Netinfo Security, 2019, Vol. 19, Issue (4): 37-46. doi: 10.3969/j.issn.1671-1122.2019.04.005


Automatic De-obfuscation-based Malicious Webpages Detection

Yitao NI1,2, Yongjia CHEN1,2, Bogang LIN1,2

  1. College of Mathematics and Computer Science, Fuzhou University, Fuzhou Fujian 350116, China
  2. Key Lab of Information Security of Network Systems (Fuzhou University), Fujian Province, Fuzhou Fujian 350116, China
  • Received: 2018-12-03 Online: 2019-04-10 Published: 2020-05-11

Abstract:

For many users, browsing webpages is a popular way of using the Internet. But malicious webpages can compromise users' computer systems, steal sensitive private data, and often cause users financial loss or turn the compromised systems into bots. Malicious webpages have therefore become a notorious threat to information security and computer systems. Moreover, malicious webpages often obfuscate their malicious code to blur its signatures, so that signature-based anti-virus engines cannot function effectively. This paper proposes an approach to malicious webpage detection based on automatic de-obfuscation. First, the approach leverages taint analysis to automatically locate the data and code relevant to the obfuscated code. Next, based on the located data and code, it converts the obfuscated code into de-obfuscated code and substitutes the generated code for the corresponding obfuscated code in the webpage. Finally, it applies a well-known signature-based anti-virus engine to the modified webpages to detect malicious code. The paper also reports experiments that evaluate the proposed approach. The experimental results show that the approach can locate the obfuscated code contained in webpages, de-obfuscate it successfully, and improve the malicious webpage detection ratio by around 50 percent on average for 13 anti-virus engines deployed on the VirusTotal website. For three of these anti-virus engines, the detection rate increased by more than 80%.

Key words: malicious webpages, de-obfuscation, JavaScript, cyber security
