DocumentCode
3718757
Title
DbDHunter: An ensemble-based anomaly detection approach to detect drive-by download attacks
Author
Mehran Jodavi;Mahdi Abadi;Elham Parhizkar
Author_Institution
Department of Electrical and Computer Engineering, Tarbiat Modares University, Tehran, Iran
fYear
2015
Firstpage
273
Lastpage
278
Abstract
Drive-by download attacks, typically implemented in JavaScript, have been among the most common attack vectors in recent years. Several anomaly detection techniques have been proposed to confront them. These techniques can detect previously unseen drive-by download attacks, but they often raise many false alarms, which makes them difficult to use in practice. In this paper, we address this problem by presenting DbDHunter, a novel ensemble-based anomaly detection approach for detecting drive-by download attacks. It is motivated by the observation that the detection performance of an ensemble composed of multiple base classifiers tends to be better than that of any single member. DbDHunter constructs an initial ensemble of one-class classifiers and applies a binary particle swarm optimization algorithm, called SwarmSnips, to the ensemble to find a near-optimal sub-ensemble for classifying web pages as benign or malicious. To combine the outputs of the one-class classifiers in the sub-ensemble, DbDHunter uses a specific ordered weighted averaging operator, called the SIOWA operator. Experiments on a dataset of benign and malicious web pages show that DbDHunter achieves about a 96.3% detection rate, a 1.8% false alarm rate, and 97% accuracy.
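The abstract describes a three-stage pipeline: a pool of one-class classifiers fitted on benign pages only, a binary PSO that selects a sub-ensemble using labelled validation data, and an ordered weighted averaging (OWA) operator that fuses the selected scores. The block below is an added, self-contained illustration of that pipeline and is not the authors' code: the base classifiers are simple per-feature z-score anomaly scorers, the PSO is the generic Kennedy-Eberhart sigmoid binary PSO rather than SwarmSnips, the OWA weights come from Yager's quantifier-guided construction rather than the SIOWA operator, the five page features, the 0.5 decision threshold and the size penalty in the fitness function are assumptions, and all feature vectors are constructed for the example.

```python
# Added, constructed example (not the paper's code): a miniature
# DbDHunter-style pipeline. Base classifiers are per-feature one-class
# z-score scorers fitted on benign pages only; a generic binary PSO
# (not the paper's SwarmSnips) picks a sub-ensemble; a generic
# quantifier-guided OWA operator (not the paper's SIOWA) fuses scores.
import math
import random

# Constructed per-page feature vectors (assumed, not from the paper):
# (eval/unescape calls, longest string literal, obfuscated-char ratio,
#  iframe count, script count). Unusually long strings and many
# eval/unescape calls are classic obfuscated-JavaScript indicators.
BENIGN_TRAIN = [
    (0, 40, 0.01, 0, 3), (1, 80, 0.02, 1, 5), (0, 60, 0.00, 0, 2),
    (2, 120, 0.03, 1, 6), (0, 30, 0.01, 0, 1), (1, 90, 0.02, 0, 4),
    (0, 70, 0.01, 1, 3), (1, 50, 0.02, 0, 2),
]
# Labelled validation pages (1 = malicious), used only to score
# candidate sub-ensembles during the swarm search.
VALIDATION = [
    ((0, 50, 0.01, 0, 3), 0), ((1, 100, 0.02, 1, 4), 0),
    ((0, 35, 0.00, 0, 2), 0), ((2, 110, 0.03, 0, 5), 0),
    ((9, 4000, 0.40, 3, 1), 1), ((14, 9000, 0.55, 2, 2), 1),
    ((6, 2500, 0.30, 5, 1), 1), ((11, 6000, 0.48, 1, 3), 1),
]


class ZScoreOneClass:
    """One-class scorer on one feature; score in [0,1), 0 = typical."""

    def __init__(self, feature_index):
        self.i = feature_index

    def fit(self, benign_rows):
        vals = [r[self.i] for r in benign_rows]
        self.mu = sum(vals) / len(vals)
        var = sum((v - self.mu) ** 2 for v in vals) / len(vals)
        self.sigma = math.sqrt(var) or 1.0  # guard constant features
        return self

    def score(self, row):
        z = abs(row[self.i] - self.mu) / self.sigma
        return 1.0 - math.exp(-z / 3.0)     # z = 3 maps to about 0.63


def owa_weights(n, alpha=0.5):
    """Yager's quantifier-guided OWA weights for Q(r) = r**alpha.
    alpha < 1 is 'or-like': the top-ranked scores dominate."""
    return [(k / n) ** alpha - ((k - 1) / n) ** alpha for k in range(1, n + 1)]


def owa(scores, weights):
    """Ordered weighted averaging: weights attach to rank, not to source."""
    return sum(w * s for w, s in zip(weights, sorted(scores, reverse=True)))


def predict(classifiers, row, threshold=0.5):
    scores = [c.score(row) for c in classifiers]
    return int(owa(scores, owa_weights(len(scores))) >= threshold)


def accuracy(classifiers, labelled):
    return sum(predict(classifiers, r) == y for r, y in labelled) / len(labelled)


def binary_pso(pool, labelled, n_particles=10, iters=30, seed=7):
    """Binary PSO over bit-masks of the pool (sigmoid velocity rule)."""
    rng, n = random.Random(seed), len(pool)

    def fitness(mask):
        chosen = [c for c, b in zip(pool, mask) if b]
        if not chosen:
            return 0.0
        # accuracy minus a small size penalty: prefer leaner sub-ensembles
        return accuracy(chosen, labelled) - 0.01 * len(chosen) / n

    pos = [[rng.random() < 0.5 for _ in range(n)] for _ in range(n_particles)]
    vel = [[0.0] * n for _ in range(n_particles)]
    pbest, pfit = [p[:] for p in pos], [fitness(p) for p in pos]
    gfit = max(pfit)
    gbest = pbest[pfit.index(gfit)][:]
    for _ in range(iters):
        for i in range(n_particles):
            for d in range(n):
                v = (0.7 * vel[i][d]
                     + 1.5 * rng.random() * (pbest[i][d] - pos[i][d])
                     + 1.5 * rng.random() * (gbest[d] - pos[i][d]))
                vel[i][d] = max(-4.0, min(4.0, v))
                pos[i][d] = rng.random() < 1.0 / (1.0 + math.exp(-vel[i][d]))
            f = fitness(pos[i])
            if f > pfit[i]:
                pfit[i], pbest[i] = f, pos[i][:]
                if f > gfit:
                    gfit, gbest = f, pos[i][:]
    return [c for c, b in zip(pool, gbest) if b], gfit


def build_sub_ensemble(benign_rows=BENIGN_TRAIN, labelled=VALIDATION):
    pool = [ZScoreOneClass(i).fit(benign_rows) for i in range(len(benign_rows[0]))]
    return binary_pso(pool, labelled)


if __name__ == "__main__":
    sub, fit = build_sub_ensemble()
    print("selected features:", [c.i for c in sub], "fitness:", round(fit, 3))
    print("validation accuracy:", accuracy(sub, VALIDATION))
```

Two points worth noticing when running it. The script-count feature is deliberately uninformative (the constructed malicious pages carry few scripts), so the swarm has something to prune, which is the point of selecting a sub-ensemble rather than using the whole pool. And because the OWA weights apply to ranked scores, one confident base classifier can flag a page even when the others are lukewarm; whether that is desirable depends on the false alarm budget, which is exactly the trade-off the abstract reports as detection rate against false alarm rate.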
Keywords
Yttrium
Publisher
ieee
Conference_Titel
Computer and Knowledge Engineering (ICCKE), 2015 5th International Conference on
Type
conf
DOI
10.1109/ICCKE.2015.7365841
Filename
7365841
Link To Document