System and method for detecting malicious script
US-9032516-B2 · May 12, 2015 · US
Methods, media, and systems for detecting attack on a digital processing device
US2019311113A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2019311113-A1 |
| Application number | US-201816215976-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 11, 2018 |
| Priority date | Sep 18, 2006 |
| Publication date | Oct 10, 2019 |
| Grant date | — |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
First claim
Opening claim text (preview).
1 . (canceled) 2 . A method for detecting an attack on an application, comprising: performing, using a digital processing device, a static analysis by comparing at least part of a document to a first detection model; determining, using the digital processing device, whether attacking code is included in the document based on the comparison of the document to the first detection model; performing, using the digital processing device, a dynamic analysis by comparing behavior observed by execution of the document to a second detection model; determining, using the digital processing device, whether the attacking code is included in the document based on the comparison of the behavior observed by the execution of the document to the second detection model; and reporting, using the digital processing device, the presence of an attack based on the static analysis and the dynamic analysis. 3 . The method of claim 2 , further comprising updating the first detection model if attacking code is determined to be present based on the execution of the at least part of the document. 4 . The method of claim 2 , wherein the determining whether attacking code is included in the document based on the execution of the at least part of the document comprises comparing the behavior observed by the execution of the document to behavior observed by execution of at least one of known attacking documents and known benign documents. 5 . The method of claim 2 , wherein at least part of the second detection model is created by: executing at least one known malicious document in a first environment; executing the at least one known malicious document in a second environment; comparing the behavior observed by execution in the first environment to the behavior observed by execution in the second environment to determine any differences in behavior; and adding at least one difference in behavior to the second detection model, wherein the document is executed in at least one of the first environment and second environment. 6 . The method of claim 2 , further comprising parsing the document into sections and wherein the comparing the at least part of the document to the first detection model by selecting at least one the sections and comparing the at least one selected section to the first detection model. 7 . The method of claim 2 , wherein the document is a word processing document, wherein the execution comprises opening the document in a word processing application, wherein the document is embedded with at least one of an image, a table, and injected code, and wherein the document is executed in a protected environment. 8 . A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting an attack on an application, the method comprising: performing a static analysis by comparing at least part of a document to a first detection model; determining whether attacking code is included in the document based on the comparison of the document to the first detection model; performing a dynamic analysis by comparing behavior observed by execution of the document to a second detection model; determining whether the attacking code is included in the document based on the comparison of the behavior observed by the execution of the document to the second detection model; and reporting the presence of an attack based on the static analysis and the dynamic analysis. 9 . The non-transitory computer-readable medium of claim 8 , wherein the method further comprises updating the first detection model if attacking code is determined to be present based on the execution of the at least part of the document. 10 . The non-transitory computer-readable medium of claim 8 , wherein the determining whether attacking code is included in the document based on the execution of the at least part of the document comprises comparing the behavior observed by the execution of the document to behavior observed by execution of at least one of known attacking documents and known benign documents. 11 . The non-transitory computer-readable medium of claim 8 , wherein at least part of the second detection model is created by: executing at least one known malicious document in a first environment; executing the at least one known malicious document in a second environment; comparing the behavior observed by execution in the first environment to the behavior observed by execution in the second environment to determine any differences in behavior; and adding at least one difference in behavior to the second detection model, wherein the document is executed in at least one of the first environment and second environment. 12 . The non-transitory computer-readable medium of claim 8 , wherein the method further comprises parsing the document into sections and wherein the comparing the at least part of the document to the first detection model by selecting at least one the sections and comparing the at least one selected section to the first detection model. 13 . The non-transitory computer-readable medium of claim 8 , wherein the document is a word processing document, wherein the execution comprises opening the document in a word processing application, wherein the document is embedded with at least one of an image, a table, and injected code, and wherein the document is executed in a protected environment. 14 . A system for detecting attack, the system comprising: a memory; and a processor in communication with the memory, wherein the processor is configured to: perform a static analysis by comparing at least part of a document to a first detection model; determine whether attacking code is included in the document based on the comparison of the document to the first detection model; perform a dynamic analysis by comparing behavior observed by execution of the document to a second detection model; determine whether the attacking code is included in the document based on the comparison of the behavior observed by the execution of the document to the second detection model; and report the presence of an attack based on the static analysis and the dynamic analysis. 15 . The system of claim 14 , wherein the processor is further configured to update the first detection model if attacking code is determined to be present based on the execution of the at least part of the document. 16 . The system of claim 14 , wherein the determining whether attacking code is included in the document based on the execution of the at least part of the document comprises comparing the behavior observed by the execution of the document to behavior observed by execution of at least one of known attacking documents and known benign documents. 17 . The system of claim 14 , wherein at least part of the second detection model is created by: executing at least one known malicious document in a first environment; executing the at least one known malicious document in a second environment; comparing the behavior observed by execution in the first environment to the behavior observed by execution in the second environment to determine any differences in behavior; and adding at least one difference in behavior to the second detection model, wherein the document is executed in at least one of the first environment and second environment. 18 . The system of claim 14 , wherein the processor is further configured to parse the document into sections and wherein the comparing the at least part of the document to
Assignees
Inventors
Classifications
Static detection · CPC title
- G06F21/50Primary
Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
- G06F21/56Primary
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US2019311113A1 cover?
- Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in …
- Who is the assignee on this patent?
- Univ Columbia
- What technology area does this patent fall under?
- Primary CPC classification G06F21/50. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Thu Oct 10 2019 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).