
ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection

Charles Curtsinger (UMass Amherst), Benjamin Livshits and Benjamin Zorn (Microsoft Research), Christian Seifert (Microsoft). ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection. 20th USENIX Security Symposium (August 2011).





Presentation Transcript


  1. ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection. Charles Curtsinger (UMass Amherst), Benjamin Livshits and Benjamin Zorn (Microsoft Research), Christian Seifert (Microsoft). 20th USENIX Security Symposium (August 2011)

  2. Zozzle: Low-overhead Mostly Static JavaScript Malware Detection. Charles Curtsinger (UMass Amherst), Benjamin Livshits and Benjamin Zorn (Microsoft Research), Christian Seifert (Microsoft). Microsoft Research Technical Report (November 2010)

  3. Outline
  • Introduction
  • Observation on Offline Nozzle
  • Design
  • Experiment
  • Evaluation
  A Seminar at Advanced Defense Lab

  4. Introduction
  • In the last several years, we have seen mass-scale exploitation of memory-based vulnerabilities migrate towards heap spraying attacks.
  • But many solutions are not lightweight enough to be integrated into a commercial browser.

  5. About Nozzle
  • The overhead of this runtime technique may be 10% or higher.
  • This paper is based on our experience using NOZZLE for offline scanning.
  • Offline scanning is also not as effective against transient malware that appears and disappears frequently.

  6. About Zozzle
  • ZOZZLE is integrated with the browser's JavaScript engine to collect and process JavaScript code that is created at runtime.
  • Our focus in this paper is on creating a very low false positive, low overhead scanner.

  7. Observation on Offline Nozzle
  • Once we determined that a piece of JavaScript was malicious, we invested considerable effort in examining the code by hand and categorizing it in various ways.
  • We investigated 169 malware samples.

  8. Distribution of Different Exploit Samples

  9. Transience of Detected Malicious URLs

  10. JavaScript eval Unfolding

  11. Distribution of Context Counts

  12. Design

  13. Training Data Extraction and Labeling
  • We start by augmenting the JavaScript engine in a browser with a "deobfuscator" that extracts and collects individual fragments of JavaScript.
  • Detours [link]
  • jscript.dll [link]
  • Compile function (COleScript::Compile())

  14. Feature Extraction
  • We create features based on the hierarchical structure of the JavaScript abstract syntax tree (AST).

  15. Feature Selection
  • χ² test

  16. Classifier Training
  • Naïve Bayesian classifier
  • Features are assumed to be conditionally independent

  17. Naïve Bayesian classifier
  • Complexity: linear time
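The pipeline of slides 14 to 17 (hierarchical AST features, χ² selection, naive Bayes with conditional independence, linear-time classification), as an added example that is not ZOZZLE's own code. The "context:text" feature sets are constructed by hand in place of an AST walk, and the χ² threshold of 3.84 (p = 0.05 at one degree of freedom) is a choice for this tiny sample, not the paper's setting.

```javascript
// Added example (not ZOZZLE's own code): chi-squared feature selection followed by a
// naive Bayes classifier over ZOZZLE-style hierarchical "context:text" features.
// The feature sets below are constructed by hand to stand in for what an AST walk
// would extract from each JavaScript context; no parser is included.
const MALICIOUS = [
  ["function:unescape", "loop:shellcode", "function:document", "var:spray"],
  ["function:unescape", "loop:shellcode", "var:spray", "function:document"],
  ["loop:unescape", "loop:shellcode", "function:eval"],
  ["function:unescape", "var:shellcode", "var:spray", "function:eval"],
];
const BENIGN = [
  ["function:document", "function:getElementById", "var:i", "loop:i"],
  ["function:document", "function:addEventListener", "var:button"],
  ["function:jQuery", "function:document", "var:i", "loop:i"],
  ["function:setTimeout", "function:document", "var:button"],
];

// Chi-squared statistic of the 2x2 table (feature present/absent x malicious/benign).
function chiSquare(feature, mal, ben) {
  const a = mal.filter((ctx) => ctx.includes(feature)).length;  // malicious, has feature
  const b = ben.filter((ctx) => ctx.includes(feature)).length;  // benign, has feature
  const c = mal.length - a, d = ben.length - b, n = a + b + c + d;
  const denom = (a + b) * (c + d) * (a + c) * (b + d);
  return denom === 0 ? 0 : (n * (a * d - b * c) ** 2) / denom;
}

// Keep features whose chi-squared value reaches the threshold (sorted for determinism).
function selectFeatures(mal, ben, threshold) {
  const all = new Set([...mal, ...ben].flat());
  return [...all].filter((f) => chiSquare(f, mal, ben) >= threshold).sort();
}

// Training: class priors and Laplace-smoothed P(feature present | class).
function train(mal, ben, features) {
  const probs = (set) => Object.fromEntries(features.map((f) =>
    [f, (set.filter((ctx) => ctx.includes(f)).length + 1) / (set.length + 2)]));
  const total = mal.length + ben.length;
  return { features, malPrior: mal.length / total, benPrior: ben.length / total,
           malP: probs(mal), benP: probs(ben) };
}

// Classification is linear in the number of selected features, which are treated as
// conditionally independent given the class (the naive Bayes assumption).
function classify(model, ctx) {
  const score = (prior, p) => model.features.reduce(
    (s, f) => s + Math.log(ctx.includes(f) ? p[f] : 1 - p[f]), Math.log(prior));
  return score(model.malPrior, model.malP) > score(model.benPrior, model.benP)
    ? "malicious" : "benign";
}
```

With this sample only the three features that occur in three of the four malicious contexts and in no benign one pass the threshold; features shared by both classes, such as function:document, are dropped.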

  18. Fast Pattern Matching

  19. Fast Pattern Matching (cont.)

  20. Experiment
  • Malicious samples: 919 deobfuscated malicious contexts
  • Benign samples: Alexa top 50 URLs, 7,976 contexts

  21. Feature Selection
  • hand-picked vs. automatically selected

  22. Evaluation
  • HP xw4600 workstation
  • Intel Core2 Duo 3.16 GHz
  • 4 GB memory
  • Windows 7 64-bit Enterprise

  23. Effectiveness

  24. Training Set Size

  25. Feature Set Size

  26. Comparison with Other Techniques

  27. Performance: Context Size

  28. Performance: Feature Set

  29. Thank you

  30. JavaScript Obfuscation

  31. I think these are all of them…
  unescape("%48%65%6c%6c%6f%57%6f%72%6c%64")
  document.write("alert('1')");
  eval("alert(1)");
  "H976e246l3l2o19W42o45r7l88d734".replace(/[0-9]/g,"")
  "\u0048\u0065\u006C\u006C\u006F\u0057\u006F\u0072\u006C\u0064"

  32. If I want to eval…
  • <script>
  • Function("alert('1')")();
  • setTimeout("alert('1')");
  • execScript("alert('1')", "javascript");
  • [].constructor.constructor('alert(1)')();
  • window["eval"]("alert('1')");
  • </script>
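The eval unfolding of slides 10 and 13 and the string-to-code entry points of slide 32, as an added example that is not ZOZZLE's own code. ZOZZLE hooks the engine's Compile function with Detours, so every fragment is captured before it runs; this pure-JavaScript stand-in shadows eval, Function, setTimeout and window["eval"] with recording wrappers and unfolds nested layers recursively. The sample script is constructed (harmless arithmetic in place of alert), and the one entry point the wrappers cannot see shows why the hook belongs at engine level.

```javascript
// Added example (not ZOZZLE's own code): a JavaScript-level stand-in for the
// Compile hook. Each fragment handed to the engine is recorded before it executes.
function makeUnfolder() {
  const contexts = [];            // every unfolded fragment, in the order it was compiled
  const hooks = {};
  // Execute a fragment with the hooks shadowing the real globals, so nested layers
  // (eval inside eval, Function inside setTimeout, ...) are also captured.
  const run = (code) =>
    new Function("eval", "Function", "setTimeout", "window", code)(
      hooks.eval, hooks.Function, hooks.setTimeout, hooks.window);
  hooks.eval = (code) => {
    if (typeof code !== "string") return code;   // eval of a non-string returns it as is
    contexts.push(code);
    return run(code);
  };
  // Function(body): record at construction time, like a compile hook
  // (declared parameters are not supported in this simplified wrapper).
  hooks.Function = (...args) => {
    const body = String(args[args.length - 1]);
    contexts.push(body);
    return () => run(body);
  };
  // setTimeout with a string argument compiles code; run it synchronously for analysis.
  hooks.setTimeout = (fn, _ms) => (typeof fn === "string" ? hooks.eval(fn) : fn());
  hooks.window = hooks;                          // window["eval"] resolves to the hook
  return { run, contexts };
}

// Constructed sample modelled on slides 31 and 32, with arithmetic instead of alert.
const SAMPLE = `
  var inner = unescape("%65%76%61%6C%28%22%31%2B%31%22%29"); // decodes to eval("1+1")
  eval(inner);                           // layer 1, which in turn unfolds layer 2
  Function("return 2+2")();
  setTimeout("3+3", 0);
  window["eval"]("4+4");
  [].constructor.constructor("5+5")();   // reaches the engine past the JavaScript-level hooks
`;

// Returns the list of fragments unfolded while running a script.
function unfold(script) {
  const u = makeUnfolder();
  u.run(script);
  return u.contexts;
}
```

The last line of the sample is compiled by the engine but never recorded, which is the gap an in-engine hook on Compile closes.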

  33. In the network, I find …
  • <script>
  • ([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])(+!+[])
  • </script>

  34. The END
