
A Lightweight Dynamic Detection Method For Identifying Malicious Code For Web Pages

Posted on: 2013-04-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Song
Full Text: PDF
GTID: 2208330434470634
Subject: Software engineering
Abstract/Summary:
Drive-by downloads, also known as malware websites, have become a concept well known to most internet users, whereas only a few years ago they were an attack technique known to a handful of security specialists. This reflects both the prevalence of the technique and the attention it receives from the information security industry. Monitoring websites and detecting malicious code in their pages requires adopting a proper detection method, working out an effective detection solution, and implementing an accurate and efficient detection system.

This paper analyzes the technique of drive-by downloads and then compares the existing detection techniques. Facing the critical performance problem of the existing dynamic detection solutions for drive-by downloads, a new detection method is proposed, which combines techniques and ideas originally used in static detection into dynamic detection. It obtains data from a non-UI (headless) web browser while the target web page is loading, and then uses pattern matching to parse the data and recognize malicious characteristics. In this way it avoids the weakness of the traditional static detection approach, which has narrow applicability and cannot recognize flexibly formed malicious code. At the same time, it is much more efficient than other dynamic detection approaches and consumes fewer resources.

First, this paper summarizes the characteristics of a large number of malicious code samples. It proposes corresponding patterns and logical implications for these characteristics, which are used to match and recognize malicious code. In the implementation, HTMLUnit is chosen as the non-UI web browser. After obtaining the intermediate data of page loading, it uses regular expressions for pattern matching or constructs a syntax tree to recognize the code's logic.

By integrating this module into the original mature detection system, the high efficiency and low resource consumption of this module and the high accuracy of the original heavyweight detection module complement each other. The efficiency of the newly integrated system is tens of times higher than that of the original system, while high accuracy is maintained.
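As an added illustration (not code from the thesis), the following Python sketch applies the approach described above to constructed page-load captures: patterns are matched against the DOM a headless browser produced and against the scripts it executed. The pattern set, weights and threshold are assumptions chosen for illustration, not the thesis's own rules.

```python
import re

# Patterns stand in for the "malicious characteristics" the thesis turns into regexes.
# Each entry: name, which capture it applies to (rendered DOM or executed script text),
# an assumed weight, and the pattern. The set and weights are illustrative only.
PATTERNS = [
    ("hidden_iframe", "dom", 3, re.compile(
        r'<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*["\']?0\b'
        r'|display\s*:\s*none|visibility\s*:\s*hidden)', re.I)),
    # "logical implication" style rule: a decoder feeding an evaluator in one expression
    ("decode_then_execute", "script", 3, re.compile(
        r'\b(?:eval|setTimeout|Function)\s*\(\s*'
        r'(?:unescape|String\.fromCharCode|atob)\s*\(', re.I)),
    ("script_writes_iframe", "script", 2, re.compile(
        r'document\.write(?:ln)?\s*\([^)]*<iframe', re.I)),
    ("long_escaped_literal", "script", 1, re.compile(
        r'(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){24,}', re.I)),
]

def scan_capture(capture):
    """Return (pattern_name, script_index) hits; index is -1 for hits in the final DOM."""
    hits = []
    for name, target, _, rx in PATTERNS:
        if target == "dom":
            if rx.search(capture["final_dom"]):
                hits.append((name, -1))
        else:
            hits.extend((name, i) for i, src in enumerate(capture["scripts"]) if rx.search(src))
    return hits

def score(hits):
    weights = {name: w for name, _, w, _ in PATTERNS}
    return sum(weights[name] for name, _ in hits)

def is_suspicious(capture, threshold=3):
    """Verdict the lightweight module would pass to the heavier detector for confirmation."""
    return score(scan_capture(capture)) >= threshold

# Constructed captures, shaped like what a headless browser (e.g. HTMLUnit) exposes after
# loading a page: the DOM once scripts have run, plus the text of every executed script.
SUSPICIOUS_CAPTURE = {
    "final_dom": '<html><body><h1>News</h1><iframe src="http://example.invalid/x" '
                 'width="0" height="0"></iframe></body></html>',
    "scripts": ['var a = document.getElementById("x");',
                'eval(String.fromCharCode(100, 111, 99, 117, 109, 101, 110, 116));'],
}
BENIGN_CAPTURE = {
    "final_dom": '<html><body><iframe src="https://example.invalid/video" '
                 'width="640" height="360"></iframe></body></html>',
    "scripts": ['document.write("<p>today</p>");'],
}
```

Because the patterns run over the rendered DOM and the executed script text rather than the raw HTML, a page that assembles its payload at runtime still shows the same characteristics once loaded.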
Keywords/Search Tags: Drive-by downloads, Malware websites, Dynamic detection