원문정보
초록
영어
The traditional static detection method for malicious JavaScript detection has high efficiency without the need of code executing, but it cannot detect new malicious script. While the dynamic method usually needs to execute code and extract features, which lead to low efficiency and highly difficulty. In this paper, we propose a half-dynamic detection method for classification, which can solve the problem of obfuscated malicious JavaScript. The proposed method starts with obtaining the intermediate-state machine code using the JavaScript interpreter to compile the JavaScript. After extracting the function calling sequence of machine code, the feature model of the sequence is built using N-gram. Then we use k-NN classifier for training and detecting the malicious script. N-gram can directly be used to statically analyze the sequence of the obfuscated JavaScript, but not available to recognize the maliciousness. Then N-gram on the call function sequence of the compiled machine code is proposed as an efficient half-dynamic malicious script detection method. Finally, the efficiency and effectiveness of the proposed method is demonstrated through the experiments.
목차
1. Introduction
2. Static JavaScript Obfuscation Classification Using N-gram and K-NN
2.1. N-gram Method
2.2. K-NN Classification Method
2.3. Direct Detection on JavaScript Code Obfuscation
3. Half-Dynamic Detection on Obfuscated Malicious JavaScript
3.1. JavaScript Machine code Generation
3.2. Detection Methodology and Results
4. Conclusions
Acknowledgements
References