(2021) Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild.
|
Text
moog2021statically.pdf - Accepted Version Download (532kB) | Preview |
Abstract
JavaScript is both a popular client-side programming language and an attack vector. While malware developers transform their JavaScript code to hide its malicious intent and impede detection, well-intentioned developers also transform their code to, e.g., optimize website performance. In this paper, we conduct an in-depth study of code transformations in the wild. Specifically, we perform a static analysis of JavaScript files to build their Abstract Syntax Tree (AST), which we extend with control and data flows. Subsequently, we define two classifiers, benefitting from AST-based features, to detect transformed samples along with specific transformation techniques. Besides malicious samples, we find that transforming code is increasingly popular on Node.js libraries and client-side JavaScript, with, e.g., 90% of Alexa Top 10k websites containing a transformed script. This way, code transformations are no indicator of maliciousness. Finally, we showcase that benign code transformation techniques and their frequency both differ from the prevalent malicious ones.
Item Type: | Conference or Workshop Item (A Paper) (Paper) |
---|---|
Divisions: | Ben Stock (Secure Web Applications Group, SWAG) Michael Backes (InfSec) |
Conference: | DSN IEEE/IFIP International Conference on Dependable Systems and Networks |
Depositing User: | Aurore Fass |
Date Deposited: | 23 Mar 2021 20:28 |
Last Modified: | 26 Jul 2021 10:39 |
Primary Research Area: | NRA5: Empirical & Behavioral Security |
URI: | https://publications.cispa.saarland/id/eprint/3385 |
Actions
Actions (login required)
View Item |