1. (WO2018060461) DETECTION OF MALICIOUS SCRIPTS
Note: Text based on automatic optical character recognition processes. Only the PDF version has legal value.

CLAIMS

What is claimed is:

1. A computer-implemented method for detecting a malicious script, the computer-implemented method comprising the steps of:

receiving a file;

translating characters in the file to a single case;

identifying a script in the file;

determining tokens for the script; and

creating a normalized output for the script, wherein the normalized output includes tokens that are at least one of retained keywords, control flow characters, and data characters.

2. The computer-implemented method of claim 1, wherein the retained keywords include popular or interesting function names.

3. The computer-implemented method of claim 1, wherein the retained keywords include reserved keywords for a scripting language.

4. The computer-implemented method of claim 1, where creating the normalized output for the script includes filtering comments, string definitions and regular expressions from the script such that the comments, string definitions and regular expressions do not appear in the normalized output.

5. The computer-implemented method of claim 1, wherein identifying the script in the file includes identifying script delimiters in the file.

6. The computer-implemented method of claim 1, further comprising the step of:

removing duplicate whitespace characters from the file.

7. The computer-implemented method of claim 1, further comprising the step of:

comparing the normalized output for the script to a database of known malicious scripts.

8. The computer-implemented method of claim 7, further comprising the step of:

generating a first hash value for the normalized output;

wherein the step of comparing the normalized output for the script comprises comparing the first hash value to a second hash value associated with the second script.
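The steps of claims 1 and 4 to 8 can be illustrated with a short Python sketch; this is an added example, not code from the application or its applicant. The keyword and character sets, the `<script>` delimiter pattern, the choice of SHA-256 and all function names are assumptions, the sample inputs are constructed, and regular-expression literals (claim 4) are not filtered here.

```python
import hashlib
import re

# Assumed token classes: the claims name them but do not enumerate them.
RETAINED_KEYWORDS = {"function", "var", "if", "else", "for", "while", "return",
                     "eval", "unescape", "document", "write"}
CONTROL_FLOW_CHARS = set("{}();")
DATA_CHARS = set("=+.,[]")

# Claim 5: scripts are located by their delimiters (HTML <script> assumed).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.S)
# Claim 4: strings are matched before comments so "//" inside a string
# is not mistaken for the start of a comment.
STRIP_RE = re.compile(r'"(?:\\.|[^"\\])*"' r"|'(?:\\.|[^'\\])*'"
                      r"|/\*.*?\*/|//[^\n]*", re.S)
TOKEN_RE = re.compile(r"[a-z_$][a-z0-9_$]*|\S")

def normalize_script(body):
    """Drop comments and strings, then keep only the retained token classes."""
    body = STRIP_RE.sub(" ", body)
    kept = [t for t in TOKEN_RE.findall(body)
            if t in RETAINED_KEYWORDS or t in CONTROL_FLOW_CHARS or t in DATA_CHARS]
    return " ".join(kept)

def normalize_file(text):
    """Return one normalized output per script found in the file."""
    text = text.lower()                      # single case (claim 1)
    text = re.sub(r"(\s)\1+", r"\1", text)   # duplicate whitespace (claim 6)
    return [normalize_script(m.group(1)) for m in SCRIPT_RE.finditer(text)]

def digest(normalized):
    """First hash value of claim 8 (SHA-256 is an assumed choice)."""
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

def is_known(text, known_hashes):
    """Claims 7 and 8: compare each script's hash with stored hashes."""
    return any(digest(n) in known_hashes for n in normalize_file(text))

# Constructed samples: A and B differ in case, names, strings and comments.
SAMPLE_A = ('<html><SCRIPT>\n// stage one\nvar A = unescape("%41%42");\n'
            'if (A) { document.write(A); }\n</SCRIPT></html>')
SAMPLE_B = ('<script type="text/javascript">var  zz=UNESCAPE(\'%43\'); '
            '/* x */ if(zz){document.write(zz);}</script>')
SAMPLE_C = '<script>function add(x, y) { return x + y; }</script>'
KNOWN_HASHES = {digest(n) for n in normalize_file(SAMPLE_A)}

if __name__ == "__main__":
    for name, s in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, normalize_file(s), is_known(s, KNOWN_HASHES))
```

Because identifiers, literals, comments and letter case are discarded before hashing, renaming variables or re-encoding string payloads does not change the hash, while a structurally different script does.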

9. A system for malware detection comprising:

at least one processor; and

a non-transitory computer readable storage medium having a program stored thereon, the program causing the computer to execute the steps of:

receiving a file containing a script;

translating characters in the file to a single case;

identifying a script in the file;

determining tokens for the script; and

creating a normalized output for the script, wherein the normalized output includes tokens that are at least one of retained keywords, control flow characters, and data characters.

10. The system of claim 9, wherein the at least one processor includes an anti-malware unit to generate hash values.

11. The system of claim 10, wherein the anti-malware unit includes a script normalizer for removing unnecessary information.

12. The system of claim 9, the system further comprising:

a submission server, an internal file database, a main application server, an analyst user interface, and an internal analysis server.

13. A non-transitory computer-readable medium having stored thereon computer executable instructions for causing one or more processors to:

receive a file containing a script;

translate characters in the file to a single case;

identify a script in the file;

determine tokens for the script; and

create a normalized output for the script, wherein the normalized output includes tokens that are at least one of retained keywords, control flow characters, and data characters.