System and Method for Detecting Anomalies in Electronic Documents

Abstract

A system and method are described herein for detecting an anomaly in an electronic document. In a computer system, a detection engine is attached to an application program which processes the electronic document. Function calls to a service provided through an application program interface (API) are intercepted by the detection engine as the application program processes the electronic document. If an entry for the intercepted function call is not present in the detection model, or an entry is present but the argument value does not match the argument value in the detection model, an alert is raised. The detection model is populated by processing a plurality of known good documents, populating the detection model with entries on intercepted good function calls and their argument values. A threshold may be applied to the detection model, removing from the detection model function calls which were observed less than the threshold amount.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS[0001]This application is related to, and claims priority to, Patent Cooperation Treaty (PCT) International Application Number PCT / NL2012 / 050537, entitled “METHOD AND SYSTEM FOR CLASSIFYING A PROTOCOL MESSAGE IN A DATA COMMUNICATIONS NETWORK” and filed Jul. 26, 2012, which claims the benefit of U.S. Provisional Patent Application No. 61 / 511,685, entitled, “METHOD AND SYSTEM FOR CLASSIFYING A PROTOCOL MESSAGE IN A DATA COMMUNICATIONS NETWORK” and filed Jul. 26, 2011, and Netherlands Application No. NL 2007180, entitled “METHOD AND SYSTEM FOR CLASSIFYING A PROTOCOL MESSAGE IN A DATA COMMUNICATIONS NETWORK” and filed Jul. 26, 2011. Each of the aforementioned applications is incorporated herein by reference.BACKGROUND OF THE INVENTION[0002]1. Field of the Invention[0003]The present invention relates generally to detecting anomalous or malicious content in electronic documents.[0004]2. Description of the Prior Art[0005]Along with the rise of the use...

AI Technical Summary

Benefits of technology

The patent is about a computer program that detects abnormal functions in electronic documents. It does this by analyzing a sample of known good documents, where each contains a function call and an argument value. When the program detects a function call in a new document, it can add that entry to a detection model, which helps identify abnormal functions. The technical effect is improved detection of abnormal functions in electronic documents.

Problems solved by technology

Along with the rise of the use of computers in modern life, there has been a rise in the misuse of such computers.

Unfortunately, a given document may contain not only text and graphics, but also malicious commands which cause a scripting engine such as JavaScript to breach security on the computer system by exploiting software flaws, and surreptitiously install malicious software.

Such malicious software can be difficult to detect, and expensive to remedy once present and detected on a computer system.

Signature-based malware detection systems have a number of serious difficulties.

One difficulty is that they only detect malware that has already been identified; they defend against yesterday's known attacks, but not the unknown attacks of tomorrow.

This process of identification, creating a digital signature, and distributing the digital signature to customers may take hours, days, or longer from the time the electronic document is first identified as malicious and submitted to the company.

An electronic document may never be submitted as malicious if it is not recognized as malicious; thus a carefully crafted malicious electronic document may continue to be successfully malicious for months or even years.

Additional difficulties come from the nature of the digital signature process.

In practice in a signature-based malware detection system, when such a collision occurs, the detection system mistakenly identifies an innocuous file as malicious.

An additional difficulty arising from the digital signature process comes from a goal of the digital signature algorithms themselves, that small changes in an electronic document result in large changes in its digital signature.

Such anomaly-based systems also have issues with false positive alerts, for example during application program installation or updating, when application program component files must be created or modified.

Images