In recent years, the leakage of personal information on the Internet and the increasing assaults on social infrastructure have become the main threats to cyber security [1]. In general, an attacker who wants to implement an attack on a network user must embed the attack code into the network site or let users download an attack program. The JavaScript language is mainly embedded on web pages and can be executed on the web, which is ubiquitous in Internet web pages and used in almost all websites. In addition, there are many other applications that use JavaScript (e.g., Portable Document Format (PDF) tables, Hypertext Markup Language (HTML) emails, etc.), which plays an important role in these applications. This strong dependence creates an opportunity for malicious attackers to invade the victim’s system. The main function of malicious JavaScript code is to discover vulnerabilities in Internet applications and use Cross Site Scripting (XSS) to attack user systems. Therefore, malicious attackers often insert malicious JavaScript code into web pages to attack users.

Besides malicious attackers, many web developers use obfuscation to process their JavaScript code to prevent unauthorized users from stealing their code. For many companies, these JavaScript codes are valuable assets [2]. Nowadays, there are many online free obfuscators available that can simply convert JavaScript code to equivalent obfuscated code. The popularity of free online obfuscators has made the use of JavaScript code obfuscation widely welcomed.

For JavaScript code obfuscation detection, literature [3] describes the necessity of detecting it and considers that obfuscation is the most salient feature of malicious JavaScript. When a JavaScript code is highly obfuscating, it can be considered suspicious. At the same time, code obfuscation brings the contradiction between hiding malicious code and protecting benign script, which leads to a decrease in the false alarm rate of malicious script detection and an increase in false alarms of benign obfuscation scripts. Therefore, the detection and classification of obfuscated JavaScript are necessary.

This paper proposes a method for detecting JavaScript code obfuscation based on Convolutional Neural Networks (CNNs). We used the character matrix feature method of Bigram to extract features of JavaScript code.A CNN model is applied to the JavaScript code obfuscation detection, overcoming the high requirement of the machine code learning and the low accuracy of the obfuscation feature extraction of JavaScript code.

JavaScript code obfuscation is a classification problem. Because of the superiority of machine learning and data mining in classification and recognition, many researchers have adopted this method to detect JavaScript code obfuscation. In literature [4], a large number of JavaScript obfuscation scripts are collected. By analyzing the basic principles and inherent nature of JavaScript code obfuscation, an N-gram based JavaScript code feature extraction method is proposed. Finally, the machine learning method KNN is used to extract the extracted features. The eigenvectors are learned, and intelligent identification of JavaScript code obfuscation is completed. In literature [5], the number of string variables in JavaScript scripts and the number of dynamic functions are used as features to detect JavaScript obfuscated scripts. One-class Support Vector Machine (SVM) algorithm is used to identify malicious JavaScript obfuscated scripts.

Literature [3] proposes a lightweight method to quickly filter obfuscated JavaScript. The specific operation is to mark the JavaScript text at the letter level and the information theory method and use the information theory method and the single classification SVM to detect the obfuscation. This new theory has a higher detection accuracy than other existing JavaScript code obfuscation detection models. Literature [6] analyzes the external static behavior and the internal dynamic behavior of obfuscated JavaScript code for the problem of confusing malicious JavaScript code that is hard to detect and difficult to undergo deobfuscation. Static analysis uses normal behavior data for training and Principal Component Analysis (PCA), Single Class SVM, and Nearest Neighbor (K-NN) algorithms to detect obfuscation.

In the current research results, although many researchers have used machine learning methods to identify JavaScript code obfuscation, most of these models are shallow machine learning models. Additionally, the accuracy of detection is not particularly high. Therefore, this paper proposes a JavaScript code obfuscation detection method based on CNNs. This method extracts the obfuscation feature of JavaScript code through Bigram’s character matrix feature extraction method, simplifies the feature extraction process, and uses CNNs to identify and classify JavaScript code obfuscation, which improves the accuracy of JavaScript code obfuscation detection.

To address the problems in the existing feature extraction methods such as low execution efficiency and complex feature extraction, this paper proposes a character matrix feature extraction method based on Bigram. According to Bigram, Markov transition probability matrix, and information gain, JavaScript code is processed at the character level and related features are extracted. There are two methods in feature extraction based on Bigram character: 1) Key Character Screening Algorithm and 2) Character Feature Matrix Extraction Algorithm.

Since JavaScript code is encoded in ASCII, whose values range from 0 to 255, we proposed a 256×256character feature matrix. However, the memory space occupied by the 256×256matrix far exceeds the expectation, and many characters do not appear in the code obfuscation at all. These ASCII characters are redundant and invalid, which cannot reflect the characteristics of the JavaScript code obfuscation. To reduce redundant features and lower storage space, we will filter key characters, where the value of each ASCII-encoded information gain is used to perform feature selection and remove redundant ASCII characters. Information gain techniques are widely used in the feature selection process.

1) Read and traverse JavaScript code obfuscation.

2) Calculate the information gain value for each character. In the process of feature selection, by calculating the entropy of the target, the method is mainly used to evaluate terms. The greater the information entropy, the more information the words contain, and the greater the role played by the subsequent predictions. The value of the information gain (IG) for each character is calculated using Equation (1).

Where C is a classification with two possible values: Normal and Obfuscated script, which are {C₁, C₂}, corresponding to the probability of each type respectively. Then, the entropy of C is calculated using Equation (2).

$H(C)=-\sum\limits_{i=0}^{2}{{{p}_{i}}{{\log }_{2}}({{p}_{i}})}$

Where ${{p}_{i}}$ denotes the probability of the corresponding C,t denotes the case of the positive sample, and $\bar{t}$ denotes the case of the negative sample.

3) Store the information gain value corresponding to the ASCII code in the corresponding array position, then sort the array from high to low, select the ASCII code with the highest information gain value, and delete the irrelevant ASCII code.

In JavaScript code obfuscation, some characters do not exist in normal files. Therefore, the Bigram slide window is used to extract the features of the JavaScript code obfuscation. The specific steps are as follows.

1) Read and traverse the JavaScript code.

2) Generate a 128×128matrix in the initialization, which is used to store the extracted JavaScript character feature vectors.

3) Let {X_n, n≥0} be a Markov chain with 128 states 0, 1, 2, ⋯,where X_n is the value of 128 ASCII common characters.

4) Perform a binary window slide on the JavaScript code to count the frequency of occurrence of each character and fill in the corresponding feature matrix. E.g., the coordinate 28, 29 represents the number of occurrences of ASCII value 28.

5) Perform a statistic to calculate the frequency of words at each position. Namely, calculate the sum of the values in each row and divide the sum to get the value of the corresponding position.

The basic idea of our method is: the data collected from JavaScript code obfuscation is preprocessed based on the characteristics of the Bigram character matrix. Then, the dataset is used as the input of the CNN, which realizes the detection of JavaScript code obfuscation by learning JavaScript character features.

In addition, since the CNN used is a supervised deep learning method, the collected JavaScript code should be tagged. Supervised learning algorithms analyse the training data and generate inference functions that can be used to map new instances. The optimal scenario will allow the algorithm to correctly determine class labels for invisible instances [10]. In the reverse propagation process of CNN, the gradient descent method is used to modify the weights and thresholds of the network and finally achieve the stability of the entire CNN. Therefore, the JavaScript obfuscation code in the sample set in this paper is defined as 1, which is also defined as a positive sample. The JavaScript normal code in the sample set is defined as 0, which is also defined as a negative sample.

Since CNN has a better learning effect on matrix eigenvectors, we decide to use a CNN to detect JavaScript code and determine whether the JavaScript code is obfuscated. The specific training steps for the model of obfuscated JavaScript code are as follows:

(1) Divide the selected JavaScript code obfuscation into a proper proportion of test sets and training sets; select all samples as training samples. Feature extraction is performed on the samples according to the feature extraction method in the previous section.

(2) Establish a CNN model which uses a simplified version of the vgg-16 model [11] to initialize the convolution kernel and the threshold. Then, select the appropriate activation function and set the appropriate learning rate, number of iterations, and objective function.

(3) Normalize the character matrix feature extracted by the JavaScript code, and then input the normalized data into the CNN to obtain the output result.

(4) Compare the output results with the actual tag values of the input samples. The deviation is calculated using the predefined objective function, and the weights and thresholds of each layer of the neural network model are updated in the backward propagation manner. The deviation in each layer is calculated from the previous layer. Finally, update the weights according to the stochastic gradient descent algorithm.

(5) Stop the training and enter Step (6) when the times of training reaches the predefined value or reaches an ideal training result. Return to Step (3) and continue training the model.

(6) Save the model after the CNN training is over, when the network structure parameters in the CNN tend to be stable. Use the JavaScript code obfuscation test set as input, and then evaluate the CNN detection performance based on the results.

To demonstrate the advantages of CNNs for shallow machine learning, our method will be compared with a JavaScript code obfuscation detection method based on SVM.

We use the common machine learning standard to evaluate the proposed method and select the precision rate P, recall rate R, and F-measure value F as experimental performance evaluation metrics, which can be calculated using Equation (3).

$P=\frac{TP}{TP+FP}$

$R=\frac{TP}{TP+FN}$

Where TP is the number of correctly classified JavaScript obfuscated codes, FP is the number of JavaScript normal codes predicted as JavaScript obfuscated codes, and FN is the number of JavaScript obfuscated codes predicted as JavaScript normal codes. Their specific meanings are shown in Table 1.

The dataset used in this paper has two main sources: the JavaScript code on jsDeliver and the code crawled on the Alexa Top 500 website.

jsDeliver: This site contains a large number of JavaScript databases from which non-obfuscated JavaScript code can be downloaded directly.

Alexa Top 500 [12]: This paper uses Python to write a crawler to obtain a more realistic JavaScript dataset. It uses the crawler to download the JavaScript code of the top 500 websites. The top five websites of Alexa top 500 are shown in Table 2.

Since file obfuscation and non-obfuscation in JavaScript code are unknown, datasets must be preprocessed to facilitate subsequent label processing of experimental data. We obtain 2000 non-obfuscated JavaScript code snippets by manual classification and selection. Then, an online JavaScript obfuscator [13-14] is used to obfuscate the JavaScript code snippets to obtain the corresponding dataset, which is composed of 400 obfuscated JavaScript code snippets and 1500 normal code snippets.

The datasets are classified as shown in Table 3.

The collected JavaScript code samples are divided as a ratio of 4:1, i.e. 320 JavaScript obfuscated codes and 1200 normal codes for model training, and the rest of the codes are used for model test. The training set is used to train the CNNs so that the CNNs learn the JavaScript code to obfuscate the hierarchical features. The testing set is used to evaluate the effectiveness of the CNN model for completing the training and detecting whether there is overfitting [15].

We use the Keras platform for implementation, which is a deep learning library implemented in Python language and can generate deep learning models based on TensorFlow, Theano, and CNTK backends. The experimental environment parameters are shown in Table 4.

Our method will be compared with a SVM-based JavaScript code obfuscation verification method [16], and we have made some minor adjustments on the simplified version of vgg-16, obtaining two CNN models. Each of these three models has its own advantages and disadvantages. It can be seen in Figure 1 that the precision, recall rate, and F-measure value of the two CNN models and SVM model are different when detecting JavaScript code.

In Figure 1, the precision, recall, and F-measure values of the SVM method are 98.2%, 91.0%, and 94.5%, respectively. The precision, recall, and F-measure values of the two models of the code obfuscation method based on the CNNs are 98.6%, 88.7%, and 93.5%; 94.9%, 92.5%, and 94.9%. It can be seen from the experimental data that the precision of the CNN model 1 is higher than that of the SVM model, but the recall rate and F-measure value are lower for the CNN model 1. Although the precision of the second model is slightly lower than that of the SVM model, it is slightly higher than that of the SVM in both the recall rate and F-measure value. Based on this, the CNN-based JavaScript code obfuscation detection method we proposed is practical and can improve the model’s requirements for features and enhance the accuracy.

We propose a method for detecting JavaScript code obfuscation based on CNNs, which uses the character matrix feature method of Bigram to extract features of JavaScript code and applies a CNN model to the JavaScript code obfuscation detection. Our method overcomes the high requirement of the machine code learning and enhances the low accuracy of the obfuscation feature extraction of JavaScript code. Simulation results show that our method can not only reduce the requirements for the features, but also effectively enhance the accuracy of the detection of JavaScript code obfuscation.

This work is supported by the Natural Science Foundation of China (No. 61502118, 61702450) and the Natural Science Foundation of Heilongjiang Province in China(No.F2016028, F2016009, and F2015029).