WIXLIB

Future Internet 2019, 11, 1774 of 13Figure 1. Architecture of reinforcement learning cross-site scripting (RLXSS).3.2. Mining XSS Adversarial Samples through Reinforcement Learning3.2.1. PreprocessingThe preprocessing inputs the initial malicious samples into the black-box and the white-boxdetection model for filtering. For the black-box detection tool, it saves the feedback interceptedsamples as a malicious sample set, which is used ass the adversarial attack black-box tool. For thewhite-box detection model, it saves samples with attack detection confidence greater than the thresholdas a set of malicious samples, which is used as the adversarial attack white-box model. Finally, it takesthe malicious sample block in the two datasets as malicious samples of RLXSS adversarial attack forthe black- and white-box XSS detection software.3.2.2. Black- and White-Box Detection EnvironmentIn order to implement a convenient interface to call different environments, the moduleencapsulates the black-box detection tool API and the white-box detection model API. The black-boxdetection tool interface uses the web crawler to carry the detection sample to request the detectionweb page, and the web page has the black-box detection tool installed to protect against the XSS attack.According to whether the request is blocked, the result is fed back. While the white-box detectionmodel interface pre-process the detection samples, it will input them in the white-box detection modelfor detection. Besides, it obtains the confidence of the detection samples classified as XSS attacks andfeeds back the results.The reward function is defined according to the difference between the black- and white-boxdetection model. The reward of the black-box model mainly depends on whether or not it escapesdetection. The reward of the white-box model mainly depends on the extent of confidence reduction.The specific definition of the reward function is shown in formula:(rt result score, score,1 result1 thresholdi f is blackbox Truei f is blackbox False(1)In the formula, the isblackbox parameter indicates whether the environment is a black-boxdetection model; the result parameter is the feedback value of the black-box and white-box detectionAPI; the threshold parameter is the confidence threshold of the white-box detection model; and thescore parameter is the reward for a successful escape.

Future Internet 2019, 11, 1775 of 13When the modified malicious samples are classified as benign samples and the reward value eisnot lower than the set threshold, the malicious samples are stored as adversarial samples; otherwise,they will be transmitted to the agent based on DDQN to continue to try the adversarial attacks.3.2.3. Agent Based on DDQNIn the agent module, the detection samples are processed by word segmentation and vectorization.The word vector and environment state are input into the DDQN algorithm model. According to theoutput prediction of DDQN, the escape action selector chooses the optimal escape action. Finally, themodifier converts XSS samples based on the selected actions.A. DDQNIn reinforcement learning, the decision maker or learner is called the Agent. The sum of all otherinteractions with them is called the Environment, and the environment generated such as game scoresis called the Reward. DeepMind’s VMnih first proposed the deep Q-networks (DQN) network in 2013.DQN uses end-to-end reinforcement learning to learn strategies from high-dimensional input andachieves comparable results to professional players in the many challenges of the Atari2600 game [14].DQN is a deep Q network based on the Q-learning algorithm. The main improvements are as follows:(1)(2)(3)Limit the reward value and the error term to a limited range and define the Q value and thegradient to be within a valid limited range to improve the stability of the model.Adopt the experience replay training mechanism. The training of deep neural network requiresthat the samples be independent and identically distributed. However, the data acquired byreinforcement learning have a strong correlation. Direct training will lead to the problem oftraining instability. DQN stores the transferred samples of each step into memory D based onthe experience replay mechanism, and each time, a mini-batch transfer sample is randomlyextracted from D. The parameters are updated according to the gradient descent and randomizedby introducing the experience replay sampling, which weakens the correlation between the data,thereby improving the stability of the model.Use a deep neural network to approximate the current value function. In addition, use anothernetwork to generate a target value function. Every Cround, the target value function is updatedwith the current value function, and the other rounds keep the target value function unchanged.There is an overestimation problem in the DQN algorithm, which may lead to overestimationof a non-optimal action, such that the Q value exceeds the Q value of the optimal action. Finally, themodel cannot obtain the optimal action. In order to solve the problem of overestimation of the DQNalgorithm, Van Hasselt et al. [15] proposed the double DQN algorithm (DDQN), which decomposesthe target value function into the action selection value function and action evaluation value function.It can solve the problem of overestimation by decoupling action selection and action evaluation.The neural network part of DQN can be seen as a new neural network with an old neural network.They have the same structure, but their internal parameter updates are delayed. The idea of DDQN isto use another neural network to eliminate some effects of maximum error. Therefore, DDQN uses theQ-estimated neural network to estimate the maximum action value of Qmax(s’, a’) in Q reality. Then,we use this action estimated by Q to select Q(s’) in Q reality. The basic operating principle of DDQN isshown in Figure 2.

Future Internet 2019, 11, 1776 of 13Figure 2. DDQN technical principle framework.The time and space complexity of RLXSS depends mainly on the DDQN algorithm:YtDoubleDQN Rt 1 γQ(St 1 , argmax Q(St 1 , a; θt )θt )(2)aIn the algorithm, the parameter t represents the current step of the algorithm; the parameter arepresents the action selected by the algorithm; St 1 represents the new state of DDQN; θ represents theweight in the new neural network. We can see from the algorithm that DDQN is the time complexityof recursion, and its spatial complexity is twice that of the neural network.B. XSS escape technology and action spaceFigure 3 shows a schematic diagram of the structure of common XSS attack vectors, includingtags, attribute expressions, event expressions, content, and other components.Figure 3. XSS attack vector structure diagram.According to the characteristics of XSS attack, we present four types of XSS attack escapetechnologies proposed in this paper, including encoding obfuscation, sensitive word substitution,position morphology transformation, and adding special characters. The attack vectors are generatedbased on the escape strategy, which is used for adversarial attack the detection tools or models to mineadversarial samples that escape detection and retain aggressive features. On the basis of four types ofescape techniques, the escape action space of the XSS attack is defined as follows: Add an assignment expression before the eventReplace the alert function with another functionUse the top function to modify the alert function

Future Internet 2019, 11, 177 7 of 13Add a random string at the end of the labelAdd a random string at the end of the sampleGeneral the event replacement tag for any characterAdd a comment between the function and the parameterAdd a calculation expression before the functionReplace the bracketsReplace the spaceReplace the eventAdd blank characters after the eventRandomly convert the uppercase and lowercase letters of the label and event character wordsAttribute expression and event expression positional transformationUnicode encodingHTML entity encodingRegular XSS statements are often killed by detection software, but these action spaces provideescape methods for XSS attack. These action spaces will be used by the Agent to mutate the XSS code,which can produce a valid XSS payload.3.2.4. Mining XSS Adversarial SamplesThe XSS adversarial attack model is constructed based on the DDQN reinforcement learningalgorithm. The malicious samples are input into the black-box or white-box XSS detection tool, andthe corresponding detection results are obtained. When the inspection result and the current sampleare input into the Agent, the adversarial model selects the optimal escape action in the action spacebased on the environmental state. After transforming the malicious samples, they are re-input intothe black-box or white-box XSS detection tool for detection. Feedback rewards are given according towhether the escaping results are successful or exceed the maximum number of attempts. Otherwise, itcontinues to find the optimal escape strategy. What is more, the samples of successful escape detectionare saved as XSS adversarial samples.3.3. Optimizing the Ability of XSS Detection Models to Defend against Adversarial Attacks through RetrainingBased on the DDQN reinforcement learning algorithm, we built the adversarial attack of theblack-box and white-box detection model. We mined the adversarial attack samples with successfulescape detection and retaining attack function, thus verifying the effectiveness of the attack model.However, the purpose of our research is to optimize the detection model rather than implementthe attack. Therefore, this paper proposes a retraining model, marking the adversarial sample as amalicious sample and then retraining the detection model. By continuously training the adversarialmodel and the detection model, the ability of the detection model to defend against adversarial attackis improved. In summary, we try to improve the DeepXSS model’s ability to defend against adversarialattacks through the RLXSS model.4. Experiments and Evaluations4.1. DatasetThe XSSed project was created in early February 2007. It provides information on all things relatedto cross-site scripting vulnerabilities and is the largest online archive of XSS vulnerable websites. In theexperiment, we used 33,426 samples from the XSSed database (http://www.xssed.com/) as XSSmalicious samples and as the initial dataset for adversarial attacks. The data we used are real andvalid attack samples collected by www.xssed.com over the past 10 years. Therefore, we believe thatwe can generate samples more suitable for the real environment by training on this dataset.

Future Internet 2019, 11, 1778 of 134.2. Experimental EnvironmentRLXSS was programmed based on Python3, Keras-rl, and OpanAIGym. Keras-rl [16] is anopen-source toolkit for deep reinforcement learning based on Keras. OpanAIGym [17] is an open-sourcetoolkit for developing and comparing reinforcement learning algorithms, which is usually used toprovide an environment for reinforcement learning. We chose two common website security softwarepackages, SafeDog [18] (Apache Version V4.0) and XSSChop [19] (version: b6d98f6; update date:35 January 2019) as the black-box model for the adversarial attacks’ target. We chose DeepXSS as thetarget of the white-box model for the adversarial attack and as the final target model of optimizingdefense capability. The detail experiment environment is listed in Table 1.Table 1. Experiment environment.SystemRAMCPUGPUUbuntu 16.04.4 LTS16Gi7-7700 CPU @ 3.60 GHzNVIDIA GeForce GTX 1060 6 GBVersions of Python andExtension LibraryPython 3.6.7 keras-rl 0.4.2gym 0.9.5requests 2.18.4tensorflow 1.13.1 keras 2.0.9gensim 3.2.0h5py 2.9.0sklearn 0.20.34.3. Evaluation Method4.3.1. Evaluation CriteriaIn order to evaluate the experiment objectively, the DR (detection rate) and ER (escape rate) wereused. Their definitions are shown in the formulas below.Number o f malicious samples detectedTotal number o f malicious samples(3)Number o f escaping Success 1 DRTotal number o f malicious samples(4)DR ER The ER (escape rate) reflects the proportion of the target detection model or tool classifyingmalicious samples into benign samples after escape transformation. The higher the proportion, themore vectors represent escape, which indicates that the defection of the model of defense adversarialattack is greater. The DR (detection rate), which reflects the escape detection model or tool, can stilldetect the proportion of malicious attack samples. The higher the detection rate, the stronger theability of the model or tool to defend against attacks. The DR reflects the proportion of maliciousattack samples after escape confusion, and the detection model or tool can still detect malicious attacksamples. For example, the higher the detection rate, the stronger the ability of the model or tool todefend against the adversarial attack.4.3.2. Evaluation ModelIn order to test the detection rate and escape rate of the adversarial model, we not only usedthe most popular XSS detection software (SafeDog and XSSChop), but also trained the LSTM modelfor evaluation. To get a better LSTM model, the paper tuned the Size, Iter, Window, and Negativeparameters in Word2Vec. Through the control variable method, only one parameter was modified at atime, and the effects of different parameters on the recall rate, accuracy, accuracy, and F1 value of theLSTM detection model were compared. The experimental results of the Word2Vec parameter tuningare shown in Figure 4.

Future Internet 2019, 11, 1779 of 13Figure 4. Word2Vec parameter tuning relationship diagram for LSTM.The experiment comprehensively considered the recall, precision, accuracy, F1 value, and trainingtime to adjust the parameters. Finally, we decided to set the training parameters of Word2Vec asfollows: “size” to 60; “windows” to 10; “negative” to 20, and “iter” to 70.To evaluate the LSTM model trained in the experiment objectively, we compared the model withthe traditional machine learning algorithm based on ADTree and AdaBoost proposed by WangRui.Their method used the same XSS malicious sample dataset as this paper. The paper also selected theSafeDog and XSSChop for comparative experiments. The comparing results are shown in Table 2.Table 2. Comparative experiment of the XSS detection model for LSTM.ModelPrecisionRecallF1 0.9480.762From the result, the accuracy of the LSTM-based XSS attack detection model was 99.5%; the recallrate was 97.9%; and the F1 value was 98.7%. The performance in terms of accuracy, recall, and F1 wassuperior to the traditional machine learning algorithms ADTree and AdaBoost. The accuracy of theLSTM model in this paper was slightly lower than SafeDog and XSSChop, but the accuracy rates ofthe three were all more than 99.5%. Besides, the LSTM detection model trained in the experiment wassuperior to the website SafeDog and XSSChop in terms of recall rate and F1 value. In summary, theLSTM-based detection model trained in the experiment had obvious advantages in accuracy, recallrate, and F1 value, which proves that the model can effectively detect cross-site scripting attacks.4.4. Adversarial Attack Experiment ResultsWe entered the XSS dataset into the adversarial model and got a batch of XSS adversarial samplesafter training. We organized these samples and named them the “adversarial dataset”. The adversarial

Future Internet 2019, 11, 17710 of 13dataset was used to test various XSS detection software and calculate the escape rate and detectionrate. Comparing the results of SafeDog, XSSChop, and the LSTM model (we named it DeepXSS), thedetails are shown in Table 3.Table 3. Adversarial result. DR, detection rate; ER, escape 50.1410.0930.0825The results of the adversarial attack showed that the escape rate of SafeDog was 14.1%, XSSChopwas 9.3%, and DeepXSS was 8.25%. The XSS adversarial attack model based on reinforcement learningproposed in this paper can effectively mine the adversarial samples of the white-box and black-boxdetection model to escape detection. According to the results of the adversarial attack experiment, wesuccessfully mined the general XSS escape strategy for SafeDog and the general XSS escape strategyfor XSSChop, which are analyzed in the following.(a) The general XSS escape strategies for SafeDog and the adversarial samples for SafeDoggenerated according to the generic escape strategy are shown in Figure 5.Figure 5. Examples of generic XSS escape strategies for SafeDog.For the filtered tags of source , svg , img , iframe , we added useless characters accordingto the escape action so that the number of characters between the “ ” character and the “ ” characterswas greater than a certain threshold to bypass SafeDog’s detection and retained the attack function ofattack vectors.(b) The general XSS escape strategies for XSSChop and the adversarial samples for XSSChopgenerated according to the generic escape strategy are shown in Figure 6.Next, we will further enhance the ability of the DeepXSS model to defend against adversarialattacks through the retraining model.

Future Internet 2019, 11, 17711 of 13Figure 6. Examples of generic XSS escape strategies for XSSChop.On the one hand, Strategy A is as follows. A string was added before the attack vector, and itsstructure satisfied: “ ” ”space” ”any length of letters or numbers” ” ”; at the same time, if theattack vector contained events such as onload, onerror, and so on, we needed to ensure that therewas no “space” before the corresponding event. Finally, we could change the position of the eventexpression in the attack vector and replace the space with “/”. An attack vector bypassing XSSChopdetection was constructed. On the other hand, Bypass Strategy B was as follows. According to theescape action, we added an arbitrary assignment expression before onload, ontoggle, onerror, onclick,and other events of the attack vector, so that its structure satisfied “any length of letters or numbers” “ ” “single or double quotes” “any length of letters or numbers” “single or double

can be modified [5]. What is more, there are some studies on the adversarial attack of cybersecurity detection models, which aim at malware detection research. Rosenberg et al. [6] proposed a black-box adversarial attack based on the Application Programming Interface (API) for calling machine-based