System and method for detection of phishing scripts
Abstract
Disclosed are exemplary aspects of systems and methods for detection of phishing scripts. An exemplary method comprises: generating a bytecode of a script; computing a hash sum of the generated bytecode; determining a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts; identifying at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold; determining a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and determining whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.
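The pipeline in the abstract can be sketched end to end. This is an added example, not code from the patent. The page does not define the command list, the hash function or the formulas, so the opcode table, the byte-pair fingerprint standing in for the hash sum, the Jaccard similarity, the minimum-pairwise compactness and the product-based decision are all assumptions.

```python
import re
from itertools import combinations

# Assumed command table: functional group -> {command name: opcode byte}.
GROUPS = {
    "disk_write": {"Write": 0x01, "WriteLine": 0x02, "SaveToFile": 0x03},
    "file_system": {"CreateTextFile": 0x11, "FileExists": 0x12, "DeleteFile": 0x13},
    "execution": {"Run": 0x21, "ShellExecute": 0x22, "Exec": 0x23},
}

def bytecode(script):
    """Keep only calls listed in GROUPS; emit one opcode run per functional group."""
    calls = re.findall(r"\.(\w+)\s*\(", script)
    out = bytearray()
    for tag, table in enumerate(GROUPS.values(), start=0xF0):
        out.append(tag)  # group marker byte
        out.extend(table[c] for c in calls if c in table)
    return bytes(out)

def fingerprint(code):
    """Assumed stand-in for a fuzzy hash sum: the set of adjacent byte pairs."""
    return frozenset(code[i:i + 2] for i in range(len(code) - 1))

def similarity(a, b):
    """Jaccard similarity in [0, 1] between two fingerprints."""
    return len(a & b) / len(a | b) if a | b else 1.0

def compactness(group):
    """Assumed definition: lowest pairwise similarity among group members."""
    pairs = list(combinations(group, 2))
    return min(similarity(a, b) for a, b in pairs) if pairs else 1.0

def classify(script, known_groups, threshold=0.6, cutoff=0.3):
    """known_groups: list of (fingerprints, trust). Returns (verdict, score)."""
    fp = fingerprint(bytecode(script))
    best = 0.0
    for members, trust in known_groups:
        sim = max(similarity(fp, m) for m in members)
        if sim >= threshold:  # group holds a sufficiently similar hash sum
            best = max(best, sim * compactness(members) * trust)
    return best >= cutoff, round(best, 3)

# Constructed sample scripts (not taken from any real campaign).
KNOWN_A = "var f = fso.CreateTextFile(p); f.Write(d); sh.Run(p);"
KNOWN_B = ("if (fso.FileExists(p)) fso.DeleteFile(p); "
           "var f = fso.CreateTextFile(p); f.Write(d); sh.Run(p);")
SUSPECT = "var f = fso.CreateTextFile(x); f.Write(a); f.Write(b); sh.Run(x);"
BENIGN = 'var x = doc.getElementById("a"); x.focus();'
MEMBERS = [fingerprint(bytecode(s)) for s in (KNOWN_A, KNOWN_B)]
```

With the same similarity to the group, `classify(SUSPECT, [(MEMBERS, 0.9)])` flags the script while a trust of `0.2` does not, which is the effect of weighing compactness and trust alongside similarity.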
18 Claims
1. A method for detection of phishing scripts, the method comprising:
- identifying, by a processor, in a script, commands responsible for functions of writing of data to disk, working with objects of file system and execution of programs;
- grouping, by processor, the identified script commands into a plurality of functional groups;
- generating, by the processor, a bytecode for each functional group;
- computing, by the processor, a hash sum of the generated bytecode;
- determining, by the processor, a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts;
- identifying, by the processor, at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold;
- determining, by the processor, a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and
- determining, by the processor, whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.
(Dependent claims: 2, 3, 4, 5, 6)
7. A system for detection of phishing scripts, the system comprising:
a hardware processor configured to;
- identify, in a script, commands responsible for functions of writing of data to disk, working with objects of file system and execution of programs;
- group the identified script commands into a plurality of functional groups;
- generate a bytecode for each functional group;
- compute a hash sum of the generated bytecode;
- determine a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts;
- identify at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold;
- determine a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and
- determine whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.
(Dependent claims: 8, 9, 10, 11, 12)
13. A non-transitory computer readable medium storing computer executable instructions for detection of phishing scripts, including instructions for:
- identifying, in a script, commands responsible for functions of writing of data to disk, working with objects of file system and execution of programs;
- grouping the identified script commands into a plurality of functional groups;
- generating a bytecode for each functional group;
- computing a hash sum of the generated bytecode;
- determining a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts;
- identifying at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold;
- determining a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and
- determining whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.
(Dependent claims: 14, 15, 16, 17, 18)