TY - GEN
T1 - JStill
T2 - 3rd ACM Conference on Data and Application Security and Privacy, CODASPY 2013
AU - Xu, Wei
AU - Zhang, Fangfang
AU - Zhu, Sencun
PY - 2013
Y1 - 2013
N2 - The dynamic features of the JavaScript language not only promote various means for users to interact with websites throughWeb browsers, but also pose serious security threats to both users and websites. On top of this, obfuscation has become a popular technique among malicious JavaScript code that tries to hide its malicious purpose and to evade the detection of anti-virus software. To defend against obfuscated malicious JavaScript code, in this paper we propose a mostly static approach called JStill. JStill captures some essential characteristics of obfuscated malicious code by function invocation based analysis. It also leverages the combination of static analysis and lightweight runtime inspection so that it can not only detect, but also prevent the execution of the obfuscated malicious JavaScript code in browsers. Our evaluation based on real-world malicious JavaScript samples as well as Alexa top 50,000 websites demonstrates high detection accuracy (all in our experiment) and low false positives of JStill. Meanwhile, JStill only incurs negligible performance overhead, making it a practical solution to preventing obfuscated malicious JavaScript code.
AB - The dynamic features of the JavaScript language not only promote various means for users to interact with websites throughWeb browsers, but also pose serious security threats to both users and websites. On top of this, obfuscation has become a popular technique among malicious JavaScript code that tries to hide its malicious purpose and to evade the detection of anti-virus software. To defend against obfuscated malicious JavaScript code, in this paper we propose a mostly static approach called JStill. JStill captures some essential characteristics of obfuscated malicious code by function invocation based analysis. It also leverages the combination of static analysis and lightweight runtime inspection so that it can not only detect, but also prevent the execution of the obfuscated malicious JavaScript code in browsers. Our evaluation based on real-world malicious JavaScript samples as well as Alexa top 50,000 websites demonstrates high detection accuracy (all in our experiment) and low false positives of JStill. Meanwhile, JStill only incurs negligible performance overhead, making it a practical solution to preventing obfuscated malicious JavaScript code.
UR - http://www.scopus.com/inward/record.url?scp=84874870332&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84874870332&partnerID=8YFLogxK
U2 - 10.1145/2435349.2435364
DO - 10.1145/2435349.2435364
M3 - Conference contribution
AN - SCOPUS:84874870332
SN - 9781450318907
T3 - CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy
SP - 117
EP - 128
BT - CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy
Y2 - 18 February 2013 through 20 February 2013
ER -