Detection of Malicious Websites Using Symbolic Classifier

Malicious websites are web locations that attempt to install malware, which is the general term for anything that will cause problems in computer operation, gather confidential information, or gain total control over the computer. In this paper, a novel approach is proposed which consists of the implementation of the genetic programming symbolic classifier (GPSC) algorithm on a publicly available dataset to obtain a simple symbolic expression (mathematical equation) which could detect malicious websites with high classification accuracy. Due to a large imbalance of classes in the initial dataset, several data sampling methods (random undersampling/oversampling, ADASYN, SMOTE, BorderlineSMOTE, and KmeansSMOTE) were used to balance the dataset classes. For this investigation, the hyperparameter search method was developed to find the combination of GPSC hyperparameters with which high classification accuracy could be achieved. The first investigation was conducted using GPSC with a random hyperparameter search method and each dataset variation was divided on a train and test dataset in a ratio of 70:30. To evaluate each symbolic expression, the performance of each symbolic expression was measured on the train and test dataset and the mean and standard deviation values of accuracy (ACC), A U C , precision, recall and f1-score were obtained. The second investigation was also conducted using GPSC with the random hyperparameter search method; however, 70%, i.e., the train dataset, was used to perform 5-fold cross-validation. If the mean accuracy, A U C , precision, recall, and f1-score values were above 0.97 then final training and testing (train/test 70:30) were performed with GPSC with the same randomly chosen hyperparameters used in a 5-fold cross-validation process and the final mean and standard deviation values of the aforementioned evaluation methods were obtained. In both investigations, the best symbolic expression was obtained in the case where the dataset balanced with the KMeansSMOTE method was used for training and testing. The best symbolic expression obtained using GPSC with the random hyperparameter search method and classic train–test procedure (70:30) on a dataset balanced with the KMeansSMOTE method achieved values of A C C ¯ , A U C ¯ , P r e c s i o n ¯ , R e c a l l ¯ and F 1 - s c o r e ¯ (with standard deviation) 0.9992 ± 2.249 × 10 − 5 , 0.9995 ± 9.945 × 10 − 6 , 0.9995 ± 1.09 × 10 − 5 , 0.999 ± 5.17 × 10 − 5 , 0.9992 ± 5.17 × 10 − 6 , respectively. The best symbolic expression obtained using GPSC with a random hyperparameter search method and 5-fold cross-validation on a dataset balanced with the KMeansSMOTE method achieved values of A C C ¯ , A U C ¯ , P r e c s i o n ¯ , R e c a l l ¯ and F 1 - s c o r e ¯ (with standard deviation) 0.9994 ± 1.13 × 10 − 5 , 0.9994 ± 1.2 × 10 − 5 , 1.0 ± 0 , 0.9988 ± 2.4 × 10 − 5 , and 0.9994 ± 1.2 × 10 − 5 , respectively.