System and method for detecting malicious content

US 8,881,278 B2
Filed: 06/10/2011
Issued: 11/04/2014
Est. Priority Date: 06/11/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious code in web content received from a web server, the method comprising:

loading an application interface (API) trap rule associated with a vulnerability definition into a simulator of a web browser to modify an API function of the web browser to intercept malicious code;

extracting metadata from network protocol information associated with the web content;

extracting a dynamic part of the web content;

simulating, via the simulator, the web browser using the extracted metadata in a sandbox to execute the dynamic part of the web content;

determining that the execution of the dynamic part of the web content includes an API call that triggers the API trap rule; and

in response to the triggered API trap rule, monitoring execution of the associated API function in the simulator to identify a match with the vulnerability definition.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting malicious code in web content is described. A controller receives information, routes the information to the appropriate module and determines whether a user receives the web content or a report of a detection of malicious code. A vulnerability definition generator generates vulnerability definitions. A parser parses web content into static language constructions. A translation engine translates the static language constructions into trap rules, translates the web content into application programming interface (API) calls and determines whether the API calls trigger any of the trap rules. A sandbox engine generates an environment that mimics a browser and executes dynamic parts of the web content and determines whether a dynamic part triggers a trap rule.

65 Citations

View as Search Results

19 Claims

1. A computer-implemented method for detecting malicious code in web content received from a web server, the method comprising:
- loading an application interface (API) trap rule associated with a vulnerability definition into a simulator of a web browser to modify an API function of the web browser to intercept malicious code;
  
  extracting metadata from network protocol information associated with the web content;
  
  extracting a dynamic part of the web content;
  
  simulating, via the simulator, the web browser using the extracted metadata in a sandbox to execute the dynamic part of the web content;
  
  determining that the execution of the dynamic part of the web content includes an API call that triggers the API trap rule; and
  
  in response to the triggered API trap rule, monitoring execution of the associated API function in the simulator to identify a match with the vulnerability definition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, further comprising fetching an external resource.
  - 3. The computer-implemented method of claim 2, wherein the external resource is at least one of a file written in JavaScript, Cascading Style Sheet (CSS) and HyperText Markup Language (HTML).
  - 4. The computer-implemented method of claim 1, wherein the API call of the dynamic part includes a request for a data change.
  - 5. The computer-implemented method of claim 1, further comprising, responsive to the API call of the dynamic part not triggering the API trap rule, transmitting the web content to a user device.
  - 6. The computer-implemented method of claim 1, further comprising, responsive to the API call of the dynamic part triggering the API trap rule, reporting detection of the malicious code.
  - 7. The computer-implemented method according to claim 1, wherein simulating a web browser in the sandbox comprises simulating a first portion of the dynamic part in a first sandbox when the first portion of the dynamic part is identified as a first type of content and simulating a second portion of the dynamic part in a second sandbox when the second portion is identified as a second type of content.
  - 8. The computer-implemented method of claim 1, wherein the simulator comprises a plurality of language-specific sandbox virtual environments.

9. A system for detecting malicious code in web content comprising:
- an extractor to extract metadata from network protocol information associated with the web content and to extract a dynamic part of the web content; and
  
  a sandbox engine in communication with the extractor, the sandbox engine to;
  
  load an application programming interface (API) trap rule associated with a vulnerability definition into a simulator of a web browser to modify an API function of the web browser to intercept malicious code,simulate the web browser using the extracted metadata in a sandbox to execute the dynamic part of the web content; and
  
  determine that the execution of the dynamic part of the web content includes an API call that triggers the API trap rule; and
  
  in response to the triggered API trap rule, monitoring execution of the associated API function in the simulator to identify a match with the vulnerability definition.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein, responsive to the sandbox determining that the API call of the dynamic part does not trigger the API trap rule, the sandbox engine is to instruct a communication unit to transmit the web content to a user device.
  - 11. The system of claim 9, wherein, in response to the determining that the API call of the dynamic part triggers the API trap rule, the sandbox engine is to instruct a graphical user interface to report detection of malicious code to a user.
  - 12. The system of claim 9, further comprising a vulnerability definition generator to generate the vulnerability definition.
  - 13. The system of claim 9, further comprising a fetcher to fetch external resources.
  - 14. The system of claim 9, wherein the dynamic part comprises a request for a data change.
  - 15. The system of claim 9, wherein the sandbox engine is to generate a plurality of language-specific sandbox virtual environments.

16. A tangible computer readable storage disc or storage device comprising instructions that, when executed, cause a machine to at least:
- load an application interface (API) trap rule associated with a vulnerability definition into a simulator of a web browser to modify an API function of the web browser to intercept malicious code;
  
  extract metadata from network protocol information associated with the web content;
  
  extracting a dynamic part of web content received from a web server;
  
  simulate, via the simulator, the web browser using the extracted metadata in a sandbox to execute the dynamic part of the web content;
  
  determine that the execution of the dynamic part of the web content includes an API call that triggers the API trap rule; and
  
  in response to the triggered API trap rule, monitoring execution of the associated API function in the simulator to identify a match with the vulnerability definition.
- View Dependent Claims (17, 18, 19)
- - 17. The tangible computer readable storage disc or storage device of claim 16, wherein the instructions further cause the machine to fetch an external resource.
  - 18. The tangible computer readable storage disc or storage device of claim 16, wherein the instructions further cause the machine to, in response to the API call of the dynamic part triggering the API trap rule, reporting detection of the malicious code.
  - 19. The tangible computer readable storage disc or storage device of claim 16, wherein the instructions further cause the machine to, in response to the API call of the dynamic part not triggering the API trap rule, transmitting the web content to a user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Kaplan, Mark, Friger, Alexander, Novikov, Peter
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Jamshidi, Ghodrat

Application Number

US13/158,106
Publication Number

US 20110307955A1
Time in Patent Office

1,243 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 40/154   Tree transformation for tre...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/168   above the transport layer

System and method for detecting malicious content

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting malicious content

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links