JSGuard: Shellcode Detection in JavaScript

Gu, Boxuan; Zhang, Wenbin; Bai, Xin; Champion, Adam C.; Qin, Feng; Xuan, Dong

doi:10.1007/978-3-642-36883-7_8

Cited by 6 publications

(4 citation statements)

References 31 publications

(55 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In static detecting methods, input data are first disassembled and then screened via code level pattern analysis and matching. Patterns can be complicated signatures or simple heuristics that are obtained from studying known malicious codes [9]. Although static detecting method is fast, it could not detect the unknown ShellCode and detect the ShellCode's behavior in detail.…”

Section: Static and Dynamic Shellcode Detecting Methodsmentioning

confidence: 99%

See 1 more Smart Citation

A Combined Malicious Documents Detecting Method Based on Emulators

Gao

Jian

et al. 2014

AMM

View full text Add to dashboard Cite

ShellCode injections with malicious JavaScript code in documents are becoming more prevalent and dangerous. However, the existing methods have some limitations in detecting this kind of attacks. In this article, we explore the detections of malicious documents and propose an approach of detecting malicious documents that contains JavaScript ShellCode. In our approach, we provide an impact factor which represents the reliability of the document being malicious. We use both static detections and dynamic detections and then combine the results of the two different methods. Therefore, we can get an acceptable overhead and make the detection immune to obfuscation. We have implemented a proof-of-concept prototype of the detection system on a Linux platform. We also have evaluated the accuracy and the performance overhead on the test platform. The results show that the system reports very few faults with an acceptable overhead.

show abstract

Section: Static and Dynamic Shellcode Detecting Methodsmentioning

confidence: 99%

“…Dynamic detecting methods detect malicious ShellCode by using information generated during ShellCode execution [9]. In dynamic detecting methods, instructions are analyzed when the code actually executes, dynamic methods are immune to obfuscation attempts and self-modifying programs [10].…”

Section: Static and Dynamic Shellcode Detecting Methodsmentioning

confidence: 99%

A Combined Malicious Documents Detecting Method Based on Emulators

Gao

Jian

et al. 2014

AMM

View full text Add to dashboard Cite

show abstract

“…To de-obfuscate malicious JavaScript code, Gen et al [29] simplify the obfuscated JavaScript code by preserving the semantics of the observational equivalence. JSGuard [21] proposed a methodology to detect JavaScript shellcode that fully uses JavaScript code execution environment information with low false negative and false positive. Liu et al [28] propose a context-aware approach for detection and confinement of malicious JavaScript in PDF by inserting context monitoring code into a document.…”

Section: Related Workmentioning

confidence: 99%

“…In recent years, a number of techniques [17], [29], [22], [21], [26], [35], [18], [25], [16] have been proposed to detect malicious JavaScript code. Due to the dynamic features of the JavaScript language, static analysis [20], [27], [38], [18] can be easily evaded using obfuscation techniques [46].…”

Section: Introductionmentioning

confidence: 99%

JSForce: A Forced Execution Engine for Malicious JavaScript Detection

Cheng

Duan

et al. 2018

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

The drastic increase of JavaScript exploitation attacks has led to a strong interest in developing techniques to enable malicious JavaScript analysis. Existing analysis techniques fall into two general categories: static analysis and dynamic analysis. Static analysis tends to produce inaccurate results (both false positive and false negative) and is vulnerable to a wide series of obfuscation techniques. Thus, dynamic analysis is constantly gaining popularity for exposing the typical features of malicious JavaScript. However, existing dynamic analysis techniques possess limitations such as limited code coverage and incomplete environment setup, leaving a broad attack surface for evading the detection. To overcome these limitations, we present the design and implementation of a novel JavaScript forced execution engine named JSForce which drives an arbitrary JavaScript snippet to execute along different paths without any input or environment setup. We evaluate JSForce using 220,587 HTML and 23,509 PDF realworld samples. Experimental results show that by adopting our forced execution engine, the malicious JavaScript detection rate can be substantially boosted by 206.29% using same detection policy without any noticeable false positive increase. We also make JSForce publicly available as an online service and will release the source code to the security community upon the acceptance for publication.

show abstract

Semantics-Preserving Dissection of JavaScript Exploits via Dynamic JS-Binary Analysis

Prakash

Wang

et al. 2016

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

JSGuard: Shellcode Detection in JavaScript

Cited by 6 publications

References 31 publications

A Combined Malicious Documents Detecting Method Based on Emulators

A Combined Malicious Documents Detecting Method Based on Emulators

JSForce: A Forced Execution Engine for Malicious JavaScript Detection

Semantics-Preserving Dissection of JavaScript Exploits via Dynamic JS-Binary Analysis

Contact Info

Product

Resources

About