JStill: Mostly static detection of obfuscated malicious javascript code

Wei Xu, Fangfang Zhang, Sencun Zhu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

31 Citations (Scopus)

Abstract

The dynamic features of the JavaScript language not only promote various means for users to interact with websites throughWeb browsers, but also pose serious security threats to both users and websites. On top of this, obfuscation has become a popular technique among malicious JavaScript code that tries to hide its malicious purpose and to evade the detection of anti-virus software. To defend against obfuscated malicious JavaScript code, in this paper we propose a mostly static approach called JStill. JStill captures some essential characteristics of obfuscated malicious code by function invocation based analysis. It also leverages the combination of static analysis and lightweight runtime inspection so that it can not only detect, but also prevent the execution of the obfuscated malicious JavaScript code in browsers. Our evaluation based on real-world malicious JavaScript samples as well as Alexa top 50,000 websites demonstrates high detection accuracy (all in our experiment) and low false positives of JStill. Meanwhile, JStill only incurs negligible performance overhead, making it a practical solution to preventing obfuscated malicious JavaScript code.

Original languageEnglish (US)
Title of host publicationCODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy
Pages117-128
Number of pages12
DOIs
StatePublished - Mar 18 2013
Event3rd ACM Conference on Data and Application Security and Privacy, CODASPY 2013 - San Antonio, TX, United States
Duration: Feb 18 2013Feb 20 2013

Publication series

NameCODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy

Other

Other3rd ACM Conference on Data and Application Security and Privacy, CODASPY 2013
CountryUnited States
CitySan Antonio, TX
Period2/18/132/20/13

Fingerprint

Websites
Static analysis
Viruses
Inspection
Experiments

All Science Journal Classification (ASJC) codes

  • Computer Science Applications
  • Software

Cite this

Xu, W., Zhang, F., & Zhu, S. (2013). JStill: Mostly static detection of obfuscated malicious javascript code. In CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy (pp. 117-128). (CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy). https://doi.org/10.1145/2435349.2435364
Xu, Wei ; Zhang, Fangfang ; Zhu, Sencun. / JStill : Mostly static detection of obfuscated malicious javascript code. CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy. 2013. pp. 117-128 (CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy).
@inproceedings{df829c4e0e6b4c76a23e01d72a556eac,
title = "JStill: Mostly static detection of obfuscated malicious javascript code",
abstract = "The dynamic features of the JavaScript language not only promote various means for users to interact with websites throughWeb browsers, but also pose serious security threats to both users and websites. On top of this, obfuscation has become a popular technique among malicious JavaScript code that tries to hide its malicious purpose and to evade the detection of anti-virus software. To defend against obfuscated malicious JavaScript code, in this paper we propose a mostly static approach called JStill. JStill captures some essential characteristics of obfuscated malicious code by function invocation based analysis. It also leverages the combination of static analysis and lightweight runtime inspection so that it can not only detect, but also prevent the execution of the obfuscated malicious JavaScript code in browsers. Our evaluation based on real-world malicious JavaScript samples as well as Alexa top 50,000 websites demonstrates high detection accuracy (all in our experiment) and low false positives of JStill. Meanwhile, JStill only incurs negligible performance overhead, making it a practical solution to preventing obfuscated malicious JavaScript code.",
author = "Wei Xu and Fangfang Zhang and Sencun Zhu",
year = "2013",
month = "3",
day = "18",
doi = "10.1145/2435349.2435364",
language = "English (US)",
isbn = "9781450318907",
series = "CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy",
pages = "117--128",
booktitle = "CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy",

}

Xu, W, Zhang, F & Zhu, S 2013, JStill: Mostly static detection of obfuscated malicious javascript code. in CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy. CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy, pp. 117-128, 3rd ACM Conference on Data and Application Security and Privacy, CODASPY 2013, San Antonio, TX, United States, 2/18/13. https://doi.org/10.1145/2435349.2435364

JStill : Mostly static detection of obfuscated malicious javascript code. / Xu, Wei; Zhang, Fangfang; Zhu, Sencun.

CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy. 2013. p. 117-128 (CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

TY - GEN

T1 - JStill

T2 - Mostly static detection of obfuscated malicious javascript code

AU - Xu, Wei

AU - Zhang, Fangfang

AU - Zhu, Sencun

PY - 2013/3/18

Y1 - 2013/3/18

N2 - The dynamic features of the JavaScript language not only promote various means for users to interact with websites throughWeb browsers, but also pose serious security threats to both users and websites. On top of this, obfuscation has become a popular technique among malicious JavaScript code that tries to hide its malicious purpose and to evade the detection of anti-virus software. To defend against obfuscated malicious JavaScript code, in this paper we propose a mostly static approach called JStill. JStill captures some essential characteristics of obfuscated malicious code by function invocation based analysis. It also leverages the combination of static analysis and lightweight runtime inspection so that it can not only detect, but also prevent the execution of the obfuscated malicious JavaScript code in browsers. Our evaluation based on real-world malicious JavaScript samples as well as Alexa top 50,000 websites demonstrates high detection accuracy (all in our experiment) and low false positives of JStill. Meanwhile, JStill only incurs negligible performance overhead, making it a practical solution to preventing obfuscated malicious JavaScript code.

AB - The dynamic features of the JavaScript language not only promote various means for users to interact with websites throughWeb browsers, but also pose serious security threats to both users and websites. On top of this, obfuscation has become a popular technique among malicious JavaScript code that tries to hide its malicious purpose and to evade the detection of anti-virus software. To defend against obfuscated malicious JavaScript code, in this paper we propose a mostly static approach called JStill. JStill captures some essential characteristics of obfuscated malicious code by function invocation based analysis. It also leverages the combination of static analysis and lightweight runtime inspection so that it can not only detect, but also prevent the execution of the obfuscated malicious JavaScript code in browsers. Our evaluation based on real-world malicious JavaScript samples as well as Alexa top 50,000 websites demonstrates high detection accuracy (all in our experiment) and low false positives of JStill. Meanwhile, JStill only incurs negligible performance overhead, making it a practical solution to preventing obfuscated malicious JavaScript code.

UR - http://www.scopus.com/inward/record.url?scp=84874870332&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84874870332&partnerID=8YFLogxK

U2 - 10.1145/2435349.2435364

DO - 10.1145/2435349.2435364

M3 - Conference contribution

AN - SCOPUS:84874870332

SN - 9781450318907

T3 - CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy

SP - 117

EP - 128

BT - CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy

ER -

Xu W, Zhang F, Zhu S. JStill: Mostly static detection of obfuscated malicious javascript code. In CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy. 2013. p. 117-128. (CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy). https://doi.org/10.1145/2435349.2435364