Detection and classification of malicious JavaScript via attack behavior modelling

Existing malicious JavaScript (JS) detection tools and commercial anti-virus tools mostly use feature-based or signature-based approaches to detect JS malware. These tools are weak in resistance to obfuscation and JS malware variants, not mentioning about providing detailed information of attack beh...

Bibliographic Details
Main Authors: XUE, Yinxing, WANG, Junjie, LIU, Yang, XIAO, Hao, SUN, Jun, CHANDRAMOHAN, Mahinthan
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2015
Subjects:
L*
Online Access: https://ink.library.smu.edu.sg/sis_research/4953
https://ink.library.smu.edu.sg/context/sis_research/article/5956/viewcontent/issta2015.pdf
Institution: Singapore Management University
id sg-smu-ink.sis_research-5956
record_format dspace
spelling sg-smu-ink.sis_research-5956 2020-02-27T03:18:31Z 2015-07-12T07:00:00Z text application/pdf info:doi/10.1145/2771783.2771814 http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic malware detection
malicious JavaScript
L*
behavior modelling
Programming Languages and Compilers
Software Engineering
description Existing malicious JavaScript (JS) detection tools and commercial anti-virus tools mostly use feature-based or signature-based approaches to detect JS malware. These tools are weak in resistance to obfuscation and JS malware variants, not mentioning about providing detailed information of attack behaviors. Such limitations root in the incapability of capturing attack behaviors in these approaches. In this paper, we propose to use Deterministic Finite Automaton (DFA) to abstract and summarize common behaviors of malicious JS of the same attack type. We propose an automatic behavior learning framework, named JS∗, to learn DFA from dynamic execution traces of JS malware, where we implement an effective online teacher by combining data dependency analysis, defense rules and trace replay mechanism. We evaluate JS∗ using real world data of 10000 benign and 276 malicious JS samples to cover 8 most-infectious attack types. The results demonstrate the scalability and effectiveness of our approach in the malware detection and classification, compared with commercial anti-virus tools. We also show how to use our DFAs to detect variants and new attacks.
format text
author XUE, Yinxing
WANG, Junjie
LIU, Yang
XIAO, Hao
SUN, Jun
CHANDRAMOHAN, Mahinthan
author_sort XUE, Yinxing
title Detection and classification of malicious JavaScript via attack behavior modelling
publisher Institutional Knowledge at Singapore Management University
publishDate 2015
_version_ 1770575156842856448