A Machine Learning Approach to Malicious JavaScript Detection using Fixed Length Vector Representation

Title: A Machine Learning Approach to Malicious JavaScript Detection using Fixed Length Vector Representation
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Ndichu, S., Ozawa, S., Misu, T., Okada, K.
Conference Name: 2018 International Joint Conference on Neural Networks (IJCNN)
Keywords: authoring languages, Browsers, classifier model, composability, Context modeling, cyberattacks, cybersecurity, D3M Dataset, defense, Doc2Vec, Doc2Vec features, drive-by-download attacks, Drive-by-Download Data, feature extraction, feature learning, features extraction, fixed length vector representation, invasive software, Java, JavaScript, learning (artificial intelligence), machine learning, malicious JavaScript detection, malicious JS code detection, malicious JS codes, Metrics, neural nets, neural network model, Neural networks, pattern classification, plugin software, Predictive models, pubcrawl, resilience, Resiliency, Support vector machines, Vectors, Web applications, Web site, Web sites, Zero day attacks, Zero-day attacks

To add more functionality and enhance usability of web applications, JavaScript (JS) is frequently used. Even with many advantages and usefulness of JS, an annoying fact is that many recent cyberattacks such as drive-by-download attacks exploit vulnerability of JS codes. In general, malicious JS codes are not easy to detect, because they sneakily exploit vulnerabilities of browsers and plugin software, and attack visitors of a web site unknowingly. To protect users from such threats, the development of an accurate detection system for malicious JS is solicited. Conventional approaches often employ signature and heuristic-based methods, which are prone to suffer from zero-day attacks, i.e., causing many false negatives and/or false positives. For this problem, this paper adopts a machine-learning approach to feature learning called Doc2Vec, which is a neural network model that can learn context information of texts. The extracted features are given to a classifier model (e.g., SVM and neural networks) and it judges the maliciousness of a JS code. In the performance evaluation, we use the D3M Dataset (Drive-by-Download Data by Marionette) for malicious JS codes and JSUPACK for benign ones for both training and test purposes. We then compare the performance to other feature learning methods. Our experimental results show that the proposed Doc2Vec features provide better accuracy and fast classification in malicious JS code detection compared to conventional approaches.

Citation Key: ndichu_machine_2018