Comment Re:A false positive rate of less than one percent. (Score 1) 88

Actually, the false positive and negative rates, as well as their relationship with training parameters, are clearly described in the paper. Go read it.

Zozzle is a great first-pass filter for a heavy-weight detection tool. A false positive rate of 1% means that your browser will run some higher-overhead analysis (like Nozzle, which has a 10% performance hit) on one out of every 100 benign pages. Seems reasonable to me.

In practice the false positive rate is significantly less than 1%. With a small training set of 300 malicious samples, Zozzle has a false positive rate of 0.14%. In practice, a much larger training set can be constructed, further reducing the false positive rate.

Comment Read the tech report (Score 1) 88

Read it! It's not too hard to understand. There's a link on the cited story.

The selection from the article fails to mention that deobfuscation was a major component of this work. If your exploit runs, whether it's through eval, an iframe, or any other means, Zozzle will see it fully deobfuscated. This is accomplished by hooking the compile function of the JavaScript runtime and performing analysis immediately before compilation.

There is a detailed analysis of false positive and false negative rates in the tech report. By "high effectiveness," the article means "high accuracy." Zozzle correctly classifies over 99% of JavaScript samples in the evaluation set, and has a false positive rate well below 1%.

It would be hard to claim Zozzle is bloatware: the static analysis requires little more time than simply parsing the code. Again, detailed analysis of Zozzle's performance is in the tech report.

The fancy name: I'm glad you think it's "fancy." Zozzle is trained on heap sprays collected by a highly precise runtime detector called Nozzle. Zozzle = zero-day Nozzle. Plus, it's fun to say. As a side note, Zozzle can detect ANY type of JavaScript attack, not just the heap sprays provided as training data. These attacks share many characteristics with other exploits.

Malware writers will adapt: Yes, almost certainly. However, there are some things you can't remove from your code, like calls to the JavaScript runtime functions being exploited. This means a lot of known attacks are off the table and malware writers will need to identify new vulnerabilities to successfully attack Zozzle's users. Even then, these attacks will eventually be picked up by other detection tools, Zozzle will be trained on them, and the malware writers need to start over. This is all assuming these new attacks don't contain patterns Zozzle has already been trained on. Zozzle raises the bar for malware writers, and significantly reduces the effectiveness of copy-pasted attacks (which are the vast majority of attacks on the internet today).
