GCNXSS: An Attack Detection Approach for Cross-Site Scripting Based on Graph Convolutional Networks

Pan, Hongyu (School of Cyber Science and Engineering, Sichuan University)
Fang, Yong (School of Cyber Science and Engineering, Sichuan University)
Huang, Cheng (School of Cyber Science and Engineering, Sichuan University)
Guo, Wenbo (School of Cyber Science and Engineering, Sichuan University)
Wan, Xuelin (China Merchants Bank)