SYSTEM AND METHOD FOR DETECTING MALICIOUS CONTENT

US 20110307955A1
Filed: 06/10/2011
Published: 12/15/2011
Est. Priority Date: 06/11/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious code in web content, the method comprising:

generating vulnerability definitions;

translating vulnerability definitions into a trap rule;

receiving web content;

parsing web content into static language;

translating static language into one or more application programming interface (API) calls; and

determining whether any of the one or more API calls triggers the trap rule.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting malicious code in web content is described. A controller receives information, routes the information to the appropriate module and determines whether a user receives the web content or a report of a detection of malicious code. A vulnerability definition generator generates vulnerability definitions. A parser parses web content into static language constructions. A translation engine translates the static language constructions into trap rules, translates the web content into application programming interface (API) calls and determines whether the API calls trigger any of the trap rules. A sandbox engine generates an environment that mimics a browser and executes dynamic parts of the web content and determines whether a dynamic part triggers a trap rule.

Citations

20 Claims

1. A computer-implemented method for detecting malicious code in web content, the method comprising:
- generating vulnerability definitions;
  
  translating vulnerability definitions into a trap rule;
  
  receiving web content;
  
  parsing web content into static language;
  
  translating static language into one or more application programming interface (API) calls; and
  
  determining whether any of the one or more API calls triggers the trap rule.
- View Dependent Claims (2, 3)
- - 2. The computer-implemented method of claim 1, further comprising responsive to the one or more API calls not triggering the trap rule, transmitting the web content to a user device.
  - 3. The computer-implemented method of claim 1, further comprising responsive to the one or more API calls triggering the trap rule, reporting detection of malicious code.

4. A computer-implemented method for detecting malicious code in web content, the method comprising:
- loading vulnerability definitions and a trap rule for intercepting malicious code;
  
  receiving web content from a web server, the web content including at least one dynamic part;
  
  extracting metadata from a network protocol and the dynamic part of the web content;
  
  executing the dynamic part of the web content; and
  
  determining whether the dynamic part triggers the trap rule.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
- - 5. The computer-implemented method of claim 4, further comprising fetching external resources.
  - 6. The computer-implemented method of claim 5, wherein the external resource is at least one of a file written in JavaScript, Cascading Style Sheet (CSS) and HyperText Markup Language (HTML).
  - 7. The computer-implemented method of claim 4, wherein the dynamic part includes an application programming interface (API) call.
  - 8. The computer-implemented method of claim 4, wherein the dynamic part includes a request for a data change.
  - 9. The computer-implemented method of claim 4, further comprising responsive to the dynamic part not triggering the trap rule, transmitting the web content to a user device.
  - 10. The computer-implemented method of claim 4, further comprising responsive to the dynamic part triggering the trap rule, reporting detection of the malicious code.

11. A system for detecting malicious code in web content comprising:
- a controller for receiving information and routing the information to an appropriate module within the system;
  
  a vulnerability definition generator coupled to the controller, the vulnerability definition generator for generating vulnerability definitions;
  
  a parser coupled to the controller, the parser for receiving web content and parsing the web content into static language; and
  
  a translation engine coupled to the parser, the translation engine for receiving the vulnerability definitions, translating the vulnerability definitions into a trap rule, receiving the static language from the parser, translating the static language into one or more API calls and determining whether any of the application programming interface (API) calls trigger the trap rule.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein responsive to the translation engine determining that none of the API calls trigger the trap rule, the controller instructs a communication unit to transmit the web content to a user device.
  - 13. The system of claim 11, wherein responsive to the translation engine determining that at least one of the API calls triggers the trap rule, the controller instructs a graphical user interface to report detection of malicious code to a user.
  - 14. The system of claim 11, wherein the parser comprises sub-parsers for each type of code language used to create the web content.

15. A system for detecting malicious code in web content comprising:
- a controller for receiving information and routing the information to an appropriate module within the system, the controller also receiving web content that includes a dynamic part;
  
  an extractor coupled to the controller for extracting metadata from a network protocol and for extracting the dynamic part of the web content; and
  
  a sandbox coupled to the controller and the extractor for loading vulnerability definitions and a trap rule for intercepting malicious code, for executing the dynamic part of the web content, for evaluating vulnerability definitions and for determining whether the dynamic part triggers the trap rule.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein responsive to the sandbox determining that the dynamic part does not trigger the trap rule, the controller instructs a communication unit to transmit the web content to a user device.
  - 17. The system of claim 15, wherein responsive to the sandbox determining that the dynamic part triggers the trap rule, the controller instructs a graphical user interface to report detection of malicious code to a user.
  - 18. The system of claim 15, further comprising a vulnerability definition generator coupled to the controller and the sandbox, the vulnerability definition generator for generating vulnerability definitions.
  - 19. The system of claim 15, further comprising a fetcher for fetching external resources.
  - 20. The system of claim 15, wherein the dynamic part is at least one of an application programming interface (API) call and a request for a data change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
M86 Security Incorporated (Singapore Telecommunications Limited)
Inventors
Kaplan, Mark, Friger, Alexander, Novikov, Peter

Granted Patent

US 8,881,278 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 40/154   Tree transformation for tre...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/168   above the transport layer

SYSTEM AND METHOD FOR DETECTING MALICIOUS CONTENT

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DETECTING MALICIOUS CONTENT

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links