A simple client-side defense against environment-dependent web-based malware

2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE) Pub Date : 2013-10-01 DOI:10.1109/MALWARE.2013.6703694

Gen Lu, Karan Chadha, S. Debray

{"title":"A simple client-side defense against environment-dependent web-based malware","authors":"Gen Lu, Karan Chadha, S. Debray","doi":"10.1109/MALWARE.2013.6703694","DOIUrl":null,"url":null,"abstract":"Web-based malware tend to be environment-dependent, which poses a significant challenge on defending web-based attacks, because the malicious code - which may be exposed and activated only under specific environmental conditions such as the version of the browser - may not be triggered during analysis. This paper proposes a simple approach for defending environment-dependent malware. Instead of increasing analysis coverage in detector, the goal of this technique is to ensure that the client will take the same execution path as the one examined by the detector. This technique is designed to work alongside a detector, it can handle cases existing multi-path exploration techniques are incapable of, and provides an efficient way to identify discrepancies in a JavaScript program's execution behavior in a user's environment compared to its behavior in a sandboxed detector, thereby detecting false negatives that may have been caused by environment dependencies. Experiment shows that this technique can effectively detect environment-dependent behavior discrepancy of various forms, including those seen in real malware.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"4 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MALWARE.2013.6703694","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

Web-based malware tend to be environment-dependent, which poses a significant challenge on defending web-based attacks, because the malicious code - which may be exposed and activated only under specific environmental conditions such as the version of the browser - may not be triggered during analysis. This paper proposes a simple approach for defending environment-dependent malware. Instead of increasing analysis coverage in detector, the goal of this technique is to ensure that the client will take the same execution path as the one examined by the detector. This technique is designed to work alongside a detector, it can handle cases existing multi-path exploration techniques are incapable of, and provides an efficient way to identify discrepancies in a JavaScript program's execution behavior in a user's environment compared to its behavior in a sandboxed detector, thereby detecting false negatives that may have been caused by environment dependencies. Experiment shows that this technique can effectively detect environment-dependent behavior discrepancy of various forms, including those seen in real malware.

查看原文本刊更多论文

针对依赖于环境的基于web的恶意软件的简单客户端防御

基于web的恶意软件往往依赖于环境，这对防御基于web的攻击提出了重大挑战，因为恶意代码可能仅在特定的环境条件下(如浏览器的版本)才会暴露和激活，而在分析期间可能不会触发。本文提出了一种防御依赖于环境的恶意软件的简单方法。这种技术的目标不是增加检测器中的分析覆盖率，而是确保客户机将采用与检测器检查的相同的执行路径。该技术被设计为与检测器一起工作，它可以处理现有多路径探索技术无法处理的情况，并提供了一种有效的方法来识别JavaScript程序在用户环境中的执行行为与在沙盒检测器中的行为之间的差异，从而检测可能由环境依赖性引起的假阴性。实验表明，该技术可以有效检测各种形式的环境依赖行为差异，包括真实恶意软件中的行为差异。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE)

自引率

0.00%

发文量