Novel JavaScript malware detection based on fuzzy Petri nets

Abstract

Currently, JavaScript is a popular scripting language for building web pages. It allows website creators to run any program code they want when users are visiting their websites. Meanwhile, malicious JavaScript becomes one of the biggest threats in the cyber world. Researchers are now searching for a convenient and effective way to detect JavaScript malware. Consequently, this paper aims to propose a novel method of detecting the JavaScript malware by using a high-level fuzzy Petri net (HLFPN). First, the web pages are crawled to get JavaScript files. Second, those main features are extracted from JavaScript files. In total, six main features of the JavaScript, including longest word size, entropy, specific character, commenting style, function calls, and abstract syntax tree (AST) features are collected. Finally, an HLFPN model is used to determine whether the malicious code is available or not. The experimental results have fully demonstrated the effectiveness of our proposed approach.

Keywords

Fuzzy reasoning JavaScript malware detection high-level fuzzy Petri net cyber security

1 Introduction

JavaScript, HyperText Markup Language (HTML) and Cascading Style Sheets (CSS) are three core technologies in the World Wide Web (WWW) content production. JavaScript is a scripting language that can be learned easily. That is the reason why it is widely used on the Internet [1]. In the light of Microsoft’s recent security reports, the number of malicious JavaScript contents detected was the largest one in the first half of 2013 [2].

The traditional antivirus software often relies on the signature-based technique to detect malware. The signature-based approach is not precise anymore because it can neither resist obfuscation, nor be applied to the evolving variants of malware [3]. Recent malware is usually detected by machine learning or even deep learning, which was implemented in artificial neural network (ANN). Based on the previous research work in [24], ANN has some drawbacks including complicated structures, complex computation, more information storage needed, and so on.

However, this paper proposes a novel method of detecting the JavaScript malware by using a high-level fuzzy Petri net (HLFPN) model. It only needs simple computation, such as matrix multiplication and digital comparison operation. It also has some advantages including simple structures and less information storage needed. In the beginning, similar to other machine learning, it must collect some datasets and then extract their features. First, crawl JavaScript files from the Internet and extract the features of JavaScript code. Finally, use the HLFPN model to determine whether the code is malicious or not. Our research purposes are not only to use a simple reasoning algorithm to detect the malicious JavaScript, but also to have a high degree of precision and recall.

The remainder of this paper is organized as follows: In Section 2, we provide a literature review of the proposed JavaScript malware detection system, including definitions of JavaScript malware, JavaScript malware detection techniques, and HLFPN. In Section 3, we describe the framework of the proposed JavaScript malware detection system by using HLFPN. The experimental results and analysis are presented in Section 4. Finally, the conclusion and future work are remarked in Section 5.

2 Literature review

In Section 2, we first describe the definitions of JavaScript malware, and JavaScript malware detection techniques. Then, we describe some of the basic definitions of an HLFPN. We also make a decision by using a fuzzy reasoning algorithm.

2.1 JavaScript malware

Andra Zaharia [4] stated that JavaScript allows website creators to run any code they want when users visit their website. Therefore, when the code with bugs or the code is improperly implemented, it can create backdoors to the website vulnerable to attackers.

Since the online browsing is one of the most popular ways for users, cybercriminals are aiming at this case. Online attackers often redirect users to compromise websites. They can hack legitimate websites easily. According to Sophos, 82% of malicious sites hacked legitimate sites [5].

When one unintentionally browses an infected website, the malicious JavaScript files might be downloaded on one’s computer. The following are the definitions of an infected website:

Cybercriminals have injected malicious JavaScript code into the website and its database.

Attackers display the online advertisements/banners on the website by malicious JavaScript code.

Cyber attackers have loaded malware or malicious contents from remote servers.

2.1.1 Spreading javascript malware

According to Heimdal security blog [4], there are eight ways to spread malware in the current cyber attacks.

Injecting malicious JavaScript code into the legitimate websites:

It is used to redirect users to malware sites or to trigger malware infections to exploit servers.

Injecting malicious JavaScript code into an online advertising network:

It appears in the online banner ads and redirects users to the malicious websites.

Hidden iFrames:

It downloads JavaScript malware from the compromised websites and then the malware tries to infect the PC by executing code.

Compromising JavaScript code to trigger an infected download:

It is one of the most common scams on the Internet, such as fake antivirus products. These may compromise your irreversible system.

Drive-by download:

Infected JavaScript files are used to start malware infections.

Fake software pop-up messages:

Cybercrooks can be easily forgotten, and they look real and convincing.

Malicious JavaScript attachments:

These attachments are put through Windows programs. They may trigger the malicious infection outside the browser.

Browser plugins:

They may be infected or they may load the external content with malware from an external source.

2.2 JavaScript malware detection techniques

In this Sub-section, we discuss some recent approaches to detect malicious JavaScript code.

2.2.1 Signature-based technique

Yinxing Xue et al. [6] have stated that the signature-based techniques are usually adopted by antivirus software, which generate a hash value or fingerprint for a malicious sample. Although these approaches can provide a certain level of security for known malware, they fail to detect obfuscated variants with different hash values or fingerprints.

2.2.2 Pattern-based technique

YoungHan, et al. [7] have proposed a novel approach which can detect obfuscated strings in a malicious web page. They extracted three features for detecting obfuscated strings by analyzing malicious JavaScript patterns, namely, N-gram, Entropy, and Word Size. N-gram stores many bytes of each code used in strings. Entropy stores distribution of used bytecodes. Word size determines whether there is a very long string used. However, publishing new malicious scripts and maintaining a pattern-based system become a tedious task.

2.2.3 Machine learning

Machine learning [8] is a scientific discipline that encompasses various methods and related algorithms whose purpose is to learn from datasets. The traditional algorithms, such as K-Nearest Neighbor (KNN), Support Vector Machine (SVM), and Naive Bayes (NB), usually rely on feature engineering. A semi-manual task of determining properties of the datasets can be extracted and be fed to an algorithm as input. It can be learned from the algorithm to train a model. In other words, machine learning aims to find hidden rules behind available datasets by using various models. Once a model has been trained, it can be used to predict the unseen datasets.

(1) K-Nearest Neighbor

A classifier is the simplest classification algorithm [9]. It makes classification by measuring the distance between the feature values of different samples. If a sample belongs to a class in most of the k most similar samples (i.e. the nearest neighbors) in the feature space, and the sample also belongs to this class. But it has low accuracy in classification.

(2) Support Vector Machine

The classifier draws a hyperplane in the feature space in order to maximize the distance between all samples of benign and malicious classes [10]. Thus, it needs more complicated computation.

(3) Naive Bayes

The classifier uses Bayes’ theorem with strong assumptions of independence between features to predict whether the sample is benign or malicious. It uses a kernel function to estimate the distribution of numerical attributes rather than the normalized distributions [11]. But it is more case-sensitive.

2.3 High-level fuzzy Petri net

Dr. Carl Petri proposed Petri net theory in 1962. In his dissertation, “Kommunikation mit Automaten,” [Communication with Automata] [12]. He formulated the idea for a principle of communication between asynchronous components of a computer system. The Petri net is a graphical and mathematical modeling tool, which is concurrent, asynchronous, distributed, parallel, nondeterministic, and stochastic. It could be used to model and analyze diverse systems. [12] However, along with the advances of the information system, the descriptions of Petri nets are more and more complex. Therefore, scholars or researchers one after another conduct their researches with extended Petri net theory, such as colored Petri net [13], timed Petri net [14], fuzzy Petri net [15], high-level fuzzy Petri net [16] [17] [18] [19] [20] [21], and so on. This paper has followed the HLFPN model to make a decision on the malware detection.

(1) Definitions

The basic definitions and fuzzy reasoning approach are presented as follows:

Definition 1: The HLFPN is defined as an eight-tuple. HLFPN = (P, T, F, C, V, α, β, δ), where P = {p₁, p₂, p₃, . . . , p_k}

A finite set of places.

T = {t₁, t₂, t₃, . . . , t_k}

A finite set of transitions.

P∪ T ≠ ∅

F ⊆ (P × T) ∪ (T × P)

The flow relation, i.e. a finite set of arcs, each representing the fuzzy set (i.e. fuzzy term) of an antecedent or a consequent; where the positive arcs (i.e. THEN parts) are denoted by ⟶.

C = {X, Y, Z}

A finite set of linguistic variables, e.g. X, Y, and Z, where X={x₁, x₂_, x₃_, ... ,x_n}, Y={y₁, y₂_, y₃_, ... ,y_m}, and Z={z₁, z₂_, z₃_, ... ,z_q}.

V = {v₁, v₂v₃ … , v₄}

A finite set of fuzzy truth values known as the fuzzy relational matrix between the antecedent and the consequent of a fuzzy production rule.

α: P ⟶ C

An association function, mapping from places to linguistic variables, α(p_i) = c_i, i = 1, ... , L, where C = {c_i} is a set of linguistic variables in the knowledge base (KB), and L is the number of linguistic variables in the KB.

β: F ⟶ [0, 1]

An association function, mapping from the flow relations to the fuzzy truth values between zero and one.

δ: T ⟶ V

An association function, mapping from transitions to fuzzy relational matrices.

Definition 2 (Input and Output Functions): I (t) = {p ∈ P| (p, t) ∈ F}

A set of the input places of transition t.

I (p) = {t ∈ T| (t, p) ∈ F}

A set of the output places of transition p.

O (t) = {p ∈ P| (t, p) ∈ F}

A set of the input transitions of place t.

O (p) = {t ∈ T| (p, t) ∈ F}

A set of the output transitions of place p.

Definition 3 (Negation):

In the IF-THEN-ELSE rule, the ELSE part is denoted by a negation arc ∘ ⟶, and the fuzzy set in the antecedent (i.e., IF part) must be complemented and denoted by ¬, i.e. the negated fuzzy set = 1 – the fuzzy set in the antecedent.

Definition 4 (Membership Function):

Mem(p): P⟶[0,1], which assigns to each place a real value Mem(p) = DOM(α(p)), where DOM represents the degree of membership in the associated proposition, and data tokens are available in P.

Definition 5 (max-min Compositional Rule):

In HLFPN, ∀ transition t, V (t) = ^∧ (fuzzy sets in I(t)); and ∀ place p, V(p) = V (fuzzy sets in I(p)), where ^∧ denotes min operation and V denotes max operation. This rule is denoted by ∘.

Definition 6 (Input Place, Hidden Place, and Output Place):

In HLFPN, ∀ place p_i ∈ P, if ∀t_j∈ T, p_i∉ O(t_j), then p_i is called input place (IP); if ∀ t_j∈ T, p_i∉ I(t_j), then p_i is called output place (OP); else, p_i is called hidden place.

(2) Fuzzy Reasoning

In the fuzzy reasoning method presented in [21], fuzzy production rules are used. Mamdani’s fuzzy implication rule type [22] is applied throughout this paper. In general, a fuzzy production rule describes the fuzzy relationship between the antecedent and the consequent. Let R be a set of fuzzy production rules, where R = {R₁, R₂,..., R_n}. The general form of the ith fuzzy production rule R_i is shown as follows:

R_i: IF d_j(X is A), THEN d_k(Y is B); ELSE, d_w(Z is C) ... (V).

where “X is A”, “Y is B” and “Z is C” are propositions; X is called the input linguistic variable; Y and Z are called the output linguistic variables, respectively; A is called the input fuzzy set; B and C are called the output fuzzy sets, respectively; the fuzzy truth values of the propositions “X is A”, “Y is B” and “Z is C” are restricted to [0, 1]; “X is A” is the antecedent of fuzzy production rule R_i, “Y is B” and “Z is C” are the consequents of fuzzy production rule R_i. Let V denote the fuzzy relational matrix between the antecedent and the consequent of a fuzzy production rule.

Example 1:

Let us consider the fuzzy production rule R₁ shown as follows:

R₁: IF the temperature (X₁) is hot (A₁) AND the sky (X₂) is cloudy (A₂), THEN the humidity (Y) is high (B).

Based on the transformation procedure presented in [19], we can transform the above-referenced fuzzy production rule R₁ into the following first-order logic form:

$R_{1}^{'}$ : IF X₁ (A₁) AND X₂ (A₂), THEN Y (B).

Then, the HLFPN model is shown in Fig. 1.

Fig. 1

HLFPN for Example 1.

Assume that the fuzzy sets A₁, A₂ and B are shown as follows: $A_{1} = \frac{0.26}{a_{11}} + \frac{0.63}{a_{12}} + \frac{0.26}{a_{13}}$ $A_{2} = \frac{0.14}{a_{21}} + \frac{0.86}{a_{22}} + \frac{0.34}{a_{23}}$ $B = \frac{0.25}{b_{1}} + \frac{0.85}{b_{2}} + \frac{0.12}{b_{3}}$

By the cylindrical extension operations [23], we can obtain the fuzzy set A of antecedent, shown as follows: $A = A_{1} \times A_{2} = {(\begin{matrix} 0.26 & 0.63 & 0.26 \end{matrix})}^{T}$ $\land (\begin{matrix} 0.14 & 0.86 & 0.34 \end{matrix})$ $= | \begin{matrix} 0.14 & 0.26 & 0.26 \\ 0.14 & 0.63 & 0.34 \\ 0.14 & 0.26 & 0.26 \end{matrix} |$ where ^∧ denotes min opeation.

Then, the fuzzy relational matrices V₁(t₁), V₂(t₂) and V₃(t₃) between the antecedent and consequent of fuzzy production rule R₁ can be obtained, shown as follows: $V_{1} (t_{1}) = | \begin{matrix} 0.14 & 0.25 & 0.25 \\ 0.14 & 0.25 & 0.25 \\ 0.14 & 0.25 & 0.25 \end{matrix} | \in A \times B \times b_{1},$ $i . e . 0 . 25^{\land} each element in A .$ $V_{2} (t_{2}) = | \begin{matrix} 0.14 & 0.26 & 0.26 \\ 0.14 & 0.63 & 0.34 \\ 0.14 & 0.26 & 0.26 \end{matrix} | \in A \times B \times b_{2},$ $i . e . {0.85}_{\land} each element in A .$ $V_{3} (t_{3}) = | \begin{matrix} 0.12 & 0.12 & 0.12 \\ 0.12 & 0.12 & 0.12 \\ 0.12 & 0.12 & 0.12 \end{matrix} | \in A \times B \times b_{3},$ $i . e . {0.12}^{\land} each element in A .$

The most widely used fuzzy reasoning method is the max–min compositional inference ∘ [24]. Assume that the input fuzzy sets $A_{1}^{'}$ and $A_{2}^{'}$ are shown as follows: $A_{1}^{'} = \frac{0.14}{a_{11}} + \frac{0.83}{a_{12}} + \frac{0.26}{a_{13}}$ $A_{2}^{'} = \frac{0.23}{a_{21}} + \frac{0.88}{a_{22}} + \frac{0.35}{a_{23}}$

Then, we can get $A_{1}^{'} \circ V_{1} (t_{1}) = (\begin{matrix} 0.14 & 0.83 & 0.26 \end{matrix})$ $\circ V_{1} (t_{1}) = (\begin{matrix} 0.14 & 0.14 & 0.14 \end{matrix})$ $A_{1}^{'} \circ V_{2} (t_{1}) = (\begin{matrix} 0.14 & 0.83 & 0.26 \end{matrix})$ $\circ V_{2} (t_{1}) = (\begin{matrix} 0.13 & 0.63 & 0.34 \end{matrix})$ $A_{1}^{'} \circ V_{3} (t_{1}) = (\begin{matrix} 0.14 & 0.83 & 0.26 \end{matrix})$ $\circ V_{3} (t_{1}) = (\begin{matrix} 0.12 & 0.12 & 0.12 \end{matrix})$

Finally, we can obtain $B^{'} = (\begin{matrix} 0.23 & 0.88 & 0.35 \end{matrix}) \circ | \begin{matrix} 0.14 & 0.13 & 0.12 \\ 0.14 & 0.63 & 0.12 \\ 0.14 & 0.34 & 0.12 \end{matrix} |$ $= (\begin{matrix} 0.14 & 0.63 & 0.12 \end{matrix})$ $= \frac{0.14}{b_{1}} + \frac{0.63}{b_{2}} + \frac{0.12}{b_{3}}$

The above description is the fuzzy reasoning process of HLFPN.

(3) Fuzzy Reasoning Algorithm

In this Sub-section, we briefly evaluate fuzzy reasoning algorithm (FRA) from [5] to decide whether there exists or not a fuzzy relational matrix between the antecedent and the consequent of a fuzzy production rule.

INPUT: Mem(p), ∀p_i ∈ IP, where IP denotes a set of input places.

OUTPUT: Mem(p), ∀p_i ∈ OP, where OP denotes a set of output places.

PROCEDURE:

3 The proposed system

In this Section, the procedure of using HLFPN to successfully detect malicious and benign JavaScript code is introduced. As described in [25], the most malicious JavaScript is obfuscated and the obfuscated feature becomes much complicated. Our goal is to detect the malicious JavaScript with a high degree of precision and recall. There are three stages of the procedure, including data collection, feature extraction, and detection of the malicious JavaScript using HLFPN, as shown in Fig. 3.

Fig. 2

Procedure of fuzzy reasoning.

Fig. 3

Flowchart of JavaScript malware detection using HLFPN.

3.1 Data collection

We write a Python [26] program to download the web pages. Python is a popular programming language for developing a web crawler. After downloading the web pages, we use Beautiful Soup [27] which is a Python library to pull the JavaScript code out of HTML files.

(1) Benign JavaScript Collection

We use Alexa.top500 websites [28] as the initial seed to crawl a portion of the websites. We only download the textual content and ignore the visual and aural content.

(2) Malicious JavaScript Collection

Due to the short life of malicious scripts, it is complex to collect the malicious JavaScript samples. We download the JavaScript malware collection on GitHub [29], and collect the instances of malicious scripts from MalwareURL [30].

3.2 Feature selection

The importance of the features directly affects the accuracy of a classifier. Through the analysis of JavaScript and Drive-by-download attack [31], we extract 6 features of the JavaScript, including longest word size, entropy, specific character, commenting style, function calls, and abstract syntax tree (AST) features. From the above features we have stored a total of seven values, as shown in Table 1.

Table 1
Feature name and description list

Feature name Description

Longest Word Size (lw) Longest word size of JavaScript code.

Entropy (ent) The distribution of bytes (characters) which is calculated as follows:

$H = - \sum_{t = 1}^{N} (\frac{x_{i}}{T}) {log}_{10} (\frac{x_{i}}{T}) {\begin{matrix} X = {x_{i}, i = 0, 1, 2 . . . N} \\ T = \sum_{i = 1}^{N} x_{i} \end{matrix}$ (1)

Specific Character (sc) Occurrence frequency of bytecode (character) in the strings.

Commenting Style (cs) Usage frequency of comment styles.

Function Calls (fc) Usage frequency of function calls with security risks.

AST Depth (de) Large values of AST depth.

AST Width (wi) AST maximum width.

Feature name	Description
Longest Word Size (lw)	Longest word size of JavaScript code.
Entropy (ent)	The distribution of bytes (characters) which is calculated as follows:
	$H = - \sum_{t = 1}^{N} (\frac{x_{i}}{T}) {log}_{10} (\frac{x_{i}}{T}) {\begin{matrix} X = {x_{i}, i = 0, 1, 2 . . . N} \\ T = \sum_{i = 1}^{N} x_{i} \end{matrix}$ (1)
Specific Character (sc)	Occurrence frequency of bytecode (character) in the strings.
Commenting Style (cs)	Usage frequency of comment styles.
Function Calls (fc)	Usage frequency of function calls with security risks.
AST Depth (de)	Large values of AST depth.
AST Width (wi)	AST maximum width.

3.3 Membership function

In the decision method, seven features are used, namely, the longest word size of JavaScript code (lw), the uncertainty of JavaScript code (ent), occurrence frequency of specific characters (sc), usage frequency of comment styles (cs), usage frequency of function calls with security risks (fc), the maximum AST depth (de), and the maximum AST width (wi). In addition, the malicious decision is also divided into two parts, namely, “Benign” and “Malicious”.

The membership functions of High, Me dium, and Low, and malicious decision are based on Equation (2). In the analysis, the membership functions of input parameters are set between 0 and 1. Thus, the values of input parameters are converted into the values between 0 and 1 using Equations (3)–(5). $\begin{matrix} High = (\min, \max, \max + {(\max - \min)}^{2}) \\ Medium = (\min, \min + ((\max - \min) / 2), \max) \\ Low = (\min - (\max - \min)^{2}, \min, \max) \end{matrix}$ (2) $\begin{matrix} uH (x) = {\begin{matrix} 1, x \geq max + {(max - min)}^{2} \\ \frac{- 1}{{(max - min)}^{2}} (x - max + {(max - min)}^{2}), \\ max \leq x < max + {(max - min)}^{2} \\ \frac{1}{(max - min)} (x - min), min < x < max \\ 0, x \leq min \end{matrix} \end{matrix}$ (3) $\begin{matrix} uM (x) = {\begin{matrix} 0, x \geq max \\ \frac{- 1}{max - (min + ((max - min) / 2))} (x - max), \\ min + ((max - min) / 2) \leq x < max \\ \frac{1}{((max - min) / 2)} (x - min), min < x < min \\ + ((max - min) / 2) \\ 0, x \leq min \end{matrix} \end{matrix}$ (4) $\begin{matrix} uL (x) = {\begin{matrix} 0, x \geq max \\ \frac{- 1}{(max - min)} (x - max), min \leq x < max \\ \frac{1}{(max - min)^{2}} (x - min - (max - min)^{2}), \\ min - (max - min)^{2} < x < min \\ 1, x \leq min - (max - min)^{2} \end{matrix} \end{matrix}$ (5)

3.4 Fuzzy Reasoning and Building HLFPN

In the previous Sub-section, we have defined the fuzzy sets and their corresponding membership functions. Each input parameter is imported to the fuzzifier to get the membership degree of each set. According to the size of the input parameter, it is changed into an “IF... THEN... “ statement to build a rule base. The activity diagram is shown in Fig. 4.

Fig. 4

The activity diagram of fuzzy reasoning.

Assume that the input linguistic variables are lw, ent, sc, cs, fc, de, and wi with fuzzy terms: high (H), medium (M), and low (L). And assume that the decision (D) is an output linguistic variables: strong (S), indeterminate (I) and weak (W) The fuzzy production rules are defined as follows:

R₁: IF lw is H THEN D is S

R₂: IF lw is M THEN D is I

R₃: IF lw is L THEN D is W

R₄: IF ent is H THEN D is W

R₅: IF ent is M THEN D is I

R₆: IF ent is L THEN D is S

R₇: IF sc is H THEN D is S

R₈: IF sc is M THEN D is I

R₉: IF sc is L THEN D is W

R₁₀: IF cs is H THEN D is S

R₁₁: IF cs is M THEN D is I

R₁₂: IF cs is L THEN D is W

R₁₃: IF fc is H THEN D is S

R₁₄: IF fc is M THEN D is I

R₁₅: IF fc is L THEN D is W

R₁₆: IF de is H THEN D is S

R₁₇: IF de is M THEN D is I

R₁₈: IF de is L THEN D is W

R₁₉: IF wi is H THEN D is S

R₂₀: IF wi is M THEN D is I

R₂₁: IF wi is L THEN D is W

Then, the fuzzy production rules are transformed into the HLFPN model, as shown in Fig. 5; and the parameters are described in Table 2.

Fig. 5

HLFPN model representing 21 fuzzy production rules.

Table 2

Description of parameters

Name of parameter	Description of parameter
lw	Indicates the value of lw in input places P₁
ent	Indicates the value of ent in input places P₂
sc	Indicates the value of sc in input places P₃
cs	Indicates the value of cs in input places P₄
de	Indicates the value of de in input places P₅
wi	Indicates the value of wi in input places P₆
fc	Indicates the value of fc in input places P₇
D	Indicates a decision in an output place P₄
H, M, L	Indicates high, medium, and low fuzzy sets, respectively.
S, I, W	Indicates strong, indeterminate, and weak fuzzy sets, respectively.
V(t_i), i = 1, 2, 3 ... 21	Indicates the fuzzy relational matrix of lw, ent, sc, cs, fc, de, wi and detection status decision.
H’, M’, L’	Indicates high, medium, and low fuzzy sets of input values, respectively.

According to the proposed HLFPN model, the reasoning is done by using fuzzy technical indices and fuzzy production rules in the rule base. Based on the reasoning procedure, we use the standard operators for simple calculations. Finally, we use the weighted average defuzzification method to get the output and determine whether the JavaScript is benign or malicious.

4 Experimental results

In Section 4, we intend to verify the proposed system and demonstrate that the proposed JavaScript malware detection system is feasible. First, show an example to illustrate the HLFPN model for fuzzy reasoning. Then, crawl the datasets and apply our proposed approach. The experimental environment and performance analysis are also under discussion.

4.1 Experimental environment

We have collected benign and malicious datasets and put them into our system for detection. Python language was used. All our required LIBs were extended in the Python library [32].

Because this paper focuses on a novel malware detection approach, we only generate a simple user interface. The Python interface we used to perform the experiments is shown in Fig. 6.

Fig. 6

Python interface.

4.2 Experimental procedure

In this Sub-section, we present the experimental procedure of our approach as follows:

(1) Collect data and extract features

As we have stated in Section 3, we must firstly crawl the web pages to get JavaScript files and then extract the features of JavaScript code, and save it as a feature file (i.e. train(B).csv). The Comma-Separated Values (CSV) file stores the table datasets in plain text format. Each line of the file is a data record, and each record is separated by commas. It is shown in Fig. 7.

Fig. 7

The records of CSV file.

(2) Detect JavaScript malware by HLFPN

In this step, we conducted two experiments. The ratio of training datasets to testing datasets in the two experiments is both 6 to 4. In the beginning, we used the fixed number of datasets to train and test. The fixed number of datasets benign and malicious each is 32. Next, we used the datasets randomly.

(3) Measure the precision and recall

Experiment 1 directly gets the experimental results, and experiment 2 gets the average value in five times of experimental results.

4.3 Performance analysis

As tabulated in Table 3, we conducted two experiments and totally evaluated 5 tests. Each test contains a different number of benign and malicious datasets. After our approach was performed, we have obtained 308 Malicious and 261 Benign decision outputs.

Table 3
Information of datasets

Test No. of Malicious Datasets No. of Benign Datasets No. of Training Datasets No. of Malicious Testing Datasets No. of Benign Testing Datasets Malicious Datasets Benign Datasets

T1 32 32 39 14 11 14 11

T2 50 50 60 23 17 25 15

T3 50 10 36 21 3 21 3

T4 100 100 120 41 39 45 35

T5 500 500 600 194 206 203 197

Total 732 692 855 293 276 308 261

Test	No. of Malicious Datasets	No. of Benign Datasets	No. of Training Datasets	No. of Malicious Testing Datasets	No. of Benign Testing Datasets	Malicious Datasets	Benign Datasets
T1	32	32	39	14	11	14	11
T2	50	50	60	23	17	25	15
T3	50	10	36	21	3	21	3
T4	100	100	120	41	39	45	35
T5	500	500	600	194	206	203	197
Total	732	692	855	293	276	308	261

The experimental results are almost the same as the number of testing datasets, but in order to perform a fair and comparative evaluation, we compare other common classifiers by precision and recall which are the terminologies of confusion matrix [33]. Precision is the ratio of the number of correct detections to total number of correct and incorrect detections. Recall is the ratio of the number of correct detections to total number of detections in the testing datasets. The confusion matrix is shown in Fig. 8. And the formulas for precision and recall are shown in Equations (6)–(7). $Precision (P) : P = \frac{TP}{TP + FP} * 100 %$ (6) $Recall (R) : R = \frac{TP}{TP + FN} * 100 %$ (7)

Fig. 8

Confusion matrix.

Our approach has successfully detected the malicious code and benign code from the testing datasets. Table 4 presents the performance comparison between our approach and other common classifiers. And Table 5 presents the time complexity of our approach and other common classifiers.

Table 4

Comparative analysis of JavaScript malware detection results

Test	Precision (%)				Recall (%)
	KNN	SVM	NB	HLFPN	KNN	SVM	NB	HLFPN
T1	88	92	92	100^*	88	92	92	100^*
T2	92.2	93.2	90.4	94.8^*	91.8	93	87.8	94.6^*
T3	93.6	97.8^*	92.4	95.8	94.2	97.6^*	88.4	95.2
T4	94.8	96.8^*	91.4	94.8	94.6	96.4^*	90.6	94.4
T5	94	95.6^*	90.8	94	93.6	94^*	90.4	94^*
Average	92.52	92.6	91.4	94.87^*	92.44	92.5	89.84	94.8^*

Table 5

Time complexity of our approach and other common classifiers

	KNN	SVM	NB	HLFPN
Time complexity (s)	O(mn)	O(mn²)	O(mn)	O(3np)

Note: m = no. of the training datasets. n = dimensionality of the features. 3n = no. of transitions. p = no. of places.

Proof: To compute the time complexity for HLFPN, for each feature (e.g. lw), the number of transitions in the consequent is 3. So, for n features, the maximum number of transitions is 3n. And for p places, the maximum computation time is 3np. Therefore, the upper bound of the time complexity for HLFPN is O(3np), where p denotes the number of places, and 3n denotes the maximum number of transitions.

According to the performance analysis results in Table 4, we find that the average precision and recall of our approach can achieve 94.87% and 94.8%, respectively. Moreover, our approach can achieve the precision and the recall as high as 100% in T1. But when using a large scale datasets or datasets with a huge deviation, SVM will slightly perform better than ours. In this case, we can see that our approach is suitable for situations where the training datasets are smaller and the number of malicious and benign datasets are equivalent. However, from the time complexity in Table 5, we can see that our approach has the least time complexity when the number of training datasets is more than 24. So, the experimental results still indicate that our approach is feasible.

5 Conclusion

This paper has proposed a JavaScript malware detection system using an HLFPN model. To do this, we first need to crawl web pages to obtain JavaScript files and to extract malicious features from them. The features are used as the input to the HLFPN model to determine whether it is malicious or benign.

The contributions of this study are presented as follows:

We have successfully detected JavaScript malware by using simple reasoning algorithm and simple mathematics.

Our approach is not only quick to get started, but also fast to execute it.

The experimental results have shown that our approach is more acceptable for detecting JavaScript malicious code than other existing approaches.

However, the malicious techniques become so complicated that our approach cannot cover each one of them. We will keep on proceeding this work in the future, using an even better reasoning approach to detect and classify malware with high precision and recall. Furthermore, we will turn this approach into something truly practical in the future, such as webpage plugins or malware detection in antivirus software.

Footnotes

Acknowledgments

The authors are very grateful to the anonymous reviewers for their constructive comments which have improved the quality of this paper. Also, this work was supported by the Ministry of Science and Technology, Taiwan, under grant MOST 107- 2221- E-845- 002-MY3.

References

“JavaScript,” Wikipedia, [Online]. Available: https://en.wikipedia.org/wiki/JavaScript. [Accessed 28 Dec. 2017].

“Microsoft Security Intelligence Report, vol. 15,” Microsoft, January – June 2013. [Online]. Available: https://www.microsoft.com/en-us/download/details.aspx?id=40871. [Accessed 28 Dec. 2017].

“Antivirus software,” Wikipedia, [Online]. Available: https://en.wikipedia.org/wiki/Antivirus_software. [Accessed 28 Dec. 2017].

Zaharia

, “JavaScript malware – a growing trend explained for everyday users,” Heimdal Security, 29 Jun. 2016. [Online]. Available: https://heimdalsecurity.com/blog/javascript-malware-explained/. [Accessed 20 Apr. 2018].

Zorabedian

, “How malware works: Anatomy of a drive-by download web attack (Infographic),” Sophos, 26 Mar. 2014. [Online]. Available: https://news.sophos.com/en-us/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/. [Accessed 20 Apr. 2018].

Xue

, Wang

, Liu

, Xiao

, Sun

and Chandramohan

, “Detection and classification of malicious JavaScript via attack behavior modelling,” Procs. of the 2015 International Symposium on Software Testing and Analysis (ISSTA 2015), pp. 48–59, Jul. 2015.

Choi

Y.H.

, Kim

T.G.

, Choi

S.J.

and Lee

C.W.

, “Automatic detection for JavaScript obfuscation attacks in web pages through string pattern analysis,” International Conference on Future Generation Information Technology, pp. 160–172, 2009.

Sundhararajan

Mahalingam

, Gao

Xiao-Zhi

and Vahdat Nejad

Hamed

, “Artificial intelligent techniques and its applications,” Journal of Intelligent & Fuzzy Systems 34(02) (2018), 755–760.

Ben

, “KNN (K-Nearest Neighbor) algorithm,” CSDN, 25 Jul. 2017. [Online]. Available: https://blog.csdn.net/u012897374/article/details/76078387. [Accessed 28 May 2018].

10.

Vink

, “Implementing a support vector machine in scala,” 27 Nov. 2017. [Online]. Available: https://www.ritchievink.com/blog/2017/11/27/implementing-a-support-vector-machine-in-scala/. [Accessed 28 May 2018].

11.

Black

Paul

, Gordal

Iqbal

and Layton

Robert

, “A survey of similarities in banking malware behaviors,” Computers & Security, Available online: 9 Oct. 2017.

12.

Rao

Zhihong

, Niu

Weina

, Zhang

Xiao Song

and Li

Hongwei

, “Tor anonymous traffic identification based on gravitational clustering,” Peer-to-Peer Networking and Applications 11(3) (2018), 592–601.

13.

Robidoux

, Xu

, Xing

and Zhou

, Automated modeling of dynamic reliability block diagrams using colored Petri nets, IEEE Transactions on Systems, Man, Cybernetics-Part A: Systems and Humans 40(2) (2010), 337–351.

14.

Ogata

and Yano

, “Knowledge awareness map for computer-supported ubiquitous language-learning,” Procs. of the 2nd IEEE International Workshop on Wireless and Mobile Technologies in Education, pp. 19–25, Mar. 2004.

15.

Yuan

Guoqiang

, Tian

and Wang

Shuming

, “A VaR-based optimization model for crop production planning under imprecise uncertainty,” Journal of Intelligent & Fuzzy Systems 33(01) (2017), 1–14.

16.

Shen

V.R.L.

, Yang

C.Y.

, Wang

Y.Y.

and Lin

Y.H.

, Application of high-level fuzzy Petri nets to educational grading system, Experts Systems with Applications 39(17) (2012), 12935–12946.

17.

Stiborek

Jan

, Pevny

Tomas

and Rehak

Martin

, Probabilistic analysis of dynamic malware traces, Computers & Security 74 (2018), 221–239.

18.

Shen

Rong-Kuan

, Lin

Yi-Nan

, Tong-Ying Juang

Tony

, Shen

Victor R.L.

and Lim

Soo Yong

, Automatic detection of video shot boundary in social media using a hybrid approach of HLFPN and keypoint matching, IEEE Transactions on Computational Social Systems 5(1) (2018), 210–219.

19.

Shen

V.R.L.

, Lai

H.Y.

and Lai

A.F.

, The implementation of a smartphone-based fall detection system using a high-level fuzzy Petri net, Applied Soft Computing 26(1) (2015), 390–400.

20.

Shen

V.R.L.

, Knowledge representation using high-level fuzzy Petri nets, IEEE Transactions on Systems, Man, and Cybernetics-Part A: Systems and Humans 36(6) (2006), 2120–2127.

21.

Shen

V.R.L.

, Reinforcement learning for high-level fuzzy Petri nets, IEEE Transactions on Systems, Man, and Cybernetics-Part B: Cybernetics 33(2) (2003), 351–362.

22.

Wang

Xiaomin

, Liu

Ying

, Li

Piyu

and Liu

Jianbo

, Multi-granularity soft rough set and its application in multi-attribute decision making, Journal of Intelligent & Fuzzy Systems 33(04) (2017), 2033–2045.

23.

Shen

V.R.L.

, Correctness in hierarchical knowledge-based requirements, IEEE Transactions on Systems, Man, and Cybernetics-Part B: Cybernetics 30(4) (2000), 625–631.

24.

Shen

V.R.L.

, Chang

Y.S.

and Juang

T.T.Y.

, Supervised and unsupervised learning by using Petri nets, IEEE Transactions on Systems, Man, and Cybernetics-Part A: Systems and Humans 40(2) (2010), 363–375.

25.

Craioveanu

, Server-side script polymorphism: Techniques of analysis and defense, 2008 3rd International Conference on Malicious and Unwanted Software (MALWARE), pp. 9–16, Oct. 2008.

26.

“Python,” Python Software Foundation, [Online]. Available: https://www.python.org/. [Accessed 5 Jun. 2017].

27.

“Beautiful Soup Documentation,” [Online]. Available: https://www.crummy.com/software/BeautifulSoup/bs4/doc/. [Accessed 15 Sep. 2017].

28.

“The top 500 sites on the web,” Alexa Internet, [Online]. Available: https://www.alexa.com/topsites. [Accessed 16 Mar. 2018].

29.

HynekPetrak, “GitHub javascript-malware-collection,” 8 May 2017. [Online]. Available: https://github.com/HynekPetrak/javascript-malware-collection. [Accessed 4 Apr. 2018].

30.

“Fighting malware and cyber criminality,” MalwareURL Team, [Online]. Available: https://www.malwareurl.com/. [Accessed 30 Mar. 2018].

31.

Wang

, Xue

, Liu

and Tan

T.H.

, JSDC: A hybrid approach for JavaScript malware detection and classification, Procs. of the 10th ACM Symposium on Information, Computer and Communications Security (ASIA CCS ’15), pp. 109–120, Apr. 2015.

32.

“The Python Standard Library,” Python Software Foundation, [Online]. Available: https://docs.python.org/3/library/. [Accessed 28 Mar. 2018].

33.

Iqbal

Salman

, Mat Kiah

Miss Laiha

, Dhaghighi

Babak

, Hussain

Muzammil

, Khan

Suleman

, Khurram Khan

Muhammad

and Raymond Choo

Kim-Kwang

, On cloud security attacks: A taxonomy and intrusion detection and prevention as a service, Journal of Network and Computer Applications 74 (2016), 98–120.