http://dx.doi.org/10.3837/tiis.2022.12.013

GCNXSS: An Attack Detection Approach for Cross-Site Scripting Based on Graph Convolutional Networks  

Pan, Hongyu (School of Cyber Science and Engineering, Sichuan University)
Fang, Yong (School of Cyber Science and Engineering, Sichuan University)
Huang, Cheng (School of Cyber Science and Engineering, Sichuan University)
Guo, Wenbo (School of Cyber Science and Engineering, Sichuan University)
Wan, Xuelin (China Merchants Bank)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS), vol. 16, no. 12, 2022, pp. 4008-4023
Abstract
Since machine learning was introduced into cross-site scripting (XSS) attack detection, many researchers have conducted related studies and achieved significant results, such as saving the time and labor cost of maintaining a rule database, which traditional XSS attack detection methods require. However, these approaches still suffer from problems such as poor generalization ability and high false negative rates (FNR) and false positive rates (FPR). Meanwhile, the automatic clustering property of graph convolutional networks (GCN) has attracted the attention of researchers. In the field of natural language processing (NLP), the results of GCN-based graph embedding cluster automatically in space without any training, which means that text data can be classified by the GCN-based embedding process alone, whereas other methods require training on labeled data after embedding to complete classification. With the help of this GCN auto-clustering feature and labeled data, this research proposes an approach to detect XSS attacks (called GCNXSS) that mines the dependencies between the units that constitute an XSS payload. First, GCNXSS transforms a URL into a homogeneous word graph based on word co-occurrence relationships. Then, GCNXSS inputs the graph into the GCN model for graph embedding and obtains the classification result. Experimental results show that GCNXSS achieved accuracy, precision, recall, F1-score, FNR, FPR and prediction time of 99.97%, 99.75%, 99.97%, 99.86%, 0.03%, 0.03% and 0.0461 ms respectively. Compared with existing methods, GCNXSS has a lower FNR and FPR and stronger generalization ability.
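The pipeline the abstract describes, URL to word co-occurrence graph to GCN propagation to a pooled graph vector, as an added illustration in pure Python. This is not the authors' code or released model: the tokenizer regex, the co-occurrence window, the per-token feature table and the layer weights are all assumptions, and the weights are seeded random placeholders, so the block shows the graph construction and the Kipf-Welling propagation rule D^-1/2 (A + I) D^-1/2, not the trained detector or its reported accuracy. The sample URLs at the bottom are constructed, not taken from the paper's dataset.

```python
import math
import random
import re
import zlib
from urllib.parse import unquote

# Tokens are runs of word characters or single punctuation characters that
# structure an XSS payload (tag delimiters, quotes, parentheses, separators).
# The regex is an assumption, not the paper's tokenizer.
TOKEN_RE = re.compile(r"[a-z0-9_]+|[<>/=()\"';:]")

FEAT, HIDDEN, OUT = 8, 8, 4
_rng = random.Random(2022)
# Placeholder weights (assumption): seeded random, not trained on any XSS corpus.
W1 = [[_rng.uniform(-1.0, 1.0) for _ in range(HIDDEN)] for _ in range(FEAT)]
W2 = [[_rng.uniform(-1.0, 1.0) for _ in range(OUT)] for _ in range(HIDDEN)]


def tokenize(url):
    """Percent-decode twice (so double-encoded payloads are not hidden from the
    graph), lowercase, and split into tokens."""
    return TOKEN_RE.findall(unquote(unquote(url)).lower())


def build_graph(tokens, window=3):
    """Undirected word co-occurrence graph: adj[i][j] counts how often
    vocab[i] and vocab[j] appear within `window` positions of each other."""
    vocab = sorted(set(tokens))
    index = {w: i for i, w in enumerate(vocab)}
    n = len(vocab)
    adj = [[0.0] * n for _ in range(n)]
    for pos, tok in enumerate(tokens):
        for other in tokens[pos + 1:pos + window]:
            i, j = index[tok], index[other]
            if i != j:
                adj[i][j] += 1.0
                adj[j][i] += 1.0
    return vocab, adj


def normalized_adjacency(adj):
    """Renormalised propagation matrix D^-1/2 (A + I) D^-1/2 (Kipf & Welling)."""
    n = len(adj)
    a_tilde = [[adj[i][j] + (1.0 if i == j else 0.0) for j in range(n)]
               for i in range(n)]
    d_inv_sqrt = [1.0 / math.sqrt(sum(row)) for row in a_tilde]
    return [[d_inv_sqrt[i] * a_tilde[i][j] * d_inv_sqrt[j] for j in range(n)]
            for i in range(n)]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def gcn_layer(a_hat, x, w, relu=True):
    """One GCN layer: H' = act(A_hat H W)."""
    h = matmul(matmul(a_hat, x), w)
    return [[max(0.0, v) for v in row] for row in h] if relu else h


def token_features(token):
    """Deterministic pseudo-embedding keyed on the token text. Stands in for a
    trained word-embedding table so the same word gets the same features in
    every URL graph (assumption, not the paper's embedding)."""
    r = random.Random(zlib.crc32(token.encode()))
    return [r.uniform(-1.0, 1.0) for _ in range(FEAT)]


def embed_url(url, window=3):
    """URL -> word graph -> two GCN layers -> mean-pooled graph vector."""
    tokens = tokenize(url)
    if not tokens:
        return [0.0] * OUT
    vocab, adj = build_graph(tokens, window)
    a_hat = normalized_adjacency(adj)
    x = [token_features(w) for w in vocab]
    h1 = gcn_layer(a_hat, x, W1)
    h2 = gcn_layer(a_hat, h1, W2, relu=False)
    return [sum(col) / len(vocab) for col in zip(*h2)]


if __name__ == "__main__":
    # Constructed sample URLs, not from the paper's dataset.
    for u in ("search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
              "search?q=<script>alert(1)</script>",
              "search?q=graph+neural+networks"):
        print(u, "->", [round(v, 3) for v in embed_url(u)])
```

Two practical points the pipeline makes visible. The graph is built from decoded tokens, so an encoded and a plain copy of the same payload map to the same graph and the same vector; a detector that skipped that normalisation would see two different graphs for what the browser renders identically. And because each URL becomes its own graph, node features must come from a table shared across URLs (here the keyed pseudo-embedding), otherwise embeddings of different URLs are not comparable.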
Keywords
Web security; Cross-site scripting; Graph convolutional networks (GCN)