(2021) Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild.
Text: moog2021statically.pdf - Accepted Version (532kB)
Abstract
JavaScript is both a popular client-side programming language and an attack vector. While malware developers transform their JavaScript code to hide its malicious intent and impede detection, well-intentioned developers also transform their code to, e.g., optimize website performance. In this paper, we conduct an in-depth study of code transformations in the wild. Specifically, we perform a static analysis of JavaScript files to build their Abstract Syntax Tree (AST), which we extend with control and data flows. Subsequently, we define two classifiers, benefitting from AST-based features, to detect transformed samples along with specific transformation techniques. Besides malicious samples, we find that transforming code is increasingly popular on Node.js libraries and client-side JavaScript, with, e.g., 90% of Alexa Top 10k websites containing a transformed script. This way, code transformations are no indicator of maliciousness. Finally, we showcase that benign code transformation techniques and their frequency both differ from the prevalent malicious ones.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Divisions: | Ben Stock (Secure Web Applications Group, SWAG) Michael Backes (InfSec) |
| Conference: | DSN IEEE/IFIP International Conference on Dependable Systems and Networks |
| Depositing User: | Aurore Fass |
| Date Deposited: | 23 Mar 2021 20:28 |
| Last Modified: | 26 Jul 2021 10:39 |
| Primary Research Area: | NRA5: Empirical & Behavioral Security |
| URI: | https://publications.cispa.saarland/id/eprint/3385 |
