Detecting Malicious Websites Based on The System Provenance Dependency Graph and GraphSAGE
摘要
Malicious websites pose significant security and economic risks by distributing malware and stealing sensitive data. Existing detection methods, including static code, dynamic code, and provenance analysis, face challenges such as evasion strategies and limited feature extraction capabilities. This paper introduces a novel approach combining system provenance dependency graphs with GraphSAGE to address these limitations. The proposed method optimizes graph construction by splitting nodes with strong centrality based on process execution characteristic and integrating “virtual time nodes/edges” to confront disconnected graphs. A GraphSAGE-MLP model is developed to automatically extract nonlinear features from system provenance dependency graph, enabling robust detection without browser modifications. Experiments across Firefox Windows, Chrome Windows, Chrome Linux and Firefox Linux environments demonstrate the method’s superiority, achieving performance improvements of up to 3.4% compared to existing approaches.