Detection system and method of suspicious malicious website using analysis of javascript obfuscation strength
| Title: | Detection system and method of suspicious malicious website using analysis of javascript obfuscation strength |
|---|---|
| Patent Number: | 8,756,685 |
| Publication Date: | June 17, 2014 |
| Appl. No: | 13/282911 |
| Application Filed: | October 27, 2011 |
| Abstract: | A detection system of a suspicious malicious website using the analysis of a JavaScript obfuscation strength, which includes: an entropy measuring processor of measuring an entropy of an obfuscated JavaScript present in the website, a special character entropy, and a variable/function name entropy; a frequency measuring processor of measuring a specific function frequency, an encoding mark frequency and a % symbol frequency of the JavaScript; a density measuring processor of measuring the maximum length of a single character string of the JavaScript; and a malicious website confirming processor of determining whether the relevant website is malicious by comparing an obfuscation strength value, measured by the entropy measuring processor, the frequency measuring processor and the density measuring processor, with a threshold value. |
| Inventors: | Jeong, Hyun-Cheol (Seoul, KR); Ji, Seung-Goo (Seoul, KR); Lee, Tai Jin (Seoul, KR); Jeong, Jong-Il (Seoul, KR); Kang, Hong-Koo (Seoul, KR); Kim, Byung-Ik (Seoul, KR) |
| Assignees: | Korea Internet & Security Agency (KR) |
| Claim: | 1. A detection system of a suspicious malicious website using the analysis of a JavaScript obfuscation strength, comprising: an entropy measuring hardware processor of measuring an entropy of an obfuscated JavaScript present in the website, a special character entropy, and a variable/function name entropy; a frequency measuring hardware processor of measuring a specific function frequency, an encoding mark frequency and a % symbol frequency of the JavaScript; a density measuring hardware processor of measuring the maximum length of a single character string of the JavaScript; and a malicious website confirming hardware processor of determining whether the relevant website is malicious by comparing an obfuscation strength value, measured by the entropy measuring processor, the frequency measuring processor and the density measuring processor, with a threshold value, wherein the frequency measuring processor comprises: a function frequency calculating unit of calculating a specific function use frequency of the JavaScript, such as eval, replace and fromCharCode; a mark frequency calculating unit of calculating an encoding mark use frequency of the JavaScript; a first symbol frequency calculating unit of calculating a % symbol use frequency inside an HTTP link of the JavaScript; and a second symbol frequency calculating unit of calculating a % symbol use frequency outside the HTTP link of the JavaScript. |
| Claim: | 2. The detection system as claimed in claim 1, wherein the entropy measuring processor comprises: a first calculating unit of calculating a total entropy of the JavaScript; a second calculating unit of calculating a difference between the total entropy calculated by the first calculating unit and an average entropy; a third calculating unit of calculating the most frequent special character entropy of the JavaScript; a fourth calculating unit of calculating a special character entropy of a special character group of the JavaScript; a fifth calculating unit of calculating a special character entropy of the entire used character group of the JavaScript; a sixth calculating unit of calculating a difference between the special character entropy calculated by the fourth calculating unit and the special character entropy calculated by the fifth calculating unit; a seventh calculating unit of calculating a difference between the value obtained by the sixth calculating unit and a non-special character entropy; and an eighth calculating unit of calculating an average variable/function name entropy of the JavaScript. |
| Claim: | 3. The detection system as claimed in claim 1, wherein the density measuring processor detects a single character string containing at least 200 characters. |
| Claim: | 4. The detection system as claimed in claim 1, wherein the malicious website confirming processor comprises: a comparing unit of comparing the obfuscation strength, measured by the entropy measuring processor, the frequency measuring processor and the density measuring processor, with the threshold value; and a determining unit of determining the relevant website as a malicious obfuscation website, if the obfuscation strength value is smaller than the threshold value as the result of the comparing unit. |
| Claim: | 5. A detection method of a suspicious malicious website using the analysis of a JavaScript obfuscation strength, comprising: measuring, at an entropy measuring processor, an entropy of an obfuscated JavaScript present in the website, a special character entropy, and a variable/function name entropy; measuring, at a frequency measuring processor, a specific function frequency, an encoding mark frequency and a % symbol frequency of the JavaScript; measuring, at a density measuring processor, the maximum length of a single character string of the JavaScript; and determining, at a malicious website confirming processor, whether the relevant website is malicious by comparing an obfuscation strength value, measured by the entropy measuring processor, the frequency measuring processor and the density measuring processor, with a threshold value, wherein, in the measuring of the specific function frequency, the encoding mark frequency and the % symbol frequency of the JavaScript, the frequency measuring processor calculates a specific function use frequency of the JavaScript, such as eval, replace and fromCharCode, an encoding mark use frequency of the JavaScript, a % symbol use frequency inside an HTTP link of the JavaScript, and a % symbol use frequency outside the HTTP link of the JavaScript. |
| Claim: | 6. The detection method as claimed in claim 5, wherein, in the measuring of the entropy of the obfuscated JavaScript present in the website, the special character entropy and the variable/function name entropy, the entropy measuring processor calculates a total entropy of the JavaScript, a difference between the total entropy and an average entropy, the most frequent special character entropy of the JavaScript, a special character entropy of a special character group of the JavaScript, a special character entropy of the entire used character group of the JavaScript, a difference between the special character entropy and the special character entropy of the character group, a difference of a non-special character entropy, and an average variable/function name entropy of the JavaScript. |
| Claim: | 7. The detection method as claimed in claim 5, wherein, in the measuring of the maximum length of the single character string of the JavaScript, the density measuring processor detects a single character string having the maximum length of at least 200 characters. |
| Claim: | 8. The detection method as claimed in claim 5, wherein, in the determining whether the relevant website is malicious by comparing the obfuscation strength value, measured by the entropy measuring processor, the frequency measuring processor and the density measuring processor, with a threshold value, the malicious website confirming processor compares the obfuscation strength, measured by the entropy measuring processor, the frequency measuring processor and the density measuring processor, with the threshold value and determines the relevant website as a malicious obfuscated website if the obfuscation strength value is smaller than the threshold value. |
| Current U.S. Class: | 726/22 |
| Patent References Cited: | 7,562,304 (July 2009, Dixon et al.); 7,765,481 (July 2010, Dixon et al.); 7,822,620 (October 2010, Dixon et al.); 8,296,664 (October 2012, Dixon et al.); 8,321,791 (November 2012, Dixon et al.); 8,429,545 (April 2013, Dixon et al.); 8,438,499 (May 2013, Dixon et al.); 8,516,590 (August 2013, Ranadive et al.); 8,555,391 (October 2013, Demir et al.); 8,566,726 (October 2013, Dixon et al.); 8,683,584 (March 2014, Daswani et al.); 2006/0253458 (November 2006, Dixon et al.); 2006/0253578 (November 2006, Dixon et al.); 2006/0253579 (November 2006, Dixon et al.); 2006/0253580 (November 2006, Dixon et al.); 2006/0253581 (November 2006, Dixon et al.); 2006/0253582 (November 2006, Dixon et al.); 2006/0253583 (November 2006, Dixon et al.); 2006/0253584 (November 2006, Dixon et al.); 2008/0109473 (May 2008, Dixon et al.); 2008/0114709 (May 2008, Dixon et al.); 2010/0042931 (February 2010, Dixon et al.); 2011/0030060 (February 2011, Kejriwal); 2011/0239300 (September 2011, Klein et al.); 2011/0289582 (November 2011, Kejriwal et al.); 2012/0174225 (July 2012, Shyamsunder et al.) |
| Other References: | Likarish et al., "Obfuscated malicious javascript detection using classification techniques," Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on, Oct. 13-14, 2009, pp. 47-54, IEEE Xplore (cited by examiner); Likarish et al., "Targeted web crawling for building malicious javascript collection," DSMM '09 Proceedings of the ACM first international workshop on Data-intensive software management and mining, 2009, pp. 23-26, ACM Digital Library (cited by examiner) |
| Primary Examiner: | Holder, Bradley |
| Attorney, Agent or Firm: | Cantor Colburn LLP |
| Accession Number: | edspgr.08756685 |
| Database: | USPTO Patent Grants |
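The abstract and claims name three groups of static measurements over a page's script text (entropy, frequency, density) that are combined into an obfuscation strength value and compared with a threshold, but the record does not give the formulas, the weights or the threshold. The following Python is an added example, not the patent's implementation: it computes one representative feature from each claimed group (Shannon entropy of the whole script, of its special characters and of declared variable/function names; counts of `eval`/`replace`/`fromCharCode`, of `\x`/`\u`/`%` escape marks, and of `%` inside versus outside `http(s)://` links; the longest string literal against the 200-character limit of claims 3 and 7) and collapses them into a score. The weights, the "higher score means more obfuscated" convention and the threshold of 8.0 are this example's assumptions; claim 4 states the opposite direction (malicious when the strength value is smaller than the threshold), which only makes sense for whatever strength definition the full specification uses. The two sample scripts are constructed for the run, not taken from any real site.

```python
"""Obfuscation-strength features for a JavaScript source string, following the
three measurement groups in the patent abstract: entropy, frequency, density.
Added example, not the patent's reference implementation; the scoring weights,
the score direction and the threshold are assumptions (see obfuscation_strength)."""
import math
import re
from collections import Counter

SUSPICIOUS_FUNCS = ("eval", "replace", "fromCharCode")   # named in claim 1
MAX_STRING_LEN = 200                                      # claims 3 and 7
# \xHH, \uHHHH and %HH escapes are taken here as the "encoding marks" (assumption).
ENCODING_MARK_RE = re.compile(r"\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}")
HTTP_LINK_RE = re.compile(r"https?://[^\s'\"<>]+")
IDENT_RE = re.compile(r"\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)")
STRING_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")


def shannon_entropy(text):
    """Bits per symbol over the character distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def entropy_features(js):
    specials = "".join(ch for ch in js if not ch.isalnum() and not ch.isspace())
    names = IDENT_RE.findall(js)   # names introduced by var/let/const/function
    return {
        "total_entropy": shannon_entropy(js),
        "special_char_entropy": shannon_entropy(specials),
        "non_special_entropy": shannon_entropy("".join(ch for ch in js if ch.isalnum())),
        "avg_name_entropy": (sum(shannon_entropy(n) for n in names) / len(names)
                             if names else 0.0),
    }


def frequency_features(js):
    func_count = sum(len(re.findall(r"\b%s\b" % f, js)) for f in SUSPICIOUS_FUNCS)
    pct_in_links = sum(link.count("%") for link in HTTP_LINK_RE.findall(js))
    return {
        "func_count": func_count,
        "encoding_marks": len(ENCODING_MARK_RE.findall(js)),
        "pct_in_links": pct_in_links,
        "pct_outside_links": js.count("%") - pct_in_links,
    }


def density_features(js):
    # Longest single string literal, surrounding quotes excluded.
    longest = max((len(m.group(0)) - 2 for m in STRING_RE.finditer(js)), default=0)
    return {"max_string_len": longest, "long_string": longest >= MAX_STRING_LEN}


def obfuscation_strength(js):
    """Collapse the features into one number. Weights, the caps on raw counts
    and the 'higher = more obfuscated' convention are this example's choices;
    the record only says the strength value is compared with a threshold."""
    f = {**entropy_features(js), **frequency_features(js), **density_features(js)}
    score = (2.0 * f["func_count"]
             + 0.1 * min(f["encoding_marks"], 50)
             + 0.05 * min(f["pct_outside_links"], 50)
             + (5.0 if f["long_string"] else 0.0)
             + max(0.0, f["total_entropy"] - 4.5))
    return score, f


def is_suspicious(js, threshold=8.0):
    """Threshold value is an assumption; tune it on a labelled corpus."""
    return obfuscation_strength(js)[0] >= threshold


# Constructed samples for a stand-alone run (not taken from any real site).
BENIGN_JS = (
    "function greet(name) {\n"
    "  var message = \"Hello, \" + name + \"!\";\n"
    "  document.getElementById(\"out\").textContent = message;\n"
    "}\n"
    "greet(\"world\");\n"
)
OBFUSCATED_JS = ("var _0x4a3f='" + "%41" * 80 + "';"
                 "eval(unescape(_0x4a3f).replace(/A/g,'B'));"
                 "document.write(String.fromCharCode(104,105));")

if __name__ == "__main__":
    for label, js in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        score, feats = obfuscation_strength(js)
        print(label, round(score, 2), is_suspicious(js), feats)
```

Two practical caveats follow from the feature set itself. Minified or bundled libraries also produce very long string literals and high character entropy, so a threshold chosen without a benign corpus will flag legitimate pages; and because every measurement is static, a script that assembles its payload at run time from innocuous pieces (string concatenation, array joins, property lookups) scores low, which is why this kind of strength score is normally a pre-filter in front of dynamic analysis rather than a verdict on its own.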