Drive-by Disclosure: A Large-Scale Detector of Drive-by Downloads Based on Latent Behavior Prediction

Drive-by downloads continue to be the basis for many kinds of large-scale web attacks. The detection of Drive-by downloads and heap spraying attacks has been receiving serious research attention. The appearance of complex obfuscation patterns make the two primary challenges preventing the development of large-scale, real-time detectors of drive-by downloads become contradictory. On one hand, fabrication of disguised transformations (massively and heavily obfuscated scripts) thwarts capabilities of static analysis. On the other hand, dynamic analysis incurs excessive overhead along with other limitations. To ameliorate this situation, we propose Drive-by Disclosure, a novel complementary solution to bridge the gap between dynamic and static approaches. Driveby Disclosure leverages availability of AST representation to predict script's latent behaviors statically. This approach facilitates distinction between scripting practices of drive-by downloads and disguised transformations. Subsequently, in order to reliably detect drive-by downloads, dynamic analysis will only be applied to the scripts that are identified as disguised. Compared to the state-of-the-art solutions, Driveby Disclosure minimizes analysis overhead of JSAND to less than 24%. Also, it improves JSAND's detection rate by more than 29 absolute percentage points. Further, the combination of JSAND and Drive-by Disclosure attains two times better accuracy than Cujo.