Intelligent Defense against Malicious JavaScript Code

@article{Krueger2012IntelligentDA,
  title={Intelligent Defense against Malicious JavaScript Code},
  author={Tammo Krueger and Konrad Rieck},
  journal={PIK - Praxis der Informationsverarbeitung und Kommunikation},
  year={2012},
  volume={35},
  pages={54--60}
}
  • T. Krueger, K. Rieck
  • Published 1 April 2012
  • Computer Science
  • PIK - Praxis der Informationsverarbeitung und Kommunikation
JavaScript is a popular scripting language for creating dynamic and interactive web pages. Key method: embedded in a web proxy, Cujo transparently inspects web pages and blocks the delivery of malicious JavaScript code. A lightweight static and dynamic analysis is performed, which enables learning and detecting malicious patterns in the structure and behavior of JavaScript code.

A Machine Learning Approach to Malicious JavaScript Detection using Fixed Length Vector Representation
TLDR
The proposed Doc2Vec features provide better accuracy and fast classification in malicious JS code detection compared to conventional approaches, and are compared to other feature learning methods.
A Practical Guide for Detecting the Java Script-Based Malware Using Hidden Markov Models and Linear Classifiers
TLDR
This paper proposes various methods for detecting Java Script-based attack vectors, and analyzes these detection methods from a practical point of view, emphasizing the need for a very low false positive rate and the ability to be trained on large datasets.
JSOD: JavaScript obfuscation detector
TLDR
This work proposes JavaScript Obfuscation Detector JSOD, a completely static solution to detect obfuscated scripts including readable patterns, and compares it to the state-of-the-art approaches to detects obfuscated malicious and obfuscated benign script, namely, Zozzle and Noofus.
Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites
TLDR
This paper proposes the first large-scale measurement study of client-side prototype pollution among one million real-world websites and answers the questions of whether a prototypical object is controllable, whether and what properties can be manipulated, and whether the injected value leads to further consequences.
On the Integrity of Cross-Origin JavaScripts
TLDR
According to the empirical results based on a ten day polling period of over 35 thousand scripts collected from popular websites, temporal integrity changes are relatively common and it is possible to statistically predict whether a temporal integrity change is likely to occur.
DETECTION: A STATE OF ART SURVEY
TLDR
The detailed analysis carried out in this paper provides a new road map for the research in this area and classifies the detection methods in three categories: static, dynamic and hybrid approaches.
Probabilistic Methods for Network Security. From Analysis to Response
TLDR
This thesis shows how methods from statistics and machine learning can improve the security cycle of analysis, detection and response to threats by carefully layering probabilistic methods and machine learning techniques, and creates solid solutions for pressing security problems.
Data Mining Based Strategy for Detecting Malicious PDF Files
  • Samir G. Sayed, M. Shawkey
  • Computer Science
    2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications / 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE)
  • 2018
TLDR
A new algorithm is presented for detecting malicious PDF files based on data mining techniques to achieve high detection rate and low false positive rate with small computational overhead.
Malware Slums: Measurement and Analysis of Malware on Traffic Exchanges
TLDR
A first-of-its-kind analysis of the different types of malware that are propagated through these traffic exchanges, including blacklisted domains, malicious JavaScript, malicious Flash, and malicious shortened URLs, is presented.
Drive-by Disclosure: A Large-Scale Detector of Drive-by Downloads Based on Latent Behavior Prediction
TLDR
The proposed Drive-by Disclosure leverages availability of AST representation to predict script's latent behaviors statically and facilitates distinction between scripting practices of drive-by downloads and disguised transformations.

References

Showing 1-10 of 41 references
Detection and analysis of drive-by-download attacks and malicious JavaScript code
TLDR
A novel approach to the detection and analysis of malicious JavaScript code is presented that uses a number of features and machine-learning techniques to establish the characteristics of normal JavaScript code and is able to identify anomalous JavaScript code by emulating its behavior and comparing it to the established profiles.
Cujo: efficient detection and prevention of drive-by-download attacks
TLDR
The efficacy of Cujo is demonstrated, where it detects 94% of the drive-by downloads with few false alarms and a median run-time of 500 ms per web page, a quality that has not been attained in previous work on detection of drive-by-download attacks.
Throwing a MonkeyWrench into Web Attackers Plans
TLDR
MonkeyWrench is a low-interaction web-honeyclient allowing automatic identification of malicious web pages by performing static analysis of the HTML-objects in a web page as well as dynamic analysis of scripts by execution in an emulated browser environment and is able to identify the exact vulnerability triggered by a malicious page.
IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM
TLDR
This paper presents IceShield, a JavaScript based tool that enables in-line dynamic code analysis as well as de-obfuscation, and a set of heuristics to detect attempts of attacking either a website or the user accessing its contents, and demonstrates how dynamic analysis of websites can be accomplished directly in the browser.
Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks
TLDR
This work proposes a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode, and demonstrates that the system performs accurate detection with no false positives.
ZDVUE: prioritization of javascript attacks to discover new vulnerabilities
TLDR
ZDVUE is a tool for automatic prioritization of suspicious JavaScript traces, which can lead to early detection of potential zero-day vulnerabilities, and is used in the organization on a routine basis to automatically filter, analyze, and prioritize thousands of downloaded JavaScript files.
Prophiler: a fast filter for the large-scale detection of malicious web pages
TLDR
The authors' filter, called Prophiler, uses static analysis techniques to quickly examine a web page for malicious content, and automatically derives detection models that use these features, using machine-learning techniques applied to labeled datasets.
Rozzle: De-cloaking Internet Malware
TLDR
Rozzle, a JavaScript multi-execution virtual machine, is proposed as a way to explore multiple execution paths within a single execution so that environment-specific malware will reveal itself, and it is shown that Rozzle triples the effectiveness of online runtime detection.
The Ghost in the Browser: Analysis of Web-based Malware
TLDR
This work identifies the four prevalent mechanisms used to inject malicious content on popular web sites: web server security, user contributed content, advertising and third-party widgets, and presents examples of abuse found on the Internet.
Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities
TLDR
The design and implementation of the Strider HoneyMonkey Exploit Detection System is described, which consists of a pipeline of “monkey programs” running possibly vulnerable browsers on virtual machines with different patch levels and patrolling the Web to seek out and classify web sites that exploit browser vulnerabilities.