자바 스크립트는 정적인 HTML 문서에 동적인 기능을 제공하기 위해 자주 사용되는 언어이며, 최근에 HTML5 표준이 발표됨으로써 더욱더 관심 받고 있다. 이렇게 자바 스크립트의 중요도가 커짐에 따라, 자바 스크립트를 사용하는 공격( DDos 공격, 개인 정보 유출 등 )이 더욱 더 위협적으로 다가오고 있다. 이 악성 자바 스크립트는 흔적을 남기지 않기 때문에, 자바 스크립트 코드만으로 악성유무를 판단해야 하며, 실제 악성 행위가 브라우저에서 자바 스크립트가 실행될 때 발생되기 때문에, 실시간으로 그 행위를 분석해야만 한다. 이러한 이유로 본 논문은 위 요구사항을 만족하는 분석 엔진을 소개하려 한다. 이 분석 엔진은 시그니쳐 기반의 정적 분석으로 스크립트 코드의 악성을 탐지하고, 행위 기반의 동적 분석으로 스크립트의 행위를 분석하여 악성을 판별하는 실시간 분석 기술이다.
자바 스크립트는 정적인 HTML 문서에 동적인 기능을 제공하기 위해 자주 사용되는 언어이며, 최근에 HTML5 표준이 발표됨으로써 더욱더 관심 받고 있다. 이렇게 자바 스크립트의 중요도가 커짐에 따라, 자바 스크립트를 사용하는 공격( DDos 공격, 개인 정보 유출 등 )이 더욱 더 위협적으로 다가오고 있다. 이 악성 자바 스크립트는 흔적을 남기지 않기 때문에, 자바 스크립트 코드만으로 악성유무를 판단해야 하며, 실제 악성 행위가 브라우저에서 자바 스크립트가 실행될 때 발생되기 때문에, 실시간으로 그 행위를 분석해야만 한다. 이러한 이유로 본 논문은 위 요구사항을 만족하는 분석 엔진을 소개하려 한다. 이 분석 엔진은 시그니쳐 기반의 정적 분석으로 스크립트 코드의 악성을 탐지하고, 행위 기반의 동적 분석으로 스크립트의 행위를 분석하여 악성을 판별하는 실시간 분석 기술이다.
JavaScript is a popular technique for activating static HTML. JavaScript has drawn more attention following the introduction of HTML5 Standard. In proportion to JavaScript's growing importance, attacks (ex. DDos, Information leak using its function) become more dangerous. Since these attacks do not ...
JavaScript is a popular technique for activating static HTML. JavaScript has drawn more attention following the introduction of HTML5 Standard. In proportion to JavaScript's growing importance, attacks (ex. DDos, Information leak using its function) become more dangerous. Since these attacks do not create a trail, whether the JavaScript code is malicious or not must be decided. The real attack action is completed while the browser runs the JavaScript code. For these reasons, there is a need for a real-time classification and determination technique for malicious JavaScript. This paper proposes the Analysis Engine for detecting malicious JavaScript by adopting the requirements above. The analysis engine performs static analysis using signature-based detection and dynamic analysis using behavior-based detection. Static analysis can detect malicious JavaScript code, whereas dynamic analysis can detect the action of the JavaScript code.
JavaScript is a popular technique for activating static HTML. JavaScript has drawn more attention following the introduction of HTML5 Standard. In proportion to JavaScript's growing importance, attacks (ex. DDos, Information leak using its function) become more dangerous. Since these attacks do not create a trail, whether the JavaScript code is malicious or not must be decided. The real attack action is completed while the browser runs the JavaScript code. For these reasons, there is a need for a real-time classification and determination technique for malicious JavaScript. This paper proposes the Analysis Engine for detecting malicious JavaScript by adopting the requirements above. The analysis engine performs static analysis using signature-based detection and dynamic analysis using behavior-based detection. Static analysis can detect malicious JavaScript code, whereas dynamic analysis can detect the action of the JavaScript code.
* AI 자동 식별 결과로 적합하지 않은 문장이 있을 수 있으니, 이용에 유의하시기 바랍니다.
제안 방법
The direction for future studies is to develop functions to detect totally new malicious scripts using the call trace signature, which is an important detection element of the dynamic analysis, and to advance the technology to cope with the vulnerabilities of HTML5 better. Moreover, the signature distribution and management function will be improved further for commercialization.
It provides two methods. The first method is to switch the key API generating the malicious behavior with the script code in the malicious domain of the original script code with an API without any functionality. For example, the part that calls the “send” function -- which is the key API generating the traffic in the XHR Dos attack script -- may be switched with a meaningless function called “sanitizing”.
This paper proposes an Analysis Engine that supplements the aforesaid weaknesses and consolidates the strengths.
이론/모형
SimHash is a similarity analysis algorithm using LSH (Locality Sensitive Hash). Unlike the general function used in mathematics, LSH[19] maximizes the collision probability.
참고문헌 (19)
Lu, Gen, and Saumya Debray. "Automatic simplification of obfuscated JavaScript code: A semantics-based approach." Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference on. IEEE, 2012, http://www.cs.arizona.edu/-genlu/pub/js-deobf-web.pdf.
Lee, Jusuk, Kyoochang Jeong, and Heejo Lee. "Detecting metamorphic malwares using code graphs." Proceedings of the 2010 ACM symposium on applied computing. ACM, 2010, http://ccs.korea.ac.kr/pds/SAC10.pdf
Saxena, Prateek, et al. "FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications." NDSS. 2010, http://www.andrew.cmu.edu/user/ppoosank/papers/FLAX.pdf
Xie, Yichen, and Alex Aiken. "Static Detection of Security Vulnerabilities in Scripting Languages." USENIX Security. Vol. 6. 2006, https://www.usenix.org/legacy/event/sec06/tech/full_papers/xie/xie_html/
Chowdhary, Mahak, Shrutika Suri, and Mansi Bhutani. "Comparative Study of Intrusion Detection System." (2014), http://www.ijcseonline.org/pub_paper/IJCSE-00229.pdf
Newsome, James, Brad Karp, and Dawn Song. "Polygraph: Automatically generating signatures for polymorphic worms." Security and Privacy, 2005 IEEE Symposiumon. IEEE, 2005, https://cse.sc.edu//-huangct/CSCE715F10/715presentation10.pdf
Charikar, Moses S. "Similarity estimation techniques from rounding algorithms." Proceedings of the thiry-fourth annual ACM symposium on Theory of computing. ACM, 2002, http://www.cs.princeton.edu/courses/archive/spring04/cos598B/bib/CharikarEstim.pdf
Hamming, Richard W. "Error detecting and error correcting codes." Bell System technical journal 29.2 (1950): 147-160, http://www.lee.eng.uerj.br/-gil/redesII/hamming.pdf
Linn, Cullen, and Saumya Debray. "Obfuscation of executable code to improve resistance to static disassembly." Proceedings of the 10th ACM conference on Computer and communications security. ACM, 2003, https://www.cs.arizona.edu/solar/papers/CCS2003.pdf
Dong, Guowei, et al. "Detecting cross site scripting vulnerabilities introduced by HTML5." Computer Science and Software Engineering (JCSSE), 2014 11th International Joint Conference on. IEEE, 2014,
Xu, Wei, Fangfang Zhang, and Sencun Zhu. "JStill: Mostly static detection of obfuscated malicious javascript code." Proceedings of the third ACM conference on Data and application security and privacy. ACM, 2013, http://www.cse.psu.edu/-sxz16/papers/JStill.pdf
Fan, Wenqing, Xue Lei, and Jing An. "Obfuscated Malicious Code Detection with Path Condition Analysis." Journal of Networks 9.5 (2014): 1208-1214, http://ojs.academypublisher.com/index.php/jnw/article/viewFile/jnw090512081214/9256
Xu, Wei, Fangfang Zhang, and Sencun Zhu. "The power of obfuscation techniques in malicious JavaScript code: A measurement study." Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on. IEEE, 2012, http://www.cse.psu.edu/-sxz16/papers/malware.pdf
Choi, YoungHan, et al. "Automatic detection for javascript obfuscation attacks in web pages through string pattern analysis." Future Generation Information Technology. Springer Berlin Heidelberg, http://www.sersc.org/journals/IJSIA/vol4_no2_2010/2.pdf 2009. 160-172
A. Rajaraman and J. Ullman (2010). "Mining of Massive Datasets, Ch. 3.", http://www.langtoninfo.com/web_content/9781107015357_frontmatter.pdf
※ AI-Helper는 부적절한 답변을 할 수 있습니다.