HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs

Fass, Aurore and Backes, Michael and Stock, Ben
(2019) HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs.
In: ACM Conference on Computer and Communications Security (CCS 2019).
Conference: CCS ACM Conference on Computer and Communications Security

[img]
Preview
 Text
fass2019hidenoseek.pdf - Accepted Version
Download (1MB) | Preview

Abstract

In the malware field, learning-based systems have become popular to detect new malicious variants. Nevertheless, attackers with specific and internal knowledge of a target system may be able to produce input samples which are misclassified. In practice, the assumption of strong attackers is not realistic as it implies access to insider information. We instead propose HideNoSeek, a novel and generic camouflage attack, which evades the entire class of detectors based on syntactic features, without needing any information about the system it is trying to evade. Our attack consists of changing the constructs of malicious JavaScript samples to reproduce a benign syntax. For this purpose, we automatically rewrite the Abstract Syntax Trees (ASTs) of malicious JavaScript inputs into existing benign ones. In particular, HideNoSeek uses malicious seeds and searches for isomorphic subgraphs between the seeds and traditional benign scripts. Specifically, it replaces benign sub-ASTs by their malicious equivalents (same syntactic structure) and adjusts the benign data dependencies--without changing the AST--, so that the malicious semantics is kept. In practice, we leveraged 23 malicious seeds to generate 91,020 malicious scripts, which perfectly reproduce ASTs of Alexa top 10,000 web pages. Also, we can produce on average 14 different malicious samples with the same AST as each Alexa top 10. Overall, a standard trained classifier has 99.98% false negatives with HideNoSeek inputs, while a classifier trained on such samples has over 88.74% false positives, rendering the targeted static detectors unreliable.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Michael Backes (InfSec)
Ben Stock (Secure Web Applications Group, SWAG)
Conference: CCS ACM Conference on Computer and Communications Security
Depositing User: Aurore Fass
Date Deposited: 23 Jun 2019 18:38
Last Modified: 23 Apr 2020 20:31
Primary Research Area: NRA3: Threat Detection and Defenses
URI: https://publications.cispa.saarland/id/eprint/2936

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.