TY - GEN
T1 - A simple client-side defense against environment-dependent web-based malware
AU - Lu, Gen
AU - Chadha, Karan
AU - Debray, Saumya
PY - 2013
Y1 - 2013
N2 - Web-based malware tends to be environment-dependent, which poses a significant challenge to defending against web-based attacks, because the malicious code - which may be exposed and activated only under specific environmental conditions, such as the version of the browser - may not be triggered during analysis. This paper proposes a simple approach to defending against environment-dependent malware. Instead of increasing the analysis coverage of the detector, the goal of this technique is to ensure that the client will take the same execution path as the one examined by the detector. The technique is designed to work alongside a detector; it can handle cases that existing multi-path exploration techniques are incapable of, and it provides an efficient way to identify discrepancies between a JavaScript program's execution behavior in a user's environment and its behavior in a sandboxed detector, thereby detecting false negatives that may have been caused by environment dependencies. Experiments show that this technique can effectively detect environment-dependent behavior discrepancies of various forms, including those seen in real malware.
AB - Web-based malware tends to be environment-dependent, which poses a significant challenge to defending against web-based attacks, because the malicious code - which may be exposed and activated only under specific environmental conditions, such as the version of the browser - may not be triggered during analysis. This paper proposes a simple approach to defending against environment-dependent malware. Instead of increasing the analysis coverage of the detector, the goal of this technique is to ensure that the client will take the same execution path as the one examined by the detector. The technique is designed to work alongside a detector; it can handle cases that existing multi-path exploration techniques are incapable of, and it provides an efficient way to identify discrepancies between a JavaScript program's execution behavior in a user's environment and its behavior in a sandboxed detector, thereby detecting false negatives that may have been caused by environment dependencies. Experiments show that this technique can effectively detect environment-dependent behavior discrepancies of various forms, including those seen in real malware.
UR - http://www.scopus.com/inward/record.url?scp=84893723666&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84893723666&partnerID=8YFLogxK
U2 - 10.1109/MALWARE.2013.6703694
DO - 10.1109/MALWARE.2013.6703694
M3 - Conference contribution
SN - 9781479925339
T3 - Proceedings of the 2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013
SP - 124
EP - 131
BT - Proceedings of the 2013 8th International Conference on Malicious and Unwanted Software
PB - IEEE Computer Society
T2 - 2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013
Y2 - 22 October 2013 through 24 October 2013
ER -