Enhancing JavaScript Malware Detection through Weighted Behavioral DFAs

Pedro Pereira, José Gonçalves, João Vitorino, Eva Maia, Isabel Praça

TL;DR

The paper tackles client-side JavaScript malware detection by modeling execution traces as weighted behavior sequences using a novel behavior DFA. It defines a Match Percentage using a BFS-based distance to the nearest final malicious state, with action weights highlighting high-risk behaviors, formalized as $\text{Match Percentage} = \left( \frac{\text{Total Matched Behavior Weight}}{\text{Total Weight to Nearest Final State}} \right) \times 100$. The contributions include a transparent, adaptable framework that supports exact and partial pattern recognition and can incorporate new attack sequences without full retraining. Evaluation on a real-world dataset of 1,058 sequences (10 malign, 288 partially malign, 760 benign) demonstrates effective detection of known attacks and meaningful partial matches, underscoring robustness and interpretability for practical threat monitoring.

Abstract

This work addresses JavaScript malware detection to enhance client-side web application security with a behavior-based system. The ability to detect malicious JavaScript execution sequences is a critical problem in modern web security as attack techniques become more sophisticated. This study introduces a new system for detecting JavaScript malware using a Deterministic Finite Automaton (DFA) along with a weighted-behavior system, which we call behavior DFA. This system captures malicious patterns and provides a dynamic mechanism to classify new sequences that exhibit partial similarity to known attacks, differentiating among benign, partially malicious, and fully malicious behaviors. Experimental evaluation on a dataset of 1,058 sequences captured in a real-world environment demonstrates the capability of the system to detect and classify threats effectively, with the behavior DFA successfully identifying exact matches and partial similarities to known malicious behaviors. The results highlight the adaptability of the system in detecting emerging threats while maintaining transparency in decision-making.
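
The Match Percentage from the TL;DR above, worked through on a small weighted DFA. This is an added example, not the paper's code: the states, behavior names and weights are constructed, and it assumes that matching stops at the first behavior with no transition and that the denominator is the matched weight plus the weight of the fewest-hop (BFS) path from the current state to a final state.

```python
from collections import deque

# Constructed behavior DFA: state -> {behavior: (next_state, weight)}.
# Names, weights and topology are illustrative, not taken from the paper.
TRANSITIONS = {
    "q0": {"create_element": ("q1", 1), "read_cookie": ("q4", 3)},
    "q1": {"set_script_src": ("q2", 2)},
    "q2": {"append_child": ("q3", 2)},
    "q3": {"read_form_input": ("q5", 4)},
    "q4": {"send_request": ("q6", 5)},
    "q5": {"send_request": ("q6", 5)},
}
START, FINAL = "q0", {"q6"}

def weight_to_nearest_final(state):
    """BFS by hop count; return the summed weight of the path to the
    nearest final state, or None if no final state is reachable."""
    queue, seen = deque([(state, 0)]), {state}
    while queue:
        current, cost = queue.popleft()
        if current in FINAL:
            return cost
        for nxt, weight in TRANSITIONS.get(current, {}).values():
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, cost + weight))
    return None

def match_percentage(sequence):
    """Walk the DFA over the observed behaviors and score the match."""
    state, matched = START, 0
    for behavior in sequence:
        step = TRANSITIONS.get(state, {}).get(behavior)
        if step is None:
            break  # assumption: stop at the first behavior off the pattern
        state, weight = step
        matched += weight
        if state in FINAL:
            break  # a complete known attack sequence was observed
    remaining = weight_to_nearest_final(state)
    if remaining is None or matched + remaining == 0:
        return 0.0
    return 100.0 * matched / (matched + remaining)

def classify(pct):
    # Assumed thresholds: exact match, no match, anything in between.
    if pct >= 100.0:
        return "malicious"
    return "benign" if pct == 0.0 else "partially malicious"
```

Because every transition and weight that contributed to a score can be listed, an analyst can see which observed behaviors produced a partial match and how much weight remained before a final state.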

Paper Structure

This paper contains 5 sections, 2 equations, 1 figure.

Figures (1)

  • Figure 1: Behavior DFA example.