Detection of malicious scripting language code in a network environment

US 10,140,451 B2
Filed: 01/16/2014
Issued: 11/27/2018
Est. Priority Date: 01/16/2013
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon for detecting malicious code in a script, wherein the instructions, when executed by at least one processor, cause the at least one processor to perform a method comprising:

evaluating a left side variable name of an assignment statement in the script or a right side value of the assignment statement to produce a result indicating a compilation event;

initiating, by an execution engine, an execution of a compiled script resulting from a compilation of the script;

detecting a function called by the compiled script;

executing the function and performing an evaluation of the function;

detecting an execution event during the evaluation of the function, wherein the execution event is detected based on a parameter passed into the function, a result of the function, data written or replaced by the function, or data calculated by the function at least meeting or exceeding a predetermined threshold length or size; and

verifying, against a correlation signature defining a combination of events that indicate the script is malicious, a time or a location in the script of an occurrence of the compilation event relative to the execution event.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes initiating an execution of a compiled script, evaluating a function called in the compiled script, detecting an execution event based on at least a first criterion, and storing information associated with the execution event in an execution event queue. The method also includes verifying a correlation signature based on information associated with at least one execution event in the execution event queue. In specific embodiments, the method includes evaluating an assignment statement of a script during compilation of the script by a compiler, detecting a compilation event based on at least a second criterion, and storing information associated with the compilation event in a compilation event queue. In yet additional embodiments, the verification of the correlation signature is based in part on information associated with one or more compilation events in the compilation event queue.

13 Citations

23 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon for detecting malicious code in a script, wherein the instructions, when executed by at least one processor, cause the at least one processor to perform a method comprising:
- evaluating a left side variable name of an assignment statement in the script or a right side value of the assignment statement to produce a result indicating a compilation event;
  
  initiating, by an execution engine, an execution of a compiled script resulting from a compilation of the script;
  
  detecting a function called by the compiled script;
  
  executing the function and performing an evaluation of the function;
  
  detecting an execution event during the evaluation of the function, wherein the execution event is detected based on a parameter passed into the function, a result of the function, data written or replaced by the function, or data calculated by the function at least meeting or exceeding a predetermined threshold length or size; and
  
  verifying, against a correlation signature defining a combination of events that indicate the script is malicious, a time or a location in the script of an occurrence of the compilation event relative to the execution event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The at least one non-transitory machine accessible storage medium of claim 1, wherein the instructions, when executed by the at least one processor, cause the at least one processor to:
    - store first information associated with the compilation event in a compilation event queue; and
      
      store second information associated with the execution event in an execution event queue.
  - 3. The at least one non-transitory machine accessible storage medium of claim 2, wherein the compilation event queue and the execution event queue are integrated.
  - 4. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature indicates a threshold number of times the function is called.
  - 5. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature indicates a location of the execution event relative to another execution event detected during the execution of the compiled script.
  - 6. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature is configurable by a user.
  - 7. The at least one non-transitory machine accessible storage medium of claim 1, wherein the instructions, when executed by the at least one processor, cause the at least one processor to:
    - pass the parameter to the function, wherein the execution event is based on a predetermined threshold length of the parameter.
  - 8. The at least one non-transitory machine accessible storage medium of claim 1, wherein the function decodes data, and the execution event is based on a predetermined threshold length of a string resulting from the function.
  - 9. The at least one non-transitory machine accessible storage medium of claim 1, wherein the function concatenates data, and the execution event is based on a predetermined threshold length of a string resulting from concatenated data.
  - 10. The at least one non-transitory machine accessible storage medium of claim 1, wherein the instructions, when executed by the at least one processor, cause the at least one processor to:
    - prior to executing the function, pass control of the function to a function evaluation module based on detecting code hooked in the function; and
      
      pass control from the function evaluation module to the execution engine when the function finishes executing.
  - 11. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature is verified based, in part, on a distance between the execution event and one or more other execution events.
  - 12. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature is verified based, in part, on a weight assigned to the function, wherein the weight represents a relative importance of the function.
  - 13. The at least one non-transitory machine accessible storage medium of claim 1, wherein the function is one of one or more relevant functions called by the compiled script, wherein each relevant function is associated with respective code that causes control of the particular relevant function to be passed from the execution engine to a function evaluation module.
  - 14. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature indicates both the compilation event and the execution event are malicious.
  - 15. The at least one non-transitory machine accessible storage medium of claim 1, wherein the compilation event indicates the script includes an evasion technique.
  - 16. The at least one non-transitory machine accessible storage medium of claim 1, wherein the execution event is detected based on at least the parameter in the script meeting or exceeding the predetermined threshold or size.

17. An apparatus for detecting malicious code in a script, the apparatus comprising:
- one or more processors; and
  
  one or more memory elements including instructions stored therein, wherein the instructions are executable by at least one of the one or more processors toevaluate a left side variable name of an assignment statement in the script or a right side value of the assignment statement to produce a result indicating a compilation event;
  
  initiate an execution of a compiled script resulting from a compilation of the script;
  
  detect a function called by the compiled script;
  
  execute the function and perform an evaluation of the function;
  
  detect an execution event during the evaluation of the function, wherein the execution event is detected based on a parameter passed into the function, a result of the function, data written or replaced by the function, or data calculated by the function at least meeting or exceeding a predetermined threshold length or size; and
  
  verify, against a correlation signature defining a combination of events that indicate the script is malicious, a time or a location in the script of an occurrence of the compilation event relative to the execution event.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17, wherein the instructions are further executable by at least one of the processors to:
    - store first information associated with the compilation event in a compilation event queue; and
      
      store second information associated with the execution event in an execution event queue.
  - 19. The apparatus of claim 17, wherein the instructions are further executable by at least one of the one or more processors to:
    - pass the parameter to the function, wherein the execution event is based on a predetermined threshold length of the parameter.
  - 20. The apparatus of claim 17, wherein the compilation event indicates the script includes an evasion technique, and the execution event is detected based on at least the parameter in the script meeting or exceeding the predetermined threshold or size.

21. A method of detecting malicious code in a script, the method comprising:
- evaluating a left side variable name of an assignment statement in the script or a right side value of the assignment statement to produce a result indicating a compilation event;
  
  initiating, by an execution engine, an execution of a compiled script resulting from a compilation of the script;
  
  detecting a function called by the compiled script;
  
  executing the function and performing an evaluation of the function;
  
  detecting an execution event during the evaluation of the function, wherein the execution event is detected based on a parameter passed into the function, a result of the function, data written or replaced by the function, or data calculated by the function at least meeting or exceeding a predetermined threshold length or size; and
  
  verifying, against a correlation signature defining a combination of events that indicate the script is malicious, a time or a location in the script of an occurrence of the compilation event relative to the execution event.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, further comprising:
    - storing first information associated with the compilation event in a compilation event queue; and
      
      storing second information associated with the execution event in an execution event queue.
  - 23. The method of claim 21, wherein the compilation event indicates the script includes an evasion technique, and the execution event is detected based on at least the parameter in the script meeting or exceeding the predetermined threshold or size.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Xu, Chong, Sun, Bing, Singh, Navtej, Lin, Yichong, Bu, Zheng
Primary Examiner(s)
Tsang, Henry

Application Number

US14/761,285
Publication Number

US 20150363598A1
Time in Patent Office

1,776 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

Detection of malicious scripting language code in a network environment

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Detection of malicious scripting language code in a network environment

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others