Monitoring for problems and detecting malware
Abstract
Detecting a suspicious element in a web page is disclosed. The page is analyzed, such as through static analysis and/or dynamic analysis techniques. A suspicious element in the page is detected. A report that includes a copy of at least a portion of the suspicious element is provided as output.
21 Claims
1. A system for detecting malware, comprising:
- a computer processor;
- a detection engine executing on the computer processor and configured to:
  - emulate presentation of a web page comprising a plurality of structural elements, the structural elements comprising a body node and a script node;
  - create a structure indicating relationships among the structural elements of the web page;
  - identify a dynamic element created in response to executing the script node in a scripting engine while emulating presentation of the web page;
  - modify the structure to reference the dynamic element, the structure identifying the body node as a parent of the dynamic element;
  - determine that the dynamic element is associated with malware;
  - determine a dynamic lineage of the dynamic element based on a stack that tracks entry and exit from the scripting engine, the stack including a pointer to the script node that indicates that the script node is a dynamic parent of the dynamic element; and
- a quarantine engine configured to:
  - transmit a quarantine instruction based on the dynamic lineage and the signal.

Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A method for detecting malware, comprising:
- emulating presentation of a web page comprising a plurality of structural elements, the structural elements comprising a body node and a script node;
- creating a structure indicating relationships among the structural elements of the web page;
- identifying a dynamic element created in response to executing the script node in a scripting engine while emulating presentation of the web page;
- modifying the structure to reference the dynamic element, the structure identifying the body node as a parent of the dynamic element;
- determining that the dynamic element is associated with malware;
- determining a dynamic lineage of the dynamic element based on a stack that tracks entry and exit from the scripting engine, the stack including a pointer to the script node that indicates that the script node is a dynamic parent of the dynamic element;
- generating a signal indicating that the dynamic element is associated with malware; and
- transmitting a quarantine instruction based on the dynamic lineage and the signal.

Dependent claims: 10, 11, 12, 13, 14, 15

16. A non-transitory computer readable storage medium comprising a plurality of instructions for detecting malware, the plurality of instructions, when executed by at least one processor, comprising functionality to:
- emulate presentation of a web page comprising a plurality of structural elements, the structural elements comprising a body node and a script node;
- create a structure indicating relationships among the structural elements of the web page;
- identify a dynamic element created in response to executing the script node in a scripting engine while emulating presentation of the web page;
- modify the structure to reference the dynamic element, the structure identifying the body node as a parent of the dynamic element;
- determine that the dynamic element is associated with malware;
- determine a dynamic lineage of the dynamic element based on a stack that tracks entry and exit from the scripting engine, the stack including a pointer to the script node that indicates that the script node is a dynamic parent of the dynamic element;
- generate a signal indicating that the dynamic element is associated with malware; and
- transmit a quarantine instruction based on the dynamic lineage and the signal.

Dependent claims: 17, 18, 19, 20, 21
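
The stack-based lineage tracking recited in the independent claims can be sketched as follows. This is an added example, not code from the patent or its assignee; the `Node` and `Emulator` classes, the sample page, the `bad.example` host and the verdict rule are all constructed for illustration.

```javascript
// Added illustration: toy page emulator. All names and sample data are constructed.
class Node {
  constructor(tag, attrs = {}, run = null) {
    Object.assign(this, { tag, attrs, run, parent: null, dynamicParent: null, children: [] });
  }
}

class Emulator {
  constructor() {
    this.body = new Node("body");
    this.engineStack = []; // pushed on scripting-engine entry, popped on exit
  }
  append(node) {
    // Structural relationship: every inserted element is a child of <body>.
    node.parent = this.body;
    this.body.children.push(node);
    // Dynamic parent: the script node on top of the stack (null for static markup).
    node.dynamicParent = this.engineStack[this.engineStack.length - 1] || null;
    if (node.tag === "script" && node.run) this.execute(node);
    return node;
  }
  execute(script) {
    this.engineStack.push(script);        // entry into the scripting engine
    try { script.run(this); }
    finally { this.engineStack.pop(); }   // exit, even if the script throws
  }
}

// Walk dynamic parents from a flagged element back to the originating static script.
function dynamicLineage(node) {
  const chain = [];
  for (let n = node.dynamicParent; n; n = n.dynamicParent) chain.push(n.attrs.id);
  return chain;
}

// Constructed page: a static script injects a second script, which injects an iframe.
function analyzeSamplePage() {
  const emu = new Emulator();
  const iframe = () => new Node("iframe", { id: "frame-3", src: "http://bad.example/", width: "0" });
  const injected = () => new Node("script", { id: "injected-2" }, (e) => e.append(iframe()));
  emu.append(new Node("script", { id: "static-1" }, (e) => e.append(injected())));
  emu.append(new Node("div", { id: "static-div" }));
  // Placeholder verdict rule (assumption): zero-width iframe pointing at a listed host.
  const flagged = emu.body.children.filter(
    (n) => n.tag === "iframe" && n.attrs.width === "0" && n.attrs.src.includes("bad.example"));
  return flagged.map((n) => {
    const lineage = dynamicLineage(n);
    // Quarantine target: the script at the root of the lineage.
    return { element: n.attrs.id, structuralParent: n.parent.tag, lineage,
             quarantine: lineage[lineage.length - 1] };
  });
}
```

The structure alone shows only `body` as the iframe's parent; the stack is what ties the flagged element back to the static script that has to be quarantined.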
Specification