Academia.eduAcademia.edu

Outline

Title
Abstract
Figures
Introduction
Assumptions and Research Questions
Related Work
The Proposed Method
Analysis of Data
Conclusion and Future Work
References

Malicious JavaScript Detection by Features Extraction

Profile image of Gerardo CanforaGerardo Canfora
https://doi.org/10.5277/E-INF140105
visibility

description

14 pages

link

1 file

Abstract

In recent years, JavaScript-based attacks have become one of the most common and successful types of attack. Existing techniques for detecting malicious JavaScripts could fail for different reasons. Some techniques are tailored on specific kinds of attacks, and are ineffective for others. Some other techniques require costly computational resources to be implemented. Other techniques could be circumvented with evasion methods. This paper proposes a method for detecting malicious JavaScript code based on five features that capture different characteristics of a script: execution time, external referenced domains and calls to JavaScript functions. Mixing different types of features could result in a more effective detection technique, and overcome the limitations of existing tools created for identifying malicious JavaScript. The experimentation carried out suggests that a combination of these features is able to successfully detect malicious JavaScript code (in the best cases we obtained a precision of 0.979 and a recall of 0.978).

Figures (4)
Features totalUrl, and extUrl do not exhibit an evident difference between trusted and mali- cious samples. We recall here that totalUri counts the total number of URLs in the JavaScript, while eztUrl is the percentage of URLs outside the WUA domain contained in the script. A pos- sible reason why these two features are similar for both the samples is that trusted websites may include external URLs due to external banners or to external legal functions and components that the JavaScript needs for execution (images, flash animation, functions of other websites that the author of the WUA needs to recall). Using external resources in a malicious JavaScript is not so uncommon: examples are drive by download and session hijacking. External resources can be used when the attacker injects a malicious web page into a benign website and needs to lead the website user to click on a malicious link (which can not be part of the benign injected website). The feature funcCalls suggests that trusted websites have a larger number of functions called Figure 1. Boxplots of features Some kinds of malware aim at obtaining the control of the victim machine and the commanc centre, once infected the victim, could occupy computational resources of the victim for sending and executing remote commands. Furthermore some other kinds of malware could require time because they activate secondary tasks like down loading and running additional malware, as ir the case of drive-by-download.
Features totalUrl, and extUrl do not exhibit an evident difference between trusted and mali- cious samples. We recall here that totalUri counts the total number of URLs in the JavaScript, while eztUrl is the percentage of URLs outside the WUA domain contained in the script. A pos- sible reason why these two features are similar for both the samples is that trusted websites may include external URLs due to external banners or to external legal functions and components that the JavaScript needs for execution (images, flash animation, functions of other websites that the author of the WUA needs to recall). Using external resources in a malicious JavaScript is not so uncommon: examples are drive by download and session hijacking. External resources can be used when the attacker injects a malicious web page into a benign website and needs to lead the website user to click on a malicious link (which can not be part of the benign injected website). The feature funcCalls suggests that trusted websites have a larger number of functions called Figure 1. Boxplots of features Some kinds of malware aim at obtaining the control of the victim machine and the commanc centre, once infected the victim, could occupy computational resources of the victim for sending and executing remote commands. Furthermore some other kinds of malware could require time because they activate secondary tasks like down loading and running additional malware, as ir the case of drive-by-download.
Table 1. Results of the test of the null hypothesis Ho We used k-fold cross-validation: the dataset was randomly partitioned into & subsets of data. Fe: : Sy can ey iy i ee: cs he ja
Table 1. Results of the test of the null hypothesis Ho We used k-fold cross-validation: the dataset was randomly partitioned into & subsets of data. Fe: : Sy can ey iy i ee: cs he ja
This could be due to the fact that some trusted websites have values for the features comparable with the ones measured for ma- licious ones. This is evident by looking at the boxplots (figure 1), which show an area of overlapping between the boxplots of the trusted and malicious websites. The prob- lem is that some trusted websites could have values comparable with the malware while others do not. As a matter of fact, some trusted WUAs can contain more business functions than other ones, and require more client machine resources, and so on. This de- pends on the specific business goals of each trusted website. And, consequently, on the type and numbers of the functions that must Table 2. Precision, Recall and RocArea obtained by classifying Malicious and Trusted dataset, using the single features of the model, with the algorithms J48, LadTree, NBTree, RandomForest, RandomTree anc RepTree.
This could be due to the fact that some trusted websites have values for the features comparable with the ones measured for ma- licious ones. This is evident by looking at the boxplots (figure 1), which show an area of overlapping between the boxplots of the trusted and malicious websites. The prob- lem is that some trusted websites could have values comparable with the malware while others do not. As a matter of fact, some trusted WUAs can contain more business functions than other ones, and require more client machine resources, and so on. This de- pends on the specific business goals of each trusted website. And, consequently, on the type and numbers of the functions that must Table 2. Precision, Recall and RocArea obtained by classifying Malicious and Trusted dataset, using the single features of the model, with the algorithms J48, LadTree, NBTree, RandomForest, RandomTree anc RepTree.
Although the proposed features show to be ef- fective in detecting malicious javascript, mis- classification occurs however. The explanation maybe the following: each feature represents an indicator of the possibility that the JavaScript is malicious, rather than offering the certainty. The fact that in average a malicious JavaScript requires a longer execution time (as shown by boxplots) does not mean that all the benign JavaScripts require a small execution time (as outliers in boxplots show). Many payloads con- tained in malicious javascript entail a long time to be executed, but also some business logic of benign javascripts may require long time to be executed. For instance, a benign javascript may contain a multimedia file. The same ex- planation applies to justify the presence of mis- classification for all the other features. Benign files could have a smaller fragmentation because they have a simpler business logic or because of the style of the programmer who has written the code. able 3. Precision, Recall and RocArea obtained by classifying Malicious and Trusted dataset, using the three groups of features of the model, with the algorithms J48, LadTree, NBTree, RandomForest, RandomTree and RepTree In this paper we propose a method for detecting malicious websites that uses a classification based on five features.
Although the proposed features show to be ef- fective in detecting malicious javascript, mis- classification occurs however. The explanation maybe the following: each feature represents an indicator of the possibility that the JavaScript is malicious, rather than offering the certainty. The fact that in average a malicious JavaScript requires a longer execution time (as shown by boxplots) does not mean that all the benign JavaScripts require a small execution time (as outliers in boxplots show). Many payloads con- tained in malicious javascript entail a long time to be executed, but also some business logic of benign javascripts may require long time to be executed. For instance, a benign javascript may contain a multimedia file. The same ex- planation applies to justify the presence of mis- classification for all the other features. Benign files could have a smaller fragmentation because they have a simpler business logic or because of the style of the programmer who has written the code. able 3. Precision, Recall and RocArea obtained by classifying Malicious and Trusted dataset, using the three groups of features of the model, with the algorithms J48, LadTree, NBTree, RandomForest, RandomTree and RepTree In this paper we propose a method for detecting malicious websites that uses a classification based on five features.

Related papers

Hybrid Feature Classification Approach for Malicious JavaScript Attack Detection using Deep Learning
Journal of Computer Science IJCSIS

IJCSIS Vol 18 No. 5 May 2020 Issue, 2020

Abstract:- With the development and rapid growth in IT infrastructure, malicious code attacks are considered as the main threat to cybersecurity. Malicious JavaScript’s which are intentionally crafted by the attackers inside the web page over the web as an emerging security issue affecting millions of users. In past few years, a number of studies have been conducted based on machine learning for detection of malicious JavaScript code attacks has demonstrated a poor detection accuracy and increased performance overheads. In this paper, an effective interceptor approach for detection of multivariate and novel malicious JavaScript’s based on deep learning is proposed and evaluated. Hybrid feature set based on static and dynamic analysis were used. The dataset which was used in this study consists of 32,000 benign webpages and 12,900 malicious pages. The experimental results show that this approach was able to detect 99.01% of new malicious code variants.

View PDFchevron_right
AMA: Static Code Analysis of Web Page for the Detection of Malicious Scripts
Anu Vazhayil

Procedia Computer Science, 2016

JavaScript language, through its dynamic feature, provides user interactivity with websites. It also pose serious security threats to both user and website. On top of this, obfuscation is widely used to hide its malicious purpose and to evade the detection of antivirus software. Malware embedded in web pages is regularly used as part of targeted attacks. To hinder detection by antivirus scanners, the malicious code is usually obfuscated, often with encodings like hexadecimal, unicode, base64, escaped characters and rarely with substitution ciphers like Vigenere, Caesar and Atbash. The malicious iframes are injected to the websites using JavaScript and are also made hidden from the users perspective in-order to prevent detection. To defend against obfuscated malicious JavaScript code, we propose a mostly static approach called, AMA, Amrita Malware Analyzer, a framework capable of detecting the presence of malicious code through static code analysis of web page. To this end, the framework performs probable plaintext attack using strings likely contained in malicious web pages. But this approach targets only few among many possible obfuscation strategies. The evaluation based on the links provided in the Malware domain list demonstrates high level accuracy

View PDFchevron_right
Automatic classification of cross-site scripting in web pages using document-based and URL-based features
Eduardo Souto, Eduardo Feitosa

2012 IEEE Symposium on Computers and Communications (ISCC), 2012

View PDFchevron_right
Detection of Javascript Vulnerability At Client Agen
Divya Rishi Sahu

These days, most of companies expanding their business horizon through dynamic web sites based on Web 2.0 concept. The JavaScript is a key choice of web developers to build sophisticated dynamic web 2.0 application such social network site, blogs, e-commerce websites. On the other hand vulnerable JavaScript code is also exploited by the hackers to launch the attacks. Hacker may tamper the JavaScript code to perform attacks against the client's browser. In this work the series of attacks such as click-jacking, password capturing, phishing and cookies stealing are developed to understand to affect of vulnerable JavaScript code on web browser. The detection of vulnerable JavaScript code is a tedious task for security experts. Hence signature and regular expression based matching mechanism has been developed to detect the vulnerable JavaScript code.

View PDFchevron_right
A Protection Architecture for Malicious JavaScripts on Web Browsers
SDIWC Organization

‘Web-based Cyber Attacks’ for leaking private information or making target system to denial of service (DoS) are arising. Traditional Web-based cyber attacks hide malwares in the Web pages to make it install and make the client under control. Nowadays, however, these attacks have evolved to ‘Script-based Cyber Attacks’ which infect the visitors just by accessing a certain Web page, not using malwares. Traditional Web-based cyber attacks can be protected by detecting malwares, but script-based cyber attacks cannot be protected by the former method because no malwares are detected. Therefore, new architecture is necessary to prevent malicious behaviors on Web browsers. In this paper, a protection architecture is introduced to detect the connection requests for URLs which are used by the attacker, to detect Web pages which have malicious scripts, and to prevent the execution of the malicious JavaScript codes.

View PDFchevron_right
Injecting Comments to Detect JavaScript Code Injection Attacks
hossain shahriar

2011

Most web programs are vulnerable to cross site scripting (XSS) that can be exploited by injecting JavaScript code. Unfortunately, injected JavaScript code is difficult to distinguish from the legitimate code at the client side. Given that, server side detection of injected JavaScript code can be a layer of defense. Existing server side approaches rely on identifying legitimate script code, and an attacker can circumvent the technique by injecting legitimate JavaScript code. Moreover, these approaches assume that no JavaScript code is downloaded from third party websites. To address these limitations, we develop a server side approach that distinguishes injected JavaScript code from legitimate JavaScript code. Our approach is based on the concept of injecting comment statements containing random tokens and features of legitimate JavaScript code. When a response page is generated, JavaScript code without or incorrect comment is considered as injected code. Moreover, the valid comments are checked for duplicity. Any presence of duplicate comments or a mismatch between expected code features and actually observed features represents JavaScript code as injected. We implement a prototype tool that automatically injects JavaScript comments and deploy injected JavaScript code detector as a server side filter. We evaluate our approach with three JSP programs. The evaluation results indicate that our approach detects a wide range of code injection attacks.

View PDFchevron_right
The power of obfuscation techniques in malicious JavaScript code: A measurement study
Yash Panchal

2012 7th International Conference on Malicious and Unwanted Software, 2012

JavaScript based attacks have been reported as the top Internet security threats in recent years. Since most of the Internet users rely on anti-virus software to protect themselves from malicious JavaScript code, attackers exploit JavaScript obfuscation techniques to evade the detection of anti-virus software. To better understand the obfuscation techniques adopted by malicious JavaScript code, we conduct a measurement study. We first categorize observed JavaScript obfuscation techniques. Then we conduct a statistic analysis on the usage of different categories of obfuscation techniques in real-world malicious JavaScript samples. We also study the detection effectiveness of 20 most popular anti-virus software against obfuscation techniques. Based on the results, we analyze the cause of the popularity of obfuscation in malicious JavaScript code; the reason behind the choice of obfuscation techniques and the difference between benign obfuscation and malicious obfuscation. Moreover, we also provide suggestions for designing effective obfuscation detection approaches in future.

View PDFchevron_right
XSSDS: server-side detection of cross-site scripting attacks
Mohammed Hamada

… Conference, 2008. ACSAC …, 2008

Cross-site Scripting (XSS) has emerged to one of the most prevalent type of security vulnerabilities. While the reason for the vulnerability primarily lies on the serverside, the actual exploitation is within the victim's web browser on the client-side. Therefore, an operator of a web application has only very limited evidence of XSS issues. In this paper, we propose a passive detection system to identify successful XSS attacks. Based on a prototypical implementation, we examine our approach's accuracy and verify its detection capabilities. We compiled a data-set of 500.000 individual HTTP request/response-pairs from 95 popular web applications for this, in combination with both real word and manually crafted XSS-exploits; our detection approach results in a total of zero false negatives for all tests, while maintaining an excellent false positive rate for more than 80% of the examined web applications.

View PDFchevron_right
Neural Classification of Malicious Scripts: {A} study with JavaScript and VBScript
Rakshit Agrawal

Malicious scripts are an important computer infection threat vector. Our analysis reveals that the two most prevalent types of malicious scripts include JavaScript and VBScript. The percentage of detected JavaScript attacks are on the rise. To address these threats, we investigate two deep recurrent models, LaMP (LSTM and Max Pooling) and CPoLS (Convoluted Partitioning of Long Sequences), which process JavaScript and VBScript as byte sequences. Lower layers capture the sequential nature of these byte sequences while higher layers classify the resulting embedding as malicious or benign. Unlike previously proposed solutions, our models are trained in an end-to-end fashion allowing discriminative training even for the sequential processing layers. Evaluating these models on a large corpus of 296,274 JavaScript files indicates that the best performing LaMP model has a 65.9% true positive rate (TPR) at a false positive rate (FPR) of 1.0%. Similarly, the best CPoLS model has a TPR of 45.3% at an FPR of 1.0%. LaMP and CPoLS yield a TPR of 69.3% and 67.9%, respectively, at an FPR of 1.0% on a collection of 240,504 VBScript files.

View PDFchevron_right
Zozzle: Low-overhead Mostly Static JavaScript Malware Detection
Charlie Curtsinger

2010

JavaScript malware-based attacks account for a large fraction of successful mass-scale exploitation happening today. From the standpoint of the attacker, the attraction is that these drive-by attacks can be mounted against an unsuspecting user visiting a seemingly innocent web page.

View PDFchevron_right

References (53)

  1. D. Flanagan, JavaScript: The Definitive Guide, 4th ed. O'Reilly Media, 2001. [Online]. http: //shop.oreilly.com/product/9780596000486.do
  2. "Javascript and timing attacks used to steal browser data," Blackhat 2013, last visit 19th June 2014. [Online].
  3. M. Cova, C. Kruegel, and G. Vigna, "Detection and analysis of drive-by-download attacks and malicious JavaScript code," in Proc. of the Inter- national World Wide Web Conference (WWW), 2010, pp. 281-290.
  4. C. Eilers, HTML5 Security. Developer Press, 2013.
  5. O. Hallaraker and G. Vigna, "Detecting mali- cious JavaScript code in mozilla," in Proceedings of the 10th IEEE International Conference of Engineering of Complex Computer System, 2005, pp. 85-94.
  6. "Web workers, W3C candidate recommenda- tion," 2012, last visit 19th June 2014. [Online]. http://www.w3.org/TR/workers/
  7. B. Eshete, "Effective analysis, characterization, and detection of malicious web page," in Pro- ceedings of the 22nd International Conference on World Wide Web companion. International World Wide Web Conferences Steering Commit- tee, 2013, pp. 355-360.
  8. L. Martignoni, R. Paleari, and D. Bruschi, "A framework for behavior-based malware analy- sis in the cloud," in Proceedings of the 5th In- ternational Conference on Information Systems Security, 2009, pp. 178-192.
  9. M. F. Zolkipli and A. Jantan, "An approach for malware behavior identification and classifica- tion," in Proceedings of International Conference of Computer Research and Development, 2011.
  10. C. Ardito, P. Buono, D. Caivano, M. Costabile, and R. Lanzilotti, "Investigating and promoting UX practice in industry: An experimental study," International Journal of Human-Computer Stud- ies, Vol. 72, No. 6, 2014, pp. 542-551.
  11. "ClamAV. Clam antivirus." last visit 19th June 2014. [Online]. http://clamav.net
  12. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose, "All your iFRAMEs point to us," in Proc. of USENIX Security Symposium, 2008.
  13. C. Seifert and R. Steenson, "Capture hon- eypot client (capture hpc)," Victoria Uni- versity of Wellington, NZ, 2006. [Online]. https://projects.honeynet.org/capture-hpc
  14. Y. M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowsk, S. Chen, and S. T. King, "Auto- mated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulner- abilities," in Proc. Of Network and Distributed System Security Symposium (NDSS), 2006.
  15. A. Büscher, M. Meier, and R. Benzmüller, "Throwing a monkeywrench into web attackers plans," in Proc. Of Communications and Multi- media Security (CMS), 2010, pp. 28-39.
  16. A. Ikinci, T. Holz, and F. Freiling, "Monkey-spider: Detecting malicious web- sites with low-interaction honeyclients," in Proc. of Conference "Sicherheit, Schutz und Zuverl 'assigkeit (SICHERHEIT), 2008, pp. 891-898.
  17. J. Nazario, "A virtual client honeypot," in Proc. Of USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2009.
  18. D. Canali, M. Cova, G. Vigna, and C. Kruegel, "Prophiler: a fast filter for the large-scale de- tection of malicious web pages," in Proc. of the International World Wide Web Conference (WWW), 2011, pp. 197-206.
  19. S. Karanth, S. Laxman, P. Naldurg, R. Venkate- san, J. Lambert, and J. Shin, "Zdvue: Prioriti- zation of JavaScript attacks to discover new vul- nerabilities," in Proceedings of the Fourth ACM Workshop on Artificial Intelligence and Security (AISEC 2011), 2011, pp. 637-652.
  20. C. Kolbitsch, B. Livshits, B. Zorn, and C. Seifert, "Rozzle: De-cloaking internet malware," Mi- crosoft Research, Tech. Rep. MSR-TR-2011-94, 2011. [Online]. http://research.microsoft.com/ pubs/152601/rozzle-tr-10-25-2011.pdf
  21. A. Dewald, T. Holz, and F. Freiling, "ADSand- box: sandboxing JavaScript to fight malicious websites," in Proceedings of the 2010 ACM Sym- posium on Applied Computing (SAC '10), 2010, pp. 1859-1864.
  22. M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda, "Defending browsers against drive-by downloads: Mitigating heap-spraying code injec- tion attacks," in In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2009, pp. 88-106.
  23. P. Ratanaworabhan, B. Livshits, and B. Zorn, "Nozzle: A defense against heap-spraying code injection attacks," in Proc. of USENIX Security Symposium, 2009.
  24. L. Lu, V. Yegneswaran, P. A. Porras, and W. Lee, "Blade: An attack-agnostic approach for prevent- ing drive-by malware infections," in Proc. of Conference on Computer and Communications Security (CCS), 2010, pp. 440-450.
  25. K. Rieck, T. Krueger, and A. Dewald, "Cujo: Efficient detection and prevention of drive-by-download attacks," in 26th Annual Computer Security Applications Conference (AC- SAC), 2010, pp. 31-39.
  26. C. Curtsinger, B. Livshits, B. Zorn, and C. Seifert, "Zozzle: Fast and precise in-browser JavaScript malware detection," in Proc. of USENIX Security Symposium, 2010, pp. 3-3.
  27. M. Heiderich, T. Frosch, and T. Holz, "Iceshield: Detection and mitigiation of malicious websites with a frozen dom," in Proceedings of Recent Adances in Intrusion Detection (RAID), 2011, pp. 281-300.
  28. A. Kapravelos, Y. Shoshitaishvili, M. Cova, C. Kruegle, and G. Vigna, "Revolver: An au- tomated approach to the detection of eva- sive web-based malware," in Proceedings of the 22nd USENIX conference on Security, 2013, pp. 637-652.
  29. G. Blanc, D. Miyamoto, M. Akiyama, and Y. Kadobayashi, "Characterizing obfuscated JavaScript using abstract syntax trees: Experi- menting with malicious scripts," in Proceedings of International Conference of Advanced Infor- mation Networking and Applications Workshops, 2012.
  30. C. K. Roy and J. R. Cordy, "A survey on software clone detection research," School of Computing Queen's University at Kingston, Ontario, TR 2007-541, 2007.
  31. P. Wang, L. Wang, J. Xiang, P. Liu, N. Gao, and J. Jing, "MJBlocker: A lightweight and run-time malicious JavaScript extensions blocker," in Pro- ceedings of International Conference on Software Security and Reliability, 2013.
  32. A. Barua, M. Zulkernine, and K. Welde- mariam, "Protecting web browser extension from JavaScript injection attacks," in Proceedings of International Conference of Complex Computer Systems, 2013.
  33. B. Sayed, I. Traore, and A. Abdelhalim, "De- tection and mitigation of malicious JavaScript using information flow control," in Proceedings of Twelfth Annual Conference on Privacy, Security and Trust (PST), 2014.
  34. K. Schutt, M. Kloft, A. Bikadorov, and K. Rieck, "Early detection of malicious behaviour in JavaScript code," in Proceedings of AISec 2012, 2012.
  35. O. Tripp, P. Ferrara, and M. Pistoia, "Hybrid security analysis of web JavaScript code via dy- namic partial evaluation," in Proceedings of In- ternational Symposium on Software Testing and Analysis, 2014.
  36. W. Xu, F. Zhang, and S. Zhu, "JStill: Mostly static detection of obfuscated malicious JavaScript code," in Proceedings of International Conference on Data and Application Security and Privacy, 2013.
  37. Q. Wang, J. Zhou, Y. Chen, Y. Zhang, and J.Zhao, "Extracting URLs from JavaScript via program analysis," in Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, 2013, pp. 627-630.
  38. C. Yue and H. Wang, "Characterizing insecure JavaScript practices on the web," in Proceedings of the 18th international conference on World wide web, 2009, pp. 961-970.
  39. J. Politz, S. Eliopoulos, A. Guha, and S. Krish- namurthi, "Adsafety: Type-based verification of JavaScript sasndboxing," in Proceedings of the 20th USENIX conference on Security, 2011.
  40. A. Guha, C. Saftoiu, and S. Krishnamurthi, "The essence of JavaScript," in ECOOP 2010-Object-Oriented, 2011, pp. 1-25.
  41. M. Finifter, J. Weinberger, and A. Barth, "Pre- venting capability leaks in secure JavaScript sub- stes," in Proceedings of the Network and Dis- tributed System Security Symposium, 2010.
  42. A. Taly, U. Erlingsson, J. Mitchell, M. Miller, and J. Nagra, "Automated analysis of security-critical JavaScript apis," in 2011 IEEE Symposium on Security and Privacy, 2011, pp. 363-379.
  43. C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir, "Browsershield: Vulnerability-driven filtering of dynamic html," ACM Transactions on the Web, Vol. 1, No. 3, 2007.
  44. "Facebook SDK for JavaScript," last visit 13th October 2014. [Online]. https: //developers.facebook.com/docs/javascript
  45. "Google Caja," last visit 13th October 2014. [Online]. https://developers.google.com/caja/
  46. O. Ismail, M. Etoh, Y. Kadobayashi, and S. Yam- aguchi, "A proposal and implementation of auto- matic detection/collection system for cross-site scripting vulnerability," in Proceedings of the 18th International Conference on Advanced In- formation Networking and Applications, Vol. 2, 2014.
  47. E. Kirda, C.Kruegel, G. Vigna, and N. Jovanic, "Noxes: A client-side solution for mitigating cross-site scripting attacks," in Proceedings of the 2006 ACM symposium on Applied computing, 2006, pp. 330-337.
  48. "Weka 3: Data mining software in Java," last visit 19th June 2014. [Online].
  49. "Chrome DevTools overview," last visit 19th June 2014. [Online]. https://developers.google. com/chrome-developer-tools/
  50. "Robot Soft -mouse and keyboard recorder," last visit 13th October 2014. [Online]. http://www.robot-soft.com/
  51. "Actionable analytics for the web," last visit 19th June 2014. [Online]. http://www.alexa.com/
  52. "VirusTotal," last visit 19th June 2014. [Online]. https://www.virustotal.com/
  53. "hpHosts onliine," last visit 19th June 2014. [Online]. http://www.hosts-file.net/

Related papers

Detection of Obfuscated Malicious JavaScript Code
Ammar Alazab

Future Internet

Websites on the Internet are becoming increasingly vulnerable to malicious JavaScript code because of its strong impact and dramatic effect. Numerous recent cyberattacks use JavaScript vulnerabilities, and in some cases employ obfuscation to conceal their malice and elude detection. To secure Internet users, an adequate intrusion-detection system (IDS) for malicious JavaScript must be developed. This paper proposes an automatic IDS of obfuscated JavaScript that employs several features and machine-learning techniques that effectively distinguish malicious and benign JavaScript codes. We also present a new set of features, which can detect obfuscation in JavaScript. The features are selected based on identifying obfuscation, a popular method to bypass conventional malware detection systems. The performance of the suggested approach has been tested on JavaScript obfuscation attacks. The studies have shown that IDS based on selected features has a detection rate of 94% for malicious sa...

View PDFchevron_right
Detecting Obfuscated JavaScript Malware Using Sequences of Internal Function Calls
emad mahmodi

Web browsers are often used as a popular means for compromising Internet hosts. An attacker may inject a JavaScript malware into a web page. When a victim visits this page, the malware is executed and attempts to exploit a specific browser vulnerability or download an unwanted program. Obfuscated JavaScript mal-ware can easily evade signature-based detection by changing the appearance of JavaScript code. To address this problem, some previous studies have used static analysis in which some features are extracted from both benign and malicious web pages, and then a classifier is trained to distinguish between them. Because nowadays benign JavaScript code is often obfuscated, static analysis techniques generate many false alarms. In this paper, we use dynamic analysis to monitor a web page for detecting obfuscated JavaScript malware. We first load a set of malicious web pages in a real web browser and collect a sequence of predictive function calls using internal function debugging for each of them. We then group similar sequences into the same cluster based on the normalized Levenshtein distance (NLD) metric and generate a so-called behavioral signature for each cluster. A web page is detected as malicious only if the sequence of its intercepted function calls is matched with at least one generated behavioral signature. Our evaluation results show that the generated behavioral signatures are able to detect obfuscated JavaScript malware with a low false alarm rate.

View PDFchevron_right
JStill: Mostly Static Detection of Obfuscated Malicious JavaScript Code
Arunjith Rex

The dynamic features of the JavaScript language not only promote various means for users to interact with websites through Web browsers, but also pose serious security threats to both users and websites. On top of this, obfuscation has become a popular technique among malicious JavaScript code that tries to hide its malicious purpose and to evade the detection of anti-virus software. To defend against obfuscated malicious JavaScript code, in this paper we propose a mostly static approach called JStill. JStill captures some essential characteristics of obfuscated malicious code by function invocation based analysis. It also leverages the combination of static analysis and lightweight runtime inspection so that it can not only detect, but also prevent the execution of the obfuscated malicious JavaScript code in browsers. Our evaluation based on real-world malicious Jav-aScript samples as well as Alexa top 50,000 websites demonstrates high detection accuracy (all in our experiment) and low false positives of JStill. Meanwhile, JStill only incurs negligible performance overhead, making it a practical solution to preventing obfuscated malicious JavaScript code.

View PDFchevron_right
A WEB CONTENT ANALYTICS ARCHITECTURE FOR MALICIOUS JAVASCRIPT DETECTION
Computer Science & Information Technology (CS & IT) Computer Science Conference Proceedings (CSCP)

Recent web-based cyber attacks are evolving into a new form of attacks such as private information theft and DDoS attack exploiting JavaScript within a web page. These attacks can be made just by accessing a web site without distribution of malicious codes and infection. Script-based cyber attacks are hard to detect with traditional security equipments such as Firewall and IPS because they inject malicious scripts in a response message for a normal web request. Furthermore, they are hard to trace because attacks such as DDoS can be made just by visiting a web page. Due to these reasons, it is expected that they could result in direct damages and great ripple effects. To cope with these issues, in this article, a proposal is made for techniques that are used to detect malicious scripts through real-time web content analysis and to automatically generate detection signatures for malicious JavaScript.

View PDFchevron_right
Detecting obfuscated JavaScripts using machine learning
Krzysztof Kryszczuk

2016

JavaScript is a common attack vector for attacking browsers, browser plug-ins, email clients and other JavaScript enabled applications. Malicious JavaScripts redirect victims to exploit kits, probe for known vulnerabilities to select a fitting exploit or manipulate the Document Object Model (DOM) of a web page in a harmful way. Malicious JavaScript code is often obfuscated in order to make it hard to detect using signature-based approaches. Since the only other reason to use obfuscation is to protect intellectual property, the share of scripts which are both benign and obfuscated is quite low, and could easily be captured with a whitelist. A detector that can reliably detect obfuscated JavaScripts would therefore be a valuable tool in fighting malicious JavaScripts. In this paper, we present a method for automatic detection of obfuscated JavaScript using a machine-learning approach. Using a dataset of regular, minified and obfuscated samples from a content delivery network and the A...

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved