JSForce: A Forced Execution Engine for Malicious JavaScript Detection
JSForce: A Forced Execution Engine for Malicious JavaScript Detection
The drastic increase of JavaScript exploitation attacks has led to a strong interest in developing techniques to enable malicious JavaScript analysis. Existing analysis tech- niques fall into two general categories: static analysis and dynamic analysis. Static analysis tends to produce inaccurate results (both false positive and false negative) and is vulnerable to a wide series of obfuscation techniques. Thus, dynamic analysis is constantly gaining popularity for exposing the typical features of malicious JavaScript. However, existing dynamic analysis techniques possess limitations such as limited code coverage and incomplete environment setup, leaving a broad attack surface for evading the detection. To overcome these limitations, we present the design and implementation of a novel JavaScript forced execution engine named JSForce which drives an arbitrary JavaScript snippet to execute along different paths without any input or environment setup. We evaluate JSForce using 220,587 HTML and 23,509 PDF real- world samples. Experimental results show that by adopting our forced execution engine, the malicious JavaScript detection rate can be substantially boosted by 206.29% using same detection policy without any noticeable false positive increase. We also make JSForce publicly available as an online service and will release the source code to the security community upon the acceptance for publication.
15 pages,conference
- Singapore Management University Singapore
- University of California System United States
- University of California, San Francisco United States
- University of California, Riverside United States
- Syracuse University United States
FOS: Computer and information sciences, Computer Science - Cryptography and Security, Forced execution, Information Security, Malicious javascript, False positive and false negatives, Design and implementations, Detection rates, Dynamic analysis techniques, Execution engine, Analysis techniques, Cryptography and Security (cs.CR)
FOS: Computer and information sciences, Computer Science - Cryptography and Security, Forced execution, Information Security, Malicious javascript, False positive and false negatives, Design and implementations, Detection rates, Dynamic analysis techniques, Execution engine, Analysis techniques, Cryptography and Security (cs.CR)
selected citations These citations are derived from selected sources.This is an alternative to the "Influence" indicator, which also reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).13 popularity This indicator reflects the "current" impact/attention (the "hype") of an article in the research community at large, based on the underlying citation network.Top 10% influence This indicator reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).Top 10% impulse This indicator reflects the initial momentum of an article directly after its publication, based on the underlying citation network.Average
Citations provided by BIP!Popularity provided by BIP!