SYSTEM AND METHOD FOR DETECTING MALICIOUS SCRIPT

US 20110239294A1
Filed: 11/11/2010
Published: 09/29/2011
Est. Priority Date: 03/29/2010
Status: Active Grant

First Claim

Patent Images

1. A system for detecting a malicious script, comprising:

a script decomposition module for decomposing a web page into scripts;

a static analysis module for statically analyzing the decomposed scripts in the form of a document file;

a dynamic analysis module for dynamically executing and analyzing the decomposed scripts; and

a comparison module for comparing an analysis result of the static analysis module and an analysis result of the dynamic analysis module to determine whether the decomposed scripts are malicious scripts.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a system and method for detecting a malicious script. The system includes a script decomposition module for decomposing a web page into scripts, a static analysis module for statically analyzing the decomposed scripts in the form of a document file, a dynamic analysis module for dynamically executing and analyzing the decomposed scripts, and a comparison module for comparing an analysis result of the static analysis module and an analysis result of the dynamic analysis module to determine whether the decomposed scripts are malicious scripts. The system and method can recognize a hidden dangerous hypertext markup language (HTML) tag irrespective of an obfuscation technique for hiding a malicious script in a web page and thus can cope with an unknown obfuscation technique.

Citations

16 Claims

1. A system for detecting a malicious script, comprising:
- a script decomposition module for decomposing a web page into scripts;
  
  a static analysis module for statically analyzing the decomposed scripts in the form of a document file;
  
  a dynamic analysis module for dynamically executing and analyzing the decomposed scripts; and
  
  a comparison module for comparing an analysis result of the static analysis module and an analysis result of the dynamic analysis module to determine whether the decomposed scripts are malicious scripts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, further comprising a redirection site analysis module for analyzing an Internet protocol (IP) address and domain information of a redirection site to detect a web page spreading malicious code.
  - 3. The system of claim 2, wherein the IP address analysis detects a web page spreading malicious code using geographic location information on the IP address, andthe domain information analysis detects a web page spreading malicious code using a degree of similarity between domain information included in the decomposed scripts and domain information on a website being visited.
  - 4. The system of claim 2, further comprising a whitelist comparison module for checking whether a whitelist signature known to be normal is included in a script determined to be malicious.
  - 5. The system of claim 1, wherein the dynamic analysis module executes the decomposed scripts and analyzes results of executing the scripts using a web browser.
  - 6. The system of claim 5, wherein the dynamic analysis module is a plug-in of the web browser, and obtains information on final results of executing the scripts in communication with a script execution element of the web browser.
  - 7. The system of claim 1, wherein the static analysis module counts a number of times that a signature of each dangerous hypertext markup language (HTML) tag is identical to content of each of the decomposed scripts, andthe dynamic analysis module counts a number of times that the content of each of the dynamically executed decomposed scripts is identical to the signature of the dangerous HTML tag.
  - 8. The system of claim 7, wherein the comparison module compares the number of times counted by the static analysis module and the number of times counted by the dynamic analysis module to determine whether obfuscated malicious code exists.

9. A method of detecting a malicious script, comprising:
- decomposing a web page into scripts;
  
  statically analyzing the decomposed scripts in the form of a document file;
  
  executing and dynamically analyzing the decomposed scripts; and
  
  comparing a static analysis result and a dynamic analysis result to determine whether the decomposed scripts are malicious scripts.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, further comprising analyzing an Internet protocol (IP) address and domain information of a site to which redirection is performed by a script determined to be malicious to detect a web page spreading malicious code.
  - 11. The method of claim 10, wherein analyzing an IP address includes detecting a web page spreading malicious code using geographic location information on the IP address, andanalyzing domain information includes detecting a web page spreading malicious code using a degree of similarity between domain information included in the decomposed scripts and domain information on a website being visited.
  - 12. The method of claim 10, further comprising checking whether a whitelist signature known to be normal is included in the script determined to be malicious.
  - 13. The method of claim 9, wherein dynamically analyzing the decomposed scripts includes executing the decomposed scripts and analyzing results of executing the scripts using a web browser.
  - 14. The method of claim 13, wherein dynamically analyzing the decomposed scripts is implemented by a plug-in of the web browser and further includes obtaining information on final results of executing the scripts in communication with a script execution element of the web browser.
  - 15. The method of claim 9, wherein statically analyzing the decomposed scripts includes counting a number of times that a signature of each dangerous hypertext markup language (HTML) tag is identical to content of each of the decomposed scripts, anddynamically analyzing the decomposed scripts includes counting a number of times that the content of each of the dynamically executed decomposed scripts is identical to the signature of the dangerous HTML tag.
  - 16. The method of claim 15, wherein determining whether the decomposed scripts are malicious scripts includes comparing the number of times counted by statically analyzing the decomposed scripts and the number of times counted by dynamically analyzing the decomposed scripts to determine whether obfuscated malicious code exists.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
KIM, Tae Ghyoon, CHOI, Young Han, CHOI, Seok Jin, LEE, Cheol Won

Granted Patent

US 9,032,516 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/563 by source code analysis

G06F 21/566 Dynamic detection, i.e. det...

SYSTEM AND METHOD FOR DETECTING MALICIOUS SCRIPT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DETECTING MALICIOUS SCRIPT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links