Please use this identifier to cite or link to this item:
Publication type: Conference paper
Type of review: Peer review (publication)
Title: Detecting obfuscated JavaScripts using machine learning
Authors: Aebersold, Simon
Kryszczuk, Krzysztof
Paganoni, Sergio
Tellenbach, Bernhard
Trowbridge, Timothy
DOI: 10.21256/zhaw-3848
Proceedings: ICIMP 2016 the Eleventh International Conference on Internet Monitoring and Protection : May 22-26, 2016, Valencia, Spain
Volume(Issue): 1
Page(s): 11
Pages to: 17
Conference details: ICIMP 2016 the Eleventh International Conference on Internet Monitoring and Protection, Valencia, Spain, 22-26 May 2016
Issue Date: 2016
Publisher / Ed. Institution: Curran Associates
Publisher / Ed. Institution: Red Hook
ISBN: 978-1-61208-475-6
ISSN: 2308-3980
Language: English
Subjects: Obfuscated JavaScript; Detection; Malicious JavaScript; Machine learning
Subject (DDC): 006: Special computer methods
Abstract: JavaScript is a common attack vector for attacking browsers, browser plug-ins, email clients and other JavaScript enabled applications. Malicious JavaScripts redirect victims to exploit kits, probe for known vulnerabilities to select a fitting exploit or manipulate the Document Object Model (DOM) of a web page in a harmful way. Malicious JavaScript code is often obfuscated in order to make it hard to detect using signature-based approaches. Since the only other reason to use obfuscation is to protect intellectual property, the share of scripts which are both benign and obfuscated is quite low, and could easily be captured with a whitelist. A detector that can reliably detect obfuscated JavaScripts would therefore be a valuable tool in fighting malicious JavaScripts. In this paper, we present a method for automatic detection of obfuscated JavaScript using a machine-learning approach. Using a dataset of regular, minified and obfuscated samples from a content delivery network and the Alexa top 500 websites, we show that it is possible to distinguish between obfuscated and non-obfuscated scripts with precision and recall around 99%. We also introduce a novel set of features, which help detect obfuscation in JavaScripts. Our results presented here shed additional light on the problem of distinguishing between malicious and benign scripts.
Fulltext version: Published version
License (according to publishing contract): Not specified
Departement: School of Engineering
Organisational Unit: Institute of Applied Information Technology (InIT)
Appears in collections:Publikationen School of Engineering

Files in This Item:
File Description SizeFormat 
sec_v9_n34_2016_10.pdf324.04 kBAdobe PDFThumbnail

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.