METHOD AND SYSTEM FOR PROTECTING AGAINST UNKNOWN MALICIOUS ACTIVITIES BY DETECTING A HEAP SPRAY ATTACK ON AN ELECTRONIC DEVICE

US 20120144486A1
Filed: 12/07/2010
Published: 06/07/2012
Est. Priority Date: 12/07/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a heap spray attack, comprising:

receiving a script at an electronic device from a remote device via a network;

detecting a loop operation in the script that contains a write operation operable to write data to a memory of the electronic device;

determining an amount of the data operable to be written to the memory by the write operation; and

preventing the data from being written to the memory if the amount of the data is greater than or equal to a threshold.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for protecting against unknown malicious activities by detecting a heap spray attack on a electronic device are disclosed. A script is received at an electronic device from a remote device via a network and a loop operation is detected in the script that contains a write operation operable to write data to a memory of the electronic device. The amount of the data operable to be written to the memory by the write operation is determined and the data is prevented from being written to the memory if the amount of the data is greater than or equal to a threshold.

22 Citations

View as Search Results

26 Claims

1. A method for detecting a heap spray attack, comprising:
- receiving a script at an electronic device from a remote device via a network;
  
  detecting a loop operation in the script that contains a write operation operable to write data to a memory of the electronic device;
  
  determining an amount of the data operable to be written to the memory by the write operation; and
  
  preventing the data from being written to the memory if the amount of the data is greater than or equal to a threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - the amount of data comprises a size of the data based on one iteration of the loop operation; and
      
      the threshold is between approximately 750 kilobytes (KB) and approximately 1.5 megabytes (MB).
  - 3. The method of claim 1, wherein:
    - the amount of data comprises an aggregate size of multiple copies of the data based on a total number of iterations of the loop operation; and
      
      the threshold is between approximately 70 megabytes (MB) and approximately 150 MB.
  - 4. The method of claim 1, further comprising allowing the script to be executed by an application if the amount of data is less than the threshold.
  - 5. The method of claim 1, wherein:
    - the amount of data comprises a size of the data based on one iteration of the loop operation and an aggregate size of multiple copies of the data based on a total number of iterations of the loop operation; and
      
      the threshold comprises a first threshold and a second threshold.
  - 6. The method of claim 5, further comprising preventing the data from being written to the memory if:
    - the size of the data based on one iteration of the loop is greater than or equal to the first threshold; and
      
      the aggregate size of the multiple copies of the data based on the total number of iterations of the loop operation is greater than or equal to the second threshold.
  - 7. The method of claim 1, wherein the data comprises a string including a NOP code and a shellcode.

8. An electronic device for detecting a heap spray attack, comprising:
- a processor;
  
  a computer readable memory communicatively coupled to the processor; and
  
  processing instructions encoded in the computer readable memory, the processing instructions, when executed by the processor, operable to perform operations comprising;
  
  receiving a script from a remote device via a network;
  
  detecting a loop operation in the script that contains a write operation operable to write data to the computer readable memory;
  
  determining an amount of the data operable to be written to the computer readable memory; and
  
  preventing the data from being written to the computer readable memory if the amount of the data is greater than or equal to a threshold.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The electronic device of claim 8, wherein:
    - the amount of data comprises a size of the data based on one iteration of the loop operation; and
      
      the threshold is between approximately 750 kilobytes (KB) and approximately 1.5 megabytes (MB).
  - 10. The electronic device of claim 8, wherein:
    - the amount of data comprises an aggregate size of multiple copies of the data based on a total number of iterations of the loop operation; and
      
      the threshold is between approximately 70 megabytes (MB) and approximately 150 MB.
  - 11. The electronic device of claim 8, wherein the processing instructions are further operable to perform operations comprising allowing the script to be executed by an application if the amount of data is less than the threshold.
  - 12. The electronic device of claim 8, wherein:
    - the amount of data comprises a size of the data based on one iteration of the loop operation and an aggregate size of multiple copies of the data based on a total number of iterations of the loop operation; and
      
      the threshold comprises a first threshold and a second threshold.
  - 13. The electronic device of claim 12, wherein the processing instructions are further operable to perform operations comprising preventing the data from being written to the memory if:
    - the size of the data based on one iteration of the loop is greater than or equal to the first threshold; and
      
      the aggregate size of the multiple copies of the data based on the total number of iterations of the loop operation is greater than or equal to the second threshold.
  - 14. The electronic device of claim 8, wherein the data comprises a string including a NOP code and a shellcode.

15. A non-transitory computer readable medium storing instructions for detecting a heap spray attack, the instructions, when executed by a processor, configured to:
- receive a script at an electronic device from a remote device via a network;
  
  detect a loop operation in the script that contains a write operation operable to write data to a memory of the electronic device;
  
  determine an amount of the data operable to be written to the memory by the write operation; and
  
  prevent the data from being written to the memory if the amount of the data is greater than or equal to a threshold.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer readable medium of claim 15, wherein:
    - the amount of data comprises a size of the data based on one iteration of the loop operation; and
      
      the threshold is between approximately 750 kilobytes (KB) and approximately 1.5 megabytes (MB).
  - 17. The non-transitory computer readable medium of claim 15, wherein:
    - the amount of data comprises an aggregate size of multiple copies of the data based on a total number of iterations of the loop operation; and
      
      the threshold is between approximately 70 megabytes (MB) and approximately 150 MB.
  - 18. The non-transitory computer readable medium of claim 15, wherein the instructions are further configured to allow the script to be executed by an application if the amount of data is less than the threshold.
  - 19. The non-transitory computer readable medium of claim 15, wherein:
    - the amount of data comprises a size of the data based on one iteration of the loop operation and an aggregate size of multiple copies of the data based on a total number of iterations of the loop operation; and
      
      the threshold comprises a first threshold and a second threshold.
  - 20. The non-transitory computer readable medium of claim 19, wherein the instructions are further configured to prevent the data from being written to the memory if:
    - the size of the data based on one iteration of the loop is greater than or equal to the first threshold; and
      
      the aggregate size of the multiple copies of the data based on the total number of iterations of the loop operation is greater than or equal to the second threshold.
  - 21. The non-transitory computer readable medium of claim 15, wherein the data comprises a string including a NOP code and a shellcode.

22. A method for detecting a heap spray attack, comprising:
- receiving a script at an electronic device from a remote device via a network;
  
  detecting a loop operation in the script that contains a write operation operable to write a string to a memory of the electronic device;
  
  determining a size of the string operable to be written to the memory by the write operation based on one iteration of the loop operation;
  
  determining an aggregate size of multiple copies of the string operable to be written to the memory by the write operation based on a total number of iterations of the loop operation; and
  
  preventing the string from being written to the memory if the size of the string is greater than or equal to a first threshold and the aggregate size of the multiple copies of the string is greater than or equal to a second threshold.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The method of claim 22, wherein:
    - the first threshold is between approximately 750 kilobytes (KB) and approximately 1.5 megabytes (MB); and
      
      the second threshold is between approximately 70 megabytes (MB) and approximately 150 MB.
  - 24. The method of claim 22, wherein the string comprises a NOP code and a shellcode.
  - 25. The method of claim 22, wherein the write operation comprises a concatenation operation.
  - 26. The method of claim 22, wherein the script is a JavaScript or a VBScript.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Navaraj, J. McEnroe Samuel, Kashyap, Rahul C.

Granted Patent

US 9,003,501 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/52   during program execution, e...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

METHOD AND SYSTEM FOR PROTECTING AGAINST UNKNOWN MALICIOUS ACTIVITIES BY DETECTING A HEAP SPRAY ATTACK ON AN ELECTRONIC DEVICE

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR PROTECTING AGAINST UNKNOWN MALICIOUS ACTIVITIES BY DETECTING A HEAP SPRAY ATTACK ON AN ELECTRONIC DEVICE

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links