HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs

conference contribution
posted on 2023-11-29, 18:10, authored by Aurore Fass, Michael Backes, Ben Stock
In the malware field, learning-based systems have become popular to detect new malicious variants. Nevertheless, attackers with specific and internal knowledge of a target system may be able to produce input samples which are misclassified. In practice, the assumption of strong attackers is not realistic as it implies access to insider information. We instead propose HideNoSeek, a novel and generic camouflage attack, which evades the entire class of detectors based on syntactic features, without needing any information about the system it is trying to evade. Our attack consists of changing the constructs of malicious JavaScript samples to reproduce a benign syntax. For this purpose, we automatically rewrite the Abstract Syntax Trees (ASTs) of malicious JavaScript inputs into existing benign ones. In particular, HideNoSeek uses malicious seeds and searches for isomorphic subgraphs between the seeds and traditional benign scripts. Specifically, it replaces benign sub-ASTs by their malicious equivalents (same syntactic structure) and adjusts the benign data dependencies, without changing the AST, so that the malicious semantics is kept. In practice, we leveraged 23 malicious seeds to generate 91,020 malicious scripts, which perfectly reproduce ASTs of Alexa top 10,000 web pages. Also, we can produce on average 14 different malicious samples with the same AST as each Alexa top 10. Overall, a standard trained classifier has 99.98% false negatives with HideNoSeek inputs, while a classifier trained on such samples has over 88.74% false positives, rendering the targeted static detectors unreliable.


Preferred Citation

Aurore Fass, Michael Backes and Ben Stock. HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs. In: ACM Conference on Computer and Communications Security (CCS). 2019.

Primary Research Area

  • Empirical and Behavioral Security

Secondary Research Area

  • Threat Detection and Defenses

Name of Conference

ACM Conference on Computer and Communications Security (CCS)

Open Access Type

  • Unknown


@inproceedings{cispa_all_2936,
  title = "HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs",
  author = "Fass, Aurore and Backes, Michael and Stock, Ben",
  booktitle = "{ACM Conference on Computer and Communications Security (CCS)}",
  year = "2019",
}
