Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild

Moog, Marvin and Demmel, Markus and Backes, Michael and Fass, Aurore
(2021) Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild.
In: IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2021).
Conference: DSN IEEE/IFIP International Conference on Dependable Systems and Networks

[img]
Preview
Text
moog2021statically.pdf - Accepted Version

Download (532kB) | Preview

Abstract

JavaScript is both a popular client-side programming language and an attack vector. While malware developers transform their JavaScript code to hide its malicious intent and impede detection, well-intentioned developers also transform their code to, e.g., optimize website performance. In this paper, we conduct an in-depth study of code transformations in the wild. Specifically, we perform a static analysis of JavaScript files to build their Abstract Syntax Tree (AST), which we extend with control and data flows. Subsequently, we define two classifiers, benefitting from AST-based features, to detect transformed samples along with specific transformation techniques. Besides malicious samples, we find that transforming code is increasingly popular on Node.js libraries and client-side JavaScript, with, e.g., 90% of Alexa Top 10k websites containing a transformed script. This way, code transformations are no indicator of maliciousness. Finally, we showcase that benign code transformation techniques and their frequency both differ from the prevalent malicious ones.

Actions

Actions (login required)

View Item View Item