Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

JSForce: A Forced Execution Engine for Malicious JavaScript Detection

  • @INPROCEEDINGS{10.1007/978-3-319-78813-5_37,
        author={Xunchao Hu and Yao Cheng and Yue Duan and Andrew Henderson and Heng Yin},
        title={JSForce: A Forced Execution Engine for Malicious JavaScript Detection},
        proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
        proceedings_a={SECURECOMM},
        year={2018},
        month={4},
        keywords={Malicious Javascript Forced execution},
        doi={10.1007/978-3-319-78813-5_37}
    }
    
  • Xunchao Hu
    Yao Cheng
    Yue Duan
    Andrew Henderson
    Heng Yin
    Year: 2018
    JSForce: A Forced Execution Engine for Malicious JavaScript Detection
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-78813-5_37
Xunchao Hu1,*, Yao Cheng1,*, Yue Duan2,*, Andrew Henderson1,*, Heng Yin2,*
  • 1: Syracuse University
  • 2: University of California, Riverside
*Contact email: xhu31@syr.edu, ycheng@syr.edu, yduan005@ucr.edu, hendersa@icculus.org, heng@cs.ucr.edu

Abstract

The drastic increase of JavaScript exploitation attacks has led to a strong interest in developing techniques to analyze malicious JavaScript. Existing analysis techniques fall into two general categories: static analysis and dynamic analysis. Static analysis tends to produce inaccurate results (both false positives and false negatives) and is vulnerable to a wide range of obfuscation techniques. Thus, dynamic analysis is steadily gaining popularity for exposing the typical features of malicious JavaScript. However, existing dynamic analysis techniques have limitations such as limited code coverage and incomplete environment setup, leaving a broad attack surface for evading detection. To overcome these limitations, we present the design and implementation of a novel JavaScript forced execution engine named JSForce, which drives an arbitrary JavaScript snippet to execute along different paths without any input or environment setup. We evaluate JSForce using 220,587 HTML and 23,509 PDF real-world samples. Experimental results show that by adopting our forced execution engine, the malicious JavaScript detection rate can be substantially boosted by 206.29% using the same detection policy without any noticeable increase in false positives.