JSObfusDetector: A Binary PSO-based One-Class Classifier Ensemble to Detect Obfuscated JavaScript Code

Transcription

1 2015 International Symposium on Artificial Intelligence and Signal Processing (AISP) JSObfusDetector: A Binary PSO-based One-Class Classifier Ensemble to Detect Obfuscated JavaScript Code Mehran Jodavi, Mahdi Abadi, and Elham Parhizkar Department of Electrical and Computer Engineering Tarbiat Modares University Tehran, Iran {mehran.jodavi, abadi, e.parhizkar}@modares.ac.ir Abstract JavaScript code obfuscation has become a major technique used by malware writers to evade static analysis techniques. Over the past years, a number of dynamic analysis techniques have been proposed to detect obfuscated malicious JavaScript code at runtime. However, because of their runtime overheads, these techniques are slow and thus not widely used in practice. On the other hand, since a large quantity of benign JavaScript code is obfuscated to protect intellectual property, it is not effective to use the intrinsic features of obfuscated JavaScript code for static analysis purposes. Therefore, we are forced to distinguish between obfuscated and non-obfuscated JavaScript code so that we can devise an efficient and effective analysis technique to detect malicious JavaScript code. In this paper, we address this issue by presenting JSObfusDetector, a novel oneclass classifier ensemble to detect obfuscated JavaScript code. To construct the classifier ensemble, we apply a binary particle swarm optimization (PSO) algorithm, called ParticlePruner, on an initial ensemble of one-class SVM classifiers to find a subensemble whose members are both accurate and have diversity in their outputs. We evaluate JSObfusDetector using a dataset of obfuscated and non-obfuscated JavaScript code. The experimental results show that JSObfusDetector can achieve about 97% precision, 91% recall, and 94% F-measure. Keywords obfuscated JavaScript code; static analysis; classifier ensemble; one-class classifier; ensemble pruning; particle swarm optimization I. INTRODUCTION Generally, code obfuscation is the deliberate act of transforming readable code into equivalent obfuscated code that is more difficult to understand [1]. It is commonly used by software developers to protect the intellectual property of their code or by malware writers to evade signature-based detection systems. JavaScript is a dynamic scripting language, which means that the developers can generate JavaScript code at runtime. However, the dynamic nature of JavaScript is often misused by malware writers to create malicious code. Therefore, a number of static analysis techniques [2], [3] have been proposed to detect malicious JavaScript code. While being fast and effective, these techniques have limited success when dealing with obfuscated JavaScript code. Due to this limitation, a number of dynamic analysis techniques [4], [5] have been developed to detect obfuscated malicious JavaScript code at runtime. However, because of their runtime overheads, these techniques are slow and thus not widely used in practice. On the other hand, the mere presence of obfuscated JavaScript code does not indicate the presence of any malicious content. The reason is that there is plenty of benign JavaScript code that has been intentionally obfuscated to protect intellectual property. Moreover, there are a lot of free obfuscators available that simply transform JavaScript code into equivalent obfuscated one, making the use of obfuscation in benign and malicious JavaScript code more popular as ever. According to the above discussion, if we are given a piece of non-obfuscated JavaScript code, it is reasonable that we use lightweight static techniques to analyze it. On the other hand, for obfuscated JavaScript code, it is better to use dynamic analysis techniques. As a result, we need to distinguish between obfuscated and non-obfuscated JavaScript code so that we can devise an efficient and effective analysis technique to detect malicious JavaScript code. In this paper, we address this issue by presenting JSObfusDetector, a one-class classifier ensemble to determine whether or not a piece of JavaScript code has been obfuscated for any purpose, malicious or otherwise. JSObfusDetector aims to detect obfuscated JavaScript code based on major changes in its structural and lexical aspects. JSObfusDetector consists of two main steps: training and detection. In the training step, we use a set of non-obfuscated JavaScript code blocks to construct an initial ensemble of oneclass SVM classifiers. We then prune the classifier ensemble using a novel binary particle swarm optimization (PSO) algorithm to find a near-optimal sub-ensemble. The goal is to reduce the size of the initial ensemble by selecting only a subset of the one-class SVM classifiers that are both accurate and have diversity in their outputs. In the detection step, we combine the outputs of chosen one-class SVM classifiers in the sub-ensemble using the majority voting rule to classify given JavaScript code blocks as obfuscated or non-obfuscated. Our approach is motivated by the observation that the fusion of multiple one-class classifiers can improve the classification accuracy [6]. The rest of the paper is organized as follows. In Section II, /15/$ IEEE 322

2 we describe some of the common JavaScript obfuscation techniques. In Section III, we present JSObfusDetector and experimentally evaluate it in Section IV. Finally, we discuss related work in Section V and conclude the paper in Section VI. II. BACKGROUND In this section, we first describe some of the most popular JavaScript obfuscation techniques and then give a brief overview of the binary PSO algorithm. A. JavaScript Obfuscation Techniques Obfuscation techniques are heavily used in benign and malicious JavaScript code, with the aim of making JavaScript code more difficult to understand to protect intellectual property or evade signature-based detection. In the following subsections, we briefly discuss the major obfuscation techniques being used in wild [7]. 1) Data Obfuscation. JavaScript code may be obfuscated by splitting its strings into multiple variables or substrings and concatenating them later, perhaps by using the document.write or eval functions (see Fig. 1). var mystr = "document.write('my Code')"; eval(mystr); (a) original code Fig. 1. An example of data obfuscation. var yq = "de')"; var sq = "doc"; var sm = "ument"; var kw = "('My Co"; var mystr = sq + sm + ".write" + kw + yq; eval(mystr); (b) obfuscated code 2) Encoding Obfuscation. A general technique for JavaScript obfuscation is to convert characters into their ASCII, Unicode, or hexadecimal values. Fig. 2 shows a demonstration of using Unicode values to obfuscate the string "My Code". document.write("\u004d\u0079\u0020\u0043\u006f\u0064\u0065"); Fig. 2. An example of encoding obfuscation. 3) Randomization Obfuscation. Randomization obfuscation is as simple as randomly inserting or changing some elements of code without changing the semantics at all. Variable and whitespace randomization [8] are common techniques in this category. Fig. 3 gives an example of variable randomization. function myfunc(str) { document.write(str); } var mystr = "My Code"; myfunc(mystr); (a) original code Fig. 3. An example of randomization obfuscation. function msfrt23kjgty(zs12mnjy) { document.write(zs12mnjy); } var nbuqmazsuikh = "My Code"; msfrt23kjgty(nbuqmazsuikh); (b) obfuscated code B. Binary PSO Particle swarm optimization (PSO) [9] is a population based stochastic optimization inspired by social behavior of flocks of birds when they are searching for food. In PSO, the potential solutions, known as particles, fly through the problem space exploring for better regions. Each particle in the swarm has a current position, a velocity, and a personal best position. The performance of the particle positions is measured using a predefined fitness function, which is related to the problem to be solved. Let be the position of the particle at the iteration, its personal best position at this iteration, denoted by, is updated as 1 if 1, (1) otherwise, where is the fitness function to be maximized. The best personal best position in the swarm is known as the global best position and is denoted by. Note that, throughout the paper, we use boldface to distinguish vectors from scalars. For the binary PSO [10], the elements of and can only take the values 0 and 1. The particle updates its current velocity and position using the following equation: 1, 1 0 if sig 1, 1 otherwise, where 1 and 1 are the velocity and position updated for the th dimension, 1,2,,. Also,,, and are random values in the range [0,1]. In addition, and are the acceleration constants and sig is a sigmoid function between 0 and 1. Using the sigmoid function, the velocity is interpreted as a probability to change a bit from 0 to 1 or from 1 to 0 when updating the position of particles. III. JSOBFUSDETECTOR In this section, we present JSObfusDetector, a binary PSObased one-class classifier ensemble to distinguish between obfuscated and non-obfuscated JavaScript code. JSObfusDetector is motivated by the observation that the performance of an ensemble that is composed of many base classifiers could be better than any of the base classifiers [6]. It consists of two main steps: training and detection. In the training step, we build a profile of non-obfuscated JavaScript code. To do so, we take as input a set of non-obfuscated JavaScript code blocks and extract an abstract syntax tree (AST) for each block in the set. We then traverse the ASTs to generate a set of feature vectors that are subsequently used to construct an initial ensemble of one-class SVM classifiers. Each feature vector includes values for features describing structural and lexical aspects of a JavaScript code block. We then use a binary PSO algorithm, called ParticlePruner, to find a near-optimal sub-ensemble that achieves the maximum possible fitness function. The goal is to reduce the size of by selecting only a subset of the one-class SVM classifiers that are both accurate and have diversity in their outputs. In the detection step, we extract a feature vector from each new JavaScript code block and apply it to all one-class SVM classifiers in. We then combine the outputs of these classifiers using the majority voting rule to (2) (3) 323

3 determine whether it is obfuscated or not. In the following subsections, we describe in detail what features are extracted from JavaScript code blocks and how the initial one-class classifier ensemble is pruned. A. Structural and Lexical Features As previously mentioned, the three most popular JavaScript obfuscation techniques, in order of popularity, are data, encoding, and randomization obfuscation. The obfuscation techniques can be easily applied to any JavaScript code and only change its structural and lexical aspects. Considering these changes, we present the following features to detect obfuscated JavaScript code: 1) Number of String Definitions. In order to perform data obfuscation, we can split a string into multiple substrings and concatenate them later. Most obfuscated JavaScript code makes use of data obfuscation to invisible particular strings or makes use of it along with dangerous functions like eval to generate code at runtime, resulting in an increased number of string definitions. 2) Rate of String Operations. An important side effect of data and encoding obfuscation techniques is the overuse of string operations, tending to an unusually large number of string operations compared with other operations. The reason is that these techniques widely generate code from strings at runtime by calling string functions such as fromcharcode, charat, substring, and so on. 3) Maximum Length of Strings and Ratio of Long Strings. It is common for encoding obfuscation techniques to convert characters in a string into their ASCII or Unicode values, causing the length of the string to increase. 4) Number of Dynamic Code Evaluations. Dynamic code evaluation plays an important role in data and encoding obfuscation techniques. The goal is to evaluate a string as code at runtime. JavaScript supports dynamic code evaluation using functions such as eval and settimeout. 5) Minimum and Maximum Entropy of Strings. Encoding obfuscation techniques usually transform all characters of a string in order to avoid pattern-matching detection, causing changes in the probability distribution of characters. B. ParticlePruner Given an initial ensemble of one-class SVM classifiers, we apply ParticlePruner on it to reduce its size. In this algorithm, we first initialize a swarm of particles. The position of each particle is represented by a binary vector of length :,,,, (4) where is the total number of one-class SVM classifiers in. Actually, indicates a sub-ensemble of one-class SVM classifiers in. If 1, this means that the one-class SVM classifier is part of. Otherwise, it means that is not part of the sub-ensemble: 1. (5) We then iteratively perform the following steps until some termination condition (e.g., the maximum number of fitness evaluations) is reached: during each iteration, we update the personal best position of each particle using (1). Next, we determine the global best position from the entire swarm by selecting the best personal best position. Subsequently, we update the velocity 1 and the position 1 of each particle using (2) and (3). We use two measures to evaluate the overall fitness of the particle positions, namely and. Let be a particle position. and are calculated as the true negative rate and the non-pairwise diversity of, where is the sub-ensemble indicated by. Given a validation dataset of feature vectors generated from nonobfuscated JavaScript code blocks, we calculate as 1 l, (6) where is the number of feature vectors in and l is an indicator function whose value is 1 if the subensemble correctly classifies an input feature vector belonging to and 0 otherwise: l 1 Ω 2, 0 otherwise, where is the number of one-class SVM classifiers in, and Ω is an indicator function whose value is 1 if the oneclass SVM classifier classify an input feature vector as belonging to the non-obfuscated class and 0 otherwise: Ω 1, (8) 0 otherwise. Actually, we use the majority voting rule to combine the outputs of one-class SVM classifiers in. Subsequently, we calculate as 1, (9) 1 1 where is the average true negative rate of one-class SVM classifiers in : (7) 1, (10) where is the proportion of one-class SVM classifiers in that correctly classify a feature vector : 1 Ω. (11) In fact, is a non-pairwise diversity measure based on the Kappa inter-rater agreement [11]. If there is no variation in the values of for all feature vectors, then there is more diversity among the one-class SVM classifiers in. In this case, may be seen to assume its maximum value of 1. On the other hand, if the values of is 0 or 1 for all feature vectors, then there is no diversity 324

4 among the one-class SVM classifiers in and may be seen to assume its minimum value of 0. Finally, we calculate the fitness of as the weighted average of and : 1, (12) where 0,1 is a user-defined parameter. Note that to calculate and, we only need the information of the non-obfuscated class. IV. EXPERIMENTAL EVALUATION In this section, we experimentally evaluate the performance of JSObfusDetector using a dataset of obfuscated and nonobfuscated JavaScript code blocks. A. Experimental Setup The dataset used in our experiments was consisted of 400 obfuscated and 1500 non-obfuscated JavaScript code blocks. To create the dataset, we captured the main web pages of the Alexa top 1000 websites [12] and selected the JavaScript code blocks of these web pages that were not suspected of being obfuscated. Moreover, we collected a number of benign and malicious JavaScript code blocks and obfuscated them using free online JavaScript obfuscators, such as [13], [14], [15]. In addition, we enriched the resulting dataset with some obfuscated JavaScript code blocks from [16]. To extract the AST of each block in the dataset, we used Rhino [17], which is a JavaScript engine developed in Java and managed by the Mozilla Foundation as open source software. When generating feature vectors from the obtained ASTs, we considered a string as long if its length was greater than a certain threshold which was empirically set to 500. We divided our dataset into training, validation, and testing datasets. The training and validation datasets consisted of 900 and 300 non-obfuscated JavaScript code blocks and were respectively used for constructing and pruning an initial oneclass classifier ensemble. The remaining non-obfuscated JavaScript code blocks and all obfuscated ones were used for testing purposes. For the purpose of our experiments, we constructed an initial ensemble of multiple one-class SVM classifiers using bagging [18] and the random subspace method [19]. In bagging, we randomly sampled the training dataset times with replacement, resulting in different training datasets with sizes equal to the original training dataset. In random subspace method, we independently trained one-class SVM classifiers on feature subsets of size 5, randomly selected from the training datasets produced by bagging. To implement the one-class SVM classifiers, we used the LIBSVM package [20]. We performed 5-fold cross-validation with grid search to tune the oneclass SVM parameters. We pruned the initial ensemble using ParticlePruner. It has two main control parameters: the number of particles ( ) and the maximum number of iterations ( ). For all experiments, we set to 50 and to 500. All reported results are averages of 30 runs. B. Performance Measures To evaluate the performance of JSObfusDetector, we used the standard measures of precision ( ), recall ( ), and F- measure ( ):,, (13) 2, where is the number of correctly classified obfuscated JavaScript code blocks, is the number of incorrectly classified non-obfuscated JavaScript code blocks, and is the number of incorrectly classified obfuscated JavaScript code blocks. C. Experimental Results We performed several experiments to analyze how the initial ensemble size,, affects the precision, recall, and F- measure of JSObfusDetector. By the initial ensemble size, we mean the total number of one-class SVM classifiers in the initial ensemble. Table I shows the obtained results for different values of. The average ensemble size after pruning is denoted by. Clearly, with an increase in, all the performance measures increase. However, a higher value of results in a higher value of and thus incurs more computational cost in the detection step. From the table, we can make a trade-off between the classification performance and the pruned ensemble size by setting 40. TABLE I. EFFECT OF ON THE PRECISION, RECALL, AND F-MEASURE OF JSOBFUSDETECTOR Precision Recall F-measure Next, to evaluate the impact of ParticlePruner on the performance of JSObfusDetector, we implemented another variant of it, called GenPruner. It should be mentioned that GenPruner Precision Recall F-measure ParticlePruner GenPruner Fig. 4. Comparison of ParticlePruner and GenPruner in terms of precision, recall, and F-measure. 325

5 is similar to ParticlePruner, with this difference that it uses standard genetic algorithm (SGA) to prune the initial ensemble. On the basis of the results in Fig. 4, we find that ParticlePruner outperforms GenPruner in terms of precision, recall, and F- measure. Therefore, we conclude that ParticlePruner can better explore the ensemble space and find a near-optimal subensemble. After that, we designed some experiments to evaluate the impact of various features in our feature set on the classification performance of JSObfusDetector. For this purpose, we first obtained the ranking of the features using three common feature ranking measures, namely information gain (IG), chisquare (CS), and correlation (CR). We then evaluated the classification performance of JSObfusDetector for 7 nested subsets of features. The first subset contained the top ranked feature; the second subset contained the top two ranked features, and so on. The last subset contained all features. The results in Table II show that the length-based features (maximum length of strings and ratio of long strings) are highly ranked in all three feature ranking measures. The further analysis of our dataset showed that less than 9% of explicitly defined strings in nonobfuscated JavaScript code blocks were long, while this value was more than 40% for obfuscated JavaScript code blocks. However, as shown in Table III, these two features alone are not enough for achieving a high classification performance and so we need to consider all features together to achieve good performance. Finally, we performed an experiment to compare the classification performance of JSObfusDetector with that of the best individual one-class SVM classifier. The results are shown in Fig. 5. As we expect, JSObfusDetector achieves the better precision, recall, and F-measure. Therefore, we conclude that oneclass classifier ensembles can be considered as an effective tool to detect obfuscated JavaScript code. TABLE II. RANKING OF THE FEATURES USING THREE COMMON FEATURE RANKING MEASURES Feature IG CS CR Number of String Definitions Rate of String Operations Maximum Length of Strings Ratio of Long Strings Number of Dynamic Code Evaluations Minimum Entropy of Strings Maximum Entropy of Strings TABLE III. PRECISION, RECALL, AND F-MEASURE OF JSOBFUSDETECTOR FOR DIFFERENT SUBSETS OF FEATURES Feature Subset Precision Recall F-measure , ,, ,,, ,,,, ,,,,, ,,,,,, Precision Recall F-measure JSObfusDetector Best Classifier Fig. 5. Comparison of JSObfusDetector and the best individual one-class SVM classifier in terms of precision, recall, and F-measure. V. RELATED WORK Most related work in the literature assumes that obfuscated JavaScript code is also malicious. For example, Choi et al. [22] proposed a technique to detect obfuscated strings in malicious web pages. Cova et al. [23] presented an approach for detecting malicious JavaScript code that relies on dynamic analysis and anomaly detection. They defined three features to dynamically identify the operations performed during the deobfuscation step. Canali et al. [24] introduced Prophiler, a filtering system that uses static analysis to distinguish between benign and malicious web pages. Prophiler uses some features derived from the HTML contents, associated JavaScript code, and URL of each web page to build detection models. They considered obfuscated JavaScript code within their design of features. However, their features are inadequate to effectively detect all JavaScript obfuscation techniques developed by malware writers. Curtsinger et al. [2] proposed ZOZZLE, a mostly static detector that is able to examine a web page and decide if it contains a heap spraying JavaScript malware. While their analysis is entirely static, ZOZZLE has a runtime component to address the issue of JavaScript obfuscation. In order to deal with obfuscation, ZOZZLE has integrated with the web browser s JavaScript engine to collect and process JavaScript code that is created at runtime. Xu et al. [3] presented a function invocation based analysis technique that leverages the combination of static analysis and run-time inspection to detect obfuscated malicious JavaScript code. Their underlying assumption is that obfuscated malicious JavaScript code has to be deobfuscated before fulfilling its malicious intent, and in JavaScript, the deobfuscation process has to invoke certain functions. Based on this assumption, they identify the function invocations that can be potentially involved in obfuscated malicious JavaScript code. However, dynamic characteristics of JavaScript allow developers to manipulate basic techniques of code obfuscation in infinite ways and obfuscate their JavaScript code in various forms. Some researchers have considered JavaScript code obfuscation as a self-determining problem and tried to detect any piece of obfuscated JavaScript code. Kaplan et al. [21] presented NOFUS, a tool that automatically determines whether a piece of JavaScript code has been obfuscated for any purpose, malicious or otherwise. NOFUS follows its previous work, ZOZZLE 326

6 [2], which uses Bayesian classification of hierarchical features of the JavaScript AST to identify syntax elements. It has been shown that both ZOZZLE and NOFUS cannot be considered as a comprehensive solution for the mentioned problem [1], because they consider very specific categories of obfuscated JavaScript code. Taharwa et al. [1] presented JSOD, a static analysis solution to detect obfuscated JavaScript code. Although there exists some resemblance in manner between JSOD and NOFUS, but unlike NOFUS which extracts flat features from AST, JSOD retains contextual information to handle a general form of JavaScript obfuscation techniques, known as readable obfuscation. However, it can be considered as a supervised obfuscation detector in which a Bayesian classifier is trained using context-based features that are extracted from the AST of JavaScript code. Therefore, similar to other supervised detectors, JSOD cannot handle new JavaScript obfuscation techniques. We have previously shown that by using our structural and lexical features we can devise an efficient semi-supervised JavaScript obfuscation detector that only uses non-obfuscated pieces of JavaScript code for training. Therefore, as a matter of fact, our obfuscation detector is able to handle both known and unknown JavaScript obfuscation techniques. VI. CONCLUSIONS JavaScript code is often obfuscated by software developers and malware writers to make its understanding more difficult, and thus, to conceal its purpose. In this paper, we presented JSObfusDetector, a novel approach based on the idea of ensemble learning to detect obfuscated JavaScript code. At first, JSObfusDetector constructs an initial ensemble of one-class SVM classifiers and then applies a binary PSO algorithm, called ParticlePruner, on it to find a sub-ensemble whose members are both accurate and have diversity in their outputs. The results of our experiments on a dataset of obfuscated and nonobfuscated JavaScript code demonstrate that JSObfusDetector can achieve high precision and recall. Therefore, it can be considered as an effective tool to detect obfuscated JavaScript code. While most related work focuses on detecting obfuscated malicious JavaScript code, JSObfusDetector tries to distinguish between obfuscated and non-obfuscated JavaScript code so that we can devise an efficient and effective analysis technique to detect malicious JavaScript code. REFERENCES [1] I. A. AL-Taharwa, H.-M. Lee, A. B. Jeng, K.-P. Wu, C.-S. Ho, and S.- M. Chen, JSOD: JavaScript obfuscation detector, Security and Communication Networks, [2] C. Curtsinger, B. Livshits, B. Zorn, and C. Seifert, Zozzle: Lowoverhead mostly static JavaScript malware detection, in Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, USA, [3] W. Xu, F. Zhang, and S. Zhu, JStill: Mostly static detection of obfuscated malicious JavaScript code, in Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy, San Antonio, TX, USA, [4] G. K. Jayasinghe, J. Shane Culpepper, and P. Bertok, Efficient and effective realtime prediction of drive-by download attacks, Journal of Network and Computer Applications, vol. 30, pp , [5] I. Corona, D. Maiorca, D. Ariu, and G. Giacinto, Lux0R: Detection of malicious PDF-embedded JavaScript code through discriminant analysis of API references, in Proceedings of the 7th ACM Workshop on Artificial Intelligence and Security, Scottsdale, AZ, USA, [6] G. Giacinto, R. Perdisci, M. Del Rio, and F. Roli, Intrusion detection in computer networks by a modular ensemble of one-class classifiers, Information Fusion, vol. 9, no. 1, pp , [7] G. Lu and S. Debray, Automatic simplification of obfuscated JavaScript code: A semantics-based approach, in Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, Gaithersburg, MD, USA, [8] W. Xu, F. Zhang, and S. Zhu, The power of obfuscation techniques in malicious JavaScript code: A measurement study, in Proceedings of the th International Conference on Malicious and Unwanted Software, Fajardo, PR, USA, [9] R. Poli, J. Kennedy, and T. Blackwell, Particle swarm optimization, Swarm Intelligence, vol. 1, no. 1, pp , [10] J. Kennedy, and R. C. Eberhart, A discrete binary version of the particle swarm algorithm, in Proceedings of the 1997 IEEE International Conference on Systems, Man, and Cybernetics, Orlando, FL, USA, [11] L. I. Kuncheva and C. J. Whitaker, Measures of diversity in classifier ensembles and their relationship with the ensemble accuracy, Machine Learning, vol. 51, no. 2, pp , [12] Alexa Top Global Sites. Available from: [Accessed December 2014]. [13] Free Online JavaScript and HTML Obfuscator. Available from: [Accessed December 2014]. [14] Free JavaScript Obfuscator. Available from: obfuscator.com [Accessed December 2014]. [15] JavaScript Obfuscator/Encoder. Available from: jsobfuscate.com [Accessed December 2014]. [16] M. Mansoori, I. Welch, and Q. Fu, YALIH, yet another low interaction honeyclient, in Proceedings of the 12th Australasian Information Security Conference, Auckland, New Zealand, [17] Rhino - JavaScript Engine, Mozilla Developer Network. Available from: [Accessed December 2014]. [18] J. Quinlan, Bagging, boosting, and C4.5, in Proceedings of the 13th National Conference on Artificial Intelligence, Portland, OR, USA, [19] H. Tin Kam, The random subspace method for constructing decision forests, IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 20, no. 8, pp , [20] C.-C. Chang and C.-J. Lin, LIBSVM: A library for support vector machines, ACM Transactions on Intelligent Systems and Technology, vol. 2, no. 3, [21] S. Kaplan, B. Livshits, B. Zorn, C. Seifert, and C. Curtsinger, "NOFUS: Automatically Detecting" + string.fromcharcode(32) + "ObFuSCateD".tolowercase() + "javascript code", Technical Report, Microsoft Research, [22] Y.-H. Choi, T.-G. Kim, and S.-J. Choi. Automatic detection for JavaScript obfuscation attacks in web pages through string pattern analysis, International Journal of Security and Its Applications, vol. 4, no. 2, pp , [23] M. Cova, C. Kruegel, and G. Vigna, Detection and analysis of driveby-download attacks and malicious JavaScript code, in Proceedings of the 19th International Conference on World Wide Web, Raleigh, NC, USA, [24] D. Canali, M. Cova, G. Vigna, and C. Kruegel, Prophiler: A fast filter for the large-scale detection of malicious web pages, in Proceedings of the 20th International Conference on World Wide Web, Hyderabad, India,