Zozzle: Low-overhead Mostly Static JavaScript Malware Detection
(slides summarizing the paper of the same name by Charles Curtsinger, Benjamin Livshits, Benjamin Zorn and Christian Seifert, USENIX Security 2011)
Road Map
◦ Background
◦ Architecture and Evaluation
Heap Spraying
Create the NOP sled and shellcode
◦ Build the shellcode and prepend a block of NOP instructions (the NOP sled), so that execution landing anywhere in the sled slides into the shellcode.
Spray the NOP sled and shellcode
◦ Allocate many copies of the sled+shellcode block on the heap (in JavaScript, typically as large strings) so that a large share of heap addresses fall inside a sled, which raises the chance that a guessed address works.
Trigger the vulnerability
◦ Use a memory-corruption bug to redirect control flow to a heap address; hitting any sled leads to the shellcode.
Malware Cloaking
Generally, there are two ways to check JavaScript for malware:
◦ Signatures
◦ Machine learning
Both need the real source code. Attackers therefore cloak (obfuscate or pack) the malicious code, so the detector only ever sees the unpacker, not the exploit.
Architecture of Zozzle
Deobfuscate → Feature Extraction → Feature Selection → Classifier
◦ Training samples (labeled benign/malicious) feed the Bayesian classifier.
◦ Unknown JavaScript goes through the same pipeline and is labeled benign or malicious.
De-obfuscation
An exploit must unpack itself to run.
◦ That is, before an exploit can execute, its real source code has to be handed to the JavaScript engine.
Zozzle intercepts calls to the Compile function in the JavaScript engine, which is reached whenever
◦ eval() is called
◦ new code is included via a script tag
Because the hook sits at compile time, every unpacking stage is seen in the clear, whatever obfuscation was applied to it.
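To make the compile-time interception concrete, here is an added example (not Zozzle's code, which hooks the engine itself in native code). It is a user-land stand-in that wraps the two language-level entry points that turn a string into code, eval() and the Function constructor, records every stage that reaches them, and then runs a constructed two-stage packer to show that each unpacked stage is visible before it executes. The packer, its payload and all names below are constructed for the example.

```javascript
// Added example, not Zozzle's code. Zozzle hooks the compile path inside
// the JavaScript engine; this user-land stand-in wraps the two language-level
// entry points that turn a string into code, eval() and Function(), so each
// unpacked stage is recorded before it runs.
const nativeEval = globalThis.eval;        // taken before any hook is installed
const unpackedStages = [];

function installCompileHooks(scope) {
  const realEval = scope.eval;
  const RealFunction = scope.Function;
  scope.eval = function hookedEval(src) {
    if (typeof src === 'string') unpackedStages.push(src);
    return realEval(src);                  // indirect eval: runs in global scope
  };
  scope.Function = function hookedFunction(...args) {
    // The function body is always the last argument of Function(...).
    if (args.length) unpackedStages.push(String(args[args.length - 1]));
    return RealFunction(...args);
  };
  return () => { scope.eval = realEval; scope.Function = RealFunction; };
}

// Run a packed script with the hooks in place and return every stage that
// reached the "compiler", outermost first, innermost (the real payload) last.
function unpackAndRecord(packedSource) {
  const restore = installCompileHooks(globalThis);
  try {
    nativeEval(packedSource);
  } finally {
    restore();                             // never leave the hooks behind
  }
  return unpackedStages.splice(0);
}

// Constructed two-stage packer (not a real sample). The payload is harmless
// text shaped like a heap spray: it only fills an array with a string.
const constructedPayload =
  'var nop = "\\u9090"; var spray = []; for (var i = 0; i < 100; i++) spray.push(nop);';
// Stage 1: the payload stored reversed, restored and eval'd at run time.
const constructedStage1 =
  'var r = ' + JSON.stringify([...constructedPayload].reverse().join('')) +
  '; eval(r.split("").reverse().join(""));';
// Stage 0 (what a page would ship): stage 1 encoded as character codes.
const constructedPacked =
  'var p = [' + [...constructedStage1].map(c => c.charCodeAt(0)).join(',') +
  ']; eval(String.fromCharCode.apply(null, p));';
```

Running unpackAndRecord(constructedPacked) yields two strings: stage 1 (the reversed-string loader) and the final payload, exactly the source a signature or classifier needs and exactly what a purely static look at stage 0 would never show. The same hook catches code created with new Function(...).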
Feature Extraction
Flat features vs. hierarchical features
◦ Flat feature: a piece of text from the source code on its own (e.g. the identifier shellcode).
◦ 1-level hierarchical feature: the text together with the type of its nearest enclosing AST node (e.g. shellcode inside a function declaration vs. shellcode inside a loop).
◦ n-level hierarchical feature: the text together with n levels of enclosing AST context.
Features are read off the abstract syntax tree, so the two slide fragments below give different features even though they share the token shellcode:
◦ function f(){ shellcode… … }
◦ for(i=0; i<5000;i++){ … …Shellcode… ⋯ }
Feature Selection
Zozzle keeps only the features that are most likely to be predictive.
◦ For each candidate feature it builds the 2×2 table of feature present/absent against label malicious/benign and applies a χ² test of correlation: χ² = N(AD - BC)² / ((A+B)(C+D)(A+C)(B+D)), where A and B count malicious and benign samples containing the feature, C and D those lacking it, and N = A+B+C+D.
◦ Features whose χ² falls below a fixed threshold are discarded, which keeps the classifier small and fast.
Classifier Training
Zozzle uses a naïve Bayes classifier, chosen for its simplicity and efficiency.
◦ For labels L_i ∈ {Benign, Malicious} and selected features F_1 … F_n, the classifier scores P(L_i | F_1, …, F_n) ∝ P(L_i) · ∏_k P(F_k | L_i), assuming the features are conditionally independent given the label.
Open question from the slide: how to calculate P(F_k | L_i) from the training set (the usual answer is the fraction of class-L_i training samples that contain F_k, smoothed so an unseen feature does not produce a zero probability).
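The three slides above (feature extraction, χ² selection, naïve Bayes training) describe one pipeline, so here is one added example that runs it end to end. It is not Zozzle's code: Zozzle reads features off the JavaScript engine's real AST, whereas this stand-in approximates 1-level hierarchical features with a regex tokenizer and a stack of enclosing contexts (script, function, loop, try). The training corpus is constructed; the malicious samples follow the heap-spray pattern from the Background slide, the benign ones are ordinary page scripts. The χ² cut-off is a parameter because the paper's own cut-off of 10.83 (p < 0.001) cannot be reached with six samples. P(F_k | L_i) is estimated with add-one smoothing, and absent features contribute 1 - P(F_k | L_i) (Bernoulli naïve Bayes), which is a design choice of this example.

```javascript
// Added example, not Zozzle's code. Zozzle takes its features from the
// JavaScript engine's AST; this stand-in approximates 1-level hierarchical
// features with a regex tokenizer plus a context stack, so a feature reads
// "<nearest enclosing context>:<token text>", e.g. "loop:shellcode".
const CONTEXT_OF = new Map([
  ['function', 'function'], ['for', 'loop'], ['while', 'loop'], ['try', 'try'],
]);

function extractFeatures(source) {
  const tokens = source.match(/[A-Za-z_$][\w$]*|\d[\w.]*|"[^"]*"|'[^']*'|[{}]/g) || [];
  const stack = ['script'];
  let pending = null;               // context keyword whose "{" has not opened yet
  const features = new Set();
  for (const tok of tokens) {
    if (tok === '{') { stack.push(pending || stack[stack.length - 1]); pending = null; continue; }
    if (tok === '}') { if (stack.length > 1) stack.pop(); continue; }
    if (/^\d/.test(tok)) continue;  // numeric literals are dropped in this approximation
    if (CONTEXT_OF.has(tok)) { pending = CONTEXT_OF.get(tok); continue; }
    const text = /^["']/.test(tok) ? tok.slice(1, -1) : tok;   // string literal -> its contents
    features.add(`${stack[stack.length - 1]}:${text}`);
  }
  return features;
}

// Feature selection: chi-squared on the 2x2 table of feature presence against
// label. The paper keeps features with chi^2 >= 10.83 (p < 0.001); with six
// training samples the largest reachable value is 6, so the cut-off is a parameter.
function selectFeatures(samples, threshold) {
  const n = samples.length;
  const nMal = samples.filter(s => s.malicious).length;
  const nBen = n - nMal;
  const counts = new Map();         // feature -> [malicious samples with it, benign samples with it]
  for (const s of samples) {
    for (const f of s.features) {
      const c = counts.get(f) || [0, 0];
      c[s.malicious ? 0 : 1] += 1;
      counts.set(f, c);
    }
  }
  const selected = new Map();       // feature -> chi^2
  for (const [f, [a, b]] of counts) {
    const c = nMal - a, d = nBen - b;   // samples of each class lacking the feature
    const chi2 = n * (a * d - b * c) ** 2 / ((a + b) * (c + d) * (a + c) * (b + d));
    if (chi2 >= threshold) selected.set(f, chi2);   // NaN (feature in every sample) is never kept
  }
  return selected;
}

// Classifier training: P(F_k | L_i) is the fraction of class-L_i samples that
// contain F_k, with add-one (Laplace) smoothing so a feature never seen in one
// class cannot zero out that class at classification time.
function trainNaiveBayes(samples, selected) {
  const model = { prior: {}, cond: {} };
  for (const label of ['malicious', 'benign']) {
    const group = samples.filter(s => s.malicious === (label === 'malicious'));
    model.prior[label] = group.length / samples.length;
    model.cond[label] = new Map();
    for (const f of selected.keys()) {
      const withF = group.filter(s => s.features.has(f)).length;
      model.cond[label].set(f, (withF + 1) / (group.length + 2));
    }
  }
  return model;
}

// Classification: P(L_i | F) is proportional to P(L_i) * prod_k P(F_k | L_i) over the
// selected features; an absent feature contributes 1 - P(F_k | L_i). Done in log space.
function classify(model, source) {
  const features = extractFeatures(source);
  const logScore = {};
  for (const label of ['malicious', 'benign']) {
    let lp = Math.log(model.prior[label]);
    for (const [f, p] of model.cond[label]) lp += Math.log(features.has(f) ? p : 1 - p);
    logScore[label] = lp;
  }
  const pMalicious = 1 / (1 + Math.exp(logScore.benign - logScore.malicious));
  return { label: pMalicious > 0.5 ? 'malicious' : 'benign', pMalicious };
}

// Constructed training corpus (not real samples): the malicious ones follow the
// heap-spray pattern from the Background slide, the benign ones are page scripts.
const trainingCorpus = [
  { malicious: true,  source: 'var shellcode = unescape("%u9090"); var spray = []; for (var i = 0; i < 1000; i++) { spray.push(shellcode); }' },
  { malicious: true,  source: 'var shellcode = unescape("%u9090%u9090"); function sploit() { var payload = shellcode; while (payload.length < 0x100000) { payload += shellcode; } }' },
  { malicious: true,  source: 'var shellcode = unescape("%u9090"); var heap = []; for (var j = 0; j < 500; j++) { heap[j] = shellcode + shellcode; }' },
  { malicious: false, source: 'function add(a, b) { return a + b; } var total = add(1, 2);' },
  { malicious: false, source: 'for (var i = 0; i < items.length; i++) { render(items[i]); }' },
  { malicious: false, source: 'function init() { document.getElementById("menu").addEventListener("click", toggle); }' },
];
const samples = trainingCorpus.map(s => ({ ...s, features: extractFeatures(s.source) }));
const selectedFeatures = selectFeatures(samples, 4.0);   // keeps script:shellcode, script:unescape, loop:shellcode
const model = trainNaiveBayes(samples, selectedFeatures);
```

With this corpus the χ² step keeps exactly three features, all with χ² = 6: script:shellcode, script:unescape and loop:shellcode; script:var, which appears in five of the six samples, scores only 1.2 and is dropped. The hierarchy matters here: a flat feature unescape would be indistinguishable from a benign script that calls unescape inside a function, while the context-qualified feature is not. Classifying a new spray loop that defines shellcode at top level and pushes it inside a loop gives P(malicious) = 64/65; a script with only two of the three selected features gives 0.8; an ordinary helper function scores 1/65.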
Evaluation: Features & Throughput (chart only on the original slide)
Evaluation: Feature Extraction Accuracy, and False Positives & False Negatives per Feature (charts only on the original slide)
Evaluation: Comparison With Other Detectors (chart only on the original slide)
Questions