JStap: A Static Pre-Filter for Malicious JavaScript Detection

conference contribution
posted on 2023-11-29, 18:11 authored by Aurore Fass, Michael Backes, Ben Stock
Given the success of the Web platform, attackers have abused its main programming language, namely JavaScript, to mount different types of attacks on their victims. Due to the large volume of such malicious scripts, detection systems rely on static analyses to quickly process the vast majority of samples. These static approaches are not infallible though and lead to misclassifications. Also, they lack semantic information to go beyond purely syntactic approaches. In this paper, we propose JStap, a modular static JavaScript detection system, which extends the detection capability of existing lexical and AST-based pipelines by also leveraging control and data flow information. Our detector is composed of ten modules, including five different ways of abstracting code, with differing levels of context and semantic information, and two ways of extracting features. Based on the frequency of these specific patterns, we train a random forest classifier for each module. In practice, JStap outperforms existing systems, which we reimplemented and tested on our dataset totaling over 270,000 samples. To improve the detection, we also combine the predictions of several modules. A first layer of unanimous voting classifies 93% of our dataset with an accuracy of 99.73%, while a second layer--based on an alternative modules' combination--labels another 6.5% of our initial dataset with an accuracy over 99%. This way, JStap can be used as a precise pre-filter, meaning that it would only need to forward less than 1% of samples to additional analyses. For reproducibility and direct deployability of our modules, we make our system publicly available (https://github.com/Aurore54F/JStap).

Preferred Citation

Aurore Fass, Michael Backes and Ben Stock. JStap: A Static Pre-Filter for Malicious JavaScript Detection. In: Annual Computer Security Applications Conference (ACSAC). 2019.

Primary Research Area

  • Empirical and Behavioral Security

Secondary Research Area

  • Threat Detection and Defenses

Name of Conference

Annual Computer Security Applications Conference (ACSAC)

Legacy Posted Date

2019-08-23

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_2966,
  title = "JStap: A Static Pre-Filter for Malicious JavaScript Detection",
  author = "Fass, Aurore and Backes, Michael and Stock, Ben",
  booktitle = "{Annual Computer Security Applications Conference (ACSAC)}",
  year = "2019",
}
