This repository contains the code for detecting JavaScript code obfuscation using n-grams, entropy and string length.
For the implementation, we used the obfuscated JavaScript dataset published on Kaggle (Obfuscated-javascript-dataset): https://www.kaggle.com/fanbyprinciple/obfuscated-javascript-dataset
The dataset comprises:
- Obfuscated javascript directory: JavaScript files (.js) whose source has been obfuscated, so that the intent of the code is hidden from a reader.
- Non-obfuscated javascript directory: JavaScript files (.js) whose source is not obfuscated, so that the intent of the code can be read directly.
Our implementation, which aims at detecting malicious samples, is divided into several packages with distinct functionalities. Note that obfuscation is the signal used here, and obfuscation alone is not proof of malice: legitimately minified or packed code is also obfuscated, so a positive result is an indicator to be reviewed rather than a verdict.
- js for the detection of valid JavaScript code: it separates samples that respect the JavaScript grammar from broken JavaScript and from files not written in JavaScript at all.
  To use this tool: python3 <path-of-js/is_js.py> --help.
- features for the extraction of specific features from inputs: an AST-based analysis of JavaScript samples, built on a frequency analysis of the n-grams present in the considered files.
- clustering for the detection of malicious JavaScript documents.
  To use this tool:
  - python <path-of-clustering/learner.py> --help;
  - python <path-of-clustering/updater.py> --help;
  - python <path-of-clustering/classifier.py> --help.
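As an added example (not the repository's own code), the following Python computes the three feature families this repository relies on, n-gram frequencies, Shannon entropy and string-literal length statistics, over two constructed JavaScript samples. It uses a small regex tokenizer rather than a parser, so its n-grams are over lexical token classes (keywords and punctuation kept literally, identifiers, strings and numbers abstracted), whereas the features package described above works on AST nodes. PLAIN_JS and OBFUSCATED_JS are constructed for illustration and are not taken from the Kaggle dataset.

```python
"""Feature extraction for JavaScript obfuscation detection: Shannon entropy,
string-literal length statistics and n-gram frequencies over lexical token
classes. Added example, not the repository's own code: it uses a regex
tokenizer, so the n-grams are over token classes rather than AST nodes."""
import math
import re
from collections import Counter

# Constructed samples for illustration (not taken from the Kaggle dataset).
PLAIN_JS = '''
function greet(name) {
  var message = "Hello, " + name + "!";
  console.log(message);
}
greet("world");
'''

# Array-lookup obfuscation with hex-escaped and base64 string literals.
OBFUSCATED_JS = '''
var _0x4a2b=["\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65","\\x6c\\x6f\\x67","SGVsbG8sIHdvcmxkIQ=="];
window[_0x4a2b[0]][_0x4a2b[1]](atob(_0x4a2b[2]));
'''

KEYWORDS = {"function", "var", "let", "const", "return", "if", "else",
            "for", "while", "new", "this", "typeof"}

# Minimal JavaScript lexer: enough for strings, numbers, identifiers and
# single-character punctuation. Not a full ECMAScript tokenizer.
TOKEN_RE = re.compile(r'''
    (?P<STRING>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')
  | (?P<NUMBER>0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?)
  | (?P<IDENT>[A-Za-z_$][A-Za-z0-9_$]*)
  | (?P<WS>\s+)
  | (?P<PUNCT>.)
''', re.VERBOSE)


def tokenize(src):
    """Return (class, text) pairs; whitespace is dropped and keywords are
    separated from ordinary identifiers."""
    tokens = []
    for m in TOKEN_RE.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind == "WS":
            continue
        if kind == "IDENT" and text in KEYWORDS:
            kind = "KEYWORD"
        tokens.append((kind, text))
    return tokens


def syntactic_units(src):
    """Keywords and punctuation keep their text (they carry structure);
    identifiers, strings and numbers are abstracted to their class."""
    return [text if kind in ("KEYWORD", "PUNCT") else kind
            for kind, text in tokenize(src)]


def ngram_frequencies(src, n=2):
    """Relative frequency of each n-gram of syntactic units."""
    units = syntactic_units(src)
    grams = Counter(tuple(units[i:i + n]) for i in range(len(units) - n + 1))
    total = sum(grams.values())
    return {g: c / total for g, c in grams.items()} if total else {}


def shannon_entropy(text):
    """Bits per character of the raw source text."""
    if not text:
        return 0.0
    counts = Counter(text)
    length = len(text)
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def string_literal_lengths(src):
    """Lengths of string-literal contents, quotes stripped and escapes kept
    as written, since the signal is how long the literal is in the source."""
    return [len(text) - 2 for kind, text in tokenize(src) if kind == "STRING"]


def extract_features(src, n=2):
    """Feature vector of the kind a learner/classifier would consume."""
    lengths = string_literal_lengths(src)
    freqs = ngram_frequencies(src, n)
    return {
        "entropy": shannon_entropy(src),
        "n_strings": len(lengths),
        "max_string_len": max(lengths, default=0),
        "mean_string_len": sum(lengths) / len(lengths) if lengths else 0.0,
        "top_ngrams": sorted(freqs.items(), key=lambda kv: -kv[1])[:5],
    }


if __name__ == "__main__":
    for label, src in (("plain", PLAIN_JS), ("obfuscated", OBFUSCATED_JS)):
        f = extract_features(src)
        print(label, {k: v for k, v in f.items() if k != "top_ngrams"})
        for gram, freq in f["top_ngrams"]:
            print("   ", " ".join(gram), round(freq, 3))
```

Run it directly to see the two feature vectors side by side. One caveat worth keeping in mind when using entropy: hex-escape obfuscation draws from a small alphabet (backslash, x, hex digits) and can lower per-character entropy, while base64 or packed payloads raise it, so entropy is a useful feature only in combination with string length and n-gram structure, not as a stand-alone threshold.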