Automatic Simplification of Obfuscated JavaScript Code: A Semantics-Based Approach

Lu, Gen; Debray, Saumya

doi:10.1109/sere.2012.13

Cited by 29 publications

(28 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In order to face this problem, researchers have recently started to consider semantic approaches to malware detection in order to deal with metamorphism, i.e., obfuscation, (e.g., see [9,11,16,29,[26][27][28]32]). …”

Section: Related Workmentioning

confidence: 99%

Unveiling metamorphism by abstract interpretation of code properties

Preda

Giacobazzi

Debray

2015

Theoretical Computer Science

Self Cite

View full text Add to dashboard Cite

interpretation Program semantics Metamorphic malware detection Self-modifying programs Metamorphic code includes self-modifying semantics-preserving transformations to exploit code diversification. The impact of metamorphism is growing in security and code protection technologies, both for preventing malicious host attacks, e.g., in software diversification for IP and integrity protection, and in malicious software attacks, e.g., in metamorphic malware self-modifying their own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extracting metamorphic signatures from metamorphic code. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics. In particular, we introduce the notion of regular metamorphism, where the invariants of the phase semantics can be modeled as finite state automata representing the code structure of all possible metamorphic change of a metamorphic code, and we provide a static signature extraction algorithm for metamorphic code where metamorphic signatures are approximated in regular metamorphism.

show abstract

Section: Related Workmentioning

confidence: 99%

Unveiling metamorphism by abstract interpretation of code properties

Preda

Giacobazzi

Debray

2015

Theoretical Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the following subsections, we briefly discuss the major obfuscation techniques being used in wild [7].…”

Section: A Javascript Obfuscation Techniquesmentioning

confidence: 99%

JSObfusDetector: A binary PSO-based one-class classifier ensemble to detect obfuscated JavaScript code

Jodavi

Abadi

Parhizkar

2015

2015 the International Symposium on Artificial Intelligence and Signal Processing (AISP)

View full text Add to dashboard Cite

JavaScript code obfuscation has become a major technique used by malware writers to evade static analysis techniques. Over the past years, a number of dynamic analysis techniques have been proposed to detect obfuscated malicious JavaScript code at runtime. However, because of their runtime overheads, these techniques are slow and thus not widely used in practice. On the other hand, since a large quantity of benign JavaScript code is obfuscated to protect intellectual property, it is not effective to use the intrinsic features of obfuscated JavaScript code for static analysis purposes. Therefore, we are forced to distinguish between obfuscated and non-obfuscated JavaScript code so that we can devise an efficient and effective analysis technique to detect malicious JavaScript code. In this paper, we address this issue by presenting JSObfusDetector, a novel oneclass classifier ensemble to detect obfuscated JavaScript code. To construct the classifier ensemble, we apply a binary particle swarm optimization (PSO) algorithm, called ParticlePruner, on an initial ensemble of one-class SVM classifiers to find a subensemble whose members are both accurate and have diversity in their outputs. We evaluate JSObfusDetector using a dataset of obfuscated and non-obfuscated JavaScript code. The experimental results show that JSObfusDetector can achieve about 97% precision, 91% recall, and 94% F-measure.

show abstract

“…They also found that 71% of malicious JavaScript files are obfuscated while 30% of them use at least two types of obfuscation. By collecting bytecode execution paths from the analysed file, applying dynamic slicing and code transformations, the authors in [14] have managed to create a system that is able to deobfuscate several layers of the target program.…”

Section: Related Workmentioning

confidence: 99%

A Practical Guide for Detecting the Java Script-Based Malware Using Hidden Markov Models and Linear Classifiers

Cosovan¹,

Benchea²,

Gavriluţ³

2014

2014 16th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing

View full text Add to dashboard Cite

The World Wide Web evolved so rapidly that it is no longer considered a luxury, but a necessity. That is why currently the most popular infection vectors used by cybercriminals are either web pages or commonly used documents (such as pdf files). In both of these cases, the malicious actions performed are written in JavaScript. Because of this, JavaScript has become the preferred language for spreading malware. In order to be able to stop malicious content from executing, detection of its infection vector is crucial. In this paper we propose various methods for detecting JavaScript-based attack vectors.For achieving our goal we first need to fight metamorphism techniques usually used in JavaScript malicious code, which are by no means trivial: garbage instruction insertion, variable renaming, equivalent instruction substitution, function permutation, instruction reordering, and so on. Our approach to deal with metamorphism starts with splitting the JavaScript content in components and filtering the insignificant ones. We then use a data set, consisting in over one million JavaScript files in order to test several machine learning algorithms such as Hidden Markov Models, linear classifiers and hybrid approaches for malware detection.Finally, we analyze these detection methods from a practical point of view, emphasizing the need for a very low false positive rate and the ability to be trained on large datasets.

show abstract

Automatic Simplification of Obfuscated JavaScript Code: A Semantics-Based Approach

Cited by 29 publications

References 12 publications

Unveiling metamorphism by abstract interpretation of code properties

Unveiling metamorphism by abstract interpretation of code properties

JSObfusDetector: A binary PSO-based one-class classifier ensemble to detect obfuscated JavaScript code

A Practical Guide for Detecting the Java Script-Based Malware Using Hidden Markov Models and Linear Classifiers

Contact Info

Product

Resources

About