APPARATUS AND METHOD FOR DETECTING OBFUSCATED MALICIOUS WEB PAGE

US 20100024033A1
Filed: 03/25/2009
Published: 01/28/2010
Est. Priority Date: 07/23/2008
Status: Active Grant

First Claim

Patent Images

1. An apparatus for detecting an obfuscated malicious web page, comprising:

an obfuscated code detector that detects whether an obfuscated code is included in a source code of a web page;

a deobfuscation function inserter that reconfigures the source code by inserting a function for deobfuscating the obfuscated code into the source code;

a deobfuscator that is called by the function inserted into the reconfigured source code and deobfuscates the obfuscated code; and

a malicious code detector that detects a malicious code using the deobfuscated code.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for detecting an obfuscated malicious web page are provided to find a malicious web page by deobfuscating an obfuscated malicious code. The apparatus includes an obfuscated code detector that detects whether an obfuscated code is included in a source code of a web page, a deobfuscation function inserter that reconfigures the source code by inserting a function for deobfuscating the obfuscated code into the source code, a deobfuscator that is called by the function inserted into the reconfigured source code and deobfuscates the obfuscated code, and a malicious code detector that detects a malicious code using the deobfuscated code.

66 Citations

View as Search Results

13 Claims

1. An apparatus for detecting an obfuscated malicious web page, comprising:
- an obfuscated code detector that detects whether an obfuscated code is included in a source code of a web page;
  
  a deobfuscation function inserter that reconfigures the source code by inserting a function for deobfuscating the obfuscated code into the source code;
  
  a deobfuscator that is called by the function inserted into the reconfigured source code and deobfuscates the obfuscated code; and
  
  a malicious code detector that detects a malicious code using the deobfuscated code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, wherein the malicious code detector detects the malicious code using a rule-based pattern matching method.
  - 3. The apparatus of claim 2, further comprising:
    - a malicious code pattern database that provides a malicious code pattern to be used for malicious code detection of the malicious code detector.
  - 4. The apparatus of claim 1, further comprising:
    - an obfuscated code rule database that provides a rule of an obfuscated code to the obfuscated code detector.
  - 5. The apparatus of claim 1, further comprising:
    - a web browser display controller that displays the detected malicious code on a web browser.
  - 6. The apparatus of claim 1, wherein the obfuscated code detector finds at least one of a case where an empty character is inserted, a case where a character string concatenation operator “
    - +”
      
      is used, a case where a special character is repeatedly used, a case where an alphanumeric code is repeatedly used, and a case where a pointer for a dangerous script function is designated.
  - 7. The apparatus of claim 1, further comprising:
    - a web page source extractor that extracts the source code of the web page.
  - 8. The apparatus of claim 1, wherein the malicious code detector, the obfuscated code detector, and the deobfuscation function inserter are included in an independent executable file and the deobfuscator is included in a module embedded into the executable file.

9. A method for detecting an obfuscated malicious web page, comprising:
- determining whether an obfuscated code is included in a source code of a web page;
  
  reconfiguring, when the obfuscated code is included, the source code by inserting a function for deobfuscating the obfuscated code into the source code; and
  
  deobfuscating the obfuscated code using the reconfigured source code and detecting a malicious code using the deobfuscated code.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, further comprising:
    - detecting the malicious code using the source code before determining whether the obfuscated code is included.
  - 11. The method of claim 9, further comprising:
    - displaying that the malicious code has been detected on a web browser when the malicious code has been detected.
  - 12. The method of claim 9, wherein the function for deobfuscating the obfuscated code is inserted before a dangerous script function using the obfuscated code.
  - 13. The method of claim 12, wherein the obfuscated code is deobfuscated by calling a deobfuscation module in the deobfuscation function before the dangerous script function is executed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nainfox Co., Ltd.
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
LEE, Do Hoon, KANG, Jung Min, PARK, Eung Ki, CHOI, Young Han

Granted Patent

US 8,424,090 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/563   by source code analysis

H04L 63/1466   Active attacks involving in...

APPARATUS AND METHOD FOR DETECTING OBFUSCATED MALICIOUS WEB PAGE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR DETECTING OBFUSCATED MALICIOUS WEB PAGE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links