An efficient method for detecting obfuscated suspicious JavaScript based on text pattern analysis

Abstract

Malicious JavaScript is a common springboard for attackers to launch several types of network attacks, such as Drive-by-Download and malicious PDF delivery attacks. In order to elude detection by signature matching, malicious JavaScript is often packed (so-called "obfuscation") with diversified algorithms; therefore, the occurrence of obfuscation is always a good pointer for potential maliciousness. In this investigation, we propose a lightweight approach for quickly filtering obfuscated JavaScript by a novel method of tokenizing JavaScript text at letter level and information-theoretic measures, based on the previous work in the domain of detecting obfuscated malicious code as well as the pattern analysis of natural languages. The new approach is apparently time efficient compared to existing systems since it processes far fewer objects, while it is also proved to be able to reach acceptable detection accuracies.

Original language: English
Title of host publication: WTMC 2016 - Proceedings of the 2016 ACM International Workshop on Traffic Measurements for Cybersecurity, Co-located with Asia CCS 2016
Publisher: Association for Computing Machinery, Inc
Pages: 3-11
Number of pages: 9
ISBN (Electronic): 9781450342841
DOI: 10.1145/2903185.2903189
State: Published - 2016 May 30
Event: 2016 ACM International Workshop on Traffic Measurements for Cybersecurity, WTMC 2016 - Xi'an, China

Other

Other: 2016 ACM International Workshop on Traffic Measurements for Cybersecurity, WTMC 2016
Country: China
City: Xi'an
Period: 16/5/30 → …

Keywords

  • Information-theoretic measures
  • Obfuscated JavaScript
  • Text pattern analysis

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

Cite this

Su, J., Yoshioka, K., Shikata, J., & Matsumoto, T. (2016). An efficient method for detecting obfuscated suspicious JavaScript based on text pattern analysis. In WTMC 2016 - Proceedings of the 2016 ACM International Workshop on Traffic Measurements for Cybersecurity, Co-located with Asia CCS 2016. (pp. 3-11). Association for Computing Machinery, Inc. DOI: 10.1145/2903185.2903189

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

@inbook{29c5e32feb674c5691c0781bfbf5c418,
title = "An efficient method for detecting obfuscated suspicious JavaScript based on text pattern analysis",
keywords = "Information-theoretic measures, Obfuscated JavaScript, Text pattern analysis",
author = "Jiawei Su and Katsunari Yoshioka and Junji Shikata and Tsutomu Matsumoto",
year = "2016",
month = "5",
doi = "10.1145/2903185.2903189",
pages = "3--11",
booktitle = "WTMC 2016 - Proceedings of the 2016 ACM International Workshop on Traffic Measurements for Cybersecurity, Co-located with Asia CCS 2016",
publisher = "Association for Computing Machinery, Inc",

}
