Web-based malware tend to be environmentdependent, which poses a significant challenge on defending web-based attacks, because the malicious code-which may be exposed and activated only under specific environmental conditions such as the version of the browser-may not be triggered during analysis. This paper proposes a simple approach for defending environment-dependent malware. Instead of increasing analysis coverage in detector, the goal of this technique is to ensure that the client will

more »

... the same execution path as the one examined by the detector. This technique is designed to work alongside a detector, it can handle cases existing multi-path exploration techniques are incapable of, and provides an efficient way to identify discrepancies in a JavaScript program's execution behavior in a user's environment compared to its behavior in a sandboxed detector, thereby detecting false negatives that may have been caused by environment dependencies. Experiment shows that this technique can effectively detect environment-dependent behavior discrepancy of various forms, including those seen in real malware.