Method for detecting malicious javascript
First Claim
1. A method for scoring and grading websites by observing script behaviors in a browser emulator, comprising:
- providing one or more virtual machines on a computing system comprising a processor configured by an operating system;
- providing a communications link for each virtual machine to access hosts coupled to the Internet;
- within a virtual machine, providing an enhanced browser emulator application wherein said enhanced browser emulator is enhanced by replacing standard Application Programming Interfaces (APIs), libraries, and functions in a resource from a source website with instrumented operations, wherein the instrumented operations check the number of invocations of any of the APIs, libraries, and functions against a threshold and take action upon reaching the threshold;
- receiving a Uniform Resource Identifier (URI) for the source website for which content is to be graded for hostile intent, wherein a URI comprises a protocol and a fully qualified domain name;
- requesting by the browser a resource from said source website;
- receiving said resource;
- determining if shell code is contained within said resource from said source website;
- determining if executable code is contained within said resource;
- observing a behavior of the enhanced browser emulator as controlled by said executable code contained within the said resource and scoring said behaviors for hostile intent.
Abstract
An apparatus and system for scoring and grading websites and method of operation. An apparatus receives one or more Uniform Resource Identifiers (URI), requests and receives a resource such as a webpage, and observes the behaviors of an enhanced browser emulator as controlled by JavaScript provided by the webpage. The enhanced browser emulator tracks behaviors which, when aggregated, imply malicious intent.
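The instrumented-operation step of claim 1 and the aggregation described in the abstract, sketched as an added example that is not code from the patent: each replaced API counts its invocations, acts when its threshold is reached, and the weights are summed into a grade. The choice of APIs, the thresholds, weights, grade cut-offs and the names `gradeScript`, `POLICY` and `HALT_SCORE` are assumptions.

```javascript
// Added illustration. API choice, thresholds, weights and grade cut-offs are assumptions.
const POLICY = {
  "unescape":       { threshold: 3,  weight: 30 },
  "document.write": { threshold: 2,  weight: 20 },
  "setTimeout":     { threshold: 10, weight: 10 },
};
const HALT_SCORE = 50; // stop emulating once the aggregate score reaches this
class Halt extends Error {}

function gradeScript(source, policy = POLICY) {
  const counts = {}, findings = [];
  let score = 0, halted = false;
  // Replace an API with an instrumented operation that counts invocations.
  const instrument = (name, stub) => (...args) => {
    counts[name] = (counts[name] || 0) + 1;
    const rule = policy[name];
    if (rule && counts[name] === rule.threshold) {
      // Action on reaching the threshold: record the behavior and add its weight.
      findings.push(name);
      score += rule.weight;
      if (score >= HALT_SCORE) throw new Halt(name);
    }
    return stub(...args);
  };
  // Emulated environment: inert stubs, nothing is rendered or scheduled.
  const env = {
    unescape: instrument("unescape", (s) => String(s)),
    document: { write: instrument("document.write", () => undefined) },
    setTimeout: instrument("setTimeout", () => 0),
  };
  try {
    // The instrumented names shadow the real ones; isolation is the virtual machine's job.
    new Function("unescape", "document", "setTimeout", source)(
      env.unescape, env.document, env.setTimeout);
  } catch (e) {
    if (!(e instanceof Halt)) throw e;
    halted = true;
  }
  const grade = score >= HALT_SCORE ? "hostile" : score > 0 ? "suspicious" : "clean";
  return { score, grade, halted, counts, findings };
}

// Constructed sample inputs (not real-world scripts).
const BENIGN = `document.write(unescape("%41"));`;
const NOISY = `var s = ""; for (var i = 0; i < 5; i++) s += unescape("%41");
               document.write(s); document.write(s);`;
```
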
20 Claims
Specification