CS Colloquium | March 10, 2011

Non-Invasive Malicious Javascript Detection

EJ Jung, Computer Science, University of San Francisco, San Francisco, CA

Stevenson Hall 1300
11:00 AM - 11:50 AM

Malicious JavaScript detection is challenging in several ways. First, it is usually invisible to users, so it cannot be avoided by users’ vigilance. Second, it is often heavily obfuscated to bypass signature-based detection mechanisms and term-based classifiers such as the Bayesian classifier often used for spam detection. We have combined a web crawler for targeted collection of malicious JavaScript, a de-obfuscator that derives URLs from malicious JavaScript, and multiple classifiers into a comprehensive detection framework. Among the classifiers tested, the Support-Vector Machine showed the best performance. Given our test set from well-known malicious JavaScript repositories and high-traffic websites, our framework correctly detects around 90% of malicious JavaScript and 99.9% of good scripts. These results are published in Malware 2009, ACM DSMM '09, and ACM CCS '09 in the poster session. This detection rate is already useful in real-time detection, especially when blacklists are not up to date and static and dynamic analysis impose too much delay for web surfing. To improve the detection even further, we are currently building more detailed blacklists using our crawlers.