Enhancing JavaScript Malware Detection through Weighted Behavioral DFAs
Pedro Pereira, José Gonçalves, João Vitorino, Eva Maia, Isabel Praça

TL;DR
This paper presents a novel behavior-based detection system using weighted DFAs to identify and classify JavaScript malware by analyzing execution sequences, improving detection of both known and emerging threats.
Contribution
Introduces a behavior DFA system that captures malicious patterns and classifies JavaScript behaviors based on similarity to known attacks, enhancing malware detection capabilities.
Findings
Effective detection of exact and partial malicious behaviors
High accuracy in classifying benign, partially malicious, and malicious sequences
Demonstrated adaptability to emerging threats in real-world data
Abstract
This work addresses JavaScript malware detection to enhance client-side web application security with a behavior-based system. The ability to detect malicious JavaScript execution sequences is a critical problem in modern web security as attack techniques become more sophisticated. This study introduces a new system for detecting JavaScript malware using a Deterministic Finite Automaton (DFA) along with a weighted-behavior system, which we call behavior DFA. This system captures malicious patterns and provides a dynamic mechanism to classify new sequences that exhibit partial similarity to known attacks, differentiating them between benign, partially malicious, and fully malicious behaviors. Experimental evaluation on a dataset of 1,058 sequences captured in a real-world environment demonstrates the capability of the system to detect and classify threats effectively, with the behavior…
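The idea described in the abstract, sketched as an added example that is not the paper's implementation: known malicious behavior sequences are stored as a DFA with weighted transitions, and an observed sequence is labelled by how far it progresses. The event names, weights, threshold, the self-loop handling of unmatched events and the `BehaviorDFA` and `buildExampleDFA` names are all assumptions made for illustration.

```javascript
// Added illustration. Event names, weights and the threshold are constructed
// assumptions, not values from the paper.
class BehaviorDFA {
  constructor(partialThreshold) {
    this.edges = [new Map()];      // edges[state]: event -> { next, weight }
    this.accepting = new Set();    // states that end a known malicious pattern
    this.partialThreshold = partialThreshold;
  }

  // Insert one known malicious sequence: [[event, weight], ...].
  addPattern(pattern) {
    let state = 0;
    for (const [event, weight] of pattern) {
      if (!this.edges[state].has(event)) {
        this.edges.push(new Map());
        this.edges[state].set(event, { next: this.edges.length - 1, weight });
      }
      state = this.edges[state].get(event).next;
    }
    this.accepting.add(state);
  }

  // Walk an observed sequence. Events with no edge from the current state act
  // as an implicit self-loop, so unrelated benign calls do not reset the match.
  classify(sequence) {
    let state = 0, score = 0;
    for (const event of sequence) {
      const edge = this.edges[state].get(event);
      if (!edge) continue;
      score += edge.weight;
      state = edge.next;
      if (this.accepting.has(state)) return { label: "malicious", score };
    }
    const label = score >= this.partialThreshold ? "partially malicious" : "benign";
    return { label, score };
  }
}

// Two constructed patterns: form data sent off-origin, and remote script loading.
function buildExampleDFA() {
  const dfa = new BehaviorDFA(3);
  dfa.addPattern([["listen:submit", 1], ["read:input.value", 2],
                  ["encode:base64", 2], ["send:cross-origin", 5]]);
  dfa.addPattern([["create:script", 1], ["set:src:remote", 2], ["call:eval", 4]]);
  return dfa;
}
```

A sequence that reaches an accepting state is reported as malicious; one that stops partway is scored by the accumulated transition weights and compared with the threshold.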
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Spam and Phishing Detection
