Obfuscated malicious javascript detection scheme using the feature based on divided URL

Shoya Morishige, Shuichiro Haruta, Hiromu Asahina, Iwao Sasase

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

On web application services, detecting obfuscated malicious JavaScript used in attacks such as Drive-by-Download is an urgent demand. Obfuscation is a technique that modifies some elements of program code and is used to evade the pattern matching of traditional anti-virus software. In particular, encode obfuscation is adopted in almost all malicious JavaScript code as the most effective technique to hide its malicious intent. Therefore, many approaches focus on encode obfuscation to detect malicious JavaScript. However, we point out that malicious JavaScript obfuscated by techniques other than encode obfuscation can easily evade those approaches. Motivated by the above, in this paper, we first investigated the malicious files that previous schemes cannot detect, and found that some files contain divided URLs in their code. In order to detect such JavaScript code as malicious, we propose an obfuscated malicious JavaScript detection scheme using a feature based on divided URLs. We focus on the fact that the segments of a URL are declared as variables and connected later. Our scheme stores variables and their contents in a dictionary-type object and, at the connection parts, verifies that a malicious URL can be reconstructed. Through computer simulation with a real dataset, we show that our scheme improves the detection effectiveness of the conventional scheme.
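The dictionary-and-reconstruction idea from the abstract, sketched as an added example; it is not the authors' implementation. Assumptions: statements are read with regexes rather than a full JavaScript parser, the names `findDividedUrls` and `resolveConcat` are hypothetical, maliciousness is decided by a caller-supplied host blocklist, and the sample script and hosts are constructed.

```javascript
// Added illustration, not the paper's implementation. Assumed: statements of the form
// `name = operand + operand;` read with regexes, and a caller-supplied host blocklist.
const STMT = /(?:\b(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*(\+?=)\s*((?:"[^"]*"|'[^']*'|[^;"'])+);/g;
const TOKEN = /"[^"]*"|'[^']*'|[A-Za-z_$][\w$]*|\+|\S/g;

// Resolve `a + "lit" + b` through the dictionary; null if any operand is unknown.
function resolveConcat(expr, vars) {
  const tokens = expr.match(TOKEN) || [];
  if (tokens.length % 2 === 0) return null;        // must be operand (+ operand)*
  let value = "";
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (i % 2 === 1) { if (t !== "+") return null; continue; }
    if (t.length >= 2 && /^["']/.test(t)) value += t.slice(1, -1);
    else if (vars.has(t)) value += vars.get(t);
    else return null;
  }
  return { value, operands: (tokens.length + 1) / 2 };
}

function findDividedUrls(source, blockedHosts) {
  const vars = new Map();                          // variable name -> known string content
  const hits = [];
  for (const [, name, op, rhs] of source.matchAll(STMT)) {
    const r = resolveConcat(rhs, vars);
    const joined = op === "+=";
    if (!r || (joined && !vars.has(name))) { vars.delete(name); continue; }
    const value = joined ? vars.get(name) + r.value : r.value;
    vars.set(name, value);
    // Connection part: report a URL that only exists once segments are joined.
    if (!(joined || r.operands > 1) || !/^https?:\/\//i.test(value)) continue;
    let host;
    try { host = new URL(value).hostname; } catch { continue; }  // e.g. bare "http://"
    hits.push({ name, url: value, blocked: blockedHosts.has(host) });
  }
  return hits;
}

// Constructed sample input (not taken from the paper's dataset).
const SAMPLE = `
var a = "ht";
var b = "tp://";
var c = "malware-host.example";
var d = a + b;
var u = d + c + "/payload.js";
var home = "https://" + "docs.example" + "/index.html";
`;
const RESULT = findDividedUrls(SAMPLE, new Set(["malware-host.example"]));
console.log(RESULT);
```

A URL written as one intact literal is deliberately not reported, since ordinary pattern matching already sees it; only URLs that exist after joining segments are checked.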

Original language: English
Title of host publication: 2017 23rd Asia-Pacific Conference on Communications
Subtitle of host publication: Bridging the Metropolitan and the Remote, APCC 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1-6
Number of pages: 6
Volume: 2018-January
ISBN (Electronic): 9781740523905
DOIs: https://doi.org/10.23919/APCC.2017.8303992
Publication status: Published - 2018 Feb 27
Event: 23rd Asia-Pacific Conference on Communications, APCC 2017 - Perth, Australia
Duration: 2017 Dec 11 to 2017 Dec 13

Other

Other: 23rd Asia-Pacific Conference on Communications, APCC 2017
Country: Australia
City: Perth
Period: 17/12/11 to 17/12/13

Fingerprint

Websites
Pattern matching
Glossaries
Viruses
World Wide Web
Computer simulation

Keywords

  • Drive-by-Download attacks
  • JavaScript detection
  • Obfuscation techniques

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Signal Processing

Cite this

Morishige, S., Haruta, S., Asahina, H., & Sasase, I. (2018). Obfuscated malicious javascript detection scheme using the feature based on divided URL. In 2017 23rd Asia-Pacific Conference on Communications: Bridging the Metropolitan and the Remote, APCC 2017 (Vol. 2018-January, pp. 1-6). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.23919/APCC.2017.8303992
