ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection
Presentation Transcript

  1. ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection. Charles Curtsinger (UMass Amherst), Benjamin Livshits and Benjamin Zorn (Microsoft Research), Christian Seifert (Microsoft). 20th USENIX Security Symposium (August 2011)

  2. Zozzle: Low-overhead Mostly Static JavaScript Malware Detection. Charles Curtsinger (UMass Amherst), Benjamin Livshits and Benjamin Zorn (Microsoft Research), Christian Seifert (Microsoft). Microsoft Research Technical Report (November 2010)

  3. Outline • Introduction • Observation on Offline Nozzle • Design • Experiment • Evaluation A Seminar at Advanced Defense Lab

  4. Introduction • In the last several years, mass-scale exploitation of memory-based vulnerabilities has migrated towards heap spraying attacks. • Many of the proposed defenses are not lightweight enough to be integrated into a commercial browser.

  5. About Nozzle • The overhead of this runtime technique may be 10% or higher. • This paper is based on our experience using NOZZLE for offline scanning. • Offline scanning is also not as effective against transient malware that appears and disappears frequently.

  6. About Zozzle • ZOZZLE is integrated with the browser's JavaScript engine to collect and process JavaScript code that is created at runtime. • Our focus in this paper is on creating a scanner with a very low false-positive rate and low overhead.

  7. Observation on Offline Nozzle • Once we determined that a piece of JavaScript was malicious, we invested considerable effort in examining the code by hand and categorizing it in various ways. • We investigated 169 malware samples.

  8. Distribution of Different Exploit Samples

  9. Transience of Detected Malicious URLs

  10. JavaScript eval Unfolding

  11. Distribution of Context Counts

  12. Design

  13. Training Data Extraction and Labeling • We start by augmenting the JavaScript engine in a browser with a "deobfuscator" that extracts and collects the individual fragments of JavaScript the engine compiles. • Detours [link] • jscript.dll [link] • Hooked at the Compile function (COleScript::Compile())
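The collection point described on this slide, illustrated in plain JavaScript as an added example (this is not Zozzle's code). Zozzle sees every fragment because it hooks COleScript::Compile inside jscript.dll with Detours; outside the engine the closest approximation is to wrap the script-level entry points that turn strings into code, here eval and the Function constructor. The obfuscated sample, the `alert` stub (a browser's `alert()` does not exist outside a browser) and the use of `globalThis` in place of `window` are all assumptions of this example.

```javascript
// Added illustration, not Zozzle's code. Every string that reaches an eval-like
// entry point is recorded as a "context", tagged with the unfolding depth at
// which it appeared (the top-level script is depth 0, what it evals is depth 1, ...).

const contexts = [];          // { depth, code } for every fragment handed to eval/Function
let depth = 0;                // how many eval-like layers deep we currently are

const nativeEval = globalThis.eval;
const NativeFunction = Function;

function record(code) {
  contexts.push({ depth, code: String(code) });
}

// Run thunk one unfolding level deeper, so fragments it compiles get depth + 1.
function unfolded(thunk) {
  depth += 1;
  try { return thunk(); } finally { depth -= 1; }
}

globalThis.eval = function hookedEval(code) {
  if (typeof code !== "string") return code;   // eval of a non-string returns it unchanged
  record(code);
  return unfolded(() => nativeEval(code));       // indirect eval: runs in global scope
};

function HookedFunction(...args) {
  record(args.length ? args[args.length - 1] : "");   // last argument is the function body
  return unfolded(() => NativeFunction(...args));
}
HookedFunction.prototype = NativeFunction.prototype;
globalThis.Function = HookedFunction;
// Re-point the prototype's constructor too, so the [].constructor.constructor
// form on slide 32 (Array -> Function.prototype.constructor) lands in the hook.
NativeFunction.prototype.constructor = HookedFunction;

// Stub for the browser's alert(): records what the innermost code finally did.
const alerts = [];
globalThis.alert = (x) => { alerts.push(String(x)); };

// Unfold one top-level script: reset the trace, feed the source through the
// hooked eval and return the captured contexts plus the observed alerts.
function unfold(source) {
  contexts.length = 0;
  alerts.length = 0;
  depth = 0;
  globalThis.eval(source);
  return { contexts: contexts.map(c => ({ ...c })), alerts: alerts.slice() };
}

// Constructed sample built from the forms on slides 31 and 32. String.raw keeps the
// \u escapes literal so they are decoded by the inner parser, as in a real page.
const SAMPLE = String.raw`
  eval(unescape("%61%6c%65%72%74%28%31%29"));
  eval("\u0061\u006c\u0065\u0072\u0074(2)");
  Function("alert(3)")();
  [].constructor.constructor("alert(4)")();
  globalThis["eval"]("alert(5)");
`;

const TRACE = unfold(SAMPLE);   // six contexts: the script at depth 0, five alert(n) at depth 1
```

Every layer arrives at the hook already decoded: `unescape` and the `\u` escapes are gone by the time the string is compiled, which is why a classifier that looks at compiled fragments rather than page source is so hard to evade with encoding tricks. The weakness of this userland version is coverage: `setTimeout` with a string, `execScript` and `document.write` (slide 32), or code running in another frame, all bypass it, and a page can simply restore `globalThis.eval`. Hooking the engine's compile routine, as Zozzle does, closes those gaps at once.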

  14. Feature Extraction • We create features based on the hierarchical structure of the JavaScript abstract syntax tree (AST): each feature pairs a token with the AST context (loop, function, try block, string, ...) in which it occurs.

  15. Feature Selection • χ² test

  16. Classifier Training • Naïve Bayesian classifier • Features are assumed to be conditionally independent given the class

  17. Naïve Bayesian classifier • Complexity: linear time in the number of features
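The pipeline of slides 15 to 17 (χ² feature selection, then a naïve Bayes classifier over the surviving features), written out as an added example; this is not Zozzle's code. The training set is constructed: each context is the set of `astContext:token` features that an extraction in the style of slide 14 would produce, and the malicious/benign labels are assumed. The cutoff 3.84 is the χ² critical value for one degree of freedom at p = 0.05; it is chosen to suit twelve training contexts, and a production cutoff over thousands of contexts would be stricter.

```javascript
// Added illustration, not Zozzle's code: chi-squared feature selection followed by
// a Bernoulli naive Bayes classifier over hierarchical AST features.

const TRAIN = [
  // malicious contexts (constructed): heap-spray idioms
  { label: "malicious", feats: ["function:unescape", "string:%u0c0c%u0c0c", "function:CollectGarbage", "loop:shellcode", "var:i"] },
  { label: "malicious", feats: ["function:unescape", "string:%u0c0c%u0c0c", "function:CollectGarbage", "try:ActiveXObject"] },
  { label: "malicious", feats: ["function:unescape", "string:%u0c0c%u0c0c", "loop:shellcode", "var:i"] },
  { label: "malicious", feats: ["function:unescape", "string:%u0c0c%u0c0c", "function:CollectGarbage", "try:ActiveXObject", "function:getElementById"] },
  { label: "malicious", feats: ["function:unescape", "string:%u0c0c%u0c0c", "loop:shellcode"] },
  { label: "malicious", feats: ["function:unescape", "function:CollectGarbage", "var:i"] },
  // benign contexts (constructed): ordinary page scripting
  { label: "benign", feats: ["function:getElementById", "function:addEventListener", "string:click", "var:i"] },
  { label: "benign", feats: ["function:getElementById", "function:addEventListener", "string:click"] },
  { label: "benign", feats: ["function:getElementById", "function:addEventListener", "var:i"] },
  { label: "benign", feats: ["function:getElementById", "function:addEventListener", "string:click", "try:ActiveXObject"] },
  { label: "benign", feats: ["function:getElementById", "function:unescape", "var:i"] },
  { label: "benign", feats: ["function:setTimeout", "string:click"] },
];

// Chi-squared statistic of a 2x2 table: a = present & malicious, b = absent & malicious,
// c = present & benign, d = absent & benign.
function chiSquared(a, b, c, d) {
  const n = a + b + c + d;
  const denom = (a + b) * (c + d) * (a + c) * (b + d);
  return denom === 0 ? 0 : (n * (a * d - b * c) ** 2) / denom;
}

// Score every feature seen in training and keep those with chi-squared >= minChi2,
// strongest first. A feature that is frequent in both classes (var:i) scores 0.
function selectFeatures(train, minChi2) {
  const nMal = train.filter(s => s.label === "malicious").length;
  const nBen = train.length - nMal;
  const present = new Map();   // feature -> { mal, ben } document counts
  for (const s of train) {
    for (const f of new Set(s.feats)) {
      const e = present.get(f) || { mal: 0, ben: 0 };
      if (s.label === "malicious") e.mal++; else e.ben++;
      present.set(f, e);
    }
  }
  return [...present]
    .map(([f, e]) => ({ feature: f, chi2: chiSquared(e.mal, nMal - e.mal, e.ben, nBen - e.ben) }))
    .filter(s => s.chi2 >= minChi2)
    .sort((x, y) => y.chi2 - x.chi2 || x.feature.localeCompare(y.feature));
}

// Estimate P(class) and P(feature present | class) with Laplace smoothing, so a
// feature never seen in one class does not zero out that class.
function trainNaiveBayes(train, selected) {
  const model = { features: selected.map(s => s.feature), prior: {}, pPresent: {} };
  for (const c of ["malicious", "benign"]) {
    const docs = train.filter(s => s.label === c);
    model.prior[c] = docs.length / train.length;
    model.pPresent[c] = {};
    for (const f of model.features) {
      const k = docs.filter(s => s.feats.includes(f)).length;
      model.pPresent[c][f] = (k + 1) / (docs.length + 2);
    }
  }
  return model;
}

// Classify one context: one pass over the selected features, summing log-probabilities
// (the linear-time step of slide 17). Positive log-odds means malicious.
function classify(model, feats) {
  const have = new Set(feats);
  const logScore = {};
  for (const c of Object.keys(model.prior)) {
    let s = Math.log(model.prior[c]);
    for (const f of model.features) {
      const p = model.pPresent[c][f];
      s += Math.log(have.has(f) ? p : 1 - p);
    }
    logScore[c] = s;
  }
  const logOdds = logScore.malicious - logScore.benign;
  return { label: logOdds > 0 ? "malicious" : "benign", logOdds };
}

const SELECTED = selectFeatures(TRAIN, 3.84);   // drops var:i and try:ActiveXObject
const MODEL = trainNaiveBayes(TRAIN, SELECTED);
```

Note the third check in the test below: a context that merely calls `unescape` inside a `getElementById`-driven page is classified benign, because the classifier weighs all selected features, present and absent, rather than keying on one suspicious token. That is the behaviour the low false-positive goal on slide 6 depends on, and it is also why the selected set should contain strong benign indicators, not only malicious ones.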

  18. Fast Pattern Matching

  19. Fast Pattern Matching (cont.)

  20. Experiment • Malicious samples: 919 deobfuscated malicious contexts • Benign samples: Alexa top 50 URLs, 7,976 contexts

  21. Feature Selection • hand-picked vs. automatically selected

  22. Evaluation • HP xw4600 workstation • Intel Core2 Duo 3.16 GHz • 4 GB memory • Windows 7 64-bit Enterprise

  23. Effectiveness

  24. Training Set Size

  25. Feature Set Size

  26. Comparison with Other Techniques

  27. Performance: Context Size

  28. Performance: Feature Set

  29. Thank you

  30. JavaScript Obfuscation

  31. I think these are all of them… • unescape("%48%65%6c%6c%6f%57%6f%72%6c%64") • document.write("alert('1')"); • eval("alert(1)"); • "H976e246l3l2o19W42o45r7l88d734".replace(/[0-9]/g,"") • "\u0048\u0065\u006C\u006C\u006F\u0057\u006F\u0072\u006C\u0064"

  32. If I want to eval… • <script> • Function("alert('1')")(); • setTimeout("alert('1')"); • execScript("alert('1')", "javascript"); • [].constructor.constructor('alert(1)')(); • window["eval"]("alert('1')"); • </script>

  33. In the network, I find … • <script> • ([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])(+!+[]) • </script>

  34. The END