Apparatus and method for detecting obfuscated malicious web page
First Claim
1. A method of detecting malicious code in a web page, the method comprising:
- extracting native source code from web page information;
- searching the native source code for malicious code by attempting to match known malicious code patterns within the native source code;
- detecting malicious code in the native source code when at least one of the known malicious code patterns matches within the native source code;
- displaying a message that malicious code has been detected on a web browser when malicious code has been detected in the native source code;
- searching for obfuscated code in the native source code, wherein the obfuscated code is selected from a group consisting of an empty character obfuscated code, a character string concatenation operation obfuscated code, a special character obfuscated code, a repeatedly used alphanumeric obfuscated code, and a pointer obfuscated code for a dangerous script function;
- inserting a deobfuscation function in the native source code in front of the obfuscated code when the obfuscated code is found in the native source code;
- using the deobfuscation function to deobfuscate the obfuscated code into unobfuscated code to make a deobfuscated source code from the native source code with the found obfuscated code;
- searching the deobfuscated source code for malicious code by attempting to match known malicious code patterns within the deobfuscated source code;
- detecting malicious code in the deobfuscated source code when at least one of the known malicious code patterns matches within the deobfuscated source code; and
- displaying the message that malicious code has been detected on the web browser when malicious code has been detected in the deobfuscated source code.
Abstract
An apparatus and method for detecting an obfuscated malicious web page are provided to find a malicious web page by deobfuscating an obfuscated malicious code. The apparatus includes an obfuscated code detector that detects whether an obfuscated code is included in a source code of a web page, a deobfuscation function inserter that reconfigures the source code by inserting a function for deobfuscating the obfuscated code into the source code, a deobfuscator that is called by the function inserted into the reconfigured source code and deobfuscates the obfuscated code, and a malicious code detector that detects a malicious code using the deobfuscated code.
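The two-pass scan described in the claim and abstract (signature match on the native source, obfuscation check, deobfuscation, second signature match), as an added example that is not code from the patent. The claim inserts a deobfuscation function into the page source itself; this example substitutes a static decode-and-fold pass, and the signature set, the heuristics for two of the obfuscation classes, and the sample page are all constructed assumptions.

```javascript
// Constructed stand-ins for the "known malicious code patterns" of the claim.
const SIGNATURES = [
  { name: "hidden-iframe", re: /<iframe[^>]*\b(?:width|height)\s*=\s*["']?0\b/i },
  { name: "eval-unescape", re: /\beval\s*\(\s*unescape\s*\(/i },
];
// Assumed heuristics for two of the obfuscation classes the claim lists.
const OBFUSCATION = [
  { kind: "string-concatenation", re: /(["'])(?:(?!\1).)*\1\s*\+\s*["']/ },
  { kind: "special-character", re: /(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){3,}/i },
];

// Return the `key` field of every rule whose pattern matches the source.
const matchAll = (rules, key, src) => rules.filter(r => r.re.test(src)).map(r => r[key]);

// Static deobfuscation: decode escapes, then fold adjacent string literals.
function deobfuscate(src) {
  let out = src.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})|%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, a, b, c, d) => String.fromCharCode(parseInt(a || b || c || d, 16)));
  const concat = /(["'])((?:(?!\1).)*)\1\s*\+\s*(["'])((?:(?!\3).)*)\3/g;
  let prev;
  do { // repeat until "a" + "b" + "c" has collapsed to "abc"
    prev = out;
    out = out.replace(concat, (_, q, left, _q2, right) => q + left + right + q);
  } while (out !== prev);
  return out;
}

// Match signatures on the native source, then on a deobfuscated copy
// when an obfuscation heuristic fires.
function scanPage(html) {
  const nativeHits = matchAll(SIGNATURES, "name", html);
  const obfuscation = matchAll(OBFUSCATION, "kind", html);
  const deobfuscatedHits = obfuscation.length
    ? matchAll(SIGNATURES, "name", deobfuscate(html)) : [];
  return { malicious: nativeHits.length + deobfuscatedHits.length > 0,
           nativeHits, obfuscation, deobfuscatedHits };
}

// Constructed sample page: the signature text only exists after concatenation.
const SAMPLE = `<html><body><script>
var a = "<ifr" + "ame src='http://example.invalid/x' wid" + "th=0 hei" + "ght=0></ifr" + "ame>";
document.write(a);
</script></body></html>`;

console.log(scanPage(SAMPLE));
```

A page that merely concatenates strings is reported as obfuscated but not malicious, which is why the second signature pass, not the obfuscation check, decides the verdict.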
14 Claims
1. A method of detecting malicious code in a web page, the method comprising:
- extracting native source code from web page information;
- searching the native source code for malicious code by attempting to match known malicious code patterns within the native source code;
- detecting malicious code in the native source code when at least one of the known malicious code patterns matches within the native source code;
- displaying a message that malicious code has been detected on a web browser when malicious code has been detected in the native source code;
- searching for obfuscated code in the native source code, wherein the obfuscated code is selected from a group consisting of an empty character obfuscated code, a character string concatenation operation obfuscated code, a special character obfuscated code, a repeatedly used alphanumeric obfuscated code, and a pointer obfuscated code for a dangerous script function;
- inserting a deobfuscation function in the native source code in front of the obfuscated code when the obfuscated code is found in the native source code;
- using the deobfuscation function to deobfuscate the obfuscated code into unobfuscated code to make a deobfuscated source code from the native source code with the found obfuscated code;
- searching the deobfuscated source code for malicious code by attempting to match known malicious code patterns within the deobfuscated source code;
- detecting malicious code in the deobfuscated source code when at least one of the known malicious code patterns matches within the deobfuscated source code; and
- displaying the message that malicious code has been detected on the web browser when malicious code has been detected in the deobfuscated source code.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A non-transitory computer readable recording media having written thereon coded instructions for detecting malicious code in a web page, the non-transitory computer readable recording media comprising:
- coded instructions for extracting native source code from web page information;
- coded instructions for searching the native source code for malicious code by attempting to match known malicious code patterns within the native source code;
- coded instructions for detecting malicious code in the native source code when at least one of the known malicious code patterns matches within the native source code;
- coded instructions for displaying a message that malicious code has been detected on a web browser when malicious code has been detected in the native source code;
- coded instructions for searching for obfuscated code in the native source code, wherein the obfuscated code is selected from a group consisting of an empty character obfuscated code, a character string concatenation operation obfuscated code, a special character obfuscated code, a repeatedly used alphanumeric obfuscated code, and a pointer obfuscated code for a dangerous script function;
- coded instructions for inserting a deobfuscation function in the native source code in front of the obfuscated code when the obfuscated code is found in the native source code;
- coded instructions for using the deobfuscation function to deobfuscate the obfuscated code into unobfuscated code to make a deobfuscated source code from the native source code with the found obfuscated code;
- coded instructions for searching the deobfuscated source code for malicious code by attempting to match known malicious code patterns within the deobfuscated source code;
- coded instructions for detecting malicious code in the deobfuscated source code when at least one of the known malicious code patterns matches within the deobfuscated source code; and
- coded instructions for displaying the message that malicious code has been detected on the web browser when the malicious code has been detected in the deobfuscated source code.
Dependent claims: 9, 10, 11, 12, 13, 14
Specification