International Journal of Open Information Technologies

This paper proposes an approach to increase the resilience of machine and deep learning algorithms to adversarial attacks. The paper considers various ways to conduct cross-site scripting attacks. A number of studies on the use of machine and deep learning (ML/DL) algorithms for detecting cross-site scripting attacks are analyzed. A general algorithm for conducting adversarial attacks on ML/DL algorithms is described. A scenario for an attack on a detector model operating in the "black box" mode is considered. The method for generating adversarial examples is reinforcement learning. MLP, CNN, and LSTM were selected as the models to be attacked. To generate adversarial attacks, the Proximal Policy Optimization (PPO) algorithm is used, which provides more stable training of the attacking model and has less sensitivity to hyperparameters, while maintaining sufficient performance. The solution based on the PPO algorithm uses selected mutations checked for syntactic correctness, which are then used to replenish the dataset when retraining the detector model. The experimental results demonstrate the efficiency and applicability of the proposed solution. Standard quality metrics were used. Despite the initially high F1-measure value, all models missed 98% or more of the adversarial examples, demonstrating complete instability to the adversarial attack. The authors implemented twelve mutations of XSS attacks, four of which showed the greatest efficiency. In addition to generating adversarial examples, logging of the obtained examples was implemented to form a dataset for additional training, as well as collecting statistics on successful and unsuccessful mutations.

The Open Web Application Security Project (OWASP) Top 10, https://owasp.org/www-project-top-ten/, 2021.

Cross Site Scripting (XSS). OWASP, https://owasp.org/www-community/attacks/xss/.

Weamie, S. Cross-Site Scripting Attacks and Defensive Techniques: A Comprehensive Survey* // International Journal of Communications, Network and System Sciences, 15, 126-148, 2022

Mereani F. A., Howe J. M. Detecting Cross-Site Scripting Attacks Using Machine Learning // The International Conference on Advanced Machine Learning Technologies and Applications (AMLTA2018). — Cham, 2018. — S. 200—210.

Fawaz Mahiuob Mohammed Mokbal D. W., Wang X. Detect Cross-Site Scripting Attacks Using Average Word Embedding and Support Vector Machine // International Journal of Network Security. — 2022.

F. M. M. Mokbal [i dr.] XGBXSS: An Extreme Gradient Boosting Detection Framework for Cross-Site Scripting Attacks Based on Hybrid Feature Selection Approach and Parameters Optimization // Journal of Information Security and Applications. — 2021. — T. 58. — S. 102813.

Abaimov S., Bianchi G. CODDLE: Code-Injection Detection With Deep Learning // IEEE Access. — 2019. — T. 7. — S. 128617—128627.

Y. Fang [i dr.] DeepXSS: Cross Site Scripting Detection Based on Deep Learning // Proceedings of the 2018 International Conference on Computing and Artificial Intelligence. — Chengdu, China : Association for Computing Machinery, 2018. — S. 47—51. — (ICCAI ’18).

L. Lei [i dr.] XSS Detection Technology Based on LSTM-Attention // 2020 5th International Conference on Control, Robotics and Cybernetics (CRC). — 2020. — S. 175—180.

T. Hu [i dr.] Cross-site scripting detection with two-channel feature fusion embedded in self-attention mechanism // Computers Security. — 2023. — T. 124. — S. 102990.

Z. Liu [i dr.] GraphXSS: An efficient XSS payload detection approach based on graph convolutional network // Computers Security. — 2022. —T. 114. — S. 102597.

Namiot D. E., Il'jushin E. A., Chizhov I. V. ATAKI NA SISTEMY MAShINNOGO OBUChENIJa-OBShhIE PROBLEMY I METODY // International Journal of Open Information Technologies. – 2022. – T. 10. – #. 3. – S. 17-22.

Apostol Vassilev, Alina Oprea, Alie Fordyce, and Hyrum Anderson. Adversarial machine learning: A taxonomy and terminology of attacks and mitigations. Technical Report. // National Institute of Standards and Technology. 2024

Q. Wang [i dr.] Black-box adversarial attacks on XSS attack detection model // Computers Security. — 2022. — T. 113. — S. 102554.

L. Chen [i dr.] XSS adversarial example attacks based on deep reinforcement learning // Computers Security. — 2022. — T. 120. — S. 102831.

Foley M., Maffeis S. Haxss: Hierarchical Reinforcement Learning for XSS Payload Generation // 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). — 2022. — S. 147—158.

Y. Fang [i dr.] RLXSS: Optimizing XSS Detection Model to Defend Against Adversarial Attacks Based on Reinforcement Learning // Future Internet. — 2019. — T. 11, # 8.

X. Zhang [i dr.] Adversarial Examples Detection for XSS Attacks Based on Generative Adversarial Networks // IEEE Access. — 2020. — T. 8. — S. 10989—10996.

OWASP. Cross Site Scripting Prevention Cheat Sheet. —https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html.

PortSwigger. Cross-site scripting (XSS) cheat sheet. https://portswigger.net/web-security/crosssite-scripting/cheat-sheet.

J. Schulman [i dr.] Proximal Policy Optimization Algorithms // arXiv preprint arXiv:1707.06347v2 — 2017.

Cross site scripting XSS dataset for Deep learning. https://www.kaggle.com/datasets/syedsaqlainhussain/cross-site-scripting-xss-dataset-for-deep-learning.

XSS dataset. https://github.com/fawaz2015/XSS-dataset.

XSSDataSets, https://github.com/fmereani/Cross-Site-Scripting-XSS/tree/master/XSSDataSets.

Suhomlin, Vladimir Aleksandrovich, et al. "Model' cifrovyh navykov kiberbezopasnosti 2020." Sovremennye informacionnye tehnologii i IT-obrazovanie 16.3 (2020): 695-710.

Yudova, E. A., and Olga R. Laponina. "Analysis of the possibilities of using machine learning technologies to detect attacks on web applications." International Journal of Open Information Technologies 10.1 (2021): 61-68.

Merkulov, Artem S., and Olga R. Laponina. "Testing Cross-Site Scripting (XSS) Vulnerabilities in an Online Payment Web Application." International Journal of Open Information Technologies 7.10 (2019): 59-70.

Umnaja infrastruktura, fizicheskie i informacionnye aktivy, Smart Cities, BIM, GIS i IoT / V. P. Kuprijanovskij, V. V. Alen'kov, I. A. Sokolov [i dr.] // International Journal of Open Information Technologies. – 2017. – T. 5, # 10. – S. 55-86. – EDN ZISODV.

Razvitie transportno-logisticheskih otraslej Evropejskogo Sojuza: otkrytyj BIM, Internet Veshhej i kiber-fizicheskie sistemy / V. P. Kuprijanovskij, V. V. Alen'kov, A. V. Stepanenko [i dr.] // International Journal of Open Information Technologies. – 2018. – T. 6, # 2. – S. 54-100. – EDN YNIRFG.ferences