Zozzle: Low-overhead Mostly Static JavaScript Malware Detection
Road Map
• Background
• Architecture
• Evaluation
Heap Spraying
• Create NOP sled/shellcode: create the shellcode and precede it with a block of NOP sled.
• Spray the NOP sled/shellcode: allocate many copies of the NOP sled/shellcode in the heap to increase the chance of success.
• Trigger the vulnerability, in order to redirect the program into the heap, where it is likely to hit the NOP sled and then the shellcode.
Malware Cloaking
• Generally, there are two ways to check JavaScript for malware:
• Signatures
• Machine Learning
Both need the source code.
Architecture of Zozzle
(Diagram: Samples feed the Bayesian Classifier; Unknown JavaScript is passed to the Bayesian Classifier and labelled Malicious or Benign.)
De-obfuscation
• An exploit must unpack itself to run.
• That is, before an exploit is executed, it must show its real source code.
• Zozzle intercepts calls to the Compile function in the JavaScript engine, which is called when:
• eval() is called
• New code is included in an <iframe> tag
• New code is included in a <script> tag
Feature Extraction
• Flat Features vs. Hierarchical Features
• Flat Feature: Text from Source Code
• 1-level Hierarchical Feature: <Context Info, Text>
• n-level Hierarchical Feature: <Context Info…, Text>
• Abstract Syntax Tree:
function f(){
  shellcode…
  …
}
for(i=0; i<5000;i++){
  …
  …Shellcode…
  ⋯
}
Feature Selection
• Zozzle only selects those features that are most likely to be predictive.
• Use χ² to test correlation.
Classifier Training
• ZOZZLE uses a naïve Bayesian classifier, for its simplicity and efficiency.
• How to calculate P(Fk|Li)? Li = Benign or Malicious
Open Questions
• Feature Extraction
• Accuracy & Feature
• False Positive & False Negative
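The pipeline from the Feature Extraction, Feature Selection and Classifier Training slides above, as an added Python example (not Zozzle's own code): hierarchical <Context Info, Text> features are given pre-extracted rather than read from a real AST, and the training samples and the χ² threshold of 3.0 are constructed for illustration. It shows concretely how P(Fk|Li) is estimated from per-label document counts with Laplace smoothing.

```python
import math
from collections import Counter

LABELS = ("benign", "malicious")
# Constructed training set: each sample is the list of 1-level hierarchical
# features <Context Info, Text> (enclosing AST node kind, token) for one script.
DATA = {
    "benign": [
        [("function", "document"), ("function", "getElementById"), ("loop", "i")],
        [("function", "addEventListener"), ("function", "style"), ("loop", "length")],
        [("function", "getElementById"), ("function", "innerHTML"), ("loop", "i")],
    ],
    "malicious": [
        [("function", "unescape"), ("loop", "shellcode"), ("loop", "unescape")],
        [("loop", "shellcode"), ("loop", "spray"), ("function", "unescape")],
        [("function", "unescape"), ("loop", "spray"), ("loop", "i")],
    ],
}

def doc_counts(samples):
    """Number of samples in which each feature occurs (presence, not frequency)."""
    return Counter(f for s in samples for f in set(s))

def chi_square(feature, counts, n):
    """chi^2 of the 2x2 table (feature present?) x (label), from per-label doc counts."""
    a, b = counts["malicious"][feature], counts["benign"][feature]
    c, d = n["malicious"] - a, n["benign"] - b
    den = (a + b) * (c + d) * (a + c) * (b + d)
    return (a + b + c + d) * (a * d - b * c) ** 2 / den if den else 0.0

def select_features(data, threshold):
    """Feature selection: keep only the features whose chi^2 reaches the threshold."""
    counts = {l: doc_counts(data[l]) for l in LABELS}
    n = {l: len(data[l]) for l in LABELS}
    return {f for l in LABELS for f in counts[l] if chi_square(f, counts, n) >= threshold}

def train(data, selected):
    """Bernoulli naive Bayes, Laplace-smoothed: P(F_k|L_i) = (#L_i docs with F_k + 1) / (#L_i docs + 2)."""
    cond = {l: {f: (doc_counts(data[l])[f] + 1) / (len(data[l]) + 2) for f in selected}
            for l in LABELS}
    prior = {l: len(data[l]) / sum(len(v) for v in data.values()) for l in LABELS}
    return cond, prior

def classify(sample, cond, prior, selected):
    """Label maximising log P(L_i) + sum over selected F_k of log P(F_k present or absent | L_i)."""
    present = set(sample) & selected
    score = {l: math.log(prior[l]) + sum(math.log(cond[l][f] if f in present else 1 - cond[l][f])
                                         for f in selected) for l in LABELS}
    return max(score, key=score.get)
```

With this data, χ² keeps four of the eleven features (unescape and shellcode/spray in their contexts, plus getElementById as a benign indicator) and discards context-free noise such as <loop, i>, which occurs in both classes.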