DOI: 10.1145/2903185.2903189

An Efficient Method for Detecting Obfuscated Suspicious JavaScript Based on Text Pattern Analysis

Published: 30 May 2016

Abstract

Malicious JavaScript is a common springboard for attackers to launch several types of network attacks, such as Drive-by-Download and malicious PDF delivery attacks. To elude detection by signature matching, malicious JavaScript is often packed (so-called "obfuscation") with diversified algorithms; the occurrence of obfuscation is therefore always a good indicator of potential maliciousness. In this investigation, we propose a lightweight approach for quickly filtering obfuscated JavaScript using a novel method of tokenizing JavaScript text at the letter level together with information-theoretic measures, building on previous work in the domain of detecting obfuscated malicious code as well as on the pattern analysis of natural languages. The new approach is apparently time efficient compared to existing systems, since it processes far fewer objects, while it is also proved able to reach acceptable detection accuracies.
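To make the idea of letter-level text statistics concrete, the following is an added illustration and not the paper's algorithm or code: it splits script text into runs of letters and computes the letter ratio, mean run length and Shannon entropy of the run-length distribution. The feature set, the thresholds and both sample scripts are assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed samples (not taken from the paper's datasets).
PLAIN = (
    'function greet(name) {\n'
    '  var message = "hello " + name;\n'
    '  console.log(message);\n'
    '  return message;\n'
    '}\n'
)
PACKED = (
    r'var _0x1f=["\x68\x65\x6c\x6c\x6f\x20","\x6c\x6f\x67"];'
    r'console[_0x1f[1]](_0x1f[0]+_0x2a);'
)


def shannon_entropy(counts):
    """Entropy in bits of the distribution described by a Counter."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def letter_features(text):
    """Letter-level statistics: the text is tokenized into runs of ASCII letters."""
    runs = re.findall(r"[A-Za-z]+", text)
    letters = sum(len(r) for r in runs)
    return {
        "letter_ratio": letters / len(text) if text else 0.0,
        "mean_run": letters / len(runs) if runs else 0.0,
        "run_length_entropy": shannon_entropy(Counter(len(r) for r in runs)),
    }


def looks_obfuscated(text, min_ratio=0.5, min_mean_run=3.0):
    """Flag text whose letter statistics deviate from readable source.

    Both thresholds are assumed values for this illustration only.
    """
    if not text.strip():
        return False  # nothing to analyse
    f = letter_features(text)
    return f["letter_ratio"] < min_ratio or f["mean_run"] < min_mean_run
```

A filter of this kind only reads the text once and never parses or executes the script, which is what makes it usable as a cheap first pass ahead of heavier analysis.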

Cited By

  • (2021) Measuring Software Obfuscation Quality–A Systematic Literature Review. IEEE Access 9, 99024-99038. DOI: 10.1109/ACCESS.2021.3094517. Online publication date: 2021
  • (2020) A Systematic Literature Review and Quality Analysis of Javascript Malware Detection. IEEE Access 8, 190539-190552. DOI: 10.1109/ACCESS.2020.3031690. Online publication date: 2020
  • (2017) JSDES. Proceedings of the 12th International Conference on Availability, Reliability and Security, 1-13. DOI: 10.1145/3098954.3107009. Online publication date: 29-Aug-2017

      Published In

      WTMC '16: Proceedings of the 2016 ACM International on Workshop on Traffic Measurements for Cybersecurity
      May 2016
      66 pages
      ISBN:9781450342841
      DOI:10.1145/2903185

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. information-theoretic measures
      2. obfuscated javascript
      3. text pattern analysis

      Qualifiers

      • Research-article

      Conference

      ASIA CCS '16