(2018) JaSt: Fully Syntactic Detection of Malicious (Obfuscated) JavaScript.
|
Text
fass2018jast.pdf Download (1MB) | Preview |
Abstract
JavaScript is a browser scripting language initially created to enhance the interactivity of web sites and to improve their user-friendliness. However, as it offloads the work to the user's browser, it can be used to engage in malicious activities such as Crypto-Mining, Drive-by-Download attacks, or redirections to web sites hosting malicious software. Given the prevalence of such nefarious scripts, the anti-virus industry has increased the focus on their detection. The attackers, in turn, make increasing use of obfuscation techniques, so as to hinder analysis and the creation of corresponding signatures. Yet these malicious samples share syntactic similarities at an abstract level, which enables to bypass obfuscation and detect even unknown malware variants. In this paper, we present JaSt, a low-overhead solution that combines the extraction of features from the abstract syntax tree with a random forest classifier to detect malicious JavaScript instances. It is based on a frequency analysis of specific patterns, which are either predictive of benign or of malicious samples. Even though the analysis is entirely static, it yields a high detection accuracy of almost 99.5% and has a low false-negative rate of 0.54%.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Divisions: | Ben Stock (Secure Web Applications Group, SWAG) Michael Backes (InfSec) |
| Conference: | DIMVA GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment |
| Depositing User: | Aurore Fass |
| Date Deposited: | 13 Apr 2018 08:09 |
| Last Modified: | 15 Oct 2022 11:56 |
| Primary Research Area: | NRA5: Empirical & Behavioral Security |
| URI: | https://publications.cispa.saarland/id/eprint/2594 |
Actions
Actions (login required)
 |
View Item |