Obfuscated malicious javascript detection scheme using the feature based on divided URL

Abstract

On web application services, detecting obfuscated malicious JavaScript utilized for the attacks such as Drive-by-Download is an urgent demand. Obfuscation is a technique that modifies some elements of program codes and is used to evade the pattern matching of traditional anti-virus softwares. In particular, encode obfuscation is adopted in almost all malicious JavaScript codes as the most effective technique to hide their malicious intents. Therefore, many approaches focus on encode obfuscation to detect malicious JavaScript. However, we point out that malicious JavaScript obfuscated by the techniques except for encode obfuscation can easily evade those approaches. Motivated by the above, in this paper, we first investigated the malicious files that previous schemes cannot detect, and found that some files contain divided URL in their codes. In order to detect such JavaScript codes as malicious, we propose obfuscated malicious JavaScript detection scheme using the feature based on divided URL. We focus on the fact that the segments of URL are declared as variables and connected later. Our scheme stores variables and their contents in the dictionary type object and in the connection parts, verifies that malicious URL can be reconstructed. By the computer simulation with real dataset, we show that our scheme improves the detection effectiveness of the conventional scheme.