METHOD AND COMPUTER SYSTEM FOR DETERMINING A THREAT SCORE

US 20190311132A1
Filed: 07/04/2017
Published: 10/10/2019
Est. Priority Date: 07/04/2016
Status: Active Application

First Claim

Patent Images

1. A method for determining a threat score of an electronic document, the method comprising the steps of:

loading and rendering the electronic document in a document sandbox;

querying a list of all available navigation elements in the electronic document from the document sandbox;

controlling the document sandbox to simulate user interaction with the electronic document based on the queried list;

while loading and rendering the electronic document and while controlling the document sandbox to simulate user interaction with the electronic document, monitoring the document sandbox for events triggered by the electronic document and belonging to one of at least two predefined event classes;

recording each observed event together with a respective event class to which each observed event belongs; and

determining the threat score of the electronic document based on predefined numerical weights associated with each of the predefined event classes to which the recorded events belong.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a computer system are disclosed for determining a threat score of an electronic document comprising the steps of: loading and rendering the electronic document in a document sandbox, controlling the document sandbox to simulate user interaction with the electronic document, while loading and rendering the electronic document and while controlling the document sandbox to simulate user interaction with the electronic document, monitoring the document sandbox for events triggered by the electronic document and belonging to one of at least two predefined event classes, recording each observed event together with a respective event class to which each observed event belongs, and determining a threat score of the electronic document based on predefined numerical weights associated with each of the predefined event classes to which the recorded events belong.

12 Citations

View as Search Results

20 Claims

1. A method for determining a threat score of an electronic document, the method comprising the steps of:
- loading and rendering the electronic document in a document sandbox;
  
  querying a list of all available navigation elements in the electronic document from the document sandbox;
  
  controlling the document sandbox to simulate user interaction with the electronic document based on the queried list;
  
  while loading and rendering the electronic document and while controlling the document sandbox to simulate user interaction with the electronic document, monitoring the document sandbox for events triggered by the electronic document and belonging to one of at least two predefined event classes;
  
  recording each observed event together with a respective event class to which each observed event belongs; and
  
  determining the threat score of the electronic document based on predefined numerical weights associated with each of the predefined event classes to which the recorded events belong.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein a simulated user interaction comprises simulated mouse movements, simulated mouse clicks, and/or keyboard inputs.
  - 3. The method according to claim 1, wherein one or more of the at least two predefined event classes are network resource requests of the document sandbox.
  - 4. The method according to claim 3, wherein meta data and/or content of any network resource request of the document sandbox are analysed for one or more of the following network resource request classes, which are part of the at least two predefined event classes:
    - requests of resources from locations different from an origin of the electronic document;
      
      requests of resources from locations in different countries than the origin of the electronic document;
      
      requests of documents for which a threat score outside a predefined acceptable range has been determined earlier;
      
      requests of resources from locations matching a pattern defined on a location blacklist;
      
      requests transferring data tokens to locations matching a pattern defined on the location blacklist; and
      
      /orresources matching a predefined pattern of malicious content.
  - 5. The method according to claim 1, wherein one or more of the at least two predefined event classes are script function invocations inside the document sandbox.
  - 6. The method according to claim 5, wherein script functions invoked during script execution are analysed for one or more of the following function invocation classes, which are part of the at least two predefined event classes:
    - invocations of functions manipulating the rendered document without user interaction;
      
      invocations of functions triggering a download without user interaction; and
      
      /or invocations of functions listed on a function blacklist.
  - 7. The method according to claim 1, wherein one or more of the at least two predefined event classes are document changes.
  - 8. The method according to claim 7, wherein the document changes are analysed for one or more of the following document change classes, which are part of the at least two predefined event classes:
    - changes introducing hidden or invisible elements into the document; and
      
      /or changes introducing elements referring to resources from locations different from an origin of the electronic document.
  - 9. The method according to claim 1, further comprising storing the recorded events together with the respective event classes in an event database.
  - 10. The method according to claim 1, further comprising storing the determined threat score of the electronic document in a filter database (2).
  - 11. The method according to claim 1, further comprising comparing the determined threat score with one or more predefined ranges of threat scores, wherein each range is associated with a threat category.
  - 12. The method according to claim 11, further comprising filtering access to an electronic document by determining a threat category of an electronic document to be accessed and denying the access when the electronic document belongs to a predefined threat category.

13. A computer program product for determining a threat score of an electronic document, the computer program product comprising program parts, which when loaded onto a computer are configured to:
- load and render the electronic document in a document sandbox;
  
  query a list of all available navigation elements in the electronic document from the document sandbox;
  
  control the document sandbox to simulate user interaction with the electronic document based on the queried list;
  
  while loading and rendering the electronic document and while controlling the document sandbox to simulate user interaction with the electronic document, monitor the document sandbox for events triggered by the electronic document and belonging to one of at least two predefined event classes;
  
  record each observed event together with a respective event class to which each observed event belongs; and
  
  determine the threat score of the electronic document based on predefined numerical weights associated with each of the predefined event classes to which the recorded events belong.

14. A computer system for determining a threat score of an electronic document, the computer system comprising:
- a document sandbox module for loading and rendering an electronic document;
  
  an interaction simulation module connected to the document sandbox module and configured to query the document sandbox for a list of all available navigation elements in the electronic document (10) and to control the document sandbox module to simulate user interaction with the electronic document based on the queried list;
  
  a monitoring module connected to the document sandbox module and configured to monitor the document sandbox module for events belonging to one of at least two predefined event classes and to record each observed event together with a respective event class to which each observed event belongs; and
  
  a scoring module connected to the monitoring module and configured to determine a threat score based on predefined numerical weights associated with each of the predefined event classes to which the events recorded by the monitoring module belong.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer system of claim 14, wherein the user interaction simulated by the interaction simulation module comprises simulated mouse movements, simulated mouse clicks, and/or keyboard inputs.
  - 16. The computer system of claim 14, wherein one or more of the at least two predefined event classes are network resource requests of the document sandbox.
  - 17. The computer system of claim 14, wherein one or more of the at least two predefined event classes are script function invocations inside the document sandbox.
  - 18. The computer system of claim 14, wherein one or more of the at least two predefined event classes are document changes.
  - 19. The computer system of claim 18, wherein the document changes are analysed by the monitoring module for one or more of the following document change classes, which are part of the at least two predefined event classes:
    - changes introducing hidden or invisible elements into the document; and
      
      /orchanges introducing elements referring to resources from locations different from an origin of the electronic document.
  - 20. The computer system of claim 14, wherein the scoring module is further connected to a filter database and configured to store the determined threat score of the electronic document in the filter database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CYAN Security Group GmbH (cyan AG)
Original Assignee
CYAN Security Group GmbH (cyan AG)
Inventors
ARNOTH, Peter, CSERNA, Markus

Application Number

US16/315,086
Publication Number

US 20190311132A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6272   by registering files or doc...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

H04L 67/535   Tracking the activity of th...

H04W 12/63   Location-dependent; Proximi...

METHOD AND COMPUTER SYSTEM FOR DETERMINING A THREAT SCORE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND COMPUTER SYSTEM FOR DETERMINING A THREAT SCORE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links