Article code, Journal code, Publication year, English article, Full-text version
457271, 695916, 2014, 15-page PDF, Free download
English title of the ISI article
Efficient and effective realtime prediction of drive-by download attacks
Keywords
Drive-by download, web server exploits, anomaly detection, machine learning, dynamic analysis
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

Drive-by download attacks are a common attack vector for compromising personal computers. While several alternatives to mitigate the threat have been proposed, approaches to realtime detection of drive-by download attacks have been predominantly limited to static and semi-dynamic analysis techniques. These techniques examine the original or deobfuscated JavaScript source code to assess the potential maliciousness of a webpage. However, static and semi-dynamic analysis techniques are vulnerable to commonly employed evasion techniques. Dynamic anomaly detection approaches are less susceptible to targeted evasion, but are used less often as a realtime solution on individual systems because these techniques are typically resource intensive. This paper presents a novel approach to detect drive-by downloads in web browser environments using low resource dynamic analysis. By dynamically monitoring the bytecode stream generated by a web browser during rendering, the approach is able to detect previously unseen drive-by download attacks at runtime. The proposed method is effective, space efficient, and performs the analysis with low performance overhead, making the approach amenable to in-browser drive-by download detection on resource constrained devices, such as mobile phones.

Publisher
Database: Elsevier - ScienceDirect
Journal: Journal of Network and Computer Applications - Volume 38, February 2014, Pages 135–149
Authors
, , ,