Detection of Malicious Web Pages Using System Calls Sequences

  • Gerardo Canfora
  • Eric Medvet
  • Francesco Mercaldo
  • Corrado Aaron Visaggio
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8708)


Web sites are often used for diffusing malware; an increasingly number of attacks are performed by delivering malicious code in web pages: drive-by download, malvertisement, rogueware, phishing are just the most common examples. In this scenario, JavaScript plays an important role, as it allows to insert code into the web page that will be executed on the client machine, letting the attacker to perform a plethora of actions which are necessary to successfully accomplish an attack. Existing techniques for detecting malicious JavaScript suffer from some limitations like: the capability of recognizing only known attacks, being tailored only to specific attacks, or being ineffective when appropriate evasion techniques are implemented by attackers. In this paper we propose to use system calls to detect malicious JavaScript. The main advantage is that capturing the system calls allows a description of the attack at a very high level of abstraction. On the one hand, this limits the evasion techniques which could succeed, and, on the other hand, produces a very high detection accuracy (96%), as experimentation demonstrated.


System Call Malicious Code Relative Occurrence Clone Detection Feature Selection Procedure 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
  2. 2.
  3. 3.
    Eshete, B.: Effective analysis, characterization, and detection of malicious web pages. In: Proceedings of the 22nd International Conference on World Wide Web Companion, pp. 355–360. International World Wide Web Conferences Steering Committee (2013)Google Scholar
  4. 4.
  5. 5.
  6. 6.
    Canfora, G., Iannaccone, A.N., Visaggio, C.A.: Static analysis for the detection of metamorphic computer viruses using repeated-instructions counting heuristics. Journal of Computer Virology and Hacking Techniques, 11–27 (2013)Google Scholar
  7. 7.
    Dewald, A., Holz, T., Freiling, F.C.: Adsandbox: Sandboxing javascript to fight malicious websites. In: Proceedings of the 2010 ACM Symposium on Applied Computing, pp. 1859–1864. ACM (2010)Google Scholar
  8. 8.
    Seifert, C., Welch, I., Komisarczuk, P.: Identification of malicious web pages with static heuristics. In: Australasian Telecommunication Networks and Applications Conference, ATNAC 2008, pp. 91–96. IEEE (2008)Google Scholar
  9. 9.
    Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: a fast filter for the large-scale detection of malicious web pages. In: Proceedings of the 20th International Conference on World Wide Web, pp. 197–206. ACM (2011)Google Scholar
  10. 10.
    Choi, H., Zhu, B.B., Lee, H.: Detecting malicious web links and identifying their attack types. In: Proceedings of the 2nd USENIX Conference on Web Application Development, p. 11. USENIX Association (2011)Google Scholar
  11. 11.
    Ma, J., Saul, L.K., Savage, S., Voelker, G.M.: Beyond blacklists: learning to detect malicious web sites from suspicious urls. In: Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1245–1254. ACM (2009)Google Scholar
  12. 12.
    Ma, J., Saul, L.K., Savage, S., Voelker, G.M.: Identifying suspicious urls: an application of large-scale online learning. In: Proceedings of the 26th Annual International Conference on Machine Learning, pp. 681–688. ACM (2009)Google Scholar
  13. 13.
    Thomas, K., Grier, C., Ma, J., Paxson, V., Song, D.: Design and evaluation of a real-time url spam filtering service. In: 2011 IEEE Symposium on Security and Privacy (SP), pp. 447–462. IEEE (2011)Google Scholar
  14. 14.
    Sorio, E., Bartoli, A., Medvet, E.: Detection of hidden fraudulent urls within trusted sites using lexical features. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 242–247. IEEE (2013)Google Scholar
  15. 15.
    Kim, B.-I., Im, C.-T., Jung, H.-C.: Suspicious malicious web site detection with strength analysis of a javascript obfuscation. International Journal of Advanced Science & Technology 26 (2011)Google Scholar
  16. 16.
    Ikinci, A., Holz, T., Freiling, F.: Monkey-spider: Detecting malicious websites with low-interaction honeyclients, sicherheit (2008)Google Scholar
  17. 17.
    Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: De-cloaking internet malware. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 443–457. IEEE (2012)Google Scholar
  18. 18.
    Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious javascript code. In: Proceedings of the 19th International Conference on World Wide Web, pp. 281–290. ACM (2010)Google Scholar
  19. 19.
    Moshchuk, A., Bragin, T., Deville, D., Gribble, S.D., Levy, H.M.: Spyproxy: Execution-based detection of malicious web content. In: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, vol. 3, pp. 1–16. USENIX Association (2007)Google Scholar
  20. 20.
    Rieck, K., Krueger, T., Dewald, A.: Cujo: efficient detection and prevention of drive-by-download attacks. In: Proceedings of the 26th Annual Computer Security Applications Conference, pp. 31–39 (2010)Google Scholar
  21. 21.
    Qassrawi, M.T., Zhang, H.: Detecting malicious web servers with honeyclients. Journal of Networks 6(1) (2011)Google Scholar
  22. 22.
    The honeynet project (2011),
  23. 23.
    Mitre honeyclient project (2011),
  24. 24.
    Capture-hpc client honeypot / honeyclient (2011),
  25. 25.
    Wang, Y.-M., Beck, D., Jiang, X., Roussev, R., Verbowski, C., Chen, S., King, S.: Automated web patrol with strider honeymonkeys. In: Proceedings of the 2006 Network and Distributed System Security Symposium, pp. 35–49 (2006)Google Scholar
  26. 26.
    Curtsinger, C., Livshits, B., Zorn, B., Seifert, C.: Zozzle: Low-overhead mostly static javascript malware detection. In: Proceedings of the Usenix Security Symposium (2011)Google Scholar
  27. 27.
    Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., Vigna, G.: Revolver: An automated approach to the detection of evasive web-based malware. In: USENIX Security Symposium (2013)Google Scholar
  28. 28.
    Pate, J.R., Tairas, R., Kraft, N.A.: Clone evolution: a systematic review. Journal of Software: Evolution and Process 25(3), 261–283 (2013)Google Scholar
  29. 29.
    Roy, C.K., Cordy, J.R.: A survey on software clone detection research. School of Computing TR 2007-541, Queen’s University (2007)Google Scholar
  30. 30.
    Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: NDSS, vol. 9, pp. 8–11. Citeseer (2009)Google Scholar
  31. 31.
    Jang, J., Brumley, D., Venkataraman, S.: Bitshred: feature hashing malware for scalable triage and semantic analysis. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 309–320. ACM (2011)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Gerardo Canfora
    • 1
  • Eric Medvet
    • 2
  • Francesco Mercaldo
    • 1
  • Corrado Aaron Visaggio
    • 1
  1. 1.Dept. of EngineeringUniversity of SannioBeneventoItaly
  2. 2.Dept. of Engineering and ArchitectureUniversity of TriesteItaly

Personalised recommendations