Abstract
Recently, most malicious web pages include obfuscated code in order to circumvent signature-based detection systems. It is difficult to decide whether a string is obfuscated because the shape of obfuscated strings changes continuously. In this paper, we propose a novel methodology that can detect obfuscated strings in malicious web pages. By analyzing patterns of normal and malicious JavaScript code, we extracted three metrics as rules for detecting obfuscated strings: N-gram, Entropy, and Word Size. N-gram checks how many times each byte code is used in a string. Entropy checks the distribution of the byte codes used. Word Size checks whether a very long string is used. Based on these metrics, we implemented a practical tool for our methodology and evaluated it using real malicious web pages. The experimental results showed that our methodology can detect obfuscated strings in web pages effectively.
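The three metrics named in the abstract can be computed over the string literals of a script as follows. This is an added sketch, not the authors' tool: the thresholds, the "share of the four most common bytes" reading of the N-gram rule, and all function names are assumptions, since the abstract gives no values.

```python
import math
import re
from collections import Counter

# Assumed thresholds for illustration only; the abstract states no values.
MAX_WORD_SIZE = 350     # longest whitespace-free run tolerated
MIN_ENTROPY = 2.5       # bits per byte; lower means a very small alphabet
MAX_TOP4_SHARE = 0.8    # share of the string held by its 4 commonest bytes
MIN_LENGTH = 50         # short strings give unreliable statistics

# Single- or double-quoted JavaScript string literal, honouring backslash escapes.
STRING_LITERAL = re.compile(r'''(["'])((?:\\.|(?!\1)[^\\])*)\1''', re.S)

def metrics(s):
    data = s.encode("utf-8")
    hist = Counter(data)                      # 1-gram: count of each byte value
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in hist.values()) if n else 0.0
    top4 = sum(c for _, c in hist.most_common(4)) / n if n else 0.0
    word = max((len(w) for w in s.split()), default=0)
    return {"length": n, "entropy": entropy, "top4_share": top4, "word_size": word}

def reasons(m):
    out = []
    if m["word_size"] > MAX_WORD_SIZE:
        out.append("word_size")
    if m["length"] >= MIN_LENGTH:             # statistical rules need enough bytes
        if m["entropy"] < MIN_ENTROPY:
            out.append("entropy")
        if m["top4_share"] > MAX_TOP4_SHARE:
            out.append("ngram")
    return out

def scan(js_source):
    findings = []
    for match in STRING_LITERAL.finditer(js_source):
        literal = match.group(2)
        hit = reasons(metrics(literal))
        if hit:
            findings.append((match.start(), hit, literal[:24]))
    return findings

# Constructed sample input, not taken from the paper's data set.
SAMPLE = (
    'var msg = "Please enter a valid email address";\n'
    'var p = unescape("' + "%u9090%u9090" * 40 + '");\n'
)

if __name__ == "__main__":
    for offset, hit, preview in scan(SAMPLE):
        print(offset, hit, preview)
```

Thresholds like these have to be calibrated against a corpus of known-benign scripts before use, because minified libraries and embedded data URIs also produce long, low-variety strings.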
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Choi, Y., Kim, T., Choi, S., Lee, C. (2009). Automatic Detection for JavaScript Obfuscation Attacks in Web Pages through String Pattern Analysis. In: Lee, Yh., Kim, Th., Fang, Wc., Ślęzak, D. (eds) Future Generation Information Technology. FGIT 2009. Lecture Notes in Computer Science, vol 5899. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10509-8_19
DOI: https://doi.org/10.1007/978-3-642-10509-8_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10508-1
Online ISBN: 978-3-642-10509-8
eBook Packages: Computer Science, Computer Science (R0)