
Graduate student: 葉姵辰 (Pei-Chen Yeh)
Thesis title: Detecting Heap-spraying based on Minimal Length Sequence and Argument Analysis
Advisor: 李漢銘 (Hahn-Ming Lee)
Oral examination committee: 鄧惟中 (Wei-Chung Teng); 何建明 (Jan-Ming Ho); 毛敬豪 (Ching-Hao Mao); 陳培德 (Pei-Te Chen)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2015
Academic year of graduation: 103 (ROC calendar, i.e. the 2014-2015 academic year)
Language: English
Number of pages: 58
Keywords: Drive-by download, Security, Heap-spraying, JavaScript, NOP-sled, Sequence, Argument Analysis
Usage statistics: 266 views, 1 download
  • Chinese abstract (translated): Heap-spraying attacks are carried out with crafted malicious JavaScript and rely on a vulnerability in the browser or an installed plug-in to trigger. Attackers commonly obfuscate their malicious JavaScript in order to evade existing detection mechanisms. In this thesis we adopt a lightweight sandbox to handle obfuscation and propose a novel system, Heap Spraying Revelation, based on finding minimal-length sequences and analysing their arguments. The design of Heap Spraying Revelation combines static and dynamic analysis in order to improve both accuracy and efficiency. The minimal-length sequence targets the characteristic feature of heap-spraying, the NOP-sled, whose construction produces a large number of instructions; we capture and analyse this feature. Our work also presents a method for finding minimal-length sequences and analysing their arguments. Our experiments use an SVM (Support Vector Machine) as the classifier, and the resulting accuracy reaches 95.7%.


    Abstract: Heap-spraying attacks are carried out with crafted malicious JavaScript and rely on an exploitable vulnerability in the browser or an installed plug-in to trigger. Attackers commonly obfuscate their malicious JavaScript in order to evade detection mechanisms. In this thesis, we adopt a lightweight sandbox to deal with obfuscation and propose a novel system, Heap Spraying Revelation, based on minimal-length sequence finding and argument analysis. The fundamental observation behind its design is that combining static and dynamic analysis raises both detection accuracy and efficiency. The minimal-length sequence focuses on the characteristic feature of heap-spraying, the NOP-sled, whose construction generates a large number of instructions; we capture this distinguishing feature for analysis. Our work also presents a method for finding minimal-length sequences and analysing their arguments. In our experiments, we use an SVM (Support Vector Machine) as the classifier, and the resulting accuracy reaches 95.7%.
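The following is an added example, not the thesis's own code, illustrating the two ideas the abstract names. It treats a "minimal length sequence" as the shortest unit whose repetition covers the longest run of a string (what an expanded NOP-sled looks like once the script has built it) and performs "argument analysis" on what a script passes to unescape() and stores into array slots. The trace format (records a sandbox is assumed to log while executing the deobfuscated script), the thresholds, the two constructed traces and the fixed rule standing in for the thesis's SVM are all assumptions made for this example.

```javascript
// Added example, not the thesis's own code. A toy heap-spray feature extractor
// run over the strings a sandboxed script hands to allocation-related sinks.
// Trace format, thresholds and the decision rule are assumptions.

// Longest run inside s that repeats a unit of at most maxUnit characters.
// Returns the unit length, where the run starts and how long it is. A sled of
// "\u9090" characters gives unit 1 spanning the whole sled; a payload appended
// after it does not hide the run, because the run need not cover the string.
function longestRepeatRun(s, maxUnit = 8) {
  let best = { unit: 0, start: 0, length: 0 };
  for (let u = 1; u <= maxUnit && u < s.length; u++) {
    let runStart = 0;                       // current run covers s[runStart, i)
    for (let i = u; i <= s.length; i++) {
      if (i === s.length || s[i] !== s[i - u]) {
        const length = i - runStart;
        if (length > best.length || (length === best.length && u < best.unit)) {
          best = { unit: u, start: runStart, length };
        }
        runStart = i - u + 1;               // a new run can begin after the mismatch
      }
    }
  }
  return best;
}

// Argument analysis over a trace of { sink, value } records (assumed format).
// minSledLength: smallest run, in characters, treated as a sled;
// minRepeats: the unit must repeat at least this many times.
function extractFeatures(trace, { minSledLength = 0x10000, minRepeats = 16 } = {}) {
  const f = { maxLength: 0, sledBlocks: 0, sledFraction: 0, sledUnit: 0, wideUnescapeArgs: 0 };
  for (const { sink, value } of trace) {
    // %uXXXX arguments to unescape() are how sprays spell raw 16-bit words
    if (sink === 'unescape.arg' && /%u[0-9a-f]{4}/i.test(value)) f.wideUnescapeArgs++;
    if (sink !== 'array.store') continue;
    f.maxLength = Math.max(f.maxLength, value.length);
    const run = longestRepeatRun(value);
    if (run.length >= minSledLength && run.length / run.unit >= minRepeats) {
      f.sledBlocks++;                       // one more array slot holding a sled
      const fraction = run.length / value.length;
      if (fraction > f.sledFraction) { f.sledFraction = fraction; f.sledUnit = run.unit; }
    }
  }
  return f;
}

// Stand-in for the thesis's SVM classifier: a fixed rule on the same features.
function isHeapSpray(f) {
  return f.sledBlocks >= 8 && f.sledFraction >= 0.5;
}

// Constructed trace 1: the classic spray idiom (a short NOP text unescaped,
// doubled until large, a placeholder appended, the block stored into many
// array slots). The placeholder is arbitrary non-repeating text, not shellcode.
function buildSprayTrace(slots = 32) {
  const trace = [];
  const nopText = '%u9090'.repeat(8);
  trace.push({ sink: 'unescape.arg', value: nopText });
  let sled = unescape(nopText);             // 8 characters of U+9090
  while (sled.length < 0x10000) sled += sled;
  let placeholder = '';
  for (let i = 0; i < 256; i++) placeholder += String.fromCharCode(0x100 + (i * 7919) % 0x600);
  const block = sled + placeholder;
  for (let i = 0; i < slots; i++) trace.push({ sink: 'array.store', value: block });
  return trace;
}

// Constructed trace 2: a benign script that builds a modest HTML table string
// and unescapes a short value; the repetition it contains is short-lived.
function buildBenignTrace() {
  let html = '';
  for (let i = 0; i < 200; i++) html += '<tr><td>' + i + '</td></tr>';
  return [
    { sink: 'array.store', value: html },
    { sink: 'unescape.arg', value: 'caf%C3%A9' },
    { sink: 'array.store', value: unescape('caf%C3%A9') },
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, trace] of [['spray', buildSprayTrace()], ['benign', buildBenignTrace()]]) {
    const f = extractFeatures(trace);
    console.log(name, JSON.stringify(f), isHeapSpray(f) ? 'HEAP-SPRAY' : 'clean');
  }
}
```

Run with `node` to see the feature vectors for both traces. The repetition-based run finder only catches sleds built from one short unit; a sled assembled from varied NOP-equivalent instructions has no short repeating unit and slips past it, which is one reason to combine it with argument-level features and allocation counts rather than rely on any single measure.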

    Table of contents:
    Chinese Abstract
    ABSTRACT
    ACKNOWLEDGEMENTS
    1 Introduction
    1.1 Motivation
    1.2 Challenge and Goals
    1.3 Contributions
    2 Background
    2.1 Obfuscated JavaScript Detection
    2.2 Heap-spraying Attack
    2.3 Detection of Heap-spraying
    2.3.1 Static Analysis
    2.3.2 Dynamic Analysis
    2.3.3 Combining Static and Dynamic Analysis
    3 Heap Spraying Revelation
    3.1 ADSandbox
    3.2 Data Processor
    3.3 MinLength Sequence Extractor
    3.4 Argument Analyzer
    3.5 Heap Spraying Detector
    3.6 Summary
    4 Experiments and Results
    4.1 Experiment Design and Dataset
    4.1.1 Experiment Concept and Description
    4.1.2 Datasets
    4.2 Evaluation Metrics
    4.3 Effectiveness Analysis
    4.3.1 Statistic of Features
    4.3.2 Length Statistic of Minimal Length Sequences
    4.3.3 Results of Experiments
    4.3.4 Effectiveness of the Baseline Comparison
    4.3.5 Case Study
    5 Conclusions and Further Work
    5.1 Conclusions
    5.2 Future Work

