SEARCH

SEARCH BY CITATION

Keywords:

  • obfuscated JavaScript;
  • drive-by-download;
  • static analysis;
  • AST;
  • machine learning;
  • malicious code detection

ABSTRACT

JavaScript obfuscation is a deliberate act of making a script difficult to understand by concealing its purpose. The prevalent use of obfuscation techniques to hide malicious codes and to preserve copyrights of benign scripts resulted in (i) missing detection of malicious scripts that are obfuscated and (ii) raising false alarms due to the benign scripts that are obfuscated. Automatic detection of obfuscated JavaScript is generally undertaken by tackling the problem from the readability perspective. Recently, Microsoft research team analyzed different levels of context-based features to distinguish obfuscated malicious scripts from obfuscated benign ones. In this work, we raise the issue of existing readable versions of obfuscated scripts. Further, we discuss the challenges posed by readably obfuscated scripts against both JavaScript malware detectors and obfuscated scripts detectors. Therefore, we propose JavaScript Obfuscation Detector (JSOD), a completely static solution to detect obfuscated scripts including readable patterns. To evaluate JSOD, we compare it to the state-of-the-art approaches to detect obfuscated malicious and obfuscated benign script, namely, Zozzle and Nofus. Our experimental results demonstrate the importance to detect readably obfuscated scripts and their sophisticated variations. Furthermore, they also show the superiority of JSOD approach against all relevant solutions. Copyright © 2014 John Wiley & Sons, Ltd.