Low-Latency Detection of Scripting-Language-Based Exploits
First Claim
1. A method for protecting client computers, comprising:
receiving webpage data at a proxy from a webpage before the data reaches an intended recipient, the proxy is disposed as an intermediary between a server serving up the webpage and the intended recipient;
gathering scripting-language-data from the webpage data;
normalizing the scripting-language-data so as to generate normalized data;
emulating execution of the normalized scripting-language-data with an inspection-point-script-execution engine that is adapted to provide inspection points instead of effectuating particular functions;
determining whether to prevent the data from reaching the intended recipient by analyzing inspection-data collected from the inspection points.
Abstract
Systems and methods for protecting client computers are described. One method includes receiving webpage data at a proxy from a webpage before the data reaches an intended recipient; gathering scripting-language-data from the webpage data; normalizing the scripting-language-data so as to generate normalized data; emulating execution of the normalized scripting-language-data with an inspection-point-script-execution engine that is adapted to provide inspection points instead of effectuating particular functions; and determining whether to block the data from the intended recipient by analyzing inspection-data collected from the inspection points.
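The sketch below is an added example, not code from the patent or its assignee. It illustrates the inspection-point idea from the abstract with Node's vm module: hooked functions record their arguments as inspection-data, and a constructed rule decides whether to block. The names emulate and verdict, the rule itself and the sample scripts are assumptions made for the illustration.

```javascript
// Added illustration, not the patent's implementation. Node's vm module is used
// for convenience; it is not a security boundary, so real samples belong in an
// isolated process or VM.
const vm = require('vm');

// Emulate a script with inspection points: each hooked function records its
// argument instead of (or before) having its real effect.
function emulate(script, budgetMs = 50) {
  const log = []; // inspection-data
  const record = (point, data) => { log.push({ point, data: String(data) }); };
  const sandbox = {
    // No DOM exists here: document.write only records what would be written.
    document: { write: (html) => record('document.write', html) },
    // Decoders still decode, so later stages see the real string.
    unescape: (s) => { const out = unescape(s); record('unescape', out); return out; },
    // eval records the unpacked layer, then emulates it in the same context.
    eval: (src) => {
      record('eval', src);
      return vm.runInContext(String(src), ctx, { timeout: budgetMs });
    },
  };
  const ctx = vm.createContext(sandbox);
  try {
    vm.runInContext(script, ctx, { timeout: budgetMs });
  } catch (e) {
    record('error', e.message); // timeouts and script errors become data too
  }
  return log;
}

// Constructed rule for this example only: block when code unpacked at run time
// (seen at the eval point) writes a zero-size iframe.
function verdict(log) {
  const unpacked = log.some((e) => e.point === 'eval');
  const hiddenFrame = log.some((e) => e.point === 'document.write' &&
    /<iframe[^>]*\b(width|height)=["']?0/i.test(e.data));
  return unpacked && hiddenFrame ? 'block' : 'allow';
}

// Constructed samples: one layer of escape() packing, and a plain write.
const inner = 'document.write(\'<iframe src="http://example.invalid/" width=0 height=0></iframe>\')';
const packedSample = "eval(unescape('" + escape(inner) + "'))";
const plainSample = "document.write('<p>hello</p>')";

console.log(verdict(emulate(packedSample)), verdict(emulate(plainSample)));
```

The time budget matters at a proxy: a script that never terminates is cut off and shows up in the log as an error entry rather than stalling delivery.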
16 Claims
1. A method for protecting client computers, as given under First Claim above.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system for protecting client computers, comprising:
an initial filter that gathers scripting-language-data from webpage data;
an interpretation component that obtains inspection-data from the scripting-language-data by emulating execution of the scripting-language-data;
a shellcode module that disassembles one or more strings that are generated during the emulated execution of the scripting language data so as to generate disassembled code and pseudo-executes at least a portion of the disassembled code to determine whether to block the scripting language data from reaching an intended recipient based upon pseudo-execution-data; and
an analysis component that assesses the inspection data to determine whether to block the scripting language data from reaching the intended recipient.
Dependent claims: 11, 12, 13, 14, 15
16. A method for protecting client computers, comprising:
receiving webpage data at a proxy from a webpage before the data reaches an intended recipient, the proxy is disposed as an intermediary between a server serving up the webpage and the intended recipient;
gathering scripting-language-data from the webpage data;
prompting the scripting-language-data to unpack into one or more strings;
disassembling ones of the one or more strings that are suspected of including shell code;
determining, without pseudo-executing, whether string indicates that scripting-language-data should be blocked;
pseudo-executing the disassembled suspect string if the string can not be determined to be safe.
Specification