Article title

Malicious JavaScript Detection by Features Extraction

Publication languages
EN
Abstracts
EN
In recent years, JavaScript-based attacks have become one of the most common and successful types of attack. Existing techniques for detecting malicious JavaScript could fail for different reasons. Some techniques are tailored to specific kinds of attacks and are ineffective for others. Other techniques require costly computational resources to be implemented. Still others could be circumvented with evasion methods. This paper proposes a method for detecting malicious JavaScript code based on five features that capture different characteristics of a script: execution time, external referenced domains and calls to JavaScript functions. Mixing different types of features could result in a more effective detection technique and overcome the limitations of existing tools created for identifying malicious JavaScript. The experiments carried out suggest that a combination of these features is able to successfully detect malicious JavaScript code (in the best cases we obtained a precision of 0.979 and a recall of 0.978).
Year
Pages
65--78
Physical description
Bibliography: 53 items, figures, tables
Authors
author
  • Department of Engineering, University of Sannio
author
  • Department of Engineering, University of Sannio
author
  • visaggio@unisannio.it
  • Department of Engineering, University of Sannio
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-e7bd0354-d3fd-4a81-84c7-479fe2b097ca