on process execution characteristic and integrating “virtual time nodes/edges” to confront disconnected graphs. A GraphSAGE-MLP model is developed to automatically extract nonlinear features from system provenance dependency graph, enabling robust detection without browser modifications. Experiments across Firefox Windows, Chrome Windows, Chrome Linux and Firefox Linux environments demonstrate the method’s superiority, achieving performance improvements of up to 3.4% compared to existing approaches.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Detecting Malicious Websites Based on The System Provenance Dependency Graph and GraphSAGE

  • Ziyan Zhu,
  • Lihua Zhou

摘要

Malicious websites pose significant security and economic risks by distributing malware and stealing sensitive data. Existing detection methods, including static code, dynamic code, and provenance analysis, face challenges such as evasion strategies and limited feature extraction capabilities. This paper introduces a novel approach combining system provenance dependency graphs with GraphSAGE to address these limitations. The proposed method optimizes graph construction by splitting nodes with strong centrality based on process execution characteristic and integrating “virtual time nodes/edges” to confront disconnected graphs. A GraphSAGE-MLP model is developed to automatically extract nonlinear features from system provenance dependency graph, enabling robust detection without browser modifications. Experiments across Firefox Windows, Chrome Windows, Chrome Linux and Firefox Linux environments demonstrate the method’s superiority, achieving performance improvements of up to 3.4% compared to existing approaches.