Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast and Precise In-Browser JavaScript Malware Detection

Published byElena Wilgus Modified over 9 years ago

Similar presentations

Presentation on theme: "Fast and Precise In-Browser JavaScript Malware Detection"— Presentation transcript:

1 Fast and Precise In-Browser JavaScript Malware Detection
ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection

2 What is the Problem? JavaScript allows authors to run any code when a user visits a web page JS-based malware attacks are the majority of successful mass-scale exploitation Malware is easy to hide: self-generating code that produces more code to run JS severs important functionality for many sites In-browser solutions have not been fully accepted because of the performance hit Browsers use offline scanning to check URLs but there are too many sites and malware typically comes and goes frequently

3 Challenges Performance Accuracy Obfuscated malware Malware transience
Detection is not fast enough to be used in a browser Accuracy False positive rates of 5% is acceptable for static analysis tools but is over 100x what is acceptable for in-browser detection Obfuscated malware Most JavaScript code is frequently obfuscated so purely static detection is generally ineffective Ex. eval, document.write generate code at runtime that is difficult to pattern-match Malware transience Offline-only scanning is not effective because web malware “infects fast and dies young” Nearly 20% of malicious URLs were gone after 1 day

4 To increase the changes to successful exploitation, multiple exploits often exist within the same page eval, <iframe>, <script> unfolding reveals obfuscated code, but depth is not a good indicator Used by JavaScript libraries to save space through client-side code generation Used as weak copy protection to avoid code piracy

5 Solution : Zozzle Performance Accuracy De-obfuscation
AST-based detection is fast and scalable Fast classification: throughput at over 1 MB of JavaScript code per second Accuracy AST-based detection uses hierarchical (context-sensitive) features more precise than text-based Low false positive rate: % (< 1 in 1/4 million) De-obfuscation Uses JavaScript engine of a browser to expose obfuscation and get the final, expanded version of JavaScript code

6 What Is Zozzle? A highly precise, mostly static detector for malware written in JavaScript suitable for in- browser deployment 3 Steps: JavaScript context collection and labeling as benign or malicious Feature extraction and training of a naïve Bayesian classifier Applying the classifier to a new JavaScript context to determine if it is benign or malicious

7 Zozzle: How It Works JavaScript runtime engine exposes attempts to obscure malware JS code is unfolded to just before it’s executed Intercept calls to compile() in the JavaScript engine It’s invoked when eval is called and whenever new code is included with an <iframe> or <script> tag Observe JS code at each level of its unpacking just before it's executed by the engine.

8 How It Works cont. A static classifier trained with a context-sensitive AST (abstract syntax tree) and a collection of labeled malware samples analyzes JS Nozzle runtime detector dynamically crawls millions of URLs and collects sample malware by observing the behavior of running JS code Tries to avoid transience and cloaking by scanning a wide range of URLs

9 Benign vs. Malicious Samples

Download ppt "Fast and Precise In-Browser JavaScript Malware Detection"

Similar presentations

Rozzle De-Cloaking Internet Malware Presenter: Yinzhi Cao Slides by Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft.

Rozzle De-Cloaking Internet Malware Presenter: Yinzhi Cao Slides by Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Hulk: Eliciting Malicious Behavior in Browser Extensions

Hulk: Eliciting Malicious Behavior in Browser Extensions
Understanding and Detecting Malicious Web Advertising

Understanding and Detecting Malicious Web Advertising
Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.

Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.
6/16/20151 Recent Results in Automatic Web Resource Discovery Soumen Chakrabartiv Presentation by Cui Tao.

6/16/20151 Recent Results in Automatic Web Resource Discovery Soumen Chakrabartiv Presentation by Cui Tao.
Automatic Discovery and Classification of search interface to the Hidden Web Dean Lee and Richard Sia Dec 2 nd 2003.

Automatic Discovery and Classification of search interface to the Hidden Web Dean Lee and Richard Sia Dec 2 nd 2003.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
HTML Recall that HTML is static in that it describes how a page is to be displayed, but it doesn’t provide for interaction or animation. A page created.

HTML Recall that HTML is static in that it describes how a page is to be displayed, but it doesn’t provide for interaction or animation. A page created.
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
CISC 879 - Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:

CISC Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:

Similar presentations

Ads by Google