Title: System and method for detecting malicious content
Abstract: A system and method for detecting malicious code in web content is described. A controller receives information, routes the information to the appropriate module and determines whether a user receives the web content or a report of a detection of malicious code. A vulnerability definition generator generates vulnerability definitions. A parser parses web content into static language constructions. A translation engine translates the static language constructions into trap rules, translates the web content into application programming interface (API) calls and determines whether the API calls trigger any of the trap rules. A sandbox engine generates an environment that mimics a browser and executes dynamic parts of the web content and determines whether a dynamic part triggers a trap rule.
Publication number: US8881278 (B2)   Publication date: 2014.11.04
Application number: US201113158106   Filing date: 2011.06.10
Applicant: Trustwave Holdings, Inc.   Inventors: Kaplan Mark; Friger Alexander; Novikov Peter
Classification: G06F11/00; H04L29/06; G06F21/55   Main classification: G06F11/00
Agency: Hanley, Flight and Zimmerman, LLC   Agent: Hanley, Flight and Zimmerman, LLC
Independent claim: 1. A computer-implemented method for detecting malicious code in web content received from a web server, the method comprising: loading an application interface (API) trap rule associated with a vulnerability definition into a simulator of a web browser to modify an API function of the web browser to intercept malicious code; extracting metadata from network protocol information associated with the web content; extracting a dynamic part of the web content; simulating, via the simulator, the web browser using the extracted metadata in a sandbox to execute the dynamic part of the web content; determining that the execution of the dynamic part of the web content includes an API call that triggers the API trap rule; and in response to the triggered API trap rule, monitoring execution of the associated API function in the simulator to identify a match with the vulnerability definition.
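The flow of the claim (trap rules loaded into a browser simulator, dynamic parts extracted and executed in a sandbox, trapped API calls matched against vulnerability definitions), as an added JavaScript illustration that is not the patent's or Trustwave's code. The vulnerability definitions, their thresholds, the sample metadata and the sample page are constructed assumptions for this example.

```javascript
// Added illustration (not the patent's or Trustwave's code) of the claimed flow; all
// identifiers, rules and sample inputs are constructed for this example.
// Vulnerability definitions: the API to trap and the condition that marks a match.
const VULN_DEFS = [
  { id: 'VD-0001 (constructed)', api: 'document.write',
    match: (args) => /<iframe\b[^>]*\bwidth\s*=\s*["']?0\b/i.test(String(args[0])) },
  { id: 'VD-0002 (constructed)', api: 'window.eval',
    match: (args) => String(args[0]).length > 200 },
];
// Metadata the claim takes from the network protocol information (constructed).
const SAMPLE_METADATA = { userAgent: 'constructed-UA/1.0', url: 'http://example.invalid/' };
// Constructed sample page whose inline script writes a zero-width iframe.
const SAMPLE_HTML = '<html><body><p>hello</p><script>document.write("<iframe src=\\"about:blank\\" width=0 height=0></iframe>");</script></body></html>';

// Extract the dynamic parts (inline <script> bodies) from the web content.
function extractDynamicParts(html) {
  const parts = [], re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (let m = re.exec(html); m !== null; m = re.exec(html)) parts.push(m[1]);
  return parts;
}

// Browser simulator: each trapped API checks the definitions, then keeps running in
// the sandbox so that later layers (eval'd or written code) are monitored as well.
function createSimulator(metadata, defs = VULN_DEFS) {
  const detections = [];
  const trap = (api, impl) => (...args) => {
    for (const d of defs) {
      if (d.api === api && d.match(args)) {
        detections.push({ id: d.id, api, preview: String(args[0]).slice(0, 40) });
      }
    }
    return impl(...args);
  };
  function runScript(code) {
    try { // simulated objects shadow the real globals inside the executed script
      new Function('window', 'document', 'navigator', 'location', code)(
        win, win.document, win.navigator, win.location);
    } catch (e) { /* a throwing script just stops; traps already fired are kept */ }
  }
  function runHtml(html) { extractDynamicParts(html).forEach(runScript); }
  const win = {
    navigator: { userAgent: metadata.userAgent }, location: { href: metadata.url },
    document: { write: trap('document.write', runHtml) }, // written HTML is rescanned
    eval: trap('window.eval', runScript),                  // eval'd code is re-run trapped
  };
  return { scan: runHtml, detections };
}

// Empty result: the controller may deliver the content; otherwise report detections.
function scanWebContent(html, metadata = SAMPLE_METADATA) {
  const sim = createSimulator(metadata); sim.scan(html); return sim.detections;
}
```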
Address: Chicago IL US