http://dx.doi.org/10.9708/jksci.2019.24.05.027

A Discovery System of Malicious Javascript URLs hidden in Web Source Code Files  

Park, Hweerang (Air Force Operation Command)
Cho, Sang-Il (Air Force Cyber Operations Center)
Park, Jungkyu (Dept. of National Defense Science, Korea National Defense University)
Cho, Youngho (Dept. of National Defense Science, Korea National Defense University)
Abstract
One serious security threat is the botnet-based attack. A botnet generally consists of numerous bots: networked computing devices, such as personal computers, smartphones, or tiny IoT sensor devices, that have been compromised by malicious code or by attackers. Such botnets can launch various serious cyber-attacks, such as DDoS attacks, malware propagation, and spam e-mail distribution over the network. To establish a botnet, attackers usually inject malicious URLs stealthily into web source code, using data hiding methods such as Javascript obfuscation techniques to avoid discovery by traditional security systems such as a firewall, IPS (Intrusion Prevention System), or IDS (Intrusion Detection System). Meanwhile, in practice it is non-trivial for software developers to manually find such malicious URLs hidden in the numerous web source code files stored on web servers. In this paper, we propose a security defense system that discovers such suspicious, malicious URLs hidden in web source code, and we present experimental results that show its discovery performance. In particular, in our experiments the proposed system discovered 100% of the URLs hidden by Javascript encoding obfuscation within the sample web source files.
Keywords
Hidden URL Discovery; Web Defacement Attack; Javascript Obfuscation; Network Security;