Methods, media, and systems for detecting attack on a digital processing device

US 8,789,172 B2
Filed: 03/18/2009
Issued: 07/22/2014
Est. Priority Date: 09/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious code in electronic documents, the method comprising:

selecting, using a hardware processor, a data segment in at least one portion of an electronic document;

determining, using the hardware processor, whether the selected data segment can be altered by changing values of the selected data segment to an arbitrary value without causing the electronic document to result in an error when processed by a corresponding program;

in response to determining that the selected data segment can be altered, transforming, using the hardware processor, the electronic document to an altered electronic document by arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document;

processing, using the hardware processor, the altered electronic document using the corresponding program;

determining, using the hardware processor, whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program; and

determining, using the hardware processor, that the selected data segment in the at least one portion of the electronic document contains malicious code, in response to determining that the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.

Citations

24 Claims

1. A method for detecting malicious code in electronic documents, the method comprising:
- selecting, using a hardware processor, a data segment in at least one portion of an electronic document;
  
  determining, using the hardware processor, whether the selected data segment can be altered by changing values of the selected data segment to an arbitrary value without causing the electronic document to result in an error when processed by a corresponding program;
  
  in response to determining that the selected data segment can be altered, transforming, using the hardware processor, the electronic document to an altered electronic document by arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document;
  
  processing, using the hardware processor, the altered electronic document using the corresponding program;
  
  determining, using the hardware processor, whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program; and
  
  determining, using the hardware processor, that the selected data segment in the at least one portion of the electronic document contains malicious code, in response to determining that the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the electronic document is a word processing document.
  - 3. The method of claim 1, wherein the corresponding program is a word processing program.
  - 4. The method of claim 1, wherein the at least one portion of the electronic document is altered by changing the values of the data segment in the at least one portion by a given value.
  - 5. The method of claim 1, wherein the at least one portion of the electronic document is altered by changing the values of the data segment in the at least one portion by an arbitrarily selected displacement.
  - 6. The method of claim 1, wherein the error is at least one of:
    - a crash of the corresponding program and a recognizable error state.
  - 7. The method of claim 1, wherein the altered electronic document is processed in a sandbox environment.
  - 8. The method of claim 1, further comprising disabling the malicious code in response to the produced error state.

9. A system for detecting malicious code in electronic documents, the system comprising:
- at least one digital processing device that;
  
  selects a data segment in at least one portion of an electronic document;
  
  determines whether the selected data segment can be altered by changing values of the selected data segment without causing the electronic document to result in an error when processed by a corresponding program;
  
  in response to determining that the selected data segment can be altered, transforms the electronic document to an altered electronic document by arbitrarily altering the data segment in the at least one portion of the electronic document;
  
  determines whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program; and
  
  determines that the selected data segment in the at least one portion of the electronic document contains malicious code, in response to determining that the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein electronic document is a word processing document.
  - 11. The system of claim 9, wherein the corresponding program is a word processing program.
  - 12. The system of claim 9, wherein the at least one digital processing device is further configured to alter the at least one portion of the electronic document by changing the values of the data segment in the at least one portion by a given value.
  - 13. The system of claim 9, wherein the at least one digital processing device is further configured to alter the at least one portion of the electronic document by changing the values of the data segment by an arbitrarily selected displacement.
  - 14. The system of claim 9, wherein the error is at least one of:
    - a crash of the corresponding program and a recognizable error state.
  - 15. The system of claim 9, wherein the at least one digital processing device is further configured to process the altered electronic document in a sandbox environment.
  - 16. The system of claim 9, wherein the at least one digital processing device is further configured to disable the malicious code in response to the produced error state.

17. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting malicious code in electronic documents, the method comprising:
- selecting a data segment in at least one portion of an electronic document;
  
  determining whether the selected data segment can be altered by changing values of the selected data segment to an arbitrary value without causing the electronic document to result in an error when processed by a corresponding program;
  
  in response to determining that the selected data segment can be altered, transforming the electronic document to an altered electronic document by arbitrarily altering the data segment in the at least one portion of the electronic document;
  
  processing the altered electronic document using the corresponding program;
  
  determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program; and
  
  determining that the selected data segment in the at least one portion of the electronic document contains malicious code, in response to determining that the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the electronic document is a word processing document.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the corresponding program is a word processing program.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the at least one portion of the electronic document is altered by changing the values of the data segment in the at least one portion by a given value.
  - 21. The non-transitory computer-readable medium of claim 17, wherein the at least one portion of the electronic document is altered by changing the values of the data segment in the at least one portion by an arbitrarily selected displacement.
  - 22. The non-transitory computer-readable medium of claim 17, wherein the error is at least one of:
    - a crash of the corresponding program and a recognizable error state.
  - 23. The non-transitory computer-readable medium of claim 17, wherein the altered electronic document is processed in a sandbox environment.
  - 24. The non-transitory computer-readable medium of claim 17, wherein the method further comprises disabling the malicious code in response to the produced error state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Stolfo, Salvatore J., Li, Wei-Jen, Keromylis, Angelos D., Androulaki, Elli
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US12/406,814
Publication Number

US 20100064369A1
Time in Patent Office

1,952 Days
Field of Search

726 22- 27, 713/188, 713/150, 714/16, 714/19, 380/280, 705/59
US Class Current

726/22
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

Methods, media, and systems for detecting attack on a digital processing device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, media, and systems for detecting attack on a digital processing device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links