[특허]System and method for detecting malicious script

System and method for detecting malicious script 원문보기

IPC분류정보
국가/구분	United States(US) Patent 등록
국제특허분류(IPC7판)	G06F-011/00 G06F-021/56
출원번호	US-0944100 (2010-11-11)
등록번호	US-9032516 (2015-05-12)
우선권정보	KR-10-2010-0027703 (2010-03-29)
발명자 / 주소	Kim, Tae Ghyoon Choi, Young Han Choi, Seok Jin Lee, Cheol Won
출원인 / 주소	Electronics and Telecommunications Research Institute
대리인 / 주소	LRK Patent Law Firm
인용정보	피인용 횟수 : 3 인용 특허 : 11

초록 ▼

Provided are a system and method for detecting a malicious script. The system includes a script decomposition module for decomposing a web page into scripts, a static analysis module for statically analyzing the decomposed scripts in the form of a document file, a dynamic analysis module for dynamically executing and analyzing the decomposed scripts, and a comparison module for comparing an analysis result of the static analysis module and an analysis result of the dynamic analysis module to determine whether the decomposed scripts are malicious scripts. The system and method can recognize a hidden dangerous hypertext markup language (HTML) tag irrespective of an obfuscation technique for hiding a malicious script in a web page and thus can cope with an unknown obfuscation technique.

대표청구항 ▼

1. A system for detecting a malicious script, comprising: a computer processor executing instructions for performing steps of:downloading a web page to a web browser;decomposing the downloaded web page into scripts, extracting the scripts from the web page, generating a hypertext markup language (HTML) document for each of the extracted scripts and storing each of the generated HTML documents;performing a static analysis on each of the HTML documents by opening each HTML document with a text editor and counting the number of times that a signature of each dangerous HTML tag included in a dangerous HTML tag database is identical to text patterns of each of the scripts corresponding to the HTML documents;performing a dynamic analysis that dynamically executes each of the HTML documents through the web browser and uses a plug-in which operates in a memory area of the web browser to analyze each of the scripts corresponding to the HTML documents in a completed script execution state by accessing results of the executed HTML documents using a function provided by the web browser and counting the number of times that the content of each of the results of the dynamically executed HTML documents is identical to each signature included in the dangerous HTML tag database; andperforming a comparison for each of the scripts of the web page that compares the number of times counted by the static analysis with the number of times counted by the dynamic analysis, wherein a script of the scripts from the web page is determined as a malicious script when the number of times counted by the static analysis and the number of times counted by the dynamic analysis are different. 2. The system of claim 1, further comprising a step of analyzing an Internet protocol (IP) address and domain information of a redirection site to detect a web page spreading malicious code. 3. The system of claim 2, wherein the IP address analysis detects the web page spreading malicious code using geographic location information on the IP address, and the domain information analysis detects the web page spreading malicious code using a degree of similarity between domain information included in the decomposed scripts and domain information on a website being visited. 4. The system of claim 2, further comprising a step of checking whether a whitelist signature known to be normal is included in a script determined to be malicious, and filtering the script determined to be malicious as a normal script when the whitelist signature is included in the script. 5. The system of claim 1, wherein the dynamic analysis obtains information on final results of executing the HTML documents in communication with a script execution element of the web browser. 6. A method of detecting a malicious script, comprising: downloading a web page to a web browser;decomposing the downloaded web page into scripts, extracting the scripts from the web page, generating a hypertext markup language (HTML) document for each of the extracted scripts and storing each of the generated HTML documents;statically analyzing each of the HTML documents by opening each HTML document with a text editor and counting the number of times that a signature of each dangerous HTML tag included in a dangerous HTML tag database is identical to text patterns of each of the scripts corresponding to the HTML documents;executing each of the HTML documents through the web browser and using a plug-in which operates in a memory of the web browser to analyze the scripts corresponding to the HTML documents in a completed script execution state by accessing results of the executed HTML documents using a function provided by the web browser and counting the number of times that content of each of the results of the dynamically executed HTML documents is identical to each signature included in the dangerous HTML tag database; andcomparing, for each of the scripts of the web page, the number of times counted by the static analysis with the number of times counted by the dynamic analysis, wherein a script of the scripts from the web page is determined as a malicious script when the number of times counted by the static analysis and the number of times counted by the dynamic analysis are different. 7. The method of claim 6, further comprising analyzing an Internet protocol (IP) address and domain information of a site to which redirection is performed by a script determined to be malicious to detect a web page spreading malicious code. 8. The method of claim 7, wherein analyzing the IP address includes detecting the web page spreading malicious code using geographic location information on the IP address, and analyzing domain information includes detecting the web page spreading malicious code using a degree of similarity between domain information included in the content of each of the dynamically executed HTML documents and domain information on a website being visited. 9. The method of claim 7, further comprising checking whether a whitelist signature known to be normal is included in the script determined to be malicious and filtering the script determined to be malicious as a normal script when the whitelist signature is included in the script. 10. The method of claim 6, wherein dynamically analyzing the HTML documents further includes obtaining information on final results of executing the HTML documents scripts in communication with a script execution element of the web browser.

이 특허에 인용된 특허 (11)

Kim, Won-Jip; Ryu, Yeon-Sik; Son, So-Ra, Apparatus and method of securing network.
상세보기
Lou, Vic, Application behavior based malware detection.
상세보기
Kalinichenko, Michael, Application of nested behavioral rules for anti-malware processing.
상세보기
Oliver, Jonathan James; Chen, Hsin-Yi; Chen, Guan-Liang; Hsu, Cheng Hsin, Detecting indicators of misleading content in markup language coded documents using the formatting of the document.
상세보기
Dixon, Christopher John; Pinckney, Thomas, Indicating website reputations during website manipulation of user information.
상세보기
Gschwind,Michael Karl; O'Brien,Kathryn M.; O'Brien,John Kevin; Salapura,Valentina, Method and apparatus for mapping debugging information when debugging integrated executables in a heterogeneous architecture.
상세보기
Kaul, Prateek, Method and apparatus for safe web browsing.
상세보기
Gabriel, Basil S., Method and system for secure network access using a virtual machine.
상세보기
Buchthal,David Michael; Forschler,Lucas Jason; Gallagher,Thomas Patrick; Loisey,Christophe Rene; Pullen,Walter David; Turski,Andrzej, Method, system, and computer-readable medium for filtering harmful HTML in an electronic document.
상세보기
Bertman,Justin R.; Liston,Bryan M.; Boney,Matthew L., System and method for locating malware.
상세보기
Dewey, David Bryan; Freeman, Robert G.; Griswold, Paul Elliott, System, method and program product for detecting computer attacks.
상세보기

이 특허를 인용한 특허 (3)

Liu, Wei-Wei; Ma, Qian, Computer apparatus and control method for optical disk drive thereof.
상세보기
Warman, Leon Robert; Kufeld, Kurt; Vosshall, Peter Sven; Johansson, Jesper Mikael; Peterson, Kyle Bradley; Hill, Peter Frank, Distributed split browser content inspection and analysis.
상세보기
Stolfo, Salvatore J.; Li, Wei-Jen; Keromytis, Angelos D.; Androulaki, Elli, Methods, media, and systems for detecting attack on a digital processing device.
상세보기

내보내기 메뉴

내보내기 구분

파일저장
인쇄
메일전송

구성항목

기본정보
상세정보

관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표IPC

저장형식

Text(ASCII format)
Excel format
PIAS분석(.xls)

메일정보

받는사람 (필수): @
보내는사람 (선택): @
제목
내용: KISTI 검색결과 이메일 서비스

안내

총 건의 자료가 검색되었습니다.

다운받으실 자료의 인덱스를 입력하세요. (1-10,000)

검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다.

데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요)

다운로드 파일은 UTF-8 형태로 저장됩니다.
파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오.

Text(ASCII format)
Excel format

AI-Helper ※ AI-Helper는 을 사용합니다.

AI-Helper

안녕하세요, AI-Helper입니다. 좌측 "선택된 텍스트"에서 텍스트를 선택하여 요약, 번역, 용어설명을 실행하세요.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.

IPC	Description
A	생활필수품
A62	인명구조; 소방(사다리 E06C)
A62B	인명구조용의 기구, 장치 또는 방법(특히 의료용에 사용되는 밸브 A61M 39/00; 특히 물에서 쓰이는 인명구조 장치 또는 방법 B63C 9/00; 잠수장비 B63C 11/00; 특히 항공기에 쓰는 것, 예. 낙하산, 투출좌석 B64D; 특히 광산에서 쓰이는 구조장치 E21F 11/00)
A62B-1/08	.. 윈치 또는 풀리에 제동기구가 있는 것

연합인증

System and method for detecting malicious script 원문보기