Exploring Malware Behavior of Webpages Using Machine Learning Technique: An Empirical Study

Round 1

Reviewer 1 Report

This paper performs an empirical study on the features in webpages that
are most vulnerable to malware attacks. A machine learning technique called bagging is used to
improve the feature selection accuracy. Some observations are the following:

1) The introduction part is well-written and clearly identifies the contributions of this work.
2) Please change the title of Section 2 to "Literature Review"
3) Lines 261-262: Bagging as an ensemble was chosen as it mostly performs better than a single classifier, bagging
ensemble classifier can be utilized to expand the accuracy of classification. I think something is wrong in this sentence
or it need to be written in a more understandable way.
4) According to the authors, "significant amount of research has been conducted on malware attack" and this is generally true

The authrs used phishing, botnet and honeypot datasets were used for performance
evaluation. It would be nice to see some comparison results to other techniques or at least, some explanation
is required why the paper is missing such comparisons.

5) In Fig.4 shouldn't the label be "Number of Occurences"? (Verical axis)

Author Response

Please find our response to Reviewer 1(see attachment).

Author Response File: Author Response.pdf

Reviewer 2 Report

The authors of this paper present some research in which they explore malware behavior of webpages using purpotedly machine learning-They also claim that what they are conducting is an empirical study. I have struggled to find the problem that this paper is addressing simply because the title and the contribution are largely at variance. This is owing to the fact that the authors have mixed a lot of things while tring to solve their problem, which in real sense is lost as soon as the paper starts. Firstly, the author states that "To analyze these behaviors,phishing and botnet data  were obtained from UC Irvine", and they validate using MHN server. It is really not clear how many samples of this dataset were used and what was the exact percentage used to train the model and what % was used to test the learning model. The authors have just jumped to Table 1 to give a comparison in Table 1. The author need to do an overhaul of the data analysis (Section 3.5) and systematically show the reader how each step was achieved. Also, it is not clear how the honeypot has validated the outcome. Also, most of the contribution of this work is explained at the introduction section (Line 59 to 91), as a reader, I may have been exposed to a lot before I could start reading. Suggested changes include, rewrite the abstract and mention the problem being solved, avoid mixup of many areas. Is phishing dataset different from botnet dataset? Are these datasets trained together, and rework on Section 3.5. Also, explain what each and every aspect of Figure 4, 5 (visualization) means.

Author Response

Please find our response to Reviewer 2 (see attachment).

Author Response File: Author Response.pdf

Round 2

Reviewer 2 Report

Paper needs to be proof read extensively before full acceptance/ publication

Author Response

The paper was proof read by a professional proof reader before submitting it to MDPI electronics. I have also thoroughly checked and made some minor corrections (see attachment).

Author Response File: Author Response.pdf