Cross Site Scripting Attack Detection Approach Based on LSTM Encoder-Decoder and Word Embeddings

Authors

  • Rokia Lamrani Alaoui LISAC Laboratory. Department of Computer Science. University Sidi Mohamed Ben Abdallah, Faculty of Science Dhar El Mahraz, Fez, Morocco. https://orcid.org/0000-0002-2545-2316
  • El Habib Nfaoui LISAC Laboratory. Department of Computer Science. University Sidi Mohamed Ben Abdallah, Faculty of Science Dhar El Mahraz, Fez, Morocco. https://orcid.org/0000-0002-5816-0897

Keywords:

Deep learning, Encoder-Decoder, Cross Site Scripting attack, Web security, word embedding, XSS

Abstract

Web applications are the main target of cyberattacks, and Cross-Site Scripting (XSS) is one of the most serious web attacks. Through XSS, cybercriminals are able to turn trusted websites into malicious ones, causing severe harm to the victims and to the reputation of the website owner. According to the Open Web Application Security Project (OWASP) survey, XSS has been ranked in the top 10 web application vulnerabilities since 2017. Despite this danger, only 10 research works studied XSS attacks between 2010 and 2021, as reported recently by a systematic literature review on web attack detection using Deep Learning. Meanwhile, in many Natural Language Processing (NLP) applications, the use of word embeddings and deep Encoder-Decoder models has considerably improved the performance of downstream NLP tasks. In this work, we therefore propose a Deep Learning approach based on an LSTM Encoder-Decoder and context-free word embeddings for XSS attack detection. We implemented the proposed model and compared it with state-of-the-art approaches. The experimental results show that our model achieves good results: 99.08% accuracy, 99.09% precision, and 99.08% recall.

References

OWASP, "Top 10 Web Application Security Risks," 2017. [Online].

R. L. Alaoui and E. H. Nfaoui, "Deep Learning for Vulnerability and Attack Detection on Web Applications: A Systematic Literature Review," Future Internet, vol. 14, no. 4, p. 118, 2022.

R. L. Alaoui and E. H. Nfaoui, "Web attacks detection using stacked generalization ensemble for LSTMs and word embedding," 2022.

A. M. Vartouni, S. S. Kashi and M. Teshnehlab, "An anomaly detection method to detect web attacks using Stacked Auto-Encoder," 2018.

Z.-Q. Qin, X.-K. Ma and Y.-J. Wang, "Attentional Payload Anomaly Detector for Web Applications," Springer International Publishing, 2018, pp. 588-599.

D. Tripathy, R. Gohil and T. Halabi, "Detecting SQL Injection Attacks in Cloud SaaS using Machine Learning," 2020.

R. Kadhim and M. Gaata, "A hybrid of CNN and LSTM methods for securing web application against cross-site scripting attack," Indones. J. Electr. Eng. Comput. Sci, vol. 21, pp. 1022-1029, 2020.

T. Liu, Y. Qi, L. Shi and J. Yan, "Locate-Then-Detect: Real-time Web Attack Detection via Attention-based Deep Neural Networks," 2019.

W. Rong, B. Zhang and X. Lv, "Malicious web request detection using character-level CNN," 2019.

F. M. M. Mokbal, W. Dan, A. Imran, L. Jiuchuan, F. Akhtar and W. Xiaoxi, "MLPXSS: an integrated XSS-based attack detection scheme in web applications using multilayer perceptron technique," IEEE Access, vol. 7, pp. 100567-100580, 2019.

C. Luo, Z. Tan, G. Min, J. Gan, W. Shi and Z. Tian, "A novel web attack detection system for internet of things via ensemble classification," IEEE Transactions on Industrial Informatics, vol. 17, no. 8, pp. 5810-5818, 2020.

W. Melicher, C. Fung, L. Bauer and L. Jia, "Towards a lightweight, hybrid approach for detecting dom xss vulnerabilities with machine learning," 2021.

H. Maurel, S. Vidal and T. Rezk, "Statically identifying XSS using deep learning," Science of Computer Programming, vol. 219, p. 102810, 2022.

T. Chen, Y. Chen, M. Lv, G. He, T. Zhu, T. Wang and Z. Weng, "A Payload Based Malicious HTTP Traffic Detection Method Using Transfer Semi-Supervised Learning," Applied Sciences, vol. 11, no. 16, p. 7188, 2021.

Y. Fang, Y. Li, L. Liu and C. Huang, "DeepXSS: Cross site scripting detection based on deep learning," 2018.

GitHub, "XSS dataset," 2018. [Online].

T. Mikolov, K. Chen, G. Corrado and J. Dean, "Efficient estimation of word representations in vector space," arXiv preprint arXiv:1301.3781, 2013.

J. Pennington, R. Socher and C. D. Manning, "Glove: Global vectors for word representation," Proceedings of the 2014 conference on empirical methods in natural language processing (EMNLP), pp. 1532-1543, 2014.

P. Bojanowski, E. Grave, A. Joulin and T. Mikolov, "Enriching word vectors with subword information," Transactions of the association for computational linguistics, vol. 5, pp. 135-146, 2017.

Flow graph of XSS detection approach using LSTM encoder-decoder (training and testing stages).

Published

22.02.2023

How to Cite

Lamrani Alaoui, R., & Nfaoui, E. H. (2023). Cross Site Scripting Attack Detection Approach Based on LSTM Encoder-Decoder and Word Embeddings. International Journal of Intelligent Systems and Applications in Engineering, 11(2), 277–282. Retrieved from https://ijisae.org/index.php/IJISAE/article/view/2629

Section

Research Article
