Automatic Detection for JavaScript Obfuscation Attacks in Web Pages through String Pattern Analysis

Authors:
Younghan Choi;Taeghyoon Kim;Seokjin Choi;Cheolwon Lee
Affiliations:
The Attached Institute of ETRI, Daejeon, South Korea 305-700;The Attached Institute of ETRI, Daejeon, South Korea 305-700;The Attached Institute of ETRI, Daejeon, South Korea 305-700;The Attached Institute of ETRI, Daejeon, South Korea 305-700
Venue:
FGIT '09 Proceedings of the 1st International Conference on Future Generation Information Technology
Year:
2009

Citing 5
Cited 3

Detecting Malicious JavaScript Code in Mozilla

ICECCS '05 Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems
A taxonomy of JavaScript redirection spam

AIRWeb '07 Proceedings of the 3rd international workshop on Adversarial information retrieval on the web
The ghost in the browser analysis of web-based malware

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Static detection of cross-site scripting vulnerabilities

Proceedings of the 30th international conference on Software engineering
Spectator: detection and containment of JavaScript worms

ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference

JStill: mostly static detection of obfuscated malicious JavaScript code

Proceedings of the third ACM conference on Data and application security and privacy
Development the method of detection the malicious pages interconnection in the internet

Proceedings of the 6th International Conference on Security of Information and Networks
Anatomy of drive-by download attack

AISC '13 Proceedings of the Eleventh Australasian Information Security Conference - Volume 138

Quantified Score

Hi-index	0.00

Visualization

Abstract

Recently, most of malicious web pages include obfuscated codes in order to circumvent the detection of signature-based detection systems. It is difficult to decide whether the sting is obfuscated because the shape of obfuscated strings are changed continuously. In this paper, we propose a novel methodology that can detect obfuscated strings in the malicious web pages. We extracted three metrics as rules for detecting obfuscated strings by analyzing patterns of normal and malicious JavaScript codes. They are N-gram , Entropy , and Word Size . N-gram checks how many each byte code is used in strings. Entropy checks distributed of used byte codes. Word size checks whether there is used very long string. Based on the metrics, we implemented a practical tool for our methodology and evaluated it using read malicious web pages. The experiment results showed that our methodology can detect obfuscated strings in web pages effectively.