Detection and classification of malicious JavaScript via attack behavior modelling
Yinxing Xue, Junjie Wang, Yang Liu, Hao Xiao, Jun Sun, Mahinthan Chandramohan
Proceedings of the 2015 International Symposium on Software Testing and Analysis, published 2015-07-13
DOI: 10.1145/2771783.2771814 (https://doi.org/10.1145/2771783.2771814)
Citation count: 31 (Semantic Scholar record)
Existing malicious JavaScript (JS) detection tools and commercial anti-virus tools mostly use feature-based or signature-based approaches to detect JS malware. These tools are weak in resistance to obfuscation and JS malware variants, let alone in providing detailed information about attack behaviors. Such limitations stem from the inability of these approaches to capture attack behaviors. In this paper, we propose to use Deterministic Finite Automata (DFAs) to abstract and summarize the common behaviors of malicious JS of the same attack type. We propose an automatic behavior learning framework, named JS*, to learn DFAs from dynamic execution traces of JS malware, in which we implement an effective online teacher by combining data dependency analysis, defense rules and a trace replay mechanism. We evaluate JS* using real-world data of 10000 benign and 276 malicious JS samples covering the 8 most infectious attack types. The results demonstrate the scalability and effectiveness of our approach in malware detection and classification compared with commercial anti-virus tools. We also show how to use our DFAs to detect variants and new attacks.