SYSTEMS AND METHODS FOR DETECTING MALICIOUS MOBILE WEBPAGES

US 20150067853A1
Filed: 03/18/2014
Published: 03/05/2015
Est. Priority Date: 08/27/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving a request to evaluate an electronic document, the request including location information associated with the electronic document;

responsive to receiving the request, determining an electronic document accessed based on the received location information;

responsive to determining the accessed electronic document, extracting one or more static mobile-specific features from the accessed electronic document, the static mobile-specific features including an indication of at least one of mobile-specific application programming interface (API) calls and mobile-specific files hosted at a domain associated with the accessed electronic document, anddetermining, by a processor and based on the extracted static mobile-specific features, a likelihood of the accessed electronic document being malicious.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed technology includes techniques for identifying malicious mobile electronic documents, e.g., webpages or emails, based on static document features. The static features may include mobile-specific features, such as mobile web API calls, hosted mobile-specific binaries, noscript content, or misleading URL tokens visible on a mobile-specific interface. The static features may instead or also include various JavaScript (JS) features, HTML features, and URL features detected in numbers outside ranges expected for desktop electronic documents. These features may be used with machine learning techniques to classify benign and malicious documents in real time.

69 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving a request to evaluate an electronic document, the request including location information associated with the electronic document;
  
  responsive to receiving the request, determining an electronic document accessed based on the received location information;
  
  responsive to determining the accessed electronic document, extracting one or more static mobile-specific features from the accessed electronic document, the static mobile-specific features including an indication of at least one of mobile-specific application programming interface (API) calls and mobile-specific files hosted at a domain associated with the accessed electronic document, anddetermining, by a processor and based on the extracted static mobile-specific features, a likelihood of the accessed electronic document being malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, the static mobile-specific features including an indication of mobile-specific API calls based on at least one of “
    - tel;
      
      ”
      
      , “
      
      sms;
      
      ”
      
      , “
      
      smsto;
      
      ”
      
      , “
      
      mms;
      
      ”
      
      , “
      
      mmsto;
      
      ”
      
      , and “
      
      geolocation”
      
      .
  - 3. The method of claim 2, at least one of the mobile-specific API calls associated with one or more phone numbers, the method further comprising determining whether the one or more phone numbers is associated with malicious activity.
  - 4. The method of claim 3, the determining whether the one or more phone numbers is associated with malicious activity comprising checking the one or more phone numbers against a reputation database.
  - 5. The method of claim 1, the static mobile-specific features including an indication of mobile-specific files hosted at a domain associated with the electronic document, the method further comprising determining a number of mobile-specific files hosted at a domain associated with the electronic document.
  - 6. The method of claim 5, the mobile-specific files being mobile application binaries.
  - 7. The method of claim 5, the mobile-specific files including at least one of an APK and an IPA file.
  - 8. The method of claim 1, the method further comprising adding, based on the likelihood of the accessed webpage being malicious, the URL to a blacklist or whitelist.
  - 9. The method of claim 1, the determining the likelihood further based on comparing the extracted static mobile-specific features to a model for identifying malicious mobile electronic documents, the model based on a dataset representing static mobile-specific features extracted from a collection of mobile-specific electronic documents, each mobile-specific electronic document from the collection having a known indication of maliciousness.

10. A non-transitory computer-readable medium that stores instructions that, when executed by at least one processor, causes the at least one processor to perform a method comprising:
- receiving, from a client computer, a request to evaluate a webpage, the request including URL and browser information;
  
  responsive to receiving the request, determining a webpage accessed based on the received URL and browser information;
  
  responsive to determining that the accessed webpage is a mobile webpage, extracting one or more static mobile-specific features from the accessed webpage, the static mobile-specific features including an indication of at least one of misleading words located within a predetermined number of characters of a beginning of the URL and an indication of noscript content associated with the webpage;
  
  determining, by the at least one processor and based on the extracted static mobile-specific features, a likelihood of the accessed webpage being malicious; and
  
  sending, to the client computer, an indication of the likelihood of the accessed webpage being malicious.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, the static mobile-specific features including an indication of noscript content, the method further comprising determining a number of noscript tags in a code of the accessed webpage.
  - 12. The system of claim 10, the static mobile-specific features including an indication of misleading words located within a predetermined number of characters of a beginning of the URL, the method further comprising determining a number of misleading words within the predetermined number of characters of the beginning of the URL.
  - 13. The system of claim 12, the predetermined number of characters based on a display resolution of a mobile computing device.
  - 14. The method of claim 10, the URL and browser information received from a browser extension associated with a browser running at the client computer.
  - 15. The method of claim 10, the method performed substantially in real-time.

16. A system comprising:
- at least one memory operatively coupled to at least one processor and configured for storing data and instructions that, when executed by the at least one processor, cause the system to;
  
  receive, from a browser, a request for a webpage, the request including URL information;
  
  responsive to receiving the request, determine that a webpage accessed based on the URL information is a mobile webpage;
  
  responsive to determining that the accessed webpage is a mobile webpage, extract one or more static mobile-specific features from the accessed webpage, the static mobile-specific features including an indication of at least one of;
  
  mobile-specific application programming interface (API) calls,mobile-specific files hosted at a domain associated with the accessed webpage,misleading words located within a predetermined number of characters of a beginning of the URL, andnoscript content associated with the accessed webpage; and
  
  determine, by the at least one processor and based on the extracted static mobile-specific features, the accessed webpage is malicious.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, the data and instructions further causing the system to prevent, based on the determining the mobile webpage to be malicious, rendering, by the at least one processor, of the mobile webpage.
  - 18. The system of claim 16, the request for the webpage intercepted by a browser extension, the data and instructions further causing the system to prevent, by the browser extension and based on the determining the mobile webpage to be malicious, the browser from rendering the mobile webpage.
  - 19. The system of claim 16, the determining that the webpage accessed based on the URL information is the mobile webpage comprising examining one or more of a top-level domain, subdomain, and URL path prefix of the accessed webpage.
  - 20. The system of claim 16, the memory further configured for storing a model for identifying malicious mobile webpages, the model based on a dataset representing static mobile-specific features extracted from a collection of mobile-specific webpages, each mobile-specific webpage having a known indication of maliciousness, wherein the determining is further based on the model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Georgia Tech Research Corporation (University System of Georgia)
Original Assignee
Georgia Tech Research Corporation (University System of Georgia)
Inventors
Amrutkar, Chaitrali, Traynor, Patrick Gerard, Kim, Young Seuk

Application Number

US14/218,760
Publication Number

US 20150067853A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/14   for detecting or protecting...

H04L 63/1466   Active attacks involving in...

H04L 63/168   above the transport layer

SYSTEMS AND METHODS FOR DETECTING MALICIOUS MOBILE WEBPAGES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DETECTING MALICIOUS MOBILE WEBPAGES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links