Web page malicious code detection is a crucial aspect of Internet security. Current web page malicious codes detection work by checking for ȁC;signaturesȁD;, which attempt to capture (syntactic) characteristics of the known malicious codes. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malicious codewriters, which alter syntactic prosperities of the malicious code without affecting their execution behavior significantly. This paper takes the position that the key to webpage malicious code lies in their execution behavior. It proposes a script execution behavior feature based framework for analyzing propose of malicious codes and proving properties such as soundness and completeness of these malicious codes. Our approach analyses the script and confirms the script which contains malicious code by finding shell code, overflow behavior and hidden hyper link. As a concrete application of our approach,we show that the script execution behavior based webpage malicious code detector can detect many known malicious code but also the newest malicious code.
展开▼
