Netinfo Security (信息网络安全) ›› 2019, Vol. 19 ›› Issue (4): 37-46. doi: 10.3969/j.issn.1671-1122.2019.04.005

• Technical Research •

Malicious Webpage Detection Method Based on Automatic De-obfuscation

Yitao NI (倪一涛)1,2, Yongjia CHEN (陈咏佳)1,2, Bogang LIN (林柏钢)1,2

  1. College of Mathematics and Computer Science, Fuzhou University, Fuzhou, Fujian 350116, China
  2. Key Laboratory of Information Security of Network Systems of Fujian Province Universities, Fuzhou, Fujian 350116, China
  • Received: 2018-12-03 Online: 2019-04-10 Published: 2020-05-11
  • About the authors:

    Yitao NI (b. 1969), male, from Fujian, lecturer, Ph.D.; main research interests: malicious code analysis and network security. Yongjia CHEN (b. 1994), female, from Fujian, master's student; main research interest: information security. Bogang LIN (b. 1953), male, from Fujian, professor; main research interests: cryptography and network security.

  • Funding:
    Natural Science Foundation of Fujian Province [2015J01247]; Fujian Provincial Department of Education Project [JK2013002]

Automatic De-obfuscation-based Malicious Webpages Detection

Yitao NI1,2, Yongjia CHEN1,2, Bogang LIN1,2

  1. College of Mathematics and Computer Science, Fuzhou University, Fuzhou, Fujian 350116, China
  2. Key Lab of Information Security of Network Systems (Fuzhou University), Fujian Province, Fuzhou, Fujian 350116, China
  • Received: 2018-12-03 Online: 2019-04-10 Published: 2020-05-11

Abstract (translated from the Chinese):

Webpages are an important part of people's everyday use of the Internet. A webpage that contains malicious code can steal users' private information and can even bring the browsing device under an attacker's control as a member of a botnet, seriously threatening the information and system security of Internet users. In addition, malicious webpages usually obfuscate their code in order to hide the malicious code and blur or remove its signatures, so that existing signature-based malicious webpage detection methods cannot work effectively. To address this, the paper proposes a malicious webpage detection method based on automatic de-obfuscation. The method first uses taint analysis to restore the obfuscated code in a webpage and adds the restored code to the original webpage; it then detects the webpage with a signature-based method. The experimental results show that, after the samples are de-obfuscated with the proposed automatic de-obfuscation method, the detection rate of 13 malicious webpage detection engines on the VirusTotal website increases by about 50% on average, and the detection rate of 3 of these engines increases by more than 80%.

Keywords: malicious webpages, de-obfuscation, JavaScript, cyber security

Abstract:

Browsing webpages is a popular way of using the Internet for many users. But malicious webpages can compromise users' computer systems, steal their sensitive private data, and often cause financial loss or turn the compromised systems into bots. Malicious webpages are therefore a notorious threat to information security and computer systems. Moreover, malicious webpages often obfuscate their malicious code to blur its signatures, so that signature-based anti-virus engines cannot function effectively. This paper proposes an approach to malicious webpage detection based on automatic de-obfuscation. First, the proposed approach leverages taint analysis to automatically locate the data and code relevant to the obfuscated code. Next, based on the located data and code, it converts the obfuscated code into de-obfuscated code and substitutes the generated code for the related obfuscated code in the webpage. Finally, a well-known signature-based anti-virus engine is applied to the modified webpages to detect malicious code. The paper also reports experiments that evaluate the proposed approach. The experimental results show that the approach can locate obfuscated code contained in webpages, de-obfuscate it successfully, and raises the malicious webpage detection rate by around 50 percent on average across 13 anti-virus engines deployed on the VirusTotal website. Three of these anti-virus engines increased their detection rates by more than 80%.

Key words: malicious webpages, de-obfuscation, JavaScript, cyber security

CLC number: