METHODS, MEDIA, AND SYSTEMS FOR DETECTING ATTACK ON A DIGITAL PROCESSING DEVICE

US 20100064369A1
Filed: 03/18/2009
Published: 03/11/2010
Est. Priority Date: 09/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an attack on an application, comprising:

comparing at least part of a document to a static detection model;

determining whether attacking code is included in the document based on the comparison of the document to the static detection model;

executing at least part of the document;

determining whether attacking code is included in the document based on the execution of the at least part of the document; and

if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.

Citations

46 Claims

1. A method for detecting an attack on an application, comprising:
- comparing at least part of a document to a static detection model;
  
  determining whether attacking code is included in the document based on the comparison of the document to the static detection model;
  
  executing at least part of the document;
  
  determining whether attacking code is included in the document based on the execution of the at least part of the document; and
  
  if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - updating the static detection model if attacking code is determined to be present based on the execution of the at least part of the document.
  - 3. The method of claim 1, wherein the determining whether attacking code is included in the document based on the execution of the at least part of the document comprises:
    - comparing behavior observed by the execution of the document to behavior observed by execution of at least one of known attacking documents and known benign documents.
  - 4. The method of claim 1, wherein the determining whether attacking code is included in the document based on the execution of the at least part of the document comprises comparing behavior observed by execution of the document to a dynamic detection model.
  - 5. The method of claim 4, further comprising:
    - creating at least part of the dynamic detection model by;
      
      executing at least one known malicious document in a first environment;
      
      executing the at least one known malicious document in a second environment;
      
      comparing behavior observed by execution in the first environment to behavior observed by execution in the second environment to determine any differences in behavior; and
      
      adding at least one difference in behavior to the dynamic detection model;
      
      wherein the document is executed in at least one of the first environment and second environment.
  - 6. The method of claim 1, further comprising:
    - parsing the document into sections and wherein the comparing the at least part of the document to the static detection model comprises;
      
      selecting at least one the sections; and
      
      comparing the at least one selected section to the static detection model.
  - 7. The method of claim 1, wherein the document is a word processing document, wherein the execution comprises opening the document in word processing software, wherein the document is embedded with at least one of an image, a table, and injected code, and wherein the document is executed in a protected environment.

8. A computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting an attack on an application, the method comprising:
- comparing at least part of the document to a static detection model;
  
  determining whether attacking code is included in the document based on the comparison of the document to the static detection model;
  
  executing at least part of the document;
  
  determining whether attacking code is included in the document based on the execution of the at least part of the document; and
  
  if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable medium of claim 8, the method further comprising:
    - updating the static detection model if attacking code is determined to be present based on the execution of the at least part of the document.
  - 10. The computer-readable medium of claim 8, wherein the determining whether attacking code is included in the document based on the execution of the at least part of the document comprises:
    - comparing behavior observed by the execution of the document to behavior observed by execution of at least one of known attacking documents and known benign documents.
  - 11. The computer-readable medium of claim 8, wherein the determining whether attacking code is included in the document based on the execution of the at least part of the document comprises comparing behavior observed by execution of the document to a dynamic detection model.
  - 12. The computer-readable medium of claim 11, the method further comprising:
    - creating at least part of the dynamic detection model by;
      
      executing at least one known malicious document in a first environment;
      
      executing the at least one known malicious document in a second environment;
      
      comparing behavior observed by execution in the first environment to behavior observed by execution in the second environment to determine any differences in behavior; and
      
      adding at least one difference in behavior to the dynamic detection model;
      
      wherein the document is executed in at least one of the first environment and second environment.
  - 13. The computer-readable medium of claim 8, the method further comprising:
    - parsing the document into sections and wherein the comparing the at least part of the document to the static detection model comprises;
      
      selecting at least one the sections; and
      
      comparing the at least one selected section to the static detection model.
  - 14. The computer-readable medium of claim 8, wherein the document is a word processing document, wherein the execution comprises opening the document in word processing software, wherein the document is embedded with at least one of an image, a table, and injected code, and wherein the document is executed in a protected environment.

15. A system for detecting attack, comprising:
- an interface in communication with a network;
  
  a memory; and
  
  a processor in communication with the memory and the interface;
  
  wherein the processor;
  
  compares at least part of a document to a static detection model;
  
  determines whether attacking code is included in the document based on the comparison of the document to the static detection model;
  
  executes at least part of the document;
  
  determines whether attacking code is included in the document based on the execution of the at least part of the document; and
  
  if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reports the presence of an attack.

16. A method for inhibiting an attack on an application, comprising:
- executing at least part of a document, wherein a load order of shared objects is controlled;
  
  detecting for an indication of a crash; and
  
  reporting the presence of an attack, based on the detection for an indication of a crash.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, further comprising:
    - detecting for a change to a file considered to be an indication of attack;
      
      detecting for a message considered to be an indication of attack; and
      
      reporting the presence of an attack, based on at least one of the detecting for a change to a file considered to be an indication of attack and the detecting for a message considered to be an indication of attack.
  - 18. The method of claim 17, wherein the document is executed in a first environment and further comprising executing the document in at least one additional environment;
    - wherein the detecting for a change to a file considered to be an indication of attack comprises;
      
      determining any differences between the file changed by the execution of the document in the first environment and the at least one additional environment;
      
      comparing the determined differences to known differences between the file changed by execution of at least one of known attacking documents and known benign documents in the first environment and the at least one additional environment.
  - 19. The method of claim 16, wherein the document is a word processing document, wherein the document is embedded with at least one of an image, a table, and injected code, and wherein the shared objects comprise dynamic-link-libraries.

20. A method for detecting an attack on an application, comprising:
- receiving a first document in a first format;
  
  converting the document to a second format to create a second document;
  
  converting the second document to the first format to create a third document;
  
  comparing the first document to the third document;
  
  determining whether attacking code is included in the first document based on the comparison; and
  
  if attacking code is determined to be included, reporting the presence of an attack.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20, wherein the comparing the first document to the third document comprises:
    - executing the first document and third document; and
      
      comparing any differences in behavior between the execution of the first document and the execution of the third document.
  - 22. The method of claim 20, wherein the first format is a word processing format and the second format is a portable document format.

23. A method for detecting malicious code in electronic documents, the method comprising:
- selecting a data segment in at least one portion of an electronic document;
  
  determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program;
  
  in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and
  
  determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The method of claim 23, wherein the electronic document is a word processing document.
  - 25. The method of claim 23, wherein the corresponding program is a word processing program.
  - 26. The method of claim 23, wherein the at least one portion of the electronic document is altered by changing values of the data segment in the at least one portion by a given value.
  - 27. The method of claim 23, wherein the at least one portion of the electronic document is altered by changing values of the data segment in the at least one portion by an arbitrarily selected displacement.
  - 28. The method of claim 23, wherein the error is at least one of:
    - a crash of the corresponding program and a recognizable error state.
  - 29. The method of claim 23, wherein the altered electronic document is processed in a sandbox environment.
  - 30. The method of claim 23, further comprising disabling the malicious code in response to the produced error state.\

31. A system for detecting malicious code in electronic documents, the system comprising:
- at least one digital processing device that;
  
  selects a data segment in at least one portion of an electronic document;
  
  determines whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program;
  
  in response to determining that the arbitrarily selected data segment can be altered, arbitrarily alters the data segment in the at least one portion of the electronic document to produce an altered electronic document; and
  
  determines whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38)
- - 32. The system of claim 31, wherein electronic document is a word processing document.
  - 33. The system of claim 31, wherein the corresponding program is a word processing program.
  - 34. The system of claim 31, wherein the at least one digital processing device is further configured to alter the at least one portion of the electronic document by changing values of the data segment in the at least one portion by a given value.
  - 35. The system of claim 31, wherein the at least one digital processing device is further configured to alter the at least one portion of the electronic document by an arbitrarily selected displacement.
  - 36. The system of claim 31, wherein the error is at least one of:
    - a crash of the corresponding program and a recognizable error state.
  - 37. The system of claim 31, wherein the at least one digital processing device is further configured to process the altered electronic document in a sandbox environment.
  - 38. The system of claim 31, wherein the at least one digital processing device is further configured to disable the malicious code in response to the produced error state.

39. A computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting malicious code in electronic documents, the method comprising:
- selecting a data segment in at least one portion of an electronic document;
  
  determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program;
  
  in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and
  
  determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46)
- - 40. The computer-readable medium of claim 39, wherein the electronic document is a word processing document.
  - 41. The computer-readable medium of claim 39, wherein the corresponding program is a word processing program.
  - 42. The computer-readable medium of claim 39, wherein the at least one portion of the electronic document is altered by changing values of the data segment in the at least one portion by a given value.
  - 43. The computer-readable medium of claim 39, wherein the at least one portion of the electronic document is altered by changing values of the data segment in the at least one portion by an arbitrarily selected displacement.
  - 44. The computer-readable medium of claim 39, wherein the error is at least one of:
    - a crash of the corresponding program and a recognizable error state.
  - 45. The computer-readable medium of claim 39, wherein the altered electronic document is processed in a sandbox environment.
  - 46. The computer-readable medium of claim 39, wherein the method further comprises disabling the malicious code in response to the produced error state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Keromylis, Angelos D., Androulaki, Elli, Li, Wei-Jen, Stolfo, Salvatore J.

Granted Patent

US 8,789,172 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

METHODS, MEDIA, AND SYSTEMS FOR DETECTING ATTACK ON A DIGITAL PROCESSING DEVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS, MEDIA, AND SYSTEMS FOR DETECTING ATTACK ON A DIGITAL PROCESSING DEVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links