Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild
Authors: Marvin Moog, M. Demmel, M. Backes, Aurore Fass
Venue: 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Publication date: 2021-06-01
DOI: 10.1109/DSN48987.2021.00065 (https://doi.org/10.1109/DSN48987.2021.00065)
Citations: 7
Abstract
JavaScript is both a popular client-side programming language and an attack vector. While malware developers transform their JavaScript code to hide its malicious intent and impede detection, well-intentioned developers also transform their code to, e.g., optimize website performance. In this paper, we conduct an in-depth study of code transformations in the wild. Specifically, we perform a static analysis of JavaScript files to build their Abstract Syntax Tree (AST), which we extend with control and data flows. Subsequently, we define two classifiers, benefitting from AST-based features, to detect transformed samples along with specific transformation techniques. Besides malicious samples, we find that transforming code is increasingly popular on Node.js libraries and client-side JavaScript, with, e.g., 90% of Alexa Top 10k websites containing a transformed script. This way, code transformations are no indicator of maliciousness. Finally, we showcase that benign code transformation techniques and their frequency both differ from the prevalent malicious ones.