Methods, media, and systems for detecting attack on a digital processing device
Abstract
Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
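The second method in the abstract (alter a segment that should be free to change, reprocess, watch for an error state) can be sketched as follows. This is an added example, not code from the patent: the record format, `toy_viewer`, its simulated flaw, `ErrorState` and the sample documents are all constructed assumptions.

```python
# Constructed toy model; nothing here is taken from the patent's specification.
ALTERABLE_KINDS = {"blob"}   # assumption: the format treats blob bytes as opaque


class ErrorState(Exception):
    """Stand-in for a crash or fault in the corresponding program."""


def toy_viewer(records):
    """Hypothetical 'corresponding program' for a list of (kind, payload) records."""
    for kind, payload in records:
        if kind == "text":
            payload.decode("ascii")          # strictly parsed, never altered below
        elif kind == "ref":
            # Simulated flaw: the viewer interprets the referenced record as
            # instructions (0x01 = no-op, 0x00 = stop); anything else faults.
            for op in records[payload[0]][1]:
                if op == 0x00:
                    break
                if op != 0x01:
                    raise ErrorState(f"invalid opcode {op:#04x}")
        # "blob" payloads are skipped: a benign viewer run never reads them


def find_suspect_segments(records, process, fill=0xFF):
    """Return indexes of alterable segments whose alteration causes an error state."""
    suspects = []
    for index, (kind, payload) in enumerate(records):
        if kind not in ALTERABLE_KINDS:      # altering this would break a benign document
            continue
        altered = list(records)              # leave the original document untouched
        altered[index] = (kind, bytes([fill]) * len(payload))
        try:
            process(altered)
        except ErrorState:
            suspects.append(index)           # the program depended on "opaque" bytes
    return suspects


# Constructed sample documents.
BENIGN = [("text", b"hello"), ("blob", b"\x10\x20\x30")]
SUSPICIOUS = [("text", b"hello"), ("blob", b"\x10\x20\x30"),
              ("blob", b"\x01\x01\x00"), ("ref", b"\x02")]

if __name__ == "__main__":
    print(find_suspect_segments(BENIGN, toy_viewer))
    print(find_suspect_segments(SUSPICIOUS, toy_viewer))
```

Only the blob that the viewer ends up interpreting is flagged; the untouched blob in the same document is not, which is how the check localizes the suspect segment.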
24 Claims
1. A method for detecting malicious code in electronic documents, the method comprising:
selecting, using a hardware processor, a data segment in at least one portion of an electronic document;
determining, using the hardware processor, whether the selected data segment can be altered by changing values of the selected data segment to an arbitrary value without causing the electronic document to result in an error when processed by a corresponding program;
in response to determining that the selected data segment can be altered, transforming, using the hardware processor, the electronic document to an altered electronic document by arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document;
processing, using the hardware processor, the altered electronic document using the corresponding program;
determining, using the hardware processor, whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program; and
determining, using the hardware processor, that the selected data segment in the at least one portion of the electronic document contains malicious code, in response to determining that the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A system for detecting malicious code in electronic documents, the system comprising:
at least one digital processing device that:
selects a data segment in at least one portion of an electronic document;
determines whether the selected data segment can be altered by changing values of the selected data segment without causing the electronic document to result in an error when processed by a corresponding program;
in response to determining that the selected data segment can be altered, transforms the electronic document to an altered electronic document by arbitrarily altering the data segment in the at least one portion of the electronic document;
determines whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program; and
determines that the selected data segment in the at least one portion of the electronic document contains malicious code, in response to determining that the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting malicious code in electronic documents, the method comprising:
selecting a data segment in at least one portion of an electronic document;
determining whether the selected data segment can be altered by changing values of the selected data segment to an arbitrary value without causing the electronic document to result in an error when processed by a corresponding program;
in response to determining that the selected data segment can be altered, transforming the electronic document to an altered electronic document by arbitrarily altering the data segment in the at least one portion of the electronic document;
processing the altered electronic document using the corresponding program;
determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program; and
determining that the selected data segment in the at least one portion of the electronic document contains malicious code, in response to determining that the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
Dependent claims: 18, 19, 20, 21, 22, 23, 24
Specification