System and method for blocking execution of scripts

US 9,648,032 B2
Filed: 03/07/2016
Issued: 05/09/2017
Est. Priority Date: 09/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method for blocking execution of malicious scripts, the method comprising:

intercepting, by a processor of a client, a script requested by the client from a server by providing, on the client, a driver configured to intercept network script requests by rerouting at least one transmission channel of the script from the client to the driver;

generating, by the processor, a bytecode of the intercepted script;

computing, by the processor, a hash sum of the generated bytecode;

determining, by the processor, a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of malicious and clean scripts stored in a database;

identifying, by the processor, a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode is within a threshold of similarity;

determining, by the processor, a coefficient of trust of the similar hash sum;

determining, by the processor, whether the requested script is malicious based on the degree of similarity and the coefficient of trust of the similar hash sum; and

blocking, by the processor, the execution of the malicious script on the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are exemplary aspects of systems and methods for blocking execution of scripts. An exemplary method comprises: intercepting a request for a script from a client to a server; generating a bytecode of the intercepted script; computing a hash sum of the generated bytecode; determining a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of malicious and clean scripts stored in a database; identifying a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode is within a threshold of similarity; determining a coefficient of trust of the similar hash sum; determining whether the requested script is malicious based on the degree of similarity and the coefficient of trust of the similar hash sum; and blocking the execution of the malicious script on the client.

Citations

15 Claims

1. A method for blocking execution of malicious scripts, the method comprising:
- intercepting, by a processor of a client, a script requested by the client from a server by providing, on the client, a driver configured to intercept network script requests by rerouting at least one transmission channel of the script from the client to the driver;
  
  generating, by the processor, a bytecode of the intercepted script;
  
  computing, by the processor, a hash sum of the generated bytecode;
  
  determining, by the processor, a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of malicious and clean scripts stored in a database;
  
  identifying, by the processor, a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode is within a threshold of similarity;
  
  determining, by the processor, a coefficient of trust of the similar hash sum;
  
  determining, by the processor, whether the requested script is malicious based on the degree of similarity and the coefficient of trust of the similar hash sum; and
  
  blocking, by the processor, the execution of the malicious script on the client.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the bytecode includes at least one opcode of the script.
  - 3. The method of claim 1, wherein generating a bytecode of the script includes:
    - identifying script commands responsible for functions of writing of data to disk, working with objects of file system and execution of programs;
      
      grouping the identified script commands into a plurality of functional groups based on their identified functions;
      
      assigning a binary value to each functional group; and
      
      generating the bytecode from the binary values.
  - 4. The method of claim 1, wherein a hash sum includes a fuzzy hash.
  - 5. The method of claim 1, wherein searching for matching hash sums includes fuzzy searching.

6. A system for blocking execution of malicious scripts, the system comprising:
- a hardware processor of a client configured to;
  
  intercept a script requested by the client from a server by providing, on the client, a driver configured to intercept network script requests by rerouting at least one transmission channel of the script from the client to the driver;
  
  generate a bytecode of the intercepted script;
  
  compute a hash sum of the generated bytecode;
  
  determine a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of malicious and clean scripts stored in a database;
  
  identify a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode is within a threshold of similarity;
  
  determine a coefficient of trust of the similar hash sum;
  
  determine whether the requested script is malicious based on the degree of similarity and the coefficient of trust of the similar hash sum; and
  
  block the execution of the malicious script on the client.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the bytecode includes at least one opcode of the script.
  - 8. The system of claim 6, wherein generating a bytecode of the script includes:
    - identify script commands responsible for functions of writing of data to disk, working with objects of file system and execution of programs;
      
      group the identified script commands into a plurality of functional groups based on their identified functions;
      
      assign a binary value to each functional group; and
      
      generate the bytecode from the binary values.
  - 9. The system of claim 6, wherein a hash sum includes a fuzzy hash.
  - 10. The system of claim 6, wherein searching for matching hash sums includes fuzzy searching.

11. A non-transitory computer readable medium storing computer executable instructions for blocking execution of malicious scripts, including instructions for:
- intercepting a script requested by a client from a server by providing, on the client, a driver configured to intercept network script requests by rerouting at least one transmission channel of the script from the client to the driver;
  
  generating a bytecode of the intercepted script;
  
  computing a hash sum of the generated bytecode;
  
  determining a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of malicious and clean scripts stored in a database;
  
  identifying a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode is within a threshold of similarity;
  
  determining a coefficient of trust of the similar hash sum;
  
  determining whether the requested script is malicious based on the degree of similarity and the coefficient of trust of the similar hash sum; and
  
  blocking the execution of the malicious script on the client.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer readable medium of claim 11, wherein the bytecode includes at least one opcode of the script.
  - 13. The non-transitory computer readable medium of claim 11, wherein generating a bytecode of the script includes:
    - identifying script commands responsible for functions of writing of data to disk, working with objects of file system and execution of programs;
      
      grouping the identified script commands into a plurality of functional groups based on their identified functions;
      
      assigning a binary value to each functional group; and
      
      generating the bytecode from the binary values.
  - 14. The non-transitory computer readable medium of claim 11, wherein a hash sum includes a fuzzy hash.
  - 15. The non-transitory computer readable medium of claim 11, wherein searching for matching hash sums includes fuzzy searching.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Davydov, Vasily A., Ivanov, Anton M., Gavrilchenko, Roman Y., Vinogradov, Dmitry V.
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US15/062,455
Publication Number

US 20170093893A1
Time in Patent Office

428 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/563   by source code analysis

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for blocking execution of scripts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for blocking execution of scripts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links