METHODS, MEDIA, AND SYSTEMS FOR DETECTING ATTACK ON A DIGITAL PROCESSING DEVICE
Abstract
Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
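The second method in the abstract (select a segment, check that it can be altered, alter it, watch for an error state), as an added example that is not taken from the patent. The document format, the toy "corresponding program" `process`, and the reading that an error after altering display data marks bytes the program was executing are all assumptions made for illustration.

```python
MAGIC = b"DOC1"  # constructed toy format: MAGIC | entry(2) | { length(2) | body }*
class ErrorState(Exception):
    """The toy 'corresponding program' failed while processing a document."""

def bodies(doc):
    """Return (start, end) offsets of every segment body; structural bytes are excluded."""
    spans, pos = [], len(MAGIC) + 2
    while pos < len(doc):
        n = int.from_bytes(doc[pos:pos + 2], "big")
        if pos + 2 + n > len(doc):              # also catches a truncated length field
            raise ErrorState("segment overruns document")
        spans.append((pos + 2, pos + 2 + n))
        pos += 2 + n
    return spans

def process(doc):
    """Toy program: renders bodies as text; if entry != 0 it interprets bytes there as opcodes."""
    if doc[:4] != MAGIC:
        raise ErrorState("bad magic")
    text = "".join(doc[s:e].decode("latin-1") for s, e in bodies(doc))
    pc = int.from_bytes(doc[4:6], "big")
    while pc:                                   # 0x01 = NOP, 0x00 = HALT, anything else faults
        if pc >= len(doc) or doc[pc] not in (0x00, 0x01):
            raise ErrorState("illegal instruction at offset %d" % pc)
        pc = pc + 1 if doc[pc] == 0x01 else 0
    return text

def can_alter(doc, start, end):
    """A span is alterable only if it lies wholly inside one segment body."""
    return any(s <= start and end <= e for s, e in bodies(doc))

def scan(doc):
    """Return offsets whose alteration drives the program into an error state."""
    process(doc)                                # the unaltered document must process cleanly
    suspicious = []
    for off in range(len(doc)):                 # select each one-byte data segment in turn
        if not can_alter(doc, off, off + 1):    # skip magic, entry and length fields
            continue
        altered = doc[:off] + bytes([doc[off] ^ 0xFF]) + doc[off + 1:]
        try:
            process(altered)
        except ErrorState:                      # altered display data should not break the program
            suspicious.append(off)
    return suspicious

def build(entry, *segs):                        # helper that assembles the constructed samples
    return MAGIC + entry.to_bytes(2, "big") + b"".join(len(s).to_bytes(2, "big") + s for s in segs)
BENIGN = build(0, b"hello", b"world")                   # constructed: text only, no entry point
SUSPECT = build(15, b"hello", b"\x01\x01\x01\x00")      # constructed: entry points at toy opcodes
```

In the benign sample every body byte can be flipped without consequence, while in the suspect sample the offsets of the second body are reported because the toy program was interpreting them.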
46 Claims
1. A method for detecting an attack on an application, comprising:
comparing at least part of a document to a static detection model;
determining whether attacking code is included in the document based on the comparison of the document to the static detection model;
executing at least part of the document;
determining whether attacking code is included in the document based on the execution of the at least part of the document; and
if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting an attack on an application, the method comprising:
comparing at least part of the document to a static detection model;
determining whether attacking code is included in the document based on the comparison of the document to the static detection model;
executing at least part of the document;
determining whether attacking code is included in the document based on the execution of the at least part of the document; and
if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A system for detecting attack, comprising:
an interface in communication with a network;
a memory; and
a processor in communication with the memory and the interface;
wherein the processor:
compares at least part of a document to a static detection model;
determines whether attacking code is included in the document based on the comparison of the document to the static detection model;
executes at least part of the document;
determines whether attacking code is included in the document based on the execution of the at least part of the document; and
if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reports the presence of an attack.
16. A method for inhibiting an attack on an application, comprising:
executing at least part of a document, wherein a load order of shared objects is controlled;
detecting for an indication of a crash; and
reporting the presence of an attack, based on the detection for an indication of a crash.
Dependent claims: 17, 18, 19
20. A method for detecting an attack on an application, comprising:
receiving a first document in a first format;
converting the document to a second format to create a second document;
converting the second document to the first format to create a third document;
comparing the first document to the third document;
determining whether attacking code is included in the first document based on the comparison; and
if attacking code is determined to be included, reporting the presence of an attack.
Dependent claims: 21, 22
23. A method for detecting malicious code in electronic documents, the method comprising:
selecting a data segment in at least one portion of an electronic document;
determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program;
in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and
determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
Dependent claims: 24, 25, 26, 27, 28, 29, 30
31. A system for detecting malicious code in electronic documents, the system comprising:
at least one digital processing device that:
selects a data segment in at least one portion of an electronic document;
determines whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program;
in response to determining that the arbitrarily selected data segment can be altered, arbitrarily alters the data segment in the at least one portion of the electronic document to produce an altered electronic document; and
determines whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
Dependent claims: 32, 33, 34, 35, 36, 37, 38
39. A computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting malicious code in electronic documents, the method comprising:
selecting a data segment in at least one portion of an electronic document;
determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program;
in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and
determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
Dependent claims: 40, 41, 42, 43, 44, 45, 46
Specification