Detecting Malicious Javascript in PDF through Document Instrumentation

Liu, Daiping; Wang, Haining; Stavrou, Angelos

doi:10.1109/dsn.2014.92

Cited by 52 publications

(26 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our proposed system uses an LSTM neural model for the language model instead of the n-gram model proposed by Shah [33]. Other papers which investigate the detection of malicious JavaScript include [26], [32], [35], [38], [39].…”

Section: Related Workmentioning

confidence: 99%

ScriptNet: Neural Static Analysis for Malicious JavaScript Detection

Stokes

Agrawal

McDonald

et al. 2019

MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM)

View full text Add to dashboard Cite

Malicious scripts are an important computer infection threat vector in the wild. For web-scale processing, static analysis offers substantial computing efficiencies. We propose the ScriptNet system for neural malicious JavaScript detection which is based on static analysis. We use the Convoluted Partitioning of Long Sequences (CPoLS) model, which processes Javascript files as byte sequences. Lower layers capture the sequential nature of these byte sequences while higher layers classify the resulting embedding as malicious or benign. Unlike previously proposed solutions, our model variants are trained in an end-to-end fashion allowing discriminative training even for the sequential processing layers. Evaluating this model on a large corpus of 212,408 JavaScript files indicates that the best performing CPoLS model offers a 97.20% true positive rate (TPR) for the first 60K byte subsequence at a false positive rate (FPR) of 0.50%. The best performing CPoLS model significantly outperform several baseline models.

show abstract

Section: Related Workmentioning

confidence: 99%

ScriptNet: Neural Static Analysis for Malicious JavaScript Detection

Stokes

Agrawal

McDonald

et al. 2019

MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM)

View full text Add to dashboard Cite

show abstract

“…Of the documented malware, PDF-based attack is one of the major attacks because of the flexibility of PDFs in contrast to other document formats. Most malicious PDF documents embed binary or JavaScript codes triggering specific vulnerabilities and perform malicious actions, as described in [1]. Various studies have been conducted to detect such malicious PDFs.…”

Section: Introductionmentioning

confidence: 99%

“…In this work, we propose a novel approach using convolutional neural network (CNN) to tackle the malware detection. The contributions of this study can be summarized as follows: (1) we design a new CNN model well-suited to the malware detection on PDFs, (2) we demonstrate the performance of the proposed network by experiments using our manually labelled PDF dataset, and (3) we provide specific discussion about the experimental results.…”

Section: Introductionmentioning

confidence: 99%

Malware Detection on Byte Streams of PDF Files Using Convolutional Neural Networks

Jeong

Woo

Kang

2019

Security and Communication Networks

View full text Add to dashboard Cite

With increasing amount of data, the threat of malware keeps growing recently. The malicious actions embedded in nonexecutable documents especially (e.g., PDF files) can be more dangerous, because it is difficult to detect and most users are not aware of such type of malicious attacks. In this paper, we design a convolutional neural network to tackle the malware detection on the PDF files. We collect malicious and benign PDF files and manually label the byte sequences within the files. We intensively examine the structure of the input data and illustrate how we design the proposed network based on the characteristics of data. The proposed network is designed to interpret high-level patterns among collectable spatial clues, thereby predicting whether the given byte sequence has malicious actions or not. By experimental results, we demonstrate that the proposed network outperform several representative machine-learning models as well as other networks with different settings.

show abstract

“…By using these tokens PJScan tries to induce learning detection models that differentiate between benign and malicious PDF files. Liu et al [14] combined both static and dynamic analysis to detect potential infection attempts in the context of JavaScript execution. First, they extract a set of static features, and then they insert context monitoring code into a PDF document, a code that later cooperates with the runtime monitor used for the detection task.…”

Section: Related Workmentioning

confidence: 99%

“…The primary goal of the malicious JavaScript code inside a PDF file is to exploit a vulnerability in the PDF viewer in order to divert the normal execution flow to the embedded malicious JavaScript code. This can be achieved by performing a heap spraying 14 or buffer overflow attack implemented through JavaScript. Another malicious activity that can be carried out using JavaScript is downloading an executable file from the Internet which initiates an attack on the victim's machine once executed.…”

Section: Javascript Code Attacksmentioning

confidence: 99%

Keeping pace with the creation of new malicious PDF files using an active-learning based detection framework

et al. 2016

View full text Add to dashboard Cite

Attackers increasingly take advantage of naive users who tend to treat non-executable files casually, as if they are benign. Such users often open non-executable files although they can conceal and perform malicious operations. Existing defensive solutions currently used by organizations prevent executable files from entering organizational networks via web browsers or email messages. Therefore, recent advanced persistent threat attacks tend to leverage non-executable files such as portable document format (PDF) documents which are used daily by organizations. Machine Learning (ML) methods have recently been applied to detect malicious PDF files, however these techniques lack an essential element-they cannot be efficiently updated daily. In this study we present an active learning (AL) based framework, specifically designed to efficiently assist anti-virus vendors focus their analytical efforts aimed at acquiring novel malicious content. This focus is accomplished by identifying and acquiring both new PDF files that are most likely malicious and informative benign PDF documents. These files are used for retraining and enhancing the knowledge stores of both the detection model and anti-virus. We propose two AL based methods: exploitation and combination. Our methods are evaluated and compared to existing AL method (SVM-margin) and to random sampling for 10 days, and results indicate that on the last day of the experiment, combination outperformed all of the other methods, enriching the signature repository of the anti-virus with almost seven times more new malicious PDF files, while each day improving the detection model's capabilities further. At the same time, it dramatically reduces security experts' efforts by 75 %. Despite this significant reduction, results also indicate that our framework better detects new malicious PDF files than leading anti-virus tools commonly used by organizations for protection against malicious PDF files.

show abstract

Detecting Malicious Javascript in PDF through Document Instrumentation

Cited by 52 publications

References 15 publications

ScriptNet: Neural Static Analysis for Malicious JavaScript Detection

ScriptNet: Neural Static Analysis for Malicious JavaScript Detection

Malware Detection on Byte Streams of PDF Files Using Convolutional Neural Networks

Keeping pace with the creation of new malicious PDF files using an active-learning based detection framework

Contact Info

Product

Resources

About