System and method for detection of phishing scripts

US 9,497,218 B1
Filed: 03/07/2016
Issued: 11/15/2016
Est. Priority Date: 09/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detection of phishing scripts, the method comprising:

identifying, by a processor, in a script, commands responsible for functions of writing of data to disk, working with objects of file system and execution of programs;

grouping, by processor, the identified script commands into a plurality of functional groups;

generating, by the processor, a bytecode for each functional group;

computing, by the processor, a hash sum of the generated bytecode;

determining, by the processor, a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts;

identifying, by the processor, at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold;

determining, by the processor, a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and

determining, by the processor, whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are exemplary aspects of systems and methods for detection of phishing scripts. An exemplary method comprises: generating a bytecode of a script; computing a hash sum of the generated bytecode; determining a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts; identifying at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold; determining a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and determining whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.

Citations

18 Claims

1. A method for detection of phishing scripts, the method comprising:
- identifying, by a processor, in a script, commands responsible for functions of writing of data to disk, working with objects of file system and execution of programs;
  
  grouping, by processor, the identified script commands into a plurality of functional groups;
  
  generating, by the processor, a bytecode for each functional group;
  
  computing, by the processor, a hash sum of the generated bytecode;
  
  determining, by the processor, a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts;
  
  identifying, by the processor, at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold;
  
  determining, by the processor, a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and
  
  determining, by the processor, whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the bytecode includes at least one opcode of the script.
  - 3. The method of claim 1, wherein generating a bytecode of the script further includes:
    - assigning, by the processor, a binary value to each functional group; and
      
      generating, by the processor, the bytecode from the binary values.
  - 4. The method of claim 1, wherein a hash sum includes a fuzzy hash.
  - 5. The method of claim 1, wherein searching for matching hash sums includes fuzzy searching.
  - 6. The method of claim 1, wherein determining a coefficient of compactness and a coefficient of trust of the identified group of hash sums, further includes:
    - determining an index of the identified group of hash sums, wherein the index indicates how much the coefficient of trust depends on the coefficient of compactness of the identified group of hash sums.

7. A system for detection of phishing scripts, the system comprising:
- a hardware processor configured to;
  
  identify, in a script, commands responsible for functions of writing of data to disk, working with objects of file system and execution of programs;
  
  group the identified script commands into a plurality of functional groups;
  
  generate a bytecode for each functional group;
  
  compute a hash sum of the generated bytecode;
  
  determine a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts;
  
  identify at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold;
  
  determine a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and
  
  determine whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the bytecode includes at least one opcode of the script.
  - 9. The system of claim 7, wherein generating a bytecode of the script further includes:
    - assign a binary value to each functional group; and
      
      generate the bytecode from the binary values.
  - 10. The system of claim 7, wherein a hash sum includes a fuzzy hash.
  - 11. The system of claim 7, wherein searching for matching hash sums includes fuzzy searching.
  - 12. The system of claim 7, wherein determining a coefficient of compactness and a coefficient of trust of the identified group of hash sums, further includes:
    - determining an index of the identified group of hash sums, wherein the index indicates how much the coefficient of trust depends on the coefficient of compactness of the identified group of hash sums.

13. A non-transitory computer readable medium storing computer executable instructions for detection of phishing scripts, including instructions for:
- identifying, in a script, commands responsible for functions of writing of data to disk, working with objects of file system and execution of programs;
  
  grouping the identified script commands into a plurality of functional groups;
  
  generating a bytecode for each functional group;
  
  computing a hash sum of the generated bytecode;
  
  determining a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts;
  
  identifying at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold;
  
  determining a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and
  
  determining whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer readable medium of claim 13, wherein the bytecode includes at least one opcode of the script.
  - 15. The non-transitory computer readable medium of claim 13, wherein generating a bytecode of the script further includes:
    - assigning, by the hardware processor, a binary value to each functional group; and
      
      generating, by the hardware processor, the bytecode from the binary values.
  - 16. The non-transitory computer readable medium of claim 13, wherein a hash sum includes a fuzzy hash.
  - 17. The non-transitory computer readable medium of claim 13, wherein searching for matching hash sums includes fuzzy searching.
  - 18. The non-transitory computer readable medium of claim 13, wherein determining a coefficient of compactness and a coefficient of trust of the identified group of hash sums, further includes:
    - determining an index of the identified group of hash sums, wherein the index indicates how much the coefficient of trust depends on the coefficient of compactness of the identified group of hash sums.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Vinogradov, Dmitry V., Davydov, Vasily A., Ivanov, Anton M., Gavrilchenko, Roman Y.
Primary Examiner(s)
Tolentino, Roderick

Application Number

US15/062,715
Time in Patent Office

253 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/562 Static detection

H04L 63/1483 service impersonation, e.g....

System and method for detection of phishing scripts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detection of phishing scripts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links