A new approach of clustering malicious JavaScript

In the recent years, many hostile websites have been using polymorphic JavaScript in order to conceal its code. The virtual execution is considered to be effective to process and detect such types of JavaScript. However, a challenge often encountered with that approach is the mandatory preparation of very detail-oriented environments that may also require specific user-driven events for the malicious JavaScript to execute properly as it was designed to. This paper proposes a hierarchical clustering algorithm based on tree edit distance to recognize and categorize hostile JavaScript. Firstly, the JavaScript´s abstract syntax tree is constructed to be structural analysis. Secondly, the similarity of two JavaScript is calculated by tree-matching algorithm based on tree edit distance. Finally, the hierarchical clustering of malicious JavaScript is determined by predefined threshold. Our promising results confirm the effectiveness of the approach.