System and method for detecting malware in executable scripts according to its functionality
First Claim
1. A malware detection system for determining whether an executable script is malware according to its functionality, the malware detection system comprising:
- a malware signature store including at least one known malware script signature; and
a normalization module that obtains an executable script, and normalizes the executable script, thereby generating a script signature for the executable script;
and wherein the malware detection system compares the script signature for the executable script to the at least one script signature in the malware signature store to determine whether the executable script is malware.
2 Assignments
0 Petitions
Accused Products
Abstract
A malware detection system and method for determining whether an executable script is malware is presented. The malware detection system determines whether the executable script is malware by comparing the functional contents of the executable script to the functional contents of known malware. In practice, the executable script is obtained. The executable script is normalized, thereby generating a script signature corresponding to the functionality of the executable script. The script signature is compared to known malware script signatures in a malware signature store to determine whether the executable script is malware. If a complete match is made, the executable script is considered to be malware. If a partial match is made, the executable script is considered to likely be malware. The malware detection system may perform two normalizations, each normalization generating a script signature which is compared to similarly normalized known malware script signatures in the malware signature store.
-
Citations
5 Claims
-
1. A malware detection system for determining whether an executable script is malware according to its functionality, the malware detection system comprising:
-
a malware signature store including at least one known malware script signature; and
a normalization module that obtains an executable script, and normalizes the executable script, thereby generating a script signature for the executable script;
and wherein the malware detection system compares the script signature for the executable script to the at least one script signature in the malware signature store to determine whether the executable script is malware. - View Dependent Claims (2)
-
-
3. A malware detection system for determining whether an executable script is malware according to its functionality, the malware detection system comprising:
-
a malware signature storage means including at least one known malware script signature;
a normalization means that obtains an executable script, and normalizes the executable script, thereby generating a script signature for the executable script, wherein a script signature comprises normalized functional contents of an executable script in a format that may be compared to the normalized functional contents of other executable scripts; and
a comparison means that compares the script signature for the executable script to the at least one script signature in the malware signature storage means;
wherein the malware detection system according to the comparison performed by the comparison means, determines whether the executable script is malware.
-
-
4. A method for determining whether a computer-executable script is a malware script, the method comprising:
-
obtaining an executable script;
normalizing the executable script thereby generating a first script signature, wherein a script signature comprises normalized functional contents of an executable script in a format that may be compared to the normalized functional contents of other executable scripts;
comparing the first script signature to at least one script signature of known malware scripts; and
determining, based on the previous comparison, whether the executable script is a malware script.
-
-
5. A computer-readable medium bearing computer-executable instructions which, when executed on a computing device, carry out the method comprising:
-
obtaining an executable script;
normalizing the executable script thereby generating a first script signature, wherein a script signature comprises normalized functional contents of an executable script in a format that may be compared to the normalized functional contents of other executable scripts;
comparing the first script signature to at least one script signature of known malware scripts; and
determining, based on the previous comparison, whether the executable script is a malware script.
-
Specification
-
- Resources
-
Current AssigneeMicrosoft Technology Licensing LLC (Microsoft Corporation)
-
Original AssigneeMicrosoft Corporation
-
InventorsMarinescu, Adrian M., Sandu, Catalin D.
-
Granted Patent
-
Time in Patent OfficeDays
-
Field of Search
-
US Class Current726/22
-
CPC Class CodesG06F 21/562 Static detectionG06F 21/563 by source code analysisG06F 21/564 by virus signature recognition
