Detection and classification of malicious JavaScript via attack behavior modelling
Existing malicious JavaScript (JS) detection tools and commercial anti-virus tools mostly use feature-based or signature-based approaches to detect JS malware. These tools are weak in resistance to obfuscation and JS malware variants, not mentioning about providing detailed information of attack beh...
Saved in:
Main Authors: | , , , , , |
---|---|
Format: | text |
Language: | English |
Published: |
Institutional Knowledge at Singapore Management University
2015
|
Subjects: | |
Online Access: | https://ink.library.smu.edu.sg/sis_research/4953 https://ink.library.smu.edu.sg/context/sis_research/article/5956/viewcontent/issta2015.pdf |
Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
Institution: | Singapore Management University |
Language: | English |
id |
sg-smu-ink.sis_research-5956 |
---|---|
record_format |
dspace |
spelling |
sg-smu-ink.sis_research-59562020-02-27T03:18:31Z Detection and classification of malicious JavaScript via attack behavior modelling XUE, Yinxing WANG, Junjie LIU, Yang XIAO, Hao SUN, Jun CHANDRAMOHAN, Mahinthan Existing malicious JavaScript (JS) detection tools and commercial anti-virus tools mostly use feature-based or signature-based approaches to detect JS malware. These tools are weak in resistance to obfuscation and JS malware variants, not mentioning about providing detailed information of attack behaviors. Such limitations root in the incapability of capturing attack behaviors in these approches. In this paper, we propose to use Deterministic Finite Automaton (DFA) to abstract and summarize common behaviors of malicious JS of the same attack type. We propose an automatic behavior learning framework, named JS∗ , to learn DFA from dynamic execution traces of JS malware, where we implement an effective online teacher by combining data dependency analysis, defense rules and trace replay mechanism. We evaluate JS∗ using real world data of 10000 benign and 276 malicious JS samples to cover 8 most-infectious attack types. The results demonstrate the scalability and effectiveness of our approach in the malware detection and classification, compared with commercial anti-virus tools. We also show how to use our DFAs to detect variants and new attacks. 2015-07-12T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4953 info:doi/10.1145/2771783.2771814 https://ink.library.smu.edu.sg/context/sis_research/article/5956/viewcontent/issta2015.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University malware detection malicious JavaScript L* behavior modelling Programming Languages and Compilers Software Engineering |
institution |
Singapore Management University |
building |
SMU Libraries |
continent |
Asia |
country |
Singapore Singapore |
content_provider |
SMU Libraries |
collection |
InK@SMU |
language |
English |
topic |
malware detection malicious JavaScript L* behavior modelling Programming Languages and Compilers Software Engineering |
spellingShingle |
malware detection malicious JavaScript L* behavior modelling Programming Languages and Compilers Software Engineering XUE, Yinxing WANG, Junjie LIU, Yang XIAO, Hao SUN, Jun CHANDRAMOHAN, Mahinthan Detection and classification of malicious JavaScript via attack behavior modelling |
description |
Existing malicious JavaScript (JS) detection tools and commercial anti-virus tools mostly use feature-based or signature-based approaches to detect JS malware. These tools are weak in resistance to obfuscation and JS malware variants, not mentioning about providing detailed information of attack behaviors. Such limitations root in the incapability of capturing attack behaviors in these approches. In this paper, we propose to use Deterministic Finite Automaton (DFA) to abstract and summarize common behaviors of malicious JS of the same attack type. We propose an automatic behavior learning framework, named JS∗ , to learn DFA from dynamic execution traces of JS malware, where we implement an effective online teacher by combining data dependency analysis, defense rules and trace replay mechanism. We evaluate JS∗ using real world data of 10000 benign and 276 malicious JS samples to cover 8 most-infectious attack types. The results demonstrate the scalability and effectiveness of our approach in the malware detection and classification, compared with commercial anti-virus tools. We also show how to use our DFAs to detect variants and new attacks. |
format |
text |
author |
XUE, Yinxing WANG, Junjie LIU, Yang XIAO, Hao SUN, Jun CHANDRAMOHAN, Mahinthan |
author_facet |
XUE, Yinxing WANG, Junjie LIU, Yang XIAO, Hao SUN, Jun CHANDRAMOHAN, Mahinthan |
author_sort |
XUE, Yinxing |
title |
Detection and classification of malicious JavaScript via attack behavior modelling |
title_short |
Detection and classification of malicious JavaScript via attack behavior modelling |
title_full |
Detection and classification of malicious JavaScript via attack behavior modelling |
title_fullStr |
Detection and classification of malicious JavaScript via attack behavior modelling |
title_full_unstemmed |
Detection and classification of malicious JavaScript via attack behavior modelling |
title_sort |
detection and classification of malicious javascript via attack behavior modelling |
publisher |
Institutional Knowledge at Singapore Management University |
publishDate |
2015 |
url |
https://ink.library.smu.edu.sg/sis_research/4953 https://ink.library.smu.edu.sg/context/sis_research/article/5956/viewcontent/issta2015.pdf |
_version_ |
1770575156842856448 |