Crafting Text Adversarial Examples to Attack the Deep-Learning-based Malicious URL Detection

Detecting malicious URLs is of great significance to reduce cyber crimes and maintain Internet security. Currently, Deep Learning (DL) techniques have been widely used to improve the classical malicious URL detection models, as DL-based detection models can perform an in-depth analysis of the text information of the URL, and detect the fishing URLs of unknown cyber attack types with high accuracy. Any missed blocking of malicious URLs can potentially result in a huge loss of information and property. In this paper, we focus on the vulnerability of the existing DL-based malicious URL detection models and show that they are sensitive to adversarial samples. First, we construct URL adversarial samples based on the component-level and character-level perturbations and use them to attack mainstream DL-based detection models, resulting in obvious decreases in the detection accuracies. Meanwhile, the perturbations are under the constraints that each adversarial sample URL is hardly distinguished from the original URL with naked eyes. Furthermore, under most circumstances, the adversarial samples constructed by replacing 14 types of characters and perturbing other all components except the scheme component lead to the largest increased number of missed blocking of malicious URLs, i.e., a bigger drop in the accuracy than other constructed methods. Finally, extensive experiments demonstrate the effectiveness of our adversarial examples. Even if the adversarial training is used against our adversarial samples, the adversarial samples still work and bring oblivious decreases in their accuracy.