METHOD AND SYSTEM FOR PROTECTING AGAINST UNKNOWN MALICIOUS ACTIVITIES BY DETECTING A HEAP SPRAY ATTACK ON AN ELECTRONIC DEVICE
Abstract
A method and system for protecting against unknown malicious activities by detecting a heap spray attack on an electronic device are disclosed. A script is received at an electronic device from a remote device via a network and a loop operation is detected in the script that contains a write operation operable to write data to a memory of the electronic device. The amount of the data operable to be written to the memory by the write operation is determined and the data is prevented from being written to the memory if the amount of the data is greater than or equal to a threshold.
26 Claims
1. A method for detecting a heap spray attack, comprising:
- receiving a script at an electronic device from a remote device via a network;
- detecting a loop operation in the script that contains a write operation operable to write data to a memory of the electronic device;
- determining an amount of the data operable to be written to the memory by the write operation; and
- preventing the data from being written to the memory if the amount of the data is greater than or equal to a threshold.
Dependent claims: 2, 3, 4, 5, 6, 7

8. An electronic device for detecting a heap spray attack, comprising:
- a processor;
- a computer readable memory communicatively coupled to the processor; and
- processing instructions encoded in the computer readable memory, the processing instructions, when executed by the processor, operable to perform operations comprising:
  - receiving a script from a remote device via a network;
  - detecting a loop operation in the script that contains a write operation operable to write data to the computer readable memory;
  - determining an amount of the data operable to be written to the computer readable memory; and
  - preventing the data from being written to the computer readable memory if the amount of the data is greater than or equal to a threshold.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A non-transitory computer readable medium storing instructions for detecting a heap spray attack, the instructions, when executed by a processor, configured to:
- receive a script at an electronic device from a remote device via a network;
- detect a loop operation in the script that contains a write operation operable to write data to a memory of the electronic device;
- determine an amount of the data operable to be written to the memory by the write operation; and
- prevent the data from being written to the memory if the amount of the data is greater than or equal to a threshold.
Dependent claims: 16, 17, 18, 19, 20, 21

22. A method for detecting a heap spray attack, comprising:
- receiving a script at an electronic device from a remote device via a network;
- detecting a loop operation in the script that contains a write operation operable to write a string to a memory of the electronic device;
- determining a size of the string operable to be written to the memory by the write operation based on one iteration of the loop operation;
- determining an aggregate size of multiple copies of the string operable to be written to the memory by the write operation based on a total number of iterations of the loop operation; and
- preventing the string from being written to the memory if the size of the string is greater than or equal to a first threshold and the aggregate size of the multiple copies of the string is greater than or equal to a second threshold.
Dependent claims: 23, 24, 25, 26

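The two-threshold test of claim 22, sketched as an added example that is not code from the patent: the size of the string is computed from its expression tree without building the string, then checked per iteration and in aggregate. The loop descriptor format, the node kinds (`lit`, `repeat`, `concat`), the function names and both threshold values are assumptions made for illustration.

```javascript
// Added illustration. Descriptor format and threshold values are assumed,
// not taken from the patent.
const FIRST_THRESHOLD = 64 * 1024;          // assumed: bytes written in one iteration
const SECOND_THRESHOLD = 16 * 1024 * 1024;  // assumed: bytes written over all iterations

// Size in bytes of a string expression, computed without materializing it.
// JavaScript strings are UTF-16, so each code unit counts as 2 bytes.
function exprBytes(node) {
  switch (node.kind) {
    case "lit": return node.value.length * 2;
    case "repeat": return exprBytes(node.of) * node.times;
    case "concat": return node.parts.reduce((sum, p) => sum + exprBytes(p), 0);
    default: throw new TypeError(`unknown node kind: ${node.kind}`);
  }
}

// loop = { write: <string expression>, iterations: <total iteration count> }
function checkLoop(loop) {
  if (!(loop.iterations >= 0)) throw new RangeError("iterations must be >= 0");
  const perIteration = exprBytes(loop.write);
  const aggregate = perIteration * loop.iterations;
  // Block only when BOTH thresholds are met, as in claim 22.
  const block = perIteration >= FIRST_THRESHOLD && aggregate >= SECOND_THRESHOLD;
  return { perIteration, aggregate, allow: !block };
}

// Constructed sample inputs (filler characters only).
const ONE_MIB_STRING = {
  kind: "concat",
  parts: [
    { kind: "repeat", of: { kind: "lit", value: "AA" }, times: 262143 },
    { kind: "lit", value: "BB" },
  ],
};
const SMALL_STRING = { kind: "lit", value: "0123456789abcdef" };

const SAMPLES = [
  ["1 MiB string x 200", { write: ONE_MIB_STRING, iterations: 200 }],
  ["1 MiB string x 4", { write: ONE_MIB_STRING, iterations: 4 }],
  ["32-byte string x 1,000,000", { write: SMALL_STRING, iterations: 1000000 }],
];
for (const [label, loop] of SAMPLES) {
  const r = checkLoop(loop);
  console.log(label, r.allow ? "allowed" : "blocked", r.perIteration, r.aggregate);
}
```

Only the first sample is blocked: the second meets the per-iteration threshold but not the aggregate one, and the third meets the aggregate threshold with a string far below the per-iteration one.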
Specification