Malicious Web Pages Detection Based on Abnormal Visibility Recognition

In recent years, Web sites have already become the attackers' main target. When attackers embed malicious code in the Web pages, they generally change the display mode of the corresponding HTML tags to make the display effect of malicious code invisible or almost invisible to the browser users. In this paper, the concept of abnormal visibility is proposed to describe the display feature setting of malicious code embedded. According to the concept, a malicious code detection method based on abnormal visibility recognition is designed and a prototype system is implemented. Compared to traditional methods and systems, the method has higher efficiency and less maintenance cost. Besides, a special-purpose JavaScript interpreter is implemented to get the execution output of browser-end scripts that are often used to generate malicious code dynamically by attackers. Experiments show that this system can detect most of the malicious Web pages efficiently and at the same time locate the malicious code in the source code accurately.