Antivirus applied to Google Chrome's extension malware

IF 4.8 | Zone 2, Computer Science | JCR Q1, COMPUTER SCIENCE, INFORMATION SYSTEMS
Gabriela Leite Pereira, Leonardo Silvino Brito, Sidney Marlon Lopes de Lima
Computers & Security, volume 156, Article 104465. Published 2025-05-02. DOI: 10.1016/j.cose.2025.104465
https://www.sciencedirect.com/science/article/pii/S0167404825001543
Citations: 0

Abstract

Background and Objective

Despite the massive use of antivirus on personal computers, malicious applications are on the rise. Nowadays, modern malware uses browser extensions rather than portable files. A three-month study found that Chrome users downloaded malicious extensions 33 million times. Some of these extensions received more than ten million installs. These malicious extensions captured keystrokes, including passwords, and screenshots.

Methods

This work aims to create antivirus software to detect malicious Google Chrome extensions (CRX). Our engine runs the suspicious CRX sample to infect a monitored Windows OS in a controlled environment. In total, our antivirus monitors and considers 1098 actions that the suspicious CRX file can perform when executed. The audited behaviors serve as input neurons for the authors' neural networks. The aim is to recognize the pattern of malicious add-ons and separate them from benign ones. Instead of deep networks, the authorial networks are of low computational complexity. Due to the excellent results in different areas, there is a common belief that deep learning can always provide the best results. In fact, this consideration is false. To prove the theory, the authors' antivirus uses shallow morphological neural networks.

Results

The authors' antivirus is both accurate and efficient, based on neural networks. The authorial antivirus can combine high accuracy with reduced learning time. The antivirus achieved a 99.99% success rate in detecting malware. It distinguished between benign CRX files and malware. Training takes an average of 0.60 s. The researchers investigate different initial conditions, learning functions and antivirus architectures.

Conclusions

Intelligent antiviruses can fix traditional antiviruses' flaws. They rely on a client's prior infection to act against new threats. Unlike this reactive approach, our antivirus detects harmful add-ons before the user triggers them. Unlike most traditional antiviruses, our antivirus works differently. It can detect the malicious intent of a suspicious add-on before the user clicks it. Our antivirus detects malware preventively rather than reactively. Our antivirus is also statistically superior to commercial and state-of-the-art antiviruses.

Source journal

Computers & Security (Engineering & Technology - Computer Science: Information Systems)
CiteScore: 12.40
Self-citation rate: 7.10%
Articles published: 365
Review time: 10.7 months

Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.