{"title":"Detecting Obfuscated JavaScript Malware Using Sequences of Internal Function Calls","authors":"A. Gorji, M. Abadi","doi":"10.1145/2638404.2737181","DOIUrl":null,"url":null,"abstract":"Web browsers are often used as a popular means for compromising Internet hosts. An attacker may inject a JavaScript malware into a web page. When a victim visits this page, the malware is executed and attempts to exploit a specific browser vulnerability or download an unwanted program. Obfuscated JavaScript malware can easily evade signature-based detection by changing the appearance of JavaScript code. To address this problem, some previous studies have used static analysis in which some features are extracted from both benign and malicious web pages, and then a classifier is trained to distinguish between them. Because nowadays benign JavaScript code is often obfuscated, static analysis techniques generate many false alarms. In this paper, we use dynamic analysis to monitor a web page for detecting obfuscated JavaScript malware. We first load a set of malicious web pages in a real web browser and collect a sequence of predictive function calls using internal function debugging for each of them. We then group similar sequences into the same cluster based on the normalized Levenshtein distance (NLD) metric and generate a so-called behavioral signature for each cluster. A web page is detected as malicious only if the sequence of its intercepted function calls is matched with at least one generated behavioral signature. 
Our evaluation results show that the generated behavioral signatures are able to detect obfuscated JavaScript malware with a low false alarm rate.","PeriodicalId":91384,"journal":{"name":"Proceedings of the 2014 ACM Southeast Regional Conference","volume":"121 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2014-03-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"16","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2014 ACM Southeast Regional Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2638404.2737181","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 16