System and method for detecting malicious content
First Claim
1. A computer-implemented method for detecting malicious code in web content received from a web server, the method comprising:
loading an application interface (API) trap rule associated with a vulnerability definition into a simulator of a web browser to modify an API function of the web browser to intercept malicious code;
extracting metadata from network protocol information associated with the web content;
extracting a dynamic part of the web content;
simulating, via the simulator, the web browser using the extracted metadata in a sandbox to execute the dynamic part of the web content;
determining that the execution of the dynamic part of the web content includes an API call that triggers the API trap rule; and
in response to the triggered API trap rule, monitoring execution of the associated API function in the simulator to identify a match with the vulnerability definition.
Abstract
A system and method for detecting malicious code in web content is described. A controller receives information, routes the information to the appropriate module and determines whether a user receives the web content or a report of a detection of malicious code. A vulnerability definition generator generates vulnerability definitions. A parser parses web content into static language constructions. A translation engine translates the static language constructions into trap rules, translates the web content into application programming interface (API) calls and determines whether the API calls trigger any of the trap rules. A sandbox engine generates an environment that mimics a browser and executes dynamic parts of the web content and determines whether a dynamic part triggers a trap rule.
19 Claims
1. As set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A system for detecting malicious code in web content comprising:
an extractor to extract metadata from network protocol information associated with the web content and to extract a dynamic part of the web content; and
a sandbox engine in communication with the extractor, the sandbox engine to:
load an application programming interface (API) trap rule associated with a vulnerability definition into a simulator of a web browser to modify an API function of the web browser to intercept malicious code,
simulate the web browser using the extracted metadata in a sandbox to execute the dynamic part of the web content; and
determine that the execution of the dynamic part of the web content includes an API call that triggers the API trap rule; and
in response to the triggered API trap rule, monitoring execution of the associated API function in the simulator to identify a match with the vulnerability definition.
Dependent claims: 10, 11, 12, 13, 14, 15.

16. A tangible computer readable storage disc or storage device comprising instructions that, when executed, cause a machine to at least:
load an application interface (API) trap rule associated with a vulnerability definition into a simulator of a web browser to modify an API function of the web browser to intercept malicious code;
extract metadata from network protocol information associated with the web content;
extracting a dynamic part of web content received from a web server;
simulate, via the simulator, the web browser using the extracted metadata in a sandbox to execute the dynamic part of the web content;
determine that the execution of the dynamic part of the web content includes an API call that triggers the API trap rule; and
in response to the triggered API trap rule, monitoring execution of the associated API function in the simulator to identify a match with the vulnerability definition.
Dependent claims: 17, 18, 19.
Specification