Detection of malicious scripting language code in a network environment
First Claim
1. At least one non-transitory machine accessible storage medium having instructions stored thereon for detecting malicious code in a script, wherein the instructions, when executed by at least one processor, cause the at least one processor to perform a method comprising:
evaluating a left side variable name of an assignment statement in the script or a right side value of the assignment statement to produce a result indicating a compilation event;
initiating, by an execution engine, an execution of a compiled script resulting from a compilation of the script;
detecting a function called by the compiled script;
executing the function and performing an evaluation of the function;
detecting an execution event during the evaluation of the function, wherein the execution event is detected based on a parameter passed into the function, a result of the function, data written or replaced by the function, or data calculated by the function at least meeting or exceeding a predetermined threshold length or size; and
verifying, against a correlation signature defining a combination of events that indicate the script is malicious, a time or a location in the script of an occurrence of the compilation event relative to the execution event.
Abstract
A method is provided in one example embodiment and includes initiating an execution of a compiled script, evaluating a function called in the compiled script, detecting an execution event based on at least a first criterion, and storing information associated with the execution event in an execution event queue. The method also includes verifying a correlation signature based on information associated with at least one execution event in the execution event queue. In specific embodiments, the method includes evaluating an assignment statement of a script during compilation of the script by a compiler, detecting a compilation event based on at least a second criterion, and storing information associated with the compilation event in a compilation event queue. In yet additional embodiments, the verification of the correlation signature is based in part on information associated with one or more compilation events in the compilation event queue.
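As an added example (not code from the patent or its assignee), the following Python sketch implements the two-phase scheme the abstract and claims describe: a compilation pass that records an event for any assignment whose right-side string literal meets a threshold length, an execution pass that records an event when a function's parameter or result meets that threshold, and a correlation signature that is verified on the location of the compilation event relative to the execution event. The toy line-based script language, the builtin table, the threshold of 64 and the sample scripts are all constructed for illustration.

```python
import re
from urllib.parse import unquote

THRESHOLD = 64          # constructed threshold length ("long" string)
ASSIGN_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
CALL_RE = re.compile(r'^(?:(\w+)\s*=\s*)?(\w+)\((\w+)\)$')
# Constructed builtin table for the toy language; "eval" is only a sink here.
BUILTINS = {"unescape": unquote, "reverse": lambda s: s[::-1], "eval": lambda s: s}
# Constructed correlation signature: a long literal assignment followed within
# max_gap lines by a decode/eval-style call that handles a long string.
SIGNATURE = {"fns": {"unescape", "eval"}, "max_gap": 10}

def compile_script(lines, threshold=THRESHOLD):
    """Compilation event queue: one entry per assignment whose right-side
    string literal is at least `threshold` characters long."""
    queue = []
    for lineno, line in enumerate(lines, 1):
        m = ASSIGN_RE.match(line.strip())
        if m and len(m.group(2)) >= threshold:
            queue.append({"kind": "long_literal", "line": lineno, "name": m.group(1)})
    return queue

def execute_script(lines, threshold=THRESHOLD):
    """Execution event queue: run the script and record every function call
    whose parameter or result meets or exceeds `threshold` characters."""
    env, queue = {}, []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if (m := CALL_RE.match(line)):
            target, fn, arg = m.groups()
            param = env.get(arg, "")
            result = BUILTINS[fn](param)
            if max(len(param), len(result)) >= threshold:
                queue.append({"kind": "long_call", "line": lineno, "fn": fn})
            if target:
                env[target] = result
        elif (m := ASSIGN_RE.match(line)):
            env[m.group(1)] = m.group(2)
    return queue

def verify_signature(compile_queue, exec_queue, sig=SIGNATURE):
    """Return the first (compilation event, execution event) pair whose
    relative location in the script satisfies the signature, else None."""
    for c in compile_queue:
        for e in exec_queue:
            gap = e["line"] - c["line"]
            if e["fn"] in sig["fns"] and 0 < gap <= sig["max_gap"]:
                return {"compile_line": c["line"], "exec_line": e["line"], "fn": e["fn"]}
    return None

def detect(lines):
    return verify_signature(compile_script(lines), execute_script(lines))

# Constructed samples: a long escaped literal that is decoded, then evaluated.
SAMPLE = ['shell = "' + "%41" * 40 + '"', "payload = unescape(shell)", "eval(payload)"]
BENIGN = ['greeting = "hello"', "msg = reverse(greeting)"]
```

`detect(SAMPLE)` reports the literal on line 1 correlated with the `unescape` call on line 2, while `detect(BENIGN)` returns None because neither queue holds an event.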
23 Claims
1. (Independent claim 1 is set out in full under First Claim above; dependent claims 2-16.)
17. An apparatus for detecting malicious code in a script, the apparatus comprising:
one or more processors; and
one or more memory elements including instructions stored therein, wherein the instructions are executable by at least one of the one or more processors to:
evaluate a left side variable name of an assignment statement in the script or a right side value of the assignment statement to produce a result indicating a compilation event;
initiate an execution of a compiled script resulting from a compilation of the script;
detect a function called by the compiled script;
execute the function and perform an evaluation of the function;
detect an execution event during the evaluation of the function, wherein the execution event is detected based on a parameter passed into the function, a result of the function, data written or replaced by the function, or data calculated by the function at least meeting or exceeding a predetermined threshold length or size; and
verify, against a correlation signature defining a combination of events that indicate the script is malicious, a time or a location in the script of an occurrence of the compilation event relative to the execution event.
(Dependent claims 18-20.)
21. A method of detecting malicious code in a script, the method comprising:
evaluating a left side variable name of an assignment statement in the script or a right side value of the assignment statement to produce a result indicating a compilation event;
initiating, by an execution engine, an execution of a compiled script resulting from a compilation of the script;
detecting a function called by the compiled script;
executing the function and performing an evaluation of the function;
detecting an execution event during the evaluation of the function, wherein the execution event is detected based on a parameter passed into the function, a result of the function, data written or replaced by the function, or data calculated by the function at least meeting or exceeding a predetermined threshold length or size; and
verifying, against a correlation signature defining a combination of events that indicate the script is malicious, a time or a location in the script of an occurrence of the compilation event relative to the execution event.
(Dependent claims 22-23.)