{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,2]],"date-time":"2026-05-02T07:16:52Z","timestamp":1777706212054,"version":"3.51.4"},"reference-count":12,"publisher":"SAGE Publications","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IFS"],"published-print":{"date-parts":[[2022,7,21]]},"abstract":"<jats:p>A drive-by download is a method of hackers planting the Web Trojan, which exploits browser vulnerabilities to execute malicious software. Because people usually access web pages with various browsers daily, drive-by downloads have become one of the most common threats in recent years. Most previous studies utilize the abstract syntax tree(AST) with deep learning methods to detect such attacks, which achieved high accuracy but are time-consuming and challenging to explain. Also, some methods use dynamic analysis, which needs a specific environment and is time-consuming with the complex operation. In order to solve these problems, the paper proposes DDIML, an explainable machine learning model based on novel features with static analysis. These features are extracted from five aspects: code obfuscation, URL redirection, special behaviors, encoding characters, and CSS attributes. The most popular machine learning algorithm, Random forest, is applied for building the classifier detection model. In addition, we use both local and global explanations to improve the model and prove that the proposed model could be trusted. The Experimental results show that our proposed model can efficiently detect drive-by downloads with a detection precision of 0.983 and a recall of 0.980. The average detection time for each sample is only 16.07ms in total.<\/jats:p>","DOI":"10.3233\/jifs-212496","type":"journal-article","created":{"date-parts":[[2022,4,22]],"date-time":"2022-04-22T11:27:20Z","timestamp":1650626840000},"page":"3429-3442","source":"Crossref","is-referenced-by-count":0,"title":["DDIML: Explainable detection model for drive-by-download attacks"],"prefix":"10.1177","volume":"43","author":[{"given":"Xiaole","family":"Liu","sequence":"first","affiliation":[{"name":"School of Cyber Science and Engineering, Sichuan University, Chengdu, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Cheng","family":"Huang","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering, Sichuan University, Chengdu, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yong","family":"Fang","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering, Sichuan University, Chengdu, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","reference":[{"key":"10.3233\/JIFS-212496_ref8","doi-asserted-by":"crossref","unstructured":"Aurore Fass , Robert Krawczyk P. , Michael Backes and Ben Stock , Jast: Fully syntactic detection of malicious (obfuscated) javascript, In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 303\u2013325. Springer, 2018.","DOI":"10.1007\/978-3-319-93411-2_14"},{"key":"10.3233\/JIFS-212496_ref9","doi-asserted-by":"crossref","first-page":"105721","DOI":"10.1016\/j.asoc.2019.105721","article-title":"Samuel Ndichu, Sangwook Kim, Seiichi Ozawa, Takeshi Misu and Kazuo Makishima, A machine learning approach to detection of javascript-based attacks using ast features and paragraph vectors","volume":"84","author":"Samuel Ndichu","year":"2019","journal-title":"Applied Soft Computing"},{"issue":"3","key":"10.3233\/JIFS-212496_ref10","doi-asserted-by":"crossref","first-page":"184","DOI":"10.1049\/trit.2020.0026","article-title":"Deobfuscation, unpacking, and decoding of obfuscated malicious javascript for machine learning models detection performance improvement","volume":"5","author":"Samuel Ndichu","year":"2020","journal-title":"CAAI Transactions on Intelligence Technology"},{"key":"10.3233\/JIFS-212496_ref11","doi-asserted-by":"crossref","first-page":"101764","DOI":"10.1016\/j.cose.2020.101764","article-title":"Detecting malicious javascript code based on semantic analysis,","volume":"93","author":"Yong Fang","year":"2020","journal-title":"Computers & Security"},{"issue":"10","key":"10.3233\/JIFS-212496_ref13","doi-asserted-by":"crossref","first-page":"3440","DOI":"10.3390\/app10103440","article-title":"Malicious javascript detection based on bidirectional lstm model","volume":"10","author":"Xuyan Song","year":"2020","journal-title":"Applied Sciences"},{"key":"10.3233\/JIFS-212496_ref16","doi-asserted-by":"crossref","unstructured":"Junxia Guo , Qiyun Cao , Rilian Zhao and Zheng Li , Improving detection accuracy for malicious javascript using gan, In International Conference on Web Engineering, pages 163\u2013170. Springer, 2020.","DOI":"10.1007\/978-3-030-50578-3_12"},{"issue":"5","key":"10.3233\/JIFS-212496_ref18","doi-asserted-by":"crossref","first-page":"1131","DOI":"10.1587\/transcom.E93.B.1131","article-title":"Design and implementation of high interaction client honeypot for drive-by-download attacks","volume":"93","author":"Mitsuaki Akiyama","year":"2010","journal-title":"IEICE Transactions on Communications"},{"key":"10.3233\/JIFS-212496_ref19","doi-asserted-by":"crossref","first-page":"135","DOI":"10.1016\/j.jnca.2013.03.009","article-title":"Efficient and effective realtime prediction of drive-by download attacks","volume":"38","author":"Gaya Jayasinghe","year":"2014","journal-title":"Journal of Network and Computer Appli- cations"},{"issue":"19","key":"10.3233\/JIFS-212496_ref25","doi-asserted-by":"crossref","first-page":"1","DOI":"10.17485\/ijst\/2017\/v10i19\/114828","article-title":"Detection of malicious javascript code in web pages,(19)","volume":"10","author":"Dharmaraj Patil","year":"2017","journal-title":"Indian Journal of Science and Technology"},{"key":"10.3233\/JIFS-212496_ref26","unstructured":"Nayeem Khan A. , Mohammad Alzaharani Y. Hushmat Kar A. , Hybrid feature classification approach for malicious javascript attack detection using deep learning, International Journal of Computer Science and Information Security (IJCSIS) 18(5) (2020)."},{"key":"10.3233\/JIFS-212496_ref32","doi-asserted-by":"crossref","first-page":"100357","DOI":"10.1016\/j.iot.2021.100357","article-title":"Detection of malicious javascript on an imbalanced dataset","volume":"13","author":"Mimura","year":"2021","journal-title":"Internet of Things"},{"key":"10.3233\/JIFS-212496_ref33","doi-asserted-by":"crossref","first-page":"102218","DOI":"10.1016\/j.cose.2021.102218","article-title":"Jscontana: Malicious javascript detection using adaptable context analysis and key feature extraction","volume":"104","author":"Zhang","year":"2021","journal-title":"Computers & Security"}],"container-title":["Journal of Intelligent &amp; Fuzzy Systems"],"original-title":[],"link":[{"URL":"https:\/\/content.iospress.com\/download?id=10.3233\/JIFS-212496","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T09:46:19Z","timestamp":1777455979000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/full\/10.3233\/JIFS-212496"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,7,21]]},"references-count":12,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.3233\/jifs-212496","relation":{},"ISSN":["1064-1246","1875-8967"],"issn-type":[{"value":"1064-1246","type":"print"},{"value":"1875-8967","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,7,21]]}}}