Malicious code detection technologies
| Title: | Malicious code detection technologies |
|---|---|
| Patent Number: | 9,213,839 |
| Publication Date: | December 15, 2015 |
| Appl. No: | 14/207665 |
| Application Filed: | March 13, 2014 |
| Abstract: | An embodiment of the present application provides technologies for detecting malicious content embedded in content downloaded from an external source. The downloaded content is converted into an opcode sequence by a web browser in a computing device. The opcode sequence is compared with a pre-stored opcode signature. The opcode signature comprises multiple sentences, and each sentence has multiple clauses. Each clause may include a matching opcode, a condition, an instruction, and an identifier. When the matching opcode in a clause matches an opcode of the opcode sequence, and the condition specified in the clause is determined to be true, the instruction in the clause is taken and the next sentence, identified by the identifier, is used to match the opcode sequence. Eventually, the last taken clause in the opcode signature may indicate whether the opcode sequence contains malicious code. |
| Inventors: | HUAWEI TECHNOLOGIES CO.,LTD. (Shenzhen, Guangdong, CN) |
| Assignees: | HUAWEI TECHNOLOGIES CO., LTD. (Shenzhen, CN) |
| Claim: | 1. A method, executed by a computing device, for identifying malicious codes in electronic contents, comprising: obtaining an opcode (operation code) sequence from a downloaded content, wherein the opcode sequence comprises a first opcode and a second opcode; and comparing the opcode sequence with a pre-stored opcode signature to determine whether the opcode sequence contains any malicious code, wherein the opcode signature comprises a first sentence and a second sentence, the first sentence includes a first matching clause, the first matching clause comprises a first matching opcode, a first condition, a first instruction for a first action to be taken, and an identifier identifying the second sentence; the second sentence comprises one or more second matching clauses and a default clause, each second matching clause includes a second matching opcode, a second condition, and a second instruction for a second action to be taken, and the default clause includes a third instruction for a third action to be taken; and wherein comparing the opcode sequence with a pre-stored opcode signature to determine whether the opcode sequence contains any malicious code comprises: determining whether the first opcode of the opcode sequence matches with the first matching opcode, and the first condition is true; if the first opcode matches with the first matching opcode, and the first condition is true, taking the first action according to the first instruction; searching the second sentence for a matching clause among the one or more second matching clauses, wherein the second opcode of the opcode sequence matches with a matching opcode of the matching clause; if the matching clause in the second sentence is found, and the second condition in the matching clause is true, taking an action according to the second instruction in the matching clause, if the matching clause in the second sentence is not found, taking the third action according to the third instruction in the default clause of the second sentence. |
| Claim: | 2. The method according to claim 1, wherein the third action includes reporting that the opcode sequence contains malicious code. |
| Claim: | 3. The method according to claim 1, wherein the second opcode is placed sequentially next to the first opcode in the opcode sequence. |
| Claim: | 4. The method according to claim 1, wherein the method further comprises: after receiving the opcode sequence and before obtaining the opcode signature to determine whether the opcode sequence contains malicious content, obtaining the opcode signature in a filtering format which includes an expression; and determining whether the opcode sequence contains any opcode that matches with the expression. |
| Claim: | 5. The method according to claim 1, wherein before obtaining the opcode sequence, the method further comprises: obtaining the downloaded content; and wherein obtaining the opcode sequence from the downloaded content comprises: executing codes of the downloaded content by a program installed in the computing device to obtain the opcode sequence. |
| Claim: | 6. A computing device for identifying malicious code in electronic contents, comprising: a memory; and one or more processors; wherein the memory is configured to store an opcode (operation code) signature and one or more software modules executed by the one or more processors, the one or more software modules including instructions for: obtaining an opcode sequence from a downloaded content, wherein the opcode sequence comprises a first opcode and a second opcode; and comparing the opcode sequence with the opcode signature to determine whether the opcode sequence contains any malicious code, wherein the opcode signature comprises a first sentence and a second sentence, the first sentence includes a first matching clause, the first matching clause comprises a first matching opcode, a first condition, a first instruction for a first action to be taken, and an identifier identifying the second sentence; the second sentence comprises one or more second matching clauses and a default clause, each second matching clause includes a second matching opcode, a second condition, and a second instruction for a second action to be taken, and the default clause includes a third instruction for a third action to be taken; and wherein comparing the opcode sequence with the opcode signature to determine whether the opcode sequence contains any malicious code comprises: determining whether the first opcode of the opcode sequence matches with the first matching opcode, and the first condition is true; if the first opcode matches with the first matching opcode, and the first condition is true, taking the first action according to the first instruction; searching the second sentence for a matching clause among the one or more second matching clauses, wherein the second opcode of the opcode sequence matches with a matching opcode of the matching clause; if the matching clause in the second sentence is found, and the second condition in the matching clause is true, taking an action according to the second instruction in the matching clause, if the matching clause in the second sentence is not found, taking the third action according to the third instruction in the default clause of the second sentence. |
| Claim: | 7. The computing device according to claim 6, wherein the third action includes reporting that the opcode sequence contains malicious code. |
| Claim: | 8. The computing device according to claim 6, wherein the second opcode is placed sequentially next to the first opcode in the opcode sequence. |
| Claim: | 9. The computing device according to claim 6, wherein the one or more software module further includes instructions for: obtaining the opcode signature in a filtering format which includes an expression; and determining whether the opcode sequence contains any opcode that matches with the expression. |
| Claim: | 10. The computing device according to claim 6, wherein the one or more software module further includes instructions for: obtaining the downloaded content; and wherein obtaining the opcode sequence from the downloaded content comprises: executing codes of the downloaded content by a program installed in the computing device to obtain the opcode sequence. |
| Claim: | 11. The computing device according to claim 6, wherein the computing device is a client device connected to Internet, or a proxy server connected to the Internet and serving a client device. |
| Claim: | 12. A computer program product for identifying malicious code in electronic contents, comprising a non-transitory computer readable storage medium storing computer readable instructions, wherein when the computer readable instructions are executed by a computing device, cause the computing device to perform a method that comprises: obtaining an opcode (operation code) sequence from a downloaded content, wherein the opcode sequence comprises a first opcode and a second opcode; and comparing the opcode sequence with a pre-stored opcode signature to determine whether the opcode sequence contains any malicious code, wherein the opcode signature comprises a first sentence and a second sentence, the first sentence includes a first matching clause, the first matching clause comprises a first matching opcode, a first condition, a first instruction for a first action to be taken, and an identifier identifying the second sentence; the second sentence comprises one or more second matching clauses and a default clause, each second matching clause includes a second matching opcode, a second condition, and a second instruction for a second action to be taken, and the default clause includes a third instruction for a third action to be taken; and wherein comparing the opcode sequence with a pre-stored opcode signature to determine whether the opcode sequence contains any malicious code comprises: determining whether the first opcode of the opcode sequence matches with the first matching opcode, and the first condition is true; if the first opcode matches with the first matching opcode, and the first condition is true, taking the first action according to the first instruction; searching the second sentence for a matching clause among the one or more second matching clauses, wherein the second opcode of the opcode sequence matches with a matching opcode of the matching clause; if the matching clause in the second sentence is found, and the second condition in the matching clause is true, taking an action according to the second instruction in the matching clause, if the matching clause in the second sentence is not found, taking the third action according to the third instruction in the default clause of the second sentence. |
| Claim: | 13. The computer program product according to claim 12, wherein the third action includes reporting that the opcode sequence contains malicious code. |
| Claim: | 14. The computer program product according to claim 12, wherein the second opcode is placed sequentially next to the first opcode in the opcode sequence. |
| Claim: | 15. The computer program product according to claim 12, wherein the method further comprises: obtaining the opcode signature in a filtering format which includes an expression; and determining whether the opcode sequence contains any opcode that match with the expression. |
| Claim: | 16. The computer program product according to claim 12, wherein the method further comprises: obtaining the downloaded content; and wherein obtaining the opcode sequence from the downloaded content comprises: executing codes of the downloaded content by a program installed in the computing device to obtain the opcode sequence. |
| Claim: | 17. The computer program product according to claim 12, wherein the computing device is a client device connected to Internet, or a proxy server connected to the Internet and serving a client device. |
| Patent References Cited: | 7724684, May 2010, Cassod et al.; 8612995, December 2013, Yun; 8826439, September 2014, Hu et al.; 2009/0327688, December 2009, Li et al.; 2011/0167496, July 2011, McPhail et al.; 2012/0240231, September 2012, Sohn et al.; 2014/0137255, May 2014, Wang et al.; 101304409, November 2008; 101359351, February 2009; 101388057, March 2009; 102254120, November 2011; 1542115, June 2005 |
| Assistant Examiner: | Jamshidi, Ghodrat |
| Primary Examiner: | Le, Chau |
| Attorney, Agent or Firm: | Huawei Technologies Co., Ltd. |
| Accession Number: | edspgr.09213839 |
| Database: | USPTO Patent Grants |
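The claims describe the signature as a small state machine: each sentence holds matching clauses (matching opcode, condition, instruction, identifier of the next sentence) plus a default clause, and claim 4 adds a cheap expression-based pre-filter that runs before the full comparison. The following is an added example written for this record, not code from the patent or from Huawei; the opcode names, operands, the signature contents and the three sample sequences are all constructed for illustration and do not correspond to any real engine's bytecode.

```python
"""Opcode-signature matcher in the shape described by claims 1 and 4.

Constructed example: opcode names, operands and the signature are invented
for illustration; they are not taken from any real interpreter.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# An opcode as the matcher sees it: (name, operand).
Opcode = Tuple[str, object]
# A condition sees the whole sequence and the current index, so it can
# inspect operands or neighbouring opcodes.
Condition = Callable[[List[Opcode], int], bool]


@dataclass
class Clause:
    opcode: str              # matching opcode ("*" marks a default clause)
    condition: Condition     # must be true for the clause to be taken
    instruction: str         # "goto", "malicious" or "benign"
    next_sentence: Optional[str] = None   # identifier of the next sentence


@dataclass
class Sentence:
    clauses: List[Clause]    # matching clauses, tried in order
    default: Clause          # taken when no matching clause applies


Signature = Dict[str, Sentence]   # sentence identifier -> sentence


def always(seq: List[Opcode], i: int) -> bool:
    return True


def concat_run_before(seq: List[Opcode], i: int) -> int:
    """Count consecutive CONCAT opcodes immediately preceding index i."""
    n = 0
    while i - 1 - n >= 0 and seq[i - 1 - n][0] == "CONCAT":
        n += 1
    return n


def passes_prefilter(seq: List[Opcode], expression: str) -> bool:
    """Claim 4 style filter: only run the full signature if some opcode
    name matches the expression."""
    pat = re.compile(expression)
    return any(pat.fullmatch(name) for name, _ in seq)


def match_signature(seq: List[Opcode], sig: Signature, start: str = "s1") -> str:
    """Walk seq against sig and return the verdict of the last taken clause."""
    current = start
    for i, (name, _) in enumerate(seq):
        sentence = sig[current]
        taken = sentence.default            # default clause unless a clause matches
        for clause in sentence.clauses:
            if clause.opcode == name and clause.condition(seq, i):
                taken = clause
                break
        if taken.instruction != "goto":
            return taken.instruction        # "malicious" or "benign"
        current = taken.next_sentence       # identifier selects the next sentence
    return "benign"                         # sequence ended without a verdict


# Constructed signature: a string built by three or more CONCATs and then
# handed to CALL eval is flagged; any other opcode resets to sentence s1.
SIGNATURE: Signature = {
    "s1": Sentence(
        clauses=[Clause("LOAD_STR", always, "goto", "s2")],
        default=Clause("*", always, "goto", "s1"),      # skip unrelated opcodes
    ),
    "s2": Sentence(
        clauses=[
            Clause("CONCAT", always, "goto", "s2"),     # keep consuming CONCATs
            Clause("CALL",
                   lambda seq, i: seq[i][1] == "eval" and concat_run_before(seq, i) >= 3,
                   "malicious"),
            Clause("CALL", always, "goto", "s1"),       # any other call: start over
        ],
        default=Clause("*", always, "goto", "s1"),
    ),
}

# Constructed sample opcode sequences.
SUSPICIOUS = [("LOAD_STR", "a"), ("CONCAT", None), ("CONCAT", None),
              ("CONCAT", None), ("CALL", "eval")]
BENIGN = [("LOAD_STR", "hello"), ("CONCAT", None), ("CALL", "alert")]
NO_CALL = [("LOAD_STR", "x"), ("CONCAT", None)]


def scan(seq: List[Opcode]) -> str:
    """Pre-filter first (claim 4), then the full sentence/clause walk."""
    if not passes_prefilter(seq, r"CALL"):
        return "benign"
    return match_signature(seq, SIGNATURE)


if __name__ == "__main__":
    for label, seq in (("suspicious", SUSPICIOUS), ("benign", BENIGN), ("no call", NO_CALL)):
        print(label, "->", scan(seq))
```

The default clause is what decides how an interrupted pattern is treated: here it sends the walk back to `s1`, while claim 2 describes the alternative of having the default clause itself report the sequence as malicious, which suits signatures where every opcode between two matched points is expected to be accounted for.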