METHOD AND SYSTEM FOR DETECTING MALICIOUS SCRIPT
Abstract
A method for detecting a malicious script is provided. A plurality of distribution eigenvalues are generated according to a plurality of function names of a web script. After the distribution eigenvalues are input to a hidden Markov model (HMM), probabilities respectively corresponding to a normal state and an abnormal state are calculated. Whether the web script is malicious can then be determined according to the probabilities. Even if an attacker attempts to change the event order, insert a new event, or replace an event with a new one to avoid detection, the method can still recognize the intent hidden in the web script by using the HMM for event modeling. As such, the method may be applied to the detection of obfuscated malicious scripts.
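The pipeline in the abstract, sketched as an added example that is not the patent's own implementation. The page does not say how the distribution eigenvalues or the model parameters are derived, so the sliding-window feature, the `DYNAMIC` set, the HMM probabilities and both sample scripts are assumptions constructed for illustration.

```python
import re

# All sets and HMM parameters below are assumed values for illustration.
DYNAMIC = {"eval", "unescape", "String.fromCharCode", "document.write"}
KEYWORDS = {"if", "for", "while", "switch", "function", "return", "catch"}
CALL_RE = re.compile(r"([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\(")

START = [0.8, 0.2]                      # P(normal), P(abnormal) at step 0
TRANS = [[0.9, 0.1], [0.2, 0.8]]        # TRANS[prev][next]
EMIT = [[0.70, 0.25, 0.05],             # normal state: mostly symbol 0
        [0.10, 0.30, 0.60]]             # abnormal state: mostly symbol 2

def extract_function_names(script):
    """Called function names in order of appearance, keywords dropped."""
    return [n for n in CALL_RE.findall(script) if n not in KEYWORDS]

def distribution_features(names, window=3):
    """Quantize the share of dynamic-code calls in each sliding window."""
    if not names:
        return []
    spans = [names[i:i + window] for i in range(max(1, len(names) - window + 1))]
    feats = []
    for span in spans:
        share = sum(n in DYNAMIC for n in span) / len(span)
        feats.append(0 if share == 0 else 1 if share <= 0.5 else 2)
    return feats

def state_probabilities(observations):
    """Normalized forward pass; returns (P(normal), P(abnormal)) at the end."""
    belief = START[:]
    for t, obs in enumerate(observations):
        if t > 0:
            belief = [sum(belief[p] * TRANS[p][s] for p in range(2)) for s in range(2)]
        belief = [belief[s] * EMIT[s][obs] for s in range(2)]
        total = sum(belief)
        belief = [b / total for b in belief]
    return belief[0], belief[1]

def is_malicious(script):
    """Flag the script when the abnormal state is the more probable one."""
    p_normal, p_abnormal = state_probabilities(
        distribution_features(extract_function_names(script)))
    return p_abnormal > p_normal

# Constructed sample inputs.
BENIGN = 'var e = document.getElementById("a"); e.addEventListener("click", h); console.log(e.value); parseInt(x); alert(y);'
OBFUSCATED = 'var s = unescape("%61"); var t = String.fromCharCode(97, 98); eval(s + t); document.write(t);'
```

Because the features describe how calls are distributed within a window rather than their exact order, reordering the calls in `OBFUSCATED` yields the same observation symbols and the same verdict.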
10 Claims
1. A method for detecting a malicious script, comprising:
- receiving a web script;
- extracting a plurality of function names of the web script;
- generating a plurality of distribution eigenvalues according to the function names;
- inputting the distribution eigenvalues into a hidden Markov model which defines a normal state and an abnormal state;
- using the hidden Markov model to calculate a first probability and a second probability according to the distribution eigenvalues, the first probability and the second probability corresponding to the normal state and the abnormal state, respectively; and
- determining whether the web script is malicious according to the first probability and the second probability.

Dependent claims: 2, 3, 4, 5

6. A system for detecting a malicious script, comprising:
- a web script collector for receiving a web script;
- a script function extractor for extracting a plurality of function names of the web script and generating a plurality of distribution eigenvalues according to the function names; and
- an abnormal state detector adapted to input the distribution eigenvalues into a hidden Markov model so as to use the hidden Markov model to calculate a first probability and a second probability according to the distribution eigenvalues to thereby determine whether the web script is malicious, wherein the hidden Markov model defines a normal state and an abnormal state, and the first probability and the second probability correspond to the normal state and the abnormal state, respectively.

Dependent claims: 7, 8, 9, 10

Specification