Detecting obfuscated suspicious javascript based on information-theoretic measures and novelty detection

Abstract

It is common for attackers to launch the well-known drive-by download attacks using malicious JavaScript on the Internet. In a typical case, attackers compromise legitimate websites and inject malicious JavaScript that bounces visitors to other pre-set malicious pages and infects them. To evade detectors, attackers obfuscate their malicious JavaScript so that its maliciousness is hidden. In this paper, we propose a new approach for detecting suspicious obfuscated JavaScript based on information-theoretic measures and the idea of novelty detection. According to the experimental results, the new system improves on several potential weaknesses of previous systems.

Original language: English
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Publisher: Springer Verlag
Pages: 278-293
Number of pages: 16
Volume: 9558
ISBN (Print): 9783319308395
State: Published - 2016
Event: 18th International Conference on Information Security and Cryptology, ICISC 2015 - Seoul, Korea, Republic of

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9558
ISSN (Print): 03029743
ISSN (Electronic): 16113349

Other

Other: 18th International Conference on Information Security and Cryptology, ICISC 2015
Country: Korea, Republic of
City: Seoul
Period: 15/11/25 to 15/11/27

Fingerprint

Websites
Internet
Detectors
Experiments

Keywords

  • Novelty detection
  • Obfuscated JavaScript
  • Renyi entropy

ASJC Scopus subject areas

  • Computer Science (all)
  • Theoretical Computer Science

Cite this

Su, J., Yoshioka, K., Shikata, J., & Matsumoto, T. (2016). Detecting obfuscated suspicious javascript based on information-theoretic measures and novelty detection. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). (Vol. 9558, pp. 278-293). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9558). Springer Verlag. DOI: 10.1007/978-3-319-30840-1_18


Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
