IEEE International Conference on Recent Advances and Innovations in Engineering (ICRAIE-2016), December 23-25, 2016, Jaipur, India

Efficient Malicious Domain Detection Using Word

Segmentation and BM Pattern Matching
Sachin Gupta
Department of Computer Science & Engineering
APEX Institute of Engineering & Technology, Jaipur
ersachingupta11@gmail.com

AbstractOn the World Wide Web, the malicious links are
highly problematic in the dissemination channels as a source code
to the malware broadcasting. These suspicious malicious links
gives full access to the web attackers as an instrument of web
pages on internet. It is easily affected by the results of attackers
on the system of victim where system is utilized easily for
performing the cyber-attacks such as stealing the financial
credentials, phishing-spamming, hacking and many more such
web attacks. The developed system must be accurate and fast
enough to detect these types of such cyber-attacks by observing
the ability to find new developed malicious URLs or malicious
source code contents. It is the critical task to detect the malicious
contents in network of the web pages over the World Wide Web.
The various malicious cyber-attacks like spamming, code
phishing are done by using the malicious URLs to mount these
types of cyber-attacks. Internet unlawful activities are found in
Malicious Web sites as cornerstone of the Malicious URLs. The
main threat is to identify these attacks so that the suspicious
URLs can be easily resolved as malicious URLs along with its
source code of the web pages.
In this paper, a method has been proposed which is highly
useful in the field of World Wide Web networking of domains for
detecting the malicious URLs by using BM (Boyer-Moore) [1]
string pattern matching algorithm based on word segmentation
approach [2]. The nature of attacks is identified as a malicious
URL or source code of the web sites questioned on the World
Wide Web. The proposed approach is based on the real time
system for getting suspicious URL from the DNS server followed
by the detection on the basis of word segmentation of source
code. The discriminative features of this system are verified by
using the proposed method which gives a variety of properties
including text and link in the source code as highly powerful and
novel approach in the detection of suspicious URLs.
Keywords BM (Boyer-Moore) Pattern, Malicious Web
Pages, Classification Module, Web-Based Attacks.
I. INTRODUCTION
We have learned from the initial age of the malicious URL
detection to manage personal risk. There are many perilous
situations which can be studied to identify malicious detection.
However, the property for detecting the malicious source code
on the internet gives few heuristics to power the system as safe
Web sites. A wide range of gregariously undesirable
individuals, including spam-advertised, malicious source
codes are supported by unlawful websites. It is the killer
application on the World Wide Web which gives huge risk for
cyber-crimes such as stealing the financial credentials which
increases the risk of malicious source codes while browsing
the web contents by the web users. Various approaches have
been proposed to address the Web-prediction of malicious
attacks to discover the pure URLs from the complete database
of DNS server. A mundane remedy has been utilized to
declare the malicious URLs as a blacklist of malevolent
URLs. It can be constructed correctly as human proposals
given by the proposed techniques for time saving and positive
results. The unknown maleficent URLs cannot be found
efficiently as suspicious URL matching is highly problematic
in the distribution of the URLs from the database of DNS
server. This research effort of blacklisting has been given a
relegation model to address malignant URL by applying the
critical role of the URL disclosure where it is fixed on culling.
It is on the basis of prediction of URL features which are built
in the connection of safe URL detections.
A. Background
Filenames are used to discover the files on a local server
because the Uniform Resource Locators (URLs) is able to
locate Web pages of sites and perform the operation of
separation in web resources. Visiting a site is done by the way
of typing a URL by the user into the address bar of the
browser. A critical step is to find and click the links which are
available in the source code of the web pages so that it can be
redirected to other web pages containing the safeguard in the
source code. Generally URLs are the easiest readable and
understandable text, which gives better link to other sites or an
email messages by email client. URLs are defined as
following manner:
<protocol>://<name of the host><complete path>
In the <protocol> portion, network protocol must be used
to declare the required resource locator. There are many
common obligations used in the connection of URL prototype
standards where we can use Hypertext Transport Protocol or
HTTP in the middle layer OSI model as Transport Layer
Security.

[978-1-5090-2807-8/16/$31.00 2016 IEEE]

 IEEE International Conference on Recent Advances and Innovations in Engineering (ICRAIE-2016), December 23-25, 2016, Jaipur, India
Fig 1. The Components and Example of a URL
In Figure 1, the entire fragmentation of URLs is classified
and specified as the HTTP protocol of the OSI layer. Although
we cannot combine the entire protocol model as a
classification of URLs because most of the URLs are
rendezvous. We have noticed that phishing of the URLs or the
contents of web pages are broken through applying the tricks
by the user of World Wide Web in real.
B. Motivation
BM algorithm provides fuzzy matching results by using string
matching technique. The right-to-left conversion method is
applied in BM algorithm and there are two heuristic rules
available, applied for finding the bad character and the better
suffix pattern. By using above conversion method the right
jump distance can be finalized easily [3]. The static analysis
techniques provide better source code analysis in the BM
pattern matching technique. Source code of each and every
URL is analyzed by using the technique of BM Matching
Source Code Analyzer.
In this paper, URL forwarding and exploitation [4] are
explored for the feasibility of detecting malicious domains
visited on a cellular network which is based completely on
lexical characteristics of the domain names. In addition to
traditional quantitative features of BM pattern matching
technique for domain names, we also use a word segmentation
algorithm to segment the domain names into particular words
for extremely expand the size of the feature set.
A brief review to understand the background of the
problem and associated work is presented in section 2 as
literature survey. The proposed method for Malicious URL
Detection and Identification is presented in Section 3. The
algorithmic and observational analyses of proposed model are
defined in section 4. The section 5 gives the conclusion of the
proposed model and future work on the proposed model.
II. LITERATURE SURVEY
Passive Detection of Malicious Uniform Resource Locator is
the complete analytical survey of data which are available on
the source web page. It is used to check whether the source
code contains the malicious objects or not so that it can be
classified as codes under the malicious detection category and
it is done by pattern matching algorithm [1]. The data spotter
is used to download the source code followed by the
comparison of the same with the available virus signature in
the database. If comparison and matching are successful than
the data spotter declares the matched URL as a suspicious
URL. URL Malicious detection solution is given by Fuqiang
Yu[1] which is based on the pattern matching procedure of
BM technique.
The specific steps are as follows:
Step1: BM pattern matching algorithm for URL source and
virus signatures.
Step2: The malicious URL and code description are stored
in the database as a BM model matching substring.
Step3: Detection of malignant Web data structure for
malignant web page source codes followed by preparation
of database signature matching.
Step4: Detect malicious Web algorithm descriptions to
search gathered URL of the source code and perform the
malicious signature matching.
The maleficent URL disclosure predicated on BM pattern
matching algorithm has been implemented and this procedure
provides the suspicious URLs by suing the pattern matching in
the downloaded URL source codes which is available by the
virus finder in the virus URL database. The BM string pattern
matching algorithm provides higher efficiency in the detection
of malevolent URLs.
The virus characteristics are matched by using BM matching
algorithm to concede the source codes of URL for verifying
the safety of URL in the database. Fuqiang Yu has detected
203 Web Page search images as Malicious URL detection [1]
predicated using the BM pattern technique. Another method is
kaspersky scanning in which 190 URLs are purely confirmed
by the same author as a detection of malicious URLs with the
complete estimated error of only 6.9%, and the final felicitous
estimation is given by 91.1%. He has proved that protected
URLs given by the malicious detection algorithm are highly
safe for search engines for finding the safer web images. Wei
Wang and Kenneth E. Shirley have given a method for
detecting malignant domains utilizing word segmentation
approach.
They find that word segmentation approach if applied to
domain names, adds generous predictive power to a logistic
regression model that classifies domain names based on their
lexical features. In their experiments on real-word data,
models that used word segmentation decreased relative
misclassification rates and increased related AUC rates by
practically 10% compared to similar models that didnt use
word segmentation approach. Their method also provides
interpretable results which showed the words engaged users to
malicious sites. These words would commonly change over
time as attackers change their methods, but a model equivalent
as the one presented here could be fit to a sliding window of
new data to continuously monitor and detect new words that
are being used in malicious domains. Their results, of course,
depend on the data we used i.e. fresh domains visited on a
cellular network and presented WoT prestige ratings as the
outcome. Using different brink for the outcome variable,
 IEEE International Conference on Recent Advances and Innovations in Engineering (ICRAIE-2016), December 23-25, 2016, Jaipur, India
different time decreases for the query that collected the WoT
reputation ratings, or a different outcome variable altogether
(such as one that is clearly tailored to mobile traffic) are
attractive directions for next work. They also plan to modify
further into the relative performance of our models on fresh
domains vs. relatively low-traffic domains, since our data set
of domains that had not been seen in the prior 30 days consists
of a mixture of these two types of domains.
Alexander Moshchuk and Henry M. Levy [5] have given a
new method for detecting the Malicious Web Content which
applies Execution-Based technique in their research. Their
approach gives challenging aspects as achieving better
interactive performance and more as defending malicious
URL detection in the database of DNS server. They have
mentioned that the analysis is based on execution model of
malicious URL detection with some defined limitations.
Haotian Liu, Xiang Pan and Zhengyang Qu [6] have given
method for detecting malicious web sites using learning based
suspicious URLs. They proposed a learning based approach
for separating Web sites into 3 classes: benign, phishing, and
malware. The analysis is only based on URL itself beyond
accessing the target website, which removes the run-time
latency and safeguards user from being exposed to browser-
based vulnerabilities. By carefully selecting features and
learning algorithms, our system achieves 97.53% veracity on
detecting malicious Web sites.
Matthew G. Schultz and Eleazar Eskin [7] have given the
method of data mining for efficient and fast detection of
malicious URL and malicious source code as executable. They
have given the method which presents the first contribution for
finding the undetectable malicious source executable. The
Multi-Naive Bayes method gives better comparison of their
results in the popularity of signature based patterns and the
results shows 97.76% efficiency over the detection amounts of
malicious detection as signature-based methods.
III. PROBLEM STATEMENT AND PROPOSED APPROACH
The binary distribution problem is used to classify the
URL reputation where positive results are considered as
malicious URLs and negative results shows that the URLs are
not malicious URLs [1]. If the dissemination of the URL is
based on the technique of the learning-based model then the
values for malicious detection can be highly efficient and
accurate in comparison to other models [9]. Another aspect is
to classify the web sites containing the malicious source code
with the relationship among the various URLs in the database
of DNS server is lexical.
A. Word Segmentation Technique [2]
The features that we generated to forecast maliciousness
fall into five groups:
(a) Basic features; (b) Character indicator variables; (c)
Log-prospects; (d) Top-level domains; and (e) Words.
Basic Features: We measured four basic features:
i. Number of characters: the number of characters in
the domain name, excluding the top-level domain and
all periods. (Mean=11.5).
ii. Number of hyphens: the number of hyphens in the
domain name (mean = 0.12).
iii. Number of digits: the number of digits in the domain
name (mean = 0.09).
iv. Number of numbers: the number of numbers in the
domain name, where a number is defined as follows:
A string of consecutive digits of length > 0 (mean =
0.04).To allow non-linear relationships between these features
and the outcome, we binned the number of characters into
deciles, and the other three basic features into the basket {0, 1,
2, 3}. The hypothetical football-related domain 4downs-
10yards.com, for example, incorporates 14 characters, 3
digits, one hyphen, and two numbers. Rather than 4 feature
vectors, the collect versions of these four basic features
contain 10, 4, 4, and 4 feature vectors, respectively.
Character Indicator Variables: We created 36 binary
features to quota the presence of each character from a to
z and each digit from 0 to 9 in each domain name. The most
and least frequently appearing characters were e and q,
consequently (occurring at least one time in 198,304 and 5,152
domain names, accordingly), and the most and minimum
frequently occurring digits were 1 and 7, consequently
(occurring at least once in 3,980 and 1,193 domain names,
respectively).
Log-likelihood: We computed the log-likelihood of the
sequence of characters in each domain name using a first-
order Markov model as the possibility model for characters in
the English language. To define the transition probabilities
between characters, we figure out the table of first-order
transitions from a list of the top 1/3 million unigrams from the
Google n-grams corpus [10]. For each domain, we removed
digits and hyphens, and then computed the log-likelihood of
the sequence of remaining characters, using the dissemination
of first characters in the unigram list as the probability
dissemination of first characters for each domain. We also
figure out a normalized version of this feature in which we
divided the log-prospects by the number of characters in the
domain (omitting digits and hyphens) to account for the fact
that longer domains on average have lower log-prospects.
Last, we binned these values into deciles (as we did with the
number of characters feature), and we combined an
additional, 11th bin for the 197 domain names in the data that
only contained digits and hyphens (and thus had a lost value
for the log-prospects) [11].
Top-level domains: We noticed 857 uncommon top-level
domains (TLDs) in our data, where every domain belongs to
exactly one TLD (defined as existing on the Mozilla Public
Suffix List [14]). The most common TLD is .com (58% of
domains in our sample), and the next 5 very common are
.net, .org, .de, and .co.uk (5%, 11%, 3%, and 3% of
domains, respectively). 337 of the 857 TLDs were only
observed once.
Words: Another source for features in domain names is
individual words. First, we define some notations. In a set of
domain names, we invoke a token as a single occurrence of a
word within a domain name, where each particular token type
 IEEE International Conference on Recent Advances and Innovations in Engineering (ICRAIE-2016), December 23-25, 2016, Jaipur, India

in the data defines a word. The glossary is the list of all words
observed across the collection of domain names. If the domain (2) Public class of the malicious code data structure are as
www.duckduckgo.com, for example, were segmented into follows:
three tokens, {duck, duck, go}, it would only contain Public class url_information
two words: go and duck. {
Private string Identification; // Length 14 bytes
Public string name_of_www; // Length 200 bytes
B. Proposed Approach
Private string url_description; // Length 4 bytes
At the time of accessing the malicious web pages, the Private sting description; // Length 200 bytes
malicious web system or browser susceptibility uses the }
advantage of the program as Trojans. Other malicious
programs can also be downloaded by using these methods on
the host resulting where the state of host is unsafe [12]. The
internet Explorer susceptibility risk level is higher while using
the internet browser. Generally, there are two methods
available to utilize this risk level from higher to lower. These
methods are as follows:
i. The implementation of shell code in the web source
code is leaded due to loopholes error that contains
shell code.
ii. The program is downloaded and run by using these
methods after applying the component or other
susceptibilities.
Generally, create object () function and ActiveXObject () are
the most common functions available in object tags of the
URL address files [13]. The specific steps of the proposed
approach are as follows:
i. Apply word segmentation technique for all the domain
names found in the source code of web pages.
ii. Classify the domain segments using BM pattern. Fig 2. Flow Chart of Signature Matching
iii. Virus signatures and URL source are matched by using
the BM pattern matching algorithm.
iv. Collected URLs are searched in the source code of A. Algorithm
malicious URL detection by using malicious web URL BM Pattern (* pattern, * buffer, * url)
algorithm in the malicious signature database. Input: Buffer of the web page as source code and pattern of
v. BM mode of the matching substring is stored in the the virus signatures from the database and the name of URL.
database as the description of malicious URL or Output: 1 as true and 0 as false.
malicious code signature basis. Steps of algorithm are as follows:
vi. Malicious source code of web pages and signature 1. Apply word segmentation technique for all the
matching in database are detected as malicious web data domain names found in the source code of web page.
structures in the database to prepare better malicious 2. ADO connection database technology is used for
pattern matching. finding the pattern matching of the virus signatures to
vii. Matching the substring in to the new collected malicious characterize the database of the virus featured items.
signatures of malicious URLs. 3. Live matching of source code and viruses are
determined by the comparison of the virus signatures
IV. ALGORITHMIC AND OBSERVATIONAL MODEL to find whether the matching of string comes to the
Web Data Structures for detecting Malicious Web Objects end of string or not. If false value is returned by
are as follows: above matching, perform the stem 4 otherwise
perform step 5.
(1) The data structure are as follows for malicious URL code 4. Calculate number of jumps in bytes according to the
features: jump rules of the bad character and by using the good
{ suffix rule, the jump length is calculated.
Private string Identification; // Length 14 bytes 5. Returns true if virus signature matching is successful,
Public string URL_signature; // length 200 bytes otherwise it returns false and go to stem 3.
Private string URL_type; //length 4 bytes 6. Return the final result as true of false and returned to
} called module.
 IEEE International Conference on Recent Advances and Innovations in Engineering (ICRAIE-2016), December 23-25, 2016, Jaipur, India
B. Observational Model
The collected virus URLs and the entire URLs are the part of
the experiment in the comparison phase and all the virus
detection are validated in virus signature database by using
detection of matching algorithm. PHP and VC languages are
used to validate and to analyze the virus signature patterns in
the implementation [14]. The complete performance
evaluation of the malicious URL detection and the system
performance of the algorithm are given by rate of the virus
URL detection in the measurement.
. of further features with which to relegate domains. Various
Fig 3. Detection Number Diagram of Malicious URL
The number of daily visited malicious URLs is shown in
Fig. 3 due to uncommon distribution of the web page [15].
The number of malicious URL are captured as the category of
music, pornography or others due to the malicious page
detection algorithm are better than any other methods, thus
total number of malicious source codes are distributed and
captured as virus URLs. Code obfuscation of 27% has been
seen in this malicious URL detection and the source code
detection as failure is of 27%. The URL exploit detection is
found for 33% as complete detection in the malicious code
and malicious URL. Other 40% URL redirection is found in
the complete analysis of the detected malicious URL of the
malicious web pages.
V. CONCLUSION AND FUTURE WORK
We have reviewed and analyzed the subsisting malware
detection techniques and compared it with the advantage and
disadvantage and withal discuss some current quandary are
still remain. From the analysis, researcher has focused an
incipient dynamic feature extraction of malware detection
techniques. The output of our lightweight method could likely
be acclimated to apply near-authentic time detection of
dubious domains when a utilizer endeavors to visit a domain
on a World Wide Web network.
In this paper, an incipient method is proposed for the
maleficent URL detection utilizing Word Segmentation and
BM Pattern Matching technique. The malicious source codes
and URL are detected by using the proposed approach. BM
Pattern matching feature gives the complete analysis of the
malicious source code so the source code of the URLs is
detected as malicious URLs. Detection for the maleficent URL
are proven in this paper and the accuracy of malicious URL
detection is more than 85% while other anti-virus software
gives poor results in the same scenario. If a domain is
estimated to have a high probability of being malevolent
predicated merely on its denomination, then a more costly
analysis (such as web content-predicated analysis) could be
acclimated to regulate further action, such as blocking the site
or inserting a speed bump. In this way, the expected word
segmentation and BM Matching Pattern techniques outline
here could amend subsisting systems that use machine
learning to find malignant domains by engendering thousands
aspects of the malicious URL detection are presented in this
paper and we have introduced various associated techniques in
the association of URL classification process where target
website is detected as malicious or not.
In future, more research can be done to find malignant URLs
from web documents by exploiting the hyperlink architecture
of web. We have identified that this proposed method can be
elongated with a coalescence of the Dynamically Mining
Patterns without Pre-defined Elements.
REFERENCES
[1] Fuqiang Yu, Malicious URL Detection Algorithm based on BM Pattern
Matching, International Journal of Security and Its Applications, Vol.9,
No.9, pp.33-44, 2015.
[2] Wei Wang and Kenneth E. Shirley, Breaking Bad: Detecting malicious
domains using word segmentation, AT&T Labs Research, New York,
NY 10007,
[3] F. Noriyuki and H. Pkenichi, A personal system for web image
retrieval, Proceedings of the 4th international symposium Information
and communication technologies, (2005), pp. 209-216.
[4] E. Kirda, C. Kruegel and G. Vigna, A Client-side Solution for
Mitigating Cross-site Scripting Attacks, Proc. of 2006 ACM
Symposium on Applied Computing, (2006), pp. 330-337.
[5] Alexander Moshchuk, Tanya Bragin, Damien Deville, Steven D. Gribble
and Henry M. Levy, SpyProxy: Execution-based Detection of
Malicious Web Content, Proceedings of 16th USENIX Security
Symposium on USENIX Security Symposium, Article No. 3, ISBN:
111-333-5555-77-9, (2007).
[6] Haotian Liu, Xiang Pan and Zhengyang Qu, Learning based Malicious
Web Sites Detection using Suspicious URLs, Proc. of the
34thInternational Conference on Software Engineering, Northwestern
University, IL, USA, (2009)
[7] Matthew G. Schultz, Eleazar Eskin and Erez Zadok, Data Mining
Methods for Detection of New Malicious Executables, SP '01
Proceedings of the 2001 IEEE Symposium on Security and Privacy,
Page 38 IEEE Computer Society Washington, DC, USA,
2001.
[8] A. Mori, T. Lzumida and T. Sawada, A Tool for Analyzing and
Detecting Malicious Mobile Code, Proc. of the 28thInternational
Conference on Software Engineering, (2006), pp. 831 -834.
[9] P. Euripides, V. Epimendes and M. Evangelos, Searching for logo and
trademark images on the web, Proceedings of the 6th ACM
international conference Image and video retrieval, (2007), pp. 541 -548.
[10] X F. He, D. Cai and J R. Wen, Clustering and searching WWW images
using link and page layout analysis, ACM Transactions on Multimedia
Computing, Communications, and Applications, vol. 3, no. 2, (2007),
pp. 10-35.
[11] T. Dziubak and J. Matulewski, An object-oriented implementation of a
solver of the time- dependent Schrodinger equation using the CUDA
technology, COMPUTER PHYSICS COMMUNICATIONS, vol. 183,
no. 3. (2012), pp. 800-812.
 IEEE International Conference on Recent Advances and Innovations in Engineering (ICRAIE-2016), December 23-25, 2016, Jaipur, India

[12] K. Wang and A R. Smith, Efficient kinematical simulation of reflection
high-energy electron diffraction streak patterns for crystal surfaces,
COMPUTER PHYSICS COMMUNICATIONS, vol. 182, no. 10,
(2011), pp. 2208-2212.
[13] S.-W. Hsiao, Y. S. Sun, F.-C. Ao and M. C. Chen, A Secure Proxy-
Based Cross-Domain Communication for Web Mashups, 2011 Ninth
IEEE European Conference on Web Services (ECOWS), (2011), pp. 57
64.
[14] C.-M. Chen and Y.-H. Ou, Secure Mechanism for Mobile Web
Browsing, 2011 IEEE 17th International Conference on Parallel and
Distributed Systems (ICPADS), (2011), pp. 924 - 928.
[15] R. Bhandari and U. Suman, Broker based secure web service
composition using star topology, 2012 CSI Sixth International
Conference on Software Engineering (CONSEG), (2012), pp 1 -7.