TY - GEN
T1 - Obfuscated malicious javascript detection scheme using the feature based on divided URL
AU - Morishige, Shoya
AU - Haruta, Shuichiro
AU - Asahina, Hiromu
AU - Sasase, Iwao
PY - 2018/2/27
Y1 - 2018/2/27
N2 - On web application services, detecting obfuscated malicious JavaScript utilized for the attacks such as Drive-by-Download is an urgent demand. Obfuscation is a technique that modifies some elements of program codes and is used to evade the pattern matching of traditional anti-virus softwares. In particular, encode obfuscation is adopted in almost all malicious JavaScript codes as the most effective technique to hide their malicious intents. Therefore, many approaches focus on encode obfuscation to detect malicious JavaScript. However, we point out that malicious JavaScript obfuscated by the techniques except for encode obfuscation can easily evade those approaches. Motivated by the above, in this paper, we first investigated the malicious files that previous schemes cannot detect, and found that some files contain divided URL in their codes. In order to detect such JavaScript codes as malicious, we propose obfuscated malicious JavaScript detection scheme using the feature based on divided URL. We focus on the fact that the segments of URL are declared as variables and connected later. Our scheme stores variables and their contents in the dictionary type object and in the connection parts, verifies that malicious URL can be reconstructed. By the computer simulation with real dataset, we show that our scheme improves the detection effectiveness of the conventional scheme.
AB - On web application services, detecting obfuscated malicious JavaScript utilized for the attacks such as Drive-by-Download is an urgent demand. Obfuscation is a technique that modifies some elements of program codes and is used to evade the pattern matching of traditional anti-virus softwares. In particular, encode obfuscation is adopted in almost all malicious JavaScript codes as the most effective technique to hide their malicious intents. Therefore, many approaches focus on encode obfuscation to detect malicious JavaScript. However, we point out that malicious JavaScript obfuscated by the techniques except for encode obfuscation can easily evade those approaches. Motivated by the above, in this paper, we first investigated the malicious files that previous schemes cannot detect, and found that some files contain divided URL in their codes. In order to detect such JavaScript codes as malicious, we propose obfuscated malicious JavaScript detection scheme using the feature based on divided URL. We focus on the fact that the segments of URL are declared as variables and connected later. Our scheme stores variables and their contents in the dictionary type object and in the connection parts, verifies that malicious URL can be reconstructed. By the computer simulation with real dataset, we show that our scheme improves the detection effectiveness of the conventional scheme.
KW - Drive-by-Download attacks
KW - JavaScript detection
KW - Obfuscation techniques
UR - http://www.scopus.com/inward/record.url?scp=85050643403&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85050643403&partnerID=8YFLogxK
U2 - 10.23919/APCC.2017.8303992
DO - 10.23919/APCC.2017.8303992
M3 - Conference contribution
AN - SCOPUS:85050643403
T3 - 2017 23rd Asia-Pacific Conference on Communications: Bridging the Metropolitan and the Remote, APCC 2017
SP - 1
EP - 6
BT - 2017 23rd Asia-Pacific Conference on Communications
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 23rd Asia-Pacific Conference on Communications, APCC 2017
Y2 - 11 December 2017 through 13 December 2017
ER -