PDF (portable document format) documents are widely used in information publishing, academic exchange and daily business. Phishing attacks with malicious PDF documents have become an important means of attack for APT (advanced persistent threat) organizations. Researchers have found that more than 90% of malicious PDF documents launch their attacks through JavaScript code. Current detection models do not generalize well enough to detect unknown malicious samples. This paper proposes a method for detecting malicious PDF documents that is based on benign samples. The method uses benign PDF documents as training data and uses semantic-level features of the JavaScript code. The JavaScript keywords and usage patterns that appear frequently in malicious PDF documents are taken as important features to improve the robustness of the model. We then use the One-class SVM (support vector machine) machine learning algorithm to detect malicious PDF documents containing JavaScript code. Compared with a detection model trained on malicious PDF documents, the method proposed in this paper improves generalization performance while maintaining a high detection rate.
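The pipeline the abstract describes, as an added example that is not code from the paper: JavaScript is pulled from a PDF's /JS entries, an assumed list of keywords is counted as semantic-level features, and a detector is fitted on constructed benign scripts only. The BenignEnvelope class is a simple stand-in for the paper's One-class SVM, and KEYWORDS, BENIGN, SUSPECT and build_sample_pdf are constructed assumptions.

```python
import re
import zlib
# Assumed keyword list (not taken from the paper): JavaScript names treated as features.
KEYWORDS = ["eval", "unescape", "String.fromCharCode", "util.printf",
            "app.setTimeOut", "Collab.collectEmailInfo"]
FEATURE_NAMES = KEYWORDS + ["longest_literal", "length"]

def extract_js(pdf):
    """Scripts from /JS entries: literal (...) strings and indirect FlateDecode streams.
    Simplified: escaped parentheses, hex strings and other filters are not handled."""
    found = []
    for m in re.finditer(rb"/JS\s*\((.*?)\)\s*(?:/|>>)", pdf, re.S):
        found.append(m.group(1).decode("latin-1"))
    for m in re.finditer(rb"/JS\s+(\d+)\s+\d+\s+R", pdf):  # indirect object reference
        obj = re.search(rb"\D" + m.group(1) + rb"\s+\d+\s+obj(.*?)endobj", pdf, re.S)
        body = obj and re.search(rb"stream\r?\n(.*?)\r?\nendstream", obj.group(1), re.S)
        if body:
            raw = body.group(1)
            if b"/FlateDecode" in obj.group(1):  # decompressobj tolerates a clipped trailer
                raw = zlib.decompressobj().decompress(raw)
            found.append(raw.decode("latin-1"))
    return found

def features(js):
    """Keyword usage counts, longest string literal and script length."""
    lits = re.findall(r'"[^"]*"|\'[^\']*\'', js)
    return [js.count(k) for k in KEYWORDS] + [max(map(len, lits), default=0), len(js)]

class BenignEnvelope:
    """Fitted on benign scripts only; a stand-in for the paper's One-class SVM.
    A script is flagged when any feature exceeds margin * its benign maximum."""
    def __init__(self, margin=1.5):
        self.margin, self.limits = margin, []
    def fit(self, benign):
        self.limits = [self.margin * max(col) for col in zip(*map(features, benign))]
        return self
    def violations(self, js):  # names of the features outside the benign envelope
        return [n for n, v, lim in zip(FEATURE_NAMES, features(js), self.limits) if v > lim]

def build_sample_pdf(script):
    """Constructed minimal PDF carrying `script` in a FlateDecode stream."""
    data = zlib.compress(script.encode("latin-1"))
    head = b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS 5 0 R >> >> endobj\n"
    return (head + b"5 0 obj << /Filter /FlateDecode /Length " + str(len(data)).encode()
            + b" >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF")

BENIGN = [  # constructed benign training scripts (form logic only)
    'app.alert("Welcome to the expense form");',
    'this.getField("total").value = this.getField("a").value + this.getField("b").value;',
]
SUSPECT = 'var s = unescape("%41%41%41%41%41%41"); eval(s);'  # constructed, harmless
```

Running `BenignEnvelope().fit(BENIGN).violations(extract_js(build_sample_pdf(SUSPECT))[0])` reports the `eval` and `unescape` features, which never occur in the benign training set, while the benign scripts themselves produce no violations.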