摘要
随着Web前端代码压缩与混淆工具的快速发展,浏览器需要执行的代码的体积减小,可读性大幅下降,同时也为恶意代码的隐藏提供了便利。为了解决混淆JavaScript代码中恶意代码片段的检测问题,以及找到混淆前后代码中函数的对应关系,通过对JavaScript代码函数调用序列及函数调用的分析,研究基于函数调用序列和函数调用关系图的代码相似度,以及Google Closure Compiler的代码混淆方法。提出了一种基于函数调用信息的JavaScript混淆恶意代码检测方法。实验结果表明:上述方法可以有效检测出混淆前后JavaScript代码中函数的对应关系,对换名混淆具有鲁棒性,且检测复杂度低于通用的JavaScript反混淆工具。
With the development of code compression and obfuscation tools applied to web applications,the size and readability of code browsers need to execute have been decreased,which also provides more convenience for malicious code to hide.In order to solve the problem of detecting malicious code snippets in obfuscated JavaScript code,and find the correspondence of functions between obfuscated and original code,the function call-based detecting method was proposed.The extraction of function call information of JavaScript code was studied,including function call sequence and function call graph,and calculation of function call-based source code similarity.The results show that the method can effectively detect the correspondence of functions between obfuscated and original JavaScript code,and the complexity is lower than common clone detection or DE-obfuscation tools.
作者
王婷
牟永敏
张志华
崔展齐
WANG Ting;MU Yong-min;ZHANG Zhi-hua;CUI Zhan-qi(Beijing Key Laboratory of Internet Culture and Digital Dissemination Research,Beijing Information Science and Technology University,Beijing,100101)
出处
《计算机仿真》
北大核心
2021年第2期432-437,共6页
Computer Simulation
基金
北京市自然科学基金资助项目(Z160002)
网络文化与数字传播北京市重点实验室开放课题(5221835409)。
关键词
函数调用
代码混淆
恶意代码检测
代码相似度
Function call
Code obfuscation
Malicious code detection
Code similarity
