TransAST: A Machine Translation-Based Approach for Obfuscated Malicious JavaScript Detection

Abstract

As an essential part of the website, JavaScript greatly enriches its functions. At the same time, JavaScript has become the most common attack payload on malicious websites. Although researchers are constantly proposing methods to detect malicious JavaScript, the emergence of obfuscation technology makes it difficult for previous approaches to detect disguised malicious JavaScript effectively. To solve this problem, we find that there are fixed templates for generating obfuscated code, which makes the original and obfuscated script have a mapping relationship in their structure. The structure information of the code is critical for malicious detection. Therefore, this paper proposes TransAST, a novel static detection method for obfuscated malicious JavaScript. Our approach's key is restoring the obfuscated JavaScript structure information by training the machine translation model. The experiment shows it can achieve 91.35% accuracy and 94.57% recall in the public dataset, which is 5.5% and 10.94% higher than the existing optimal method.