Litcius/Paper detail

Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild

Marvin Moog, Markus Demmel, Michael Backes, Aurore Fass

202123 citationsDOIOpen Access PDF

Abstract

JavaScript is both a popular client-side programming language and an attack vector. While malware developers transform their JavaScript code to hide its malicious intent and impede detection, well-intentioned developers also transform their code to, e.g., optimize website performance. In this paper, we conduct an in-depth study of code transformations in the wild. Specifically, we perform a static analysis of JavaScript files to build their Abstract Syntax Tree (AST), which we extend with control and data flows. Subsequently, we define two classifiers, benefitting from AST-based features, to detect transformed samples along with specific transformation techniques. Besides malicious samples, we find that transforming code is increasingly popular on Node.js libraries and client-side JavaScript, with, e.g., 90% of Alexa Top 10k websites containing a transformed script. This way, code transformations are no indicator of maliciousness. Finally, we showcase that benign code transformation techniques and their frequency both differ from the prevalent malicious ones.

Topics & Concepts

JavaScriptComputer scienceObfuscationMalwareProgramming languageCode (set theory)Abstract syntax treeUnobtrusive JavaScriptRich Internet applicationClient-sideTransformation (genetics)Static program analysisStatic analysisArtificial intelligenceWorld Wide WebOperating systemComputer securityParsingSoftwareBiochemistrySoftware developmentSet (abstract data type)GeneChemistryAdvanced Malware Detection TechniquesSpam and Phishing DetectionSoftware Engineering Research
Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild | Litcius