
Zozzle : Low-overhead Mostly Static JavaScript Malware Detection


Presentation Transcript


  1. Zozzle: Low-overhead Mostly Static JavaScript Malware Detection

  2. Road Map • Background • Architecture • Evaluation

  3. Heap Spraying • Create NOP sled/shellcode: • Create the shellcode and precede it with a block of NOP sled. • Spray the NOP sled/shellcode: • Allocate many copies of the NOP sled/shellcode on the heap to increase the chance of success. • Trigger the vulnerability: • Redirect the program into the heap, where it is likely to hit the NOP sled and then the shellcode.

  4. Malware Cloaking • Generally, there are two ways to check for JavaScript malware: • Signatures • Machine learning • Both need the source code.

  5. Architecture of Zozzle • Training: Samples (labelled malicious/benign) → Bayesian Classifier • Detection: Unknown JavaScript → Bayesian Classifier → Malicious or Benign

  6. De-obfuscated • An exploit must unpack itself to run. • That is, before an exploit is executed, it must show its real source code. • Zozzle intercepts calls to the Compile function in the JavaScript engine, which is reached when: • eval() is called • New code is included in an <iframe> tag • New code is included in a <script> tag

  7. Feature Extraction • Flat Features vs. Hierarchical Features • Flat feature: text from the source code • 1-level hierarchical feature: <Context Info, Text> • n-level hierarchical feature: <Context Info…, Text> • Context comes from the Abstract Syntax Tree, e.g. the same text inside a function body versus inside a loop body: function f(){ shellcode… … } for(i=0; i<5000;i++){ … …Shellcode… ⋯}

  8. Feature Selection • Zozzle only selects those features that are most likely to be predictive. • Use the χ² test to measure the correlation between each feature and the label.

  9. Classifier Training • Zozzle uses a naïve Bayesian classifier, for its simplicity and efficiency. • Open question: how to calculate P(Fk|Li)? (Li = Benign or Malicious)
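The three steps on slides 7 to 9 (hierarchical <context, text> features, χ² feature selection, naïve Bayes with P(Fk|Li)) as an added worked example; this is not Zozzle's code, and the tuple-based ASTs, the training corpus and its labels are constructed for illustration.

```python
from math import log

def extract_features(node, context="global", out=None):
    """1-level hierarchical features <context, text> from a hand-built AST.
    Context is the kind of the nearest enclosing function/loop/try node."""
    out = set() if out is None else out
    kind, payload = node
    if isinstance(payload, str):                      # leaf: identifier or literal text
        out.add((context, payload))
    else:
        ctx = kind if kind in ("function", "loop", "try") else context
        for child in payload:
            extract_features(child, ctx, out)
    return out

def chi2_select(samples, labels, top):
    """Keep the `top` features whose presence correlates most with the label (2x2 chi-squared)."""
    n, n_mal = len(samples), sum(labels)
    scores = {}
    for f in set().union(*samples):
        a = sum(1 for s, l in zip(samples, labels) if f in s and l)      # malicious, has f
        b = sum(1 for s, l in zip(samples, labels) if f in s and not l)  # benign, has f
        c, d = n_mal - a, (n - n_mal) - b                                # same, without f
        denom = (a + b) * (c + d) * (a + c) * (b + d)
        scores[f] = n * (a * d - b * c) ** 2 / denom if denom else 0.0
    return sorted(scores, key=scores.get, reverse=True)[:top]

def train(samples, labels, features):
    """Naive Bayes: log priors plus Laplace-smoothed P(F_k | L_i) per selected feature."""
    prior = {l: log(labels.count(l) / len(labels)) for l in (0, 1)}
    cond = {}
    for l in (0, 1):
        docs = [s for s, lab in zip(samples, labels) if lab == l]
        for f in features:
            cond[(f, l)] = (sum(f in s for s in docs) + 1) / (len(docs) + 2)
    return prior, cond, features

def classify(model, ast):
    """Return 1 (malicious) or 0 (benign) for the AST of an unpacked script."""
    prior, cond, features = model
    sample = extract_features(ast)
    score = {l: prior[l] + sum(log(cond[(f, l)] if f in sample else 1 - cond[(f, l)])
                               for f in features) for l in (0, 1)}
    return max(score, key=score.get)

# Constructed training corpus (not real samples): (kind, children) or (kind, text) tuples.
TRAIN = [
    ("program", [("function", [("assign", "shellcode"), ("call", "unescape")]),
                 ("loop", [("call", "push"), ("assign", "spray")])]),
    ("program", [("function", [("call", "unescape"), ("assign", "shellcode")]),
                 ("loop", [("assign", "spray"), ("call", "push")])]),
    ("program", [("function", [("call", "getElementById"), ("assign", "width")]),
                 ("loop", [("call", "push"), ("assign", "i")])]),
    ("program", [("function", [("assign", "total"), ("call", "parseInt")]),
                 ("try", [("call", "JSON.parse")])]),
]
LABELS = [1, 1, 0, 0]
FEATURE_SETS = [extract_features(t) for t in TRAIN]
MODEL = train(FEATURE_SETS, LABELS, chi2_select(FEATURE_SETS, LABELS, top=3))
```

Note that ("loop", "push") appears in both classes and so scores lower under χ² than features seen only in the malicious samples, which is why it is not selected.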

  10. Feature & Throughput

  11. Feature Extraction Accuracy & Feature False Positive & False Negative

  12. Compare With Others

  13. Questions
