华中科技大学学报(自然科学版) (Journal of Huazhong University of Science and Technology, Natural Science Edition), 2016, Vol. 44, Issue 3: 6-11, 6. DOI: 10.13245/j.hust.160302
A detection method for drive-by-download attacks
Anomaly detection approach for drive-by-download attacks
Abstract
In order to deal with the difficulty of detecting drive-by-download attacks hidden in obfuscated malicious JavaScript code, a method for analyzing obfuscated malicious JavaScript code and detecting drive-by-download attacks was proposed, based on a combination of static analysis and dynamic analysis. A prototype anomaly detection system that uses only normal data in the training phase was designed. In static analysis, three algorithms, namely principal component analysis (PCA), K-nearest neighbor (K-NN) and one-class support vector machine (SVM), were used to detect obfuscated JavaScript code. In dynamic analysis, the initial values and final values of variables were extracted from the obfuscated JavaScript code to construct nine features for detecting drive-by-download attacks. 7.0463×10^4 JavaScript-based pages were collected in a real computing environment. Extensive experimental results show that the method is able to detect drive-by-download attacks effectively. In particular, PCA achieves a detection rate of 99.0% with a false positive rate of 0.1% for detecting obfuscated drive-by-download attacks.
Keywords
anomaly detection / obfuscation / Web security / dynamic analysis / malicious JavaScript code / drive-by-download attacks
Classification
Information technology and security science
Citation
马洪亮, 王伟, 韩臻. A detection method for drive-by-download attacks [J]. Journal of Huazhong University of Science and Technology (Natural Science Edition), 2016, 44(3): 6-11, 6.
Funding
Innovative Research Team Program of the Ministry of Education (IRT201206); Specialized Research Fund for the Doctoral Program of Higher Education of the Ministry of Education (20120009110007, 20120009120010); Fundamental Research Funds for the Central Universities (2015JBM025); Scientific Research Foundation for Returned Overseas Scholars of the Ministry of Education (K14C300020); Shanghai Key Laboratory of Integrated Administration Technologies for Information Security.