Title of invention: System and method for detecting malicious script
Abstract: Provided are a system and method for detecting a malicious script. The system includes a script decomposition module for decomposing a web page into scripts, a static analysis module for statically analyzing the decomposed scripts in the form of a document file, a dynamic analysis module for dynamically executing and analyzing the decomposed scripts, and a comparison module for comparing an analysis result of the static analysis module and an analysis result of the dynamic analysis module to determine whether the decomposed scripts are malicious scripts. The system and method can recognize a hidden dangerous hypertext markup language (HTML) tag irrespective of an obfuscation technique for hiding a malicious script in a web page and thus can cope with an unknown obfuscation technique.
Publication number: US9032516(B2)
Publication date: 2015.05.12
Application number: US201012944100
Application date: 2010.11.11
Applicant: Electronics and Telecommunications Research Institute
Inventors: Kim Tae Ghyoon;Choi Young Han;Choi Seok Jin;Lee Cheol Won
Classification number: G06F11/00;G06F21/56
Main classification number: G06F11/00
Agency: LRK Patent Law Firm
Agent: LRK Patent Law Firm
Main claim: 1. A system for detecting a malicious script, comprising: a computer processor executing instructions for performing steps of: downloading a web page to a web browser; decomposing the downloaded web page into scripts, extracting the scripts from the web page, generating a hypertext markup language (HTML) document for each of the extracted scripts and storing each of the generated HTML documents; performing a static analysis on each of the HTML documents by opening each HTML document with a text editor and counting the number of times that a signature of each dangerous HTML tag included in a dangerous HTML tag database is identical to text patterns of each of the scripts corresponding to the HTML documents; performing a dynamic analysis that dynamically executes each of the HTML documents through the web browser and uses a plug-in which operates in a memory area of the web browser to analyze each of the scripts corresponding to the HTML documents in a completed script execution state by accessing results of the executed HTML documents using a function provided by the web browser and counting the number of times that the content of each of the results of the dynamically executed HTML documents is identical to each signature included in the dangerous HTML tag database; and performing a comparison for each of the scripts of the web page that compares the number of times counted by the static analysis with the number of times counted by the dynamic analysis, wherein a script of the scripts from the web page is determined as a malicious script when the number of times counted by the static analysis and the number of times counted by the dynamic analysis are different.
Address: Daejeon KR
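The comparison rule in the main claim, as an added JavaScript example that is not taken from the patent or from the applicant's implementation. The signature list, the three sample scripts and the stub `document` object are constructed for illustration, and a recording `document.write` run through `new Function` stands in for the claim's in-browser plug-in.

```javascript
// Constructed stand-in for the claim's "dangerous HTML tag database".
const DANGEROUS_TAG_SIGNATURES = ['<iframe', '<embed', '<object'];

// Count case-insensitive occurrences of every signature in a piece of text.
function countSignatures(text) {
  const haystack = text.toLowerCase();
  let total = 0;
  for (const sig of DANGEROUS_TAG_SIGNATURES) {
    let pos = haystack.indexOf(sig);
    while (pos !== -1) {
      total += 1;
      pos = haystack.indexOf(sig, pos + sig.length);
    }
  }
  return total;
}

// Static analysis: match signatures against the script source as plain text.
function staticCount(scriptSource) {
  return countSignatures(scriptSource);
}

// Dynamic analysis stand-in (assumption): run the script against a stub document
// that records what document.write emits, then match signatures on that output.
// new Function is NOT a sandbox; only the constructed samples below are run here.
function dynamicCount(scriptSource) {
  const written = [];
  const stubDocument = { write: (...parts) => written.push(parts.join('')) };
  new Function('document', scriptSource)(stubDocument);
  return countSignatures(written.join(''));
}

// Claim 1 decision rule: differing counts mark the script as malicious.
function analyzeScript(scriptSource) {
  const s = staticCount(scriptSource);
  const d = dynamicCount(scriptSource);
  return { staticCount: s, dynamicCount: d, malicious: s !== d };
}

// Constructed samples: a tag written in the clear, a tag assembled at run time,
// and a script that emits no listed tag.
const PLAIN_SCRIPT = 'document.write("<iframe src=\\"https://example.invalid/a\\"></iframe>");';
const HIDDEN_SCRIPT = 'var t = "<ifr" + "ame"; document.write(t + " src=\\"https://example.invalid/b\\"></" + "iframe>");';
const BENIGN_SCRIPT = 'document.write("<p>hello</p>");';
```

`PLAIN_SCRIPT` yields equal counts and is not flagged, so the rule as claimed detects a tag that is concealed from the source text, not the mere presence of a listed tag.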