DETECTION OF CODE-BASED MALWARE
Abstract
This document describes techniques for detection of code-based malware. According to some embodiments, the techniques utilize a collection of known malicious code and known benign code and determine which features of each type of code can be used to determine whether unclassified code is malicious or benign. The features can then be used to train a classifier (e.g., a Bayesian classifier) to characterize unclassified code as malicious or benign. In at least some embodiments, the techniques can be used as part of and/or in cooperation with a web browser to inspect web content (e.g., a web page) to determine if the content includes code-based malware.
20 Claims
1. A computer-implemented method comprising:
- extracting structural features from known malicious script and known benign script;
- comparing structural features from unclassified script with the structural features from the known malicious script and the known benign script; and
- classifying the unclassified script as malicious or benign based on the comparison of the structural features from the unclassified script with the structural features from the known malicious script and the known benign script.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-implemented method comprising:
- extracting a first set of features from known code;
- extracting a second set of features based on a determination of which features of the first set of features are predictive of a particular code classification;
- training a classifier using the second set of features; and
- classifying with the classifier unclassified code based at least in part on the second set of features.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer-implemented method comprising:
- building an abstract syntax tree (AST) using code contexts retrieved from one of a known malicious script or a known benign script;
- determining features of the known malicious script or the known benign script based on the structure and contents of the AST;
- matching features of an unclassified script to the features of the known malicious script or the known benign script; and
- classifying the unclassified script as malicious or benign based on the matching.
Dependent claims: 16, 17, 18, 19, 20.
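As an added worked example (not the patent's own code), the pipeline of claims 8 and 15 end to end: structural features read off a script's AST, selection of the second feature set (only features whose presence rate separates the two classes), and a Bernoulli naive Bayes classifier over that set. Python's `ast` module stands in for the script parser and the training scripts are constructed toy stand-ins; both are assumptions of this example.

```python
import ast, math
from collections import Counter

def structural_features(source):
    """Boolean structural features read off one script's AST (claim 15)."""
    tree = ast.parse(source)  # assumption: Python's ast stands in for the script parser
    feats, depth = set(), {tree: 0}
    for node in ast.walk(tree):  # breadth-first, so parents precede children
        feats.add("node:" + type(node).__name__)
        for child in ast.iter_child_nodes(node):
            depth[child] = depth[node] + 1
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            feats.add("call:" + node.func.id)  # e.g. call:exec, call:print
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and len(node.value) > 64:
            feats.add("long_string")  # large opaque literal, typical of packed payloads
    if max(depth.values()) > 6:
        feats.add("deep_nesting")
    return feats

class ScriptClassifier:
    def train(self, malicious, benign, min_gap=0.5):
        """Claim 8: select the discriminative subset, then fit Bernoulli naive Bayes."""
        mal = [structural_features(s) for s in malicious]
        ben = [structural_features(s) for s in benign]
        cm = Counter(f for fs in mal for f in fs)
        cb = Counter(f for fs in ben for f in fs)
        # second feature set: features whose presence rate differs by at least min_gap
        self.features = {f for f in cm | cb
                         if abs(cm[f] / len(mal) - cb[f] / len(ben)) >= min_gap}
        self.p_mal = {f: (cm[f] + 1) / (len(mal) + 2) for f in self.features}  # Laplace
        self.p_ben = {f: (cb[f] + 1) / (len(ben) + 2) for f in self.features}
        self.prior_mal = len(mal) / (len(mal) + len(ben))
        return self

    def classify(self, source):
        fs = structural_features(source)
        log_mal, log_ben = math.log(self.prior_mal), math.log(1 - self.prior_mal)
        for f in self.features:  # absent features count as evidence too (Bernoulli model)
            pm, pb = self.p_mal[f], self.p_ben[f]
            log_mal += math.log(pm if f in fs else 1 - pm)
            log_ben += math.log(pb if f in fs else 1 - pb)
        return "malicious" if log_mal > log_ben else "benign"

# Constructed toy corpus (harmless stand-ins, not real samples).
MALICIOUS = [
    "exec(''.join(chr(c) for c in [112, 114, 105, 110, 116, 40, 41]))",
    "blob = '" + "A" * 80 + "'\neval(blob[::-1])",
    'data = "' + "Q" * 100 + '"\nexec(compile(data, "<s>", "exec"))',
]
BENIGN = [
    "def add(a, b):\n    return a + b\nprint(add(2, 3))",
    "total = sum(range(10))\nprint(total)",
    'names = ["ann", "bob"]\nprint(", ".join(sorted(names)))',
]
CLASSIFIER = ScriptClassifier().train(MALICIOUS, BENIGN)
```

On this corpus the selected second feature set is `call:exec`, `long_string` and `call:print`; node types shared by every script carry no information and are dropped before training.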
Specification