Research On Drive-by Download Detection Based On Machine Learning

Posted on: 2020-09-18
Degree: Master
Type: Thesis
Country: China
Candidate: R Wang
GTID: 2428330572972267
Subject: Information security
Abstract/Summary:
With the continuous development of the Internet, security problems have also appeared. Drive-by download attacks distribute and execute malware when users access Web pages containing exploit code for vulnerabilities in their browsers. Since their emergence, drive-by download attacks have developed and become the main way of distributing malware. In this paper, the detection technology for this attack, at home and abroad, is studied in depth. An attack detection method based on the AdaBoost-SVM algorithm is proposed, and a detection system is designed and implemented. The main work and innovation of this paper are as follows:

Based on HTTP, five features that can distinguish normal download behavior from drive-by download behavior are proposed. On the basis of research on the principle of the drive-by download attack and analysis of existing attack data sets, the detection technology at home and abroad is studied in depth. Combined with the characteristics of existing research, the detection rate of the system is improved.

Based on HTTP, this paper proposes a method to obtain the distribution path of executable files, which greatly facilitates the extraction and calculation of the above features, and stores the captured data packets on this basis.

To overcome the shortcomings of existing detection models, a drive-by download detection method based on the AdaBoost-SVM algorithm is proposed. The AdaBoost algorithm is used to divide the classification process into several SVM weak classifiers, and the weak classifiers are trained iteratively to generate a strong classifier. Using the features proposed in this paper, the classifier is trained on the data set collected in this paper, which proves that the detection model based on the AdaBoost-SVM algorithm can effectively detect malicious download behavior.

A drive-by download attack detection system is designed and implemented, and the detection results are visualized. On the basis of the proposed algorithm with better detection performance, the prototype system is implemented. By comparing its detection performance with that of anti-virus software, this paper finds that the system can better distinguish normal download behavior from drive-by download behavior. This proves that the proposed method and the designed system can effectively detect drive-by download behavior.
Keywords/Search Tags:Drive-by download, AdaBoost Algorithm, SVM Classifier, HTTP Analysis