Early detection of malicious behavior in JavaScript code

Kristof Schütt, Marius Kloft, Alexander Bikadorov, Konrad Rieck
2012 Proceedings of the 5th ACM workshop on Security and artificial intelligence - AISec '12  
Malicious JavaScript code is widely used for exploiting vulnerabilities in web browsers and infecting users with malicious software. Static detection methods fail to protect from this threat, as they are unable to cope with the complexity and dynamics of interpreted code. In contrast, the dynamic analysis of JavaScript code at run-time has proven to be effective in identifying malicious behavior. During the execution of the code, however, damage may already take place and thus an early ... is critical for effective protection. In this paper, we introduce EarlyBird: a detection method optimized for early identification of malicious behavior in JavaScript code. The method uses machine learning techniques for jointly optimizing the accuracy and the time of detection. In an evaluation with hundreds of real attacks, EarlyBird precisely identifies malicious behavior while limiting the amount of malicious code that is executed by a factor of 2 (43%) on average.
doi:10.1145/2381896.2381901 dblp:conf/ccs/SchuttKBR12 fatcat:f57fi52xjbdq3etywpv3gap7iq