论文信息 - "NOFUS: Automatically Detecting" + String.fromCharCode(32) + "ObFuSCateD ".toLowerCase() + "JavaScript Code"

"NOFUS: Automatically Detecting" + String.fromCharCode(32) + "ObFuSCateD ".toLowerCase() + "JavaScript Code"

Obfuscation is applied to large quantities of benign and malicious JavaScript throughout the web. In situations where JavaScript source code is being submitted for widespread use, such as in a gallery of browser extensions (e.g., Firefox), it is valuable to require that the code submitted is not obfuscated and to check for that property. In this paper, we describe NOFUS, a static, automatic classifier that distinguishes obfuscated and non-obfuscated JavaScript with high precision. Using a collection of examples of both obfuscated and non-obfuscated JavaScript, we train NOFUS to distinguish between the two and show that the classifier has both a low false positive rate (about 1%) and low false negative rate (about 5%). Applying NOFUS to collections of deployed JavaScript, we show it correctly identifies obfuscated JavaScript files from Alexa top 50 websites. While prior work conflates obfuscation with maliciousness (assuming that detecting obfuscation implies maliciousness), we show that the correlation is weak. Yes, much malware is hidden using obfuscation, but so is benign JavaScript. Further, applying NOFUS to known JavaScript malware, we show our classifier finds 15% of the files are unobfuscated, showing that not all malware is obfuscated.

[1] Caffeine Monkey: Automated Collection, Detection and Analysis of Malicious JavaScript , 2007 .

[2] Sorin Lerner,et al. Staged information flow for javascript , 2009, PLDI '09.

[3] Benjamin Livshits,et al. GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code , 2009, USENIX Security Symposium.

[4] Benjamin Livshits,et al. NOZZLE: A Defense Against Heap-spraying Code Injection Attacks , 2009, USENIX Security Symposium.

[5] YoungHan Choi,et al. Automatic Detection for JavaScript Obfuscation Attacks in Web Pages through String Pattern Analysis , 2009, FGIT.

[6] Byung-Ik Kim,et al. Suspicious Malicious Web Site Detection with Strength Analysis of a JavaScript Obfuscation , 2010 .

[7] Christopher Krügel,et al. Detection and analysis of drive-by-download attacks and malicious JavaScript code , 2010, WWW '10.

[8] Benjamin G. Zorn,et al. Zozzle: Low-overhead Mostly Static JavaScript Malware Detection , 2010 .

[9] Andreas Dewald,et al. Forschungsberichte der Fakultät IV – Elektrotechnik und Informatik C UJO : Efficient Detection and Prevention of Drive-by-Download Attacks , 2010 .

[10] Giovanni Vigna,et al. Prophiler: a fast filter for the large-scale detection of malicious web pages , 2011, WWW.