DeepXSS: Cross Site Scripting Detection Based on Deep Learning

Cross Site Scripting (XSS) is one of the major threats to Web applications. Since it became publicly known, the XSS vulnerability has been in the TOP 10 Web application vulnerabilities based on surveys published by the Open Web Application Security Project (OWASP). How to effectively detect and defend against XSS attacks is still one of the most important security issues. In this paper, we present a novel approach to detecting XSS attacks based on deep learning (called DeepXSS). First, we used word2vec to extract features of XSS payloads that capture word order information, and mapped each payload to a feature vector. Then, we trained and tested the detection model using Long Short-Term Memory (LSTM) recurrent neural networks. Experimental results show that the proposed XSS detection model based on deep learning achieves a precision rate of 99.5% and a recall rate of 97.9% on a real dataset, which means that the novel approach can effectively identify XSS attacks.
