Abstract

JavaScript malware is one of the major threats to web security. A big challenge in detecting such malicious JavaScript is obfuscation, which transforms program code into a harder-to-understand representation while preserving its original functionality. Many malicious JavaScript detection methods perform code abstraction and prior feature extraction to uncover the functionality hidden by obfuscation. However, such preprocessing steps significantly limit the detectors’ efficiency in practical situations. This paper presents Malicious Obfuscated JavaScript Inspector (MOJI), a novel method for malicious JavaScript detection, which requires no code abstraction or prior feature extraction. Instead, our detector directly accepts a sequence of characters in JavaScript code as an input and outputs its maliciousness score. Specifically, we design a character-level convolutional neural network consisting mainly of several 1D convolutional layers and fully connected layers. We evaluate the proposed method on a dataset composed of 24,000 JavaScript codes and show that our method outperforms existing malicious JavaScript detectors in terms of both detection performance and running time. We also provide an analysis of the effect of additional obfuscation on the same dataset. Our results indicate that MOJI is far more robust to obfuscation than the existing methods and commercial antivirus software.
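The pipeline the abstract describes (raw characters in, score out) can be sketched as follows; this is an added illustration, not code from the paper. The alphabet, input length, global max pooling, the three hand-set filters and the output weights are assumptions made for the example: MOJI learns its filters from data, and the abstract does not give its layer sizes.

```python
import math

# Assumed alphabet and input length; the abstract gives neither.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789 ()[]{}.,;:=+-*/%'\"\\_<>!&|"
MAX_LEN = 128
IDX = {c: i for i, c in enumerate(ALPHABET)}

# Hand-set filters standing in for learned ones (constructed for this example).
PATTERNS = ["eval(", "unescape(", "fromcharcode"]
FC_WEIGHTS = [4.0, 4.0, 4.0]   # constructed, not trained
FC_BIAS = -3.0

def encode(src):
    """Quantize source to MAX_LEN alphabet indices; -1 is padding/unknown (all-zero one-hot)."""
    s = src.lower()[:MAX_LEN]
    return [IDX.get(c, -1) for c in s] + [-1] * (MAX_LEN - len(s))

def conv1d_relu_maxpool(seq, pattern):
    """One conv channel whose kernel is the one-hot encoding of `pattern`.

    The dot product of a one-hot kernel with a one-hot window equals the number of
    matching characters. A bias of -(k-1) plus ReLU keeps only exact matches, and
    global max pooling makes the feature independent of position.
    """
    kernel = [IDX[c] for c in pattern]
    k = len(kernel)
    best = 0
    for i in range(len(seq) - k + 1):
        matches = sum(1 for j in range(k) if seq[i + j] == kernel[j])
        best = max(best, max(0, matches - (k - 1)))
    return best

def features(src):
    seq = encode(src)
    return [conv1d_relu_maxpool(seq, p) for p in PATTERNS]

def score(src):
    """Fully connected layer plus sigmoid: maliciousness score in (0, 1)."""
    z = FC_BIAS + sum(w * f for w, f in zip(FC_WEIGHTS, features(src)))
    return 1.0 / (1.0 + math.exp(-z))

# Constructed sample inputs.
BENIGN = "var total = price * qty;"
PACKED = "eval(unescape('%61%6c%65%72%74'))"

if __name__ == "__main__":
    for s in (BENIGN, PACKED, "   " * 10 + "String.fromCharCode(97)"):
        print(f"{score(s):.3f}  {features(s)}  {s.strip()!r}")
```

Input past `MAX_LEN` is truncated, so a fixed-length encoding like this one never sees content beyond that window.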
