Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

7-2015

Abstract

Existing malicious JavaScript (JS) detection tools and commercial anti-virus tools mostly use feature-based or signature-based approaches to detect JS malware. These tools are weak in resistance to obfuscation and JS malware variants, not mentioning about providing detailed information of attack behaviors. Such limitations root in the incapability of capturing attack behaviors in these approches. In this paper, we propose to use Deterministic Finite Automaton (DFA) to abstract and summarize common behaviors of malicious JS of the same attack type. We propose an automatic behavior learning framework, named JS∗ , to learn DFA from dynamic execution traces of JS malware, where we implement an effective online teacher by combining data dependency analysis, defense rules and trace replay mechanism. We evaluate JS∗ using real world data of 10000 benign and 276 malicious JS samples to cover 8 most-infectious attack types. The results demonstrate the scalability and effectiveness of our approach in the malware detection and classification, compared with commercial anti-virus tools. We also show how to use our DFAs to detect variants and new attacks.

Keywords

malware detection, malicious JavaScript, L*, behavior modelling

Discipline

Programming Languages and Compilers | Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

Proceedings of the 2015 International Symposium on Software Testing and Analysis, Baltimore, USA, July 13-17

First Page

48

Last Page

59

ISBN

9781450336208

Identifier

10.1145/2771783.2771814

Publisher

ACM

City or Country

USA

Additional URL

https://doi.org/10.1145/2771783.2771814

Download

Share

COinS