System and method for detecting malware in executable scripts according to its functionality
First Claim
1. A computer-implemented malware detection system for determining whether an executable script is malware according to functional variables and subroutines of the executable script, the malware detection system comprising:
a malware signature store including at least one known malware script signature, wherein each malware signature in the malware signature store is a normalized signature of a known malware script;
a normalization module that obtains an executable script and generates a normalized signature for the executable script, wherein generating a normalized signature for the executable script comprises normalizing variables and subroutines from the executable script into normalized variables and subroutines conforming to a common format suitable for comparison with the at least one malware signature in the malware signature store, the normalizing comprising renaming variables and subroutines from the executable script according to a common naming convention; and
a comparison module, wherein the comparison module compares the normalized signature of the executable script to the at least one normalized malware signature in the malware signature store;
wherein the malware detection system is configured to:
determine whether the comparison found a complete match between the normalized signature for the executable script and the at least one normalized malware signature, and if so, report that the executable script is malware.
Dependent claims: 4, 5, 6.
Abstract
A malware detection system and method for determining whether an executable script is malware is presented. The malware detection system determines whether the executable script is malware by comparing the functional contents of the executable script to the functional contents of known malware. In practice, the executable script is obtained. The executable script is normalized, thereby generating a script signature corresponding to the functionality of the executable script. The script signature is compared to known malware script signatures in a malware signature store to determine whether the executable script is malware. If a complete match is made, the executable script is considered to be malware. If a partial match is made, the executable script is considered to likely be malware. The malware detection system may perform two normalizations, each normalization generating a script signature which is compared to similarly normalized known malware script signatures in the malware signature store.
14 Claims
2. A computer-implemented method for determining whether a computer-executable script is malware according to functional variables and subroutines of the computer-executable script, the method comprising:
using one or more processors to perform the following computer-executable acts:
obtaining an executable script;
generating a first normalized signature for the executable script, wherein the first normalized signature comprises normalized variables and subroutines normalized from corresponding variables and subroutines in the executable script in a common format suitable for comparison to normalized signatures of known malware, and wherein the normalized variables and subroutines comprise variables and subroutines from the executable script that are renamed according to a common naming convention;
comparing the first normalized signature to at least one normalized signature of known malware; and
determining, based on the previous comparison, whether the executable script is malware, comprising determining if the first normalized signature for the executable script is a complete match with a normalized signature of known malware, and if so, reporting that the executable script is malware.
Dependent claims: 7, 8, 9.
3. A tangible computer-readable medium bearing computer-executable instructions which, when executed on a computing device, carry out a method for determining whether a computer-executable script is malware according to functional variables and subroutines of the computer-executable script, comprising:
obtaining an executable script;
generating a first normalized signature for the executable script, wherein the first normalized signature comprises normalized variables and subroutines normalized from corresponding functional variables and subroutines in the executable script in a common format suitable for comparison to normalized signatures of known malware, and wherein the normalized variables and subroutines comprise variables and subroutines from the executable script that are renamed according to a common naming convention;
comparing the first normalized signature to at least one normalized signature of known malware scripts; and
determining, based on the previous comparison, whether the executable script is malware, comprising determining if the first normalized signature for the executable script is a complete match with a normalized signature of known malware, and if so, reporting that the executable script is malware.
Dependent claims: 10, 11, 12.
13. A computer-implemented method for determining whether a computer-executable script is malware according to functional variables and subroutines of the computer-executable script, the method comprising:
using one or more processors to perform the following computer-executable acts:
obtaining an executable script;
generating a first normalized signature for the executable script, wherein the first normalized signature comprises normalized variables and subroutines normalized from corresponding variables and subroutines in the executable script in a format suitable for comparison to normalized signatures of known malware;
comparing the first normalized signature to at least one normalized signature of known malware; and
determining, based on the previous comparison, whether the executable script is malware, comprising:
determining if the first normalized signature for the executable script is a complete match with a normalized signature of known malware, and if so, reporting that the executable script is malware; and
determining if the first normalized signature for the executable script is a partial match with a normalized signature of known malware, and if so:
generating a second normalized signature for the executable script, the second normalized signature comprising variables and subroutines from the executable script normalized into a second common format suitable for comparison with second normalized signatures of known malware; and
comparing the second normalized signature for the executable script to second normalized signatures of known malware to determine whether the second normalized signature for the executable script is a complete match to a second normalized signature of known malware, and if so, reporting that the executable script is malware.
Dependent claim: 14.
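The two-stage normalize-and-compare procedure of the abstract and claim 13, as an added illustration that is not part of the patent and not the patentee's implementation: scripts are in a constructed toy JavaScript-like syntax, the partial-match criterion (token Jaccard similarity at a 0.5 threshold) and the second normalization format (blanking string literals) are assumptions the patent leaves open, and the sample "known malware" is constructed.

```python
import re
import hashlib

# Constructed sample of a "known malware" script in a toy JavaScript-like syntax.
KNOWN_MALWARE = """function spread(target) { var payload = readFile("x"); send(target, payload); }
function main() { spread("host"); }"""

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)")
VAR_RE = re.compile(r"\bvar\s+(\w+)")

def normalize(script):
    """First normalization: rename subroutines to sub0, sub1, ... and variables
    (parameters and var declarations) to var0, var1, ... in order of first
    definition, then collapse whitespace. Renaming is purely textual, so a
    variable name that also appears inside a string literal is renamed there too."""
    subs, vars_ = {}, {}
    for m in FUNC_RE.finditer(script):
        subs.setdefault(m.group(1), f"sub{len(subs)}")
        for p in m.group(2).split(","):
            if p.strip():
                vars_.setdefault(p.strip(), f"var{len(vars_)}")
    for m in VAR_RE.finditer(script):
        vars_.setdefault(m.group(1), f"var{len(vars_)}")
    names = {**subs, **vars_}
    renamed = re.sub(r"\b\w+\b", lambda m: names.get(m.group(0), m.group(0)), script)
    return " ".join(renamed.split())

def normalize_second(first_norm):
    """Second normalization (assumed format): also blank out string literals,
    so variants that only change constants still compare equal."""
    return re.sub(r'"[^"]*"', '"STR"', first_norm)

def signature(norm):
    return hashlib.sha256(norm.encode()).hexdigest()

def partial_match(norm_a, norm_b, threshold=0.5):
    """Assumed partial-match criterion: Jaccard similarity of whitespace tokens."""
    ta, tb = set(norm_a.split()), set(norm_b.split())
    return len(ta & tb) / len(ta | tb) >= threshold

def build_store(known_scripts):
    """Signature store: (first normalization, second normalization) per known script."""
    return [(normalize(s), normalize_second(normalize(s))) for s in known_scripts]

def classify(script, store):
    """Complete first-stage match -> malware; a partial match triggers the second
    normalization, which either confirms malware or leaves 'likely malware'."""
    n1 = normalize(script)
    if any(signature(n1) == signature(k1) for k1, _ in store):
        return "malware"
    for k1, k2 in store:
        if partial_match(n1, k1):
            return "malware" if normalize_second(n1) == k2 else "likely malware"
    return "clean"
```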