| In recent years, malwares, including worms, Trojans and botnets, always threat to Internet security. As the growing popularity of WEB2.0 and cloud computing, more and more applications provide WEB-based services, there have been trends of browser OS. Exploiting browser vulnerabilities and plug-in vulnerabilities has replaced exploiting vulnerabilities in operating systems and applications. Web malicious code has become the main way of attack and spreading of malware and an important part of the underground economy. Malicious web page is the page that contains malicious content which spreads virus, Trojan, etc. Included malicious content, which is always called web Trojan, essentially is not a Trojan. It's the malicious code spreading by webpage, generally written in JavaScript, VBScript or other scripting language, usually obfuscated in various ways to escape detection. By exploiting vulnerabilities in browsers or plug-ins, webpage malicious code can download and run malware, such as adware, Trojan, viruses, etc. Users could be attacked even when they visit a seemingly benign website since benign web page could have been injected with malicious code. Various tactics are used in order to evade detection by AV scanner, for example, encryption and polymorphism. Traditional detection system has a high false negative rate. Therefore, more and more attackers utilize Internet to spread malware. Detections techniques are usually classified into static detection (based on page content or URL), dynamic detection (based on browsing behavior), and a combination of both. Traditional static detection method is simple, but difficult to deal with code obfuscation, which lead to a high false negative rate and false positive rate. Therefore, many existing systems use the dynamic detection approach, that is, run scripts of a webpage in a real browser in a virtual machine environment, monitor the execution for malicious activity. While the system is quite accurate, the process is costly, requiring seconds for a single page without optimization, thus, is unable to be performed on a large set of web pages.In this paper, a light-weighted detection system was proposed. The system analyzes pages, extraction features, automatically derive detection models using machine-learning techniques. In addition, we use JavaScript virtual machine to make further analysis for the obfuscation code to make a complementary for static analysis, which detect the source code of a web page statically. As most of the analysis process only use the source of the page, without the need for execution and, therefore, consumes less resources and can be applied to large-scale web pages'detection, for example, integration with the search engine. We analyze the characteristic of a malicious webpage systematically and present important features for machine learning. In the end, we describe the system's design and implementation and demonstrate the effectiveness of the system by experimental results. |
PDF Full Text Request