The Real-Time Detection of the Malicious JavaScript

A Technique for Detecting Malicious Scripts in Real Time

  • Received : 2015.04.15
  • Accepted : 2015.06.11
  • Published : 2015.08.31

Abstract

JavaScript is a popular technique for making static HTML dynamic, and it has drawn more attention since the introduction of the HTML5 standard. As JavaScript's importance grows, attacks that use it (e.g., DDoS and information leakage through its functionality) become more dangerous. Because these attacks leave no trail, whether a piece of JavaScript is malicious must be decided from the code itself; and because the actual attack action takes place while the browser runs the code, its behavior must be analyzed in real time. For these reasons, a real-time technique for classifying and determining malicious JavaScript is needed. This paper proposes an analysis engine that meets these requirements. The engine performs static analysis using signature-based detection and dynamic analysis using behavior-based detection: static analysis detects malicious JavaScript code, whereas dynamic analysis detects the actions the JavaScript code performs.

JavaScript is a language frequently used to add dynamic functionality to static HTML documents, and it has received even more attention since the HTML5 standard was published. As the importance of JavaScript grows, attacks that use JavaScript (DDoS attacks, leakage of personal information, and so on) are becoming more threatening. Because such malicious JavaScript leaves no traces, whether it is malicious must be judged from the JavaScript code alone; and because the actual malicious action occurs when the JavaScript runs in the browser, that behavior must be analyzed in real time. For these reasons, this paper introduces an analysis engine that satisfies the requirements above. This analysis engine is a real-time analysis technique that detects malicious script code through signature-based static analysis and determines maliciousness by analyzing the script's behavior through behavior-based dynamic analysis.
