RU2613535C1 - Method for detecting malicious software and elements - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: method involves the analysis of programmes or messages that meet the suspicion criteria or criteria groups, and the creation of a message indicating the result of malicious elements detection, wherein in a server, or a browser, or a communication channel therebetween a filter system is inserted, which analyzes the transmitted documents taking into account the database including the data on the known safe elements, and if the document contains unknown potentially malicious elements absent in the safe elements database, the received document is decomposed into a plurality of individual ones containing the unknown potentially malicious elements from which files are created, the number of which correlates with the number of decomposed elements, after which one or more sets of files are composed from decomposed elements, which are subjected to the dynamic detection for tracking the deviations from the normal client programme behaviour as a result of malicious elements actions, and the document is transmitted to the browser without the identified malicious elements.

EFFECT: increasing the malicious programmes and elements detection reliability.

12 cl, 1 dwg

Description

The invention relates to the field of identification and analysis of data transmitted through a communication network, in particular to the identification, detection and analysis of malicious programs and elements or malicious software.

As the technology and infrastructure of computer networks improves, the volume and speed of data transmitted between devices on a computer network is growing rapidly. At the same time, the transmitted data may contain malicious programs and elements. A malicious program is a computer software product that is capable of penetrating a computing device without the knowledge or consent of the owner of the device. Malicious programs have become a common term and mean a general class of software, which includes many malicious, intrusive or otherwise interfering forms of software or machine code. Malicious programs include various viruses, worms, Trojan horses (or Trojans), rootkits, spyware, adware, programs that exploit vulnerabilities in third-party software, and any other unwanted malicious software. Various types of malware can collect personal information related to the user and send this information back to the information collection device. Other types of malware can cause the computing device to fail or not work at all.

Widely known are methods and means of identifying and removing malicious elements using anti-virus software. Traditional antivirus software uses search sequences and a predefined analytic approach to search for known malware.

However, given that malware code can be changed quite often by the malware author, a predefined search sequence and rule-based analysis may not detect updated programs.

Thus, the disadvantages of antivirus software include the inability to detect new or unknown viruses.

These problems are also solved by well-known methods for detecting a suspicious mode of operation of a program in antivirus software and evaluating it. If anti-virus software finds significant correlations of code or behavior with already known malicious codes, the anti-virus application may assume that it detects a new virus or malware. These methods fall under the generic term “heuristic” malware detection methods. As a rule, heuristic analysis means that the program being analyzed is launched in some isolated and safe environment, and the method collects information about its execution. The specified method evaluates the maximum possible amount of information and allows us to draw conclusions about the legitimacy of the analyzed program, or the program’s focus on something non-standard or malicious. Heuristic analysis has several advantages. It works whether the specific code has been analyzed or not previously. It can also recognize new viruses and Trojan programs.

However, such a method has inherent disadvantages such as insufficient reliability of the analysis, since the line between the correct and harmful mode of operation of the software may be uncertain, the degree of similarity with already known malicious code or behavior may be deliberately hidden. At the same time, considerable time is required associated with the need to check the program in a safe environment, in which you can be sure that the harm will not be done. In addition, one should take into account a set of various techniques of malware authors aimed at preventing the heuristic type of analysis.

The invention is known (RU 2417429, 04/27/11) for a method of minimizing an attacker's use of vulnerabilities in software installed on a target computer by examining network traffic there and identifying malicious code before it can be executed and / or installed. At the transport level (for example, the Transmission Control Protocol (TCP) socket level), network traffic is monitored by the security component installed on the target computer. When a message is received intended for the computing system, the data included in the message is compared with the exploit features (code that exploits vulnerabilities in software produced by third parties) used to identify malicious code. The security service, which collects information about the malicious code, identifies the rules that instruct the security component to take the appropriate action on the received message by comparing the data in the message with the signs of the exploit.

However, in this method there is no possibility of selective monitoring of interpreted objects of websites, and not all traffic at the transport level, there is no monitoring and analysis of correlations of transmitted metadata, there is no possibility of analyzing individual interpreted files, the possibility of asynchronous detection of malicious elements on the website, there is no real-time detection, and the function of correlating data received in synchronous (real-time) and asynchronous modes is also not performed ah work.

Closest to the claimed method is a heuristic method of code analysis (RU 2526716, 08/27/2014), which includes the following steps: using a processor of a computing device, perform a static evaluation of program instructions in a program containing a sequence of program instructions stored on a machine-readable medium, functionally connected with a processor, moreover, a static evaluation is performed without executing said program instructions, and each instruction in the aforementioned sequence to each of a group of suspicion criteria, wherein criteria used to evaluate the suspicion of each instruction based on expected results during instruction execution, it is determined by said processor, whether each instruction satisfies sequence in any of the criteria of a group of suspicion criteria; appoint, by means of said processor, a quantity at the level of instructions for each instruction that violates any of the criteria for suspicion, moreover, a quantity at the level of instructions reflects one or more of the experience of use, comparison with another code generated using an official tool, and comparisons with another sequence of instructions generated by an official tool; summarize, by means of said processor, quantitative indicators at the instruction level for each instruction to obtain a quantitative indicator at the program level; determining by means of said processor whether the quantitative indicator at the program level exceeds a threshold value; and if the quantitative indicator at the program level exceeds a threshold value, a message is generated by said processor indicating the result of malware detection.

However, the aforementioned method is characterized by the above-mentioned disadvantages of heuristic methods - insufficient reliability of detection of malicious elements.

Common signs: working with network traffic and databases of safe and insecure objects, and detected malicious elements are not transmitted to the user's computer.

The main task solved by the claimed invention is the creation of a method for detecting malicious programs and elements on a website and traffic, capable of detecting malicious programs and elements with high reliability.

EFFECT: increased reliability of detection of malicious programs and elements.

The technical result is achieved due to the fact that in the known method for detecting malicious programs, including analyzing a program or message elements that satisfy a criterion or group of criteria for suspiciousness and creating a message indicating the result of detection of malicious programs and elements, to a server, browser or communication channel a filtering system is built between them, which analyzes the transmitted documents in accordance with a database including data on known safe elements ntah, and if the document contains potentially harmful elements that are not in the database of safe elements, decompose the resulting document into many separate elements, from which create a lot of files from decomposed elements, the number of which corresponds to the number of decomposed elements, compose one or several sets of files from decomposed elements that are dynamically detected to track deviations from normal behavior actions of the client program as a result of the actions of malicious elements, and if one or several malicious elements are detected, they are included in the database as malicious, and the remaining elements are safe, and the document is transmitted to the browser without any malicious elements detected.

When composing, a functional, or incremental, or complete compositional set of files from decomposed elements is performed.

In the case of a composition based on a functional set, the functional relationships between the decomposed elements are analyzed and functional blocks are formed, each of which contains decomposed elements connected functionally to each other.

The number of composite files generated on the basis of the functional set is equal to the number of functional blocks and one base file compiled on the basis of the original file from which all potentially harmful elements are removed.

The number of composite files generated on the basis of an incremental set is equal to the number of decomposed elements and one base file composed on the basis of the original file from which all potentially harmful elements are removed.

When compositing based on a complete combination set, composite files are formed on the basis of a complete combinatorial search of potentially harmful elements so that each combination set file contains a unique combination of decomposed elements.

In one embodiment of the method, the analysis of the document outgoing from the server can be carried out together with the analysis of the metadata received on the server, for example, the User Agent and IP address and sent back from the server, for example, the status code and redirection address.

The method may use a detection system configured to ensure that malicious codes are triggered while working with the corresponding type of interpreted files, for example, vulnerable versions of Microsoft Office to open DOC (X), Adobe Acrobat Reader for PDF, Adobe Flash Player for SWF.

The distinguishing features of the invention are the decomposition and subsequent composition of one or several sets of composite files from decomposed elements, which allow an unambiguous verdict to establish the harmfulness of website elements, interpreted files and traffic by opening and interpreting each of these files using software designed to work with this type of file under the control of a specialized software detector code so that any deviation in the normal The operation of the above mentioned software would be detected by the detector and, based on fixing the abnormal behavior of the client program, an unambiguous verdict would be issued on the presence or absence of a malicious element in the open file.

At the same time, the increase in the reliability of detection of malicious programs and elements is also achieved through the use of dynamic (rather than static, on the emulator) real-time detection using a set of files based on a composition of elements extracted by decomposition from the original file.

The drawing schematically shows a device with which the method can be implemented.

A device for implementing the method in one embodiment comprises a filtering unit 1 connected to a decomposition and composition unit 2, with a browser 8 and with a server 9 connected to each other. The filtering unit 1 and the decomposition and composition unit 2 are also connected to the global databases of 4 harmful elements and the database of 5 safe elements. In addition, the filtering unit 1 is connected to a local database of 6 safe elements and a local database of 7 malicious elements. In this case, the decomposition and composition unit 2 is connected to the dynamic detection unit 3.

The inventive method is implemented as follows.

Moreover, the inventive method is not limited to the specific described implementation options, as they may vary.

The browser sends a request for a document to the server, the server accepts the request, processes it, generates a document and sends it in response. At the same time, synchronous and asynchronous options are possible. The asynchronous option is needed to reduce delays for the user when analyzing data, since the documents that he downloads have already been received and checked by the system itself. Thus, there are two options for the development of events for the user: in the first case, the user sends a request through his browser to receive a document (HTML pages, for example), which is generated by the server and sent back to the user. But first, before being sent to the user, the document is sent to filtering unit 1. Filtering unit 1 checks the document for the presence of potentially harmful elements against local databases of known safe 6 and 7 harmful elements. If the document contains potentially harmful elements that are absent in both databases, filtering unit 1 updates the local databases of safe 6 and malicious 7 elements using global databases of safe 5 and malicious 4 elements, and then checks the document for both local databases 6 and 7 safe and malicious elements again. If after checking the updated local databases 6 and 7 of known malicious and safe elements in the document there are elements that are not in the specified databases, the document is sent to server 9 to check and qualify unknown potentially harmful elements. This check takes some time, and therefore the user will have to wait until the analysis is complete.

In the asynchronous mode of operation, the site security system installed on the server itself initiates the first request for a document, analyzes it and qualifies all unknown potentially dangerous elements. In this case, the first user will not feel any delays in receiving the requested document, that is, they will be, but only for the analysis of all potentially dangerous elements of the document according to the local databases of safe and malicious elements. In this case, the wait time for the first user is saved. In synchronous processing, the delay is only for the first user, the subsequent ones already use the results of the initial analysis, and therefore the delay is minimal for them, because there is only an analysis of the local databases of malicious and safe elements for the analysis of unknown potentially harmful elements of the document.

The filtering unit 1, built into the server, browser or communication channel between them, analyzes the transmitted documents in accordance with the local database 6, which includes data on known safe elements. Local databases of safe and malicious elements are initially created by fully replicating data from the corresponding global databases 4 and 5 located on the protection system server. These databases can be updated using filtering unit 1 if unknown elements are detected in outgoing documents, the types of which, according to the current settings of the block, can be used to attack a browser or other user software, as well as by a signal from the server, after analysis, malicious elements on servers with installed protection systems and according to the schedule according to the current settings of the filtering unit 1.

The filtering unit 1, mainly made in the form of software embedded in the server, or a browser, or a communication channel between the browser and the server, analyzes the sent document using a local database of 6 secure elements, also installed in the server, or a browser, or a communication channel between the browser and a server in read-only mode, in which the local database of 6 safe elements is not updated with new data so as not to disrupt the coherence of the database.

In addition, a computer program is also built into server 9, either browser 8, or in the communication channel between them, which is a local database of 7 malicious elements that is also used as part of this operation in read-only mode. If the sent document contains unknown elements that are absent both in the local database of 7 known malicious elements and in the local database of 6 safe elements, and the types of which, after conducting a comparative analysis according to the settings of the filtering block, can be used to attack the browser or other application software on the user side, updating in the "write only" mode of local databases 6 and 7 by adding to them from global databases 4 and 5 are implemented mainly in the form of software and installed on the server 9. This is followed by another check in "read only" mode sent by the document on both local databases - 7 malicious and safe 6 elements. In this case, at the current stage of document verification, only those new elements are added to the local database of 7 malicious elements that are present in the global database of 4 malicious elements, but which are not in the local one. Similarly, the database of 6 safe elements is updated. Unknown elements at this stage of document verification are not added to local databases, but only subject to further classification on the server.

Thus, filtering unit 1 checks the potentially harmful elements of the received file for compliance with elements already known as malicious and safe.

If even after this it is established that the document to be sent contains unknown elements that may be potentially harmful, and whose types, after conducting a comparative analysis according to the settings of the filtering unit, can be used to attack a browser or other software on the user side, filtering unit 1 sends such a document to the decomposition and composition unit 2. A document containing unknown potentially harmful elements is sent by sending the appropriate packet more of a set of data packets to server 9, where data is received and processed by decomposition and composition mainly using a program installed on server 9.

The decomposition of the resulting document is carried out by splitting it into many separate elements containing unknown potentially harmful elements, from which create many files with decomposed elements. After decomposition of the received document into individual constituent elements, a set of files is compiled based on a functional, incremental or complete set as follows:

- in the case of choosing a composition based on a functional set, the functional relationships between decomposed elements are preliminarily analyzed. At the same time, all elements that are functionally connected with each other are revealed, and a functional block is formed from them. The number of files in the functional set must be equal to the number of functional blocks and one base file, compiled on the basis of the original file, from which all unknown potentially harmful elements are deleted;

- in the case of choosing a composition based on an incremental set, potentially harmful elements are added one to each subsequent composition file, the number of which is equal to the number of decomposed elements plus one base file based on the original file from which all unknown potentially harmful elements were deleted;

- in the case of selecting a complete compositional set, the number of composites is a set of composites from the original decomposed elements, assembled in such a way as to include all possible unique combinations of decomposed elements, (2 ^∧ N-1), (two to the power of decomposed elements without unit) plus one base file.

The following are examples of the implementation of the method in various ways when implementing the decomposition of the document with the subsequent composition.

For example, the original file intercepted by the filtering unit.

There are two unknown potentially malicious <script> elements in this file. First one

Second of them

As a result of decomposition of the source file, we have two decomposed elements plus the base composition file.

a) The basic composition file, which is the basis for the compilation of the composition set, in which there are no unknown potentially harmful elements:

b) The first of the unknown potentially harmful elements:

c) The second of the unknown potentially harmful elements:

The resulting decomposed potentially harmful elements are subsequently used to compile various compositional kits in the following embodiments.

1) Functional composition.

Both potentially harmful elements of the <script> type, b) and c), are functionally in no way connected with each other, they are independently working scripts, so we get three composition files created by embedding function blocks in the base composition file, one after the other, inserted into the positions of the files of the composition set in which they were in the original file. This is necessary to identify malicious elements and separate them from safe ones. In this case, three composite files were obtained. Composition file No. 1:

Composition file No. 2:

Composition file No. 3:

2) Incremental composition.

If there are two unknown potentially harmful elements, b) and c), we create three composition files by adding, one after the other, these elements to the previous composition file, inserting them at the positions where they were present in the original file.

Composition file No. 1:

Composition file No. 2:

Composition file No. 3:

3) Full compositional kit

If two unknown potentially harmful elements are detected, b) and c), respectively, the following complete combinational set of these elements is created, taking into account the basic composition file created by a complete combinatorial search so that each file from the combinatorial set is unique, and inserts of unknown potentially harmful elements in those positions in which they were present in the original file.

Composition file No. 1:

Composition file No. 2:

Composition file No. 3:

Composition file No. 4:

The appearance of 4 composite files is caused by the need to present a complete combinatorial set of 2 elements, for example: Basic file, basic file + element No. 1, basic file + element No. 2, basic file + element No. 1 + element No. 2. If there are three such elements, then we have: a basic file, a basic file + element No. 1, a basic file + element No. 2, a basic file + element No. 3, a basic file + element No. 1 + element No. 2, a basic file + element No. 1 + element No. 3, the base file + element No. 3 + element No. 2, the basic file + element No. 1 + element No. 2 + element No. 3. The above determines expression 2 in the degree of the number of decomposed elements without a unit plus one basic test file.

After this, the composition of the functional (1-M + 1), incremental (1-N + 1) or full compositional (1-2 ^∧ N) sets of files from decomposed elements is produced, where M is the number of functional blocks and N is the number of decomposed elements .

Subsequently, compiled file set compositions are subjected to dynamic detection.

Moreover, in the case of a composition based on a functional set, those functionally related blocks of elements from all unknowns to the system are detected as malicious elements that received the verdict “the malicious code was triggered” when analyzed in the dynamic detection unit 3.

In the case of incremental dialing, the element that causes the verdict “malicious code was triggered” by the dynamic detection unit is detected as a malicious element.

In the case of a complete compositional set, malicious elements are detected by correlating 2 verdicts handed down by the dynamic detection unit for each specific file of the compositional set. Since each file of the composition set is unique, and together they contain all unknown potentially harmful elements, if a verdict is received from block 2, for each file of the complete composition set individually, all elements that are harmful can be immediately identified. Also, it is possible to obtain a file that is devoid of all elements identified as malicious for transferring it to the filtering unit.

If incremental composition was used and malicious behavior was detected, starting with a file in which an unknown potentially harmful element was used, then such an identified element is added to the database of malicious elements, removed from the composition set, all tested unknown elements before it are added to the safe database , after which a new incremental compositional set of the remaining elements is built, starting with the last safe, and the files are compositional -set again sent for detection. All these operations are repeated until all unknown elements are identified and will be in the corresponding databases. In the case when no malicious behavior has been detected for any of the incremental set files, all unknown potentially harmful elements included in the set are added to the global database of safe elements.

When using the full compositional set, the data obtained is analyzed in a single frame, i.e. all unknown potentially dangerous file elements are identified simultaneously with the addition of each of them, according to the verdict, to the global database of malicious 7 and safe 6 elements, respectively.

When using a composition based on a functional set, the functionally related blocks within the original document are analyzed. In the future, element-by-element analysis is also possible inside a functional block that has received a verdict from the side of dynamic detection block 3 - “the operation of malicious code was detected”.

Elements in the set can be modified to eliminate delays in the operation of the interpreted code. For example, JavaScript may be delayed for a certain time in order to pass the check of dynamic detection unit 3, which is limited in time, but the user would have worked a malicious element. To eliminate this scenario, you can modify the JavaScript element in order to remove the time delay from the code by doing this at the stage of composing the composition set.

A composite set of decomposed elements obtained from the original file is subjected to dynamic detection to detect deviations from the normal behavior of the client program into which the file is downloaded from the composite set for its interpretation as a result of the actions of malicious elements. At the same time, each file from the composition set is downloaded using a special loader program implemented as software installed on the server of the security system and implementing dynamic detection. The process of dynamic detection is necessary in order for the malicious code contained in the file to trigger, and it should work in the time it takes to detect. At the same time, the fact of the exploit’s response should be recorded, identifying the progress of the client software as abnormal. To achieve the task, the dynamic detection unit can be made in the form of software installed on the server of the security system, which is based on a program for working with the corresponding type of documents and having or emulating vulnerabilities associated with the interpretation of this type of documents, working under the control of additional a software layer whose task is to identify anomalies in the execution of the software client or its behavior.

Also, as a dynamic detector 3, it is possible to use special software installed on the server and emulate, partially or completely, the progress of the client software related to the interpretation of the corresponding file type.

The program for working with the corresponding type of documents installed on the server and which is part of the dynamic detection unit is able to work with a certain type of file, interpreting its internal structure in such a way as to trigger the malicious code in the file if it is present there. The abnormal course of execution of program code is characterized by a deviation of the paths for executing client software instructions from those prescribed by the developers of this software so that malicious code contained in one form or another in a file from a composition set can be executed in the same way as client program code providing. The abnormal behavior of client software is characterized by the use of tools provided by the operating system to perform operations that are not required to interpret the internal structure of the file from the composition set and, therefore, go beyond the predefined set of allowed actions and calls of the operating system tools for this client software.

After decomposition and composition, as well as dynamic detection, which allows to separate safe elements from malicious ones, the resulting file containing only safe elements is returned to filtering unit 1. Filtering unit 1 also updates the local databases of safe 6 and malicious 7 elements. If the filtering unit 1 is interfaced with the automatic treatment unit (not shown in the drawing), then it sends to the automatic treatment unit all the information about the detected malicious elements, which will be necessary for the unique identification of the malicious code or data on the website itself or adjacent to These are resources that transmit a document with malicious elements in the original file previously sent from the server to the user.

At the same time, filtering unit 1 replaces the original outgoing document with the one that was transferred back from decomposition and composition unit 2, and also adjusts, if necessary, the outgoing metadata of the user’s request, for example, changing the size of the outgoing file from the original to a new one that does not contain malicious elements. After the file is sent, filtering unit 1 updates both local databases of malicious 7 and safe 6 elements, receiving data for updating them from the corresponding global databases 4 and 5.

If one or several malicious elements are identified, they are entered into the database as malicious, the rest as safe. Those elements that were identified as malicious are deleted from the document so that the document opens without errors for the user.

To do this, the received file is checked for the validity of document files with deleted malicious elements. Validation is carried out after the removal of elements identified as malicious, but before the transmission of the adjusted document to browser 8.

Without validation, the file may be corrupted as a result of the removal of malicious elements. At the same time, the validity check can also be carried out at the filtering stage after the removal of known malicious elements from the document with its subsequent adjustment if necessary. The validity of the document is checked in filtering unit 1 if malicious elements are removed from the document. In this case, the file is received from the filtering unit 1, it is checked for validity, according to predefined rules and standards, after which, if necessary, the file is adjusted according to predefined algorithms and transferred back to the filtering unit.

If one or more malicious elements are detected in the outgoing document, which was analyzed by the decomposition and composition unit 2 based on the verdicts rendered by the dynamic detection unit 3 (for example, “the malicious code was detected” - “the malicious code was not detected”) for of a particular composition set file that was loaded into it for verification, those elements that were identified as malicious are entered by the decomposition and composition unit 2 in the glo cial database 4 malicious elements. The specified database is implemented as software and installed on server 9 so that in the future such elements in outgoing traffic could be unambiguously identified as malicious. All other unknown potentially harmful elements are identified as safe, and after decomposition and composition, records of new elements identified as safe in write-only mode are included in the global database of safe elements 5 so that in the future similar elements in outgoing traffic could Unambiguously interpreted as safe.

After dynamic detection, the outgoing document is rearranged in such a way as to exclude from its structure those elements that have been identified as malicious. After that, the document is transmitted to the filtering system 1, which receives the given file and checks it for validity, after which it prepares the document for transfer to the browser 8 to the user, modifying if necessary the metadata in the original response to the client’s browser request. Next, the original outgoing file is replaced with a new one, as a result of which a safe version of the requested original document is sent to the user.

When malicious elements are detected, the following is implemented.

The shell executes code on a site located in a large number of files that also operate with values from local or located remotely on other database servers. Each operation executed by the command interpreter is logged, as well as each value of the incoming and outgoing parameters for this operation. For example, if there is a malicious insertion into the HTML code of a page, then this insertion begins in the interpreted file that was received for the user, from position 444. At the same time, the shell of the shell is raised in order to identify the set of commands on the site that it inserted into file this malicious element. Suppose this is the file do_not_do_eval.php, line 34, this is the command “eval (“ something inside ”). In this case, the decision-maker on this website is informed that the command on line 34 “eua1 (“ something is inside ”) from the do_not_do_eval.php file is malicious code on the site, with a proposal to delete it.

If there is a block for the history of changes to files on server 9 and a block for collecting logs of the command interpreter and server, an automated disinfection block, as a result of analyzing data on the server’s operation and the history of changes in the do_not_do_eval.php file that interests us, for the line “eval (“ which something inside ")", the automated treatment unit can also render a verdict on what exactly means the attacker used to infect the website, and also provide the decision-maker on the website with a conclusion about Agah, who need to take to prevent similar incidents in the future.

It is known that sometimes an automated system will not be able to treat itself in cases of, for example, new types of server infections, but it will be able to tell the site staff (or invited specialists) where exactly it is necessary to look for the cause of the problem, which is important, since the site can have a huge the number of files with commands and data, as well as many millions of records in related databases.

Also, in all modes, it is possible to detect attacks such as "user redirection", for this it is necessary to add to the analysis of the document outgoing from the server also the analysis of the metadata received on the server (for example, User Agent and IP address) and sent from the server back (for example status code and redirect address). It is possible to dynamically redirect the user using tags and data inside the issued page, sometimes through the metadata, giving the server response “301” (301 redirect) with the redirection address. You can analyze the issued code for the verdict of the “redirect to an address not associated with the original site” detector; you can analyze the metadata of the 301st server response to reach the verdict “redirect to an address not associated with the original site”.

The claimed invention can be widely used to identify, detect and analyze malicious elements on a website and in traffic. At the same time, the reliability of detection of malicious programs and elements is significantly increased and the time required to detect them is reduced.

Claims (12)

1. A method for detecting malicious programs and elements, including analyzing a program or messages that satisfy a criterion or group of criteria for suspiciousness, and creating a message indicating the result of detecting malicious elements, characterized in that a filtering system is built into the server, browser or communication channel between them , which analyzes the transmitted documents taking into account a database that includes data on known safe elements, and if the document contains potentially malicious elements that are not in the database of safe elements decompose the received document into many decomposed elements containing potentially harmful elements, from which they create files, the number of which correlates with the number of decomposed elements, and then compose one or more sets of files from decomposed elements, which are dynamically detected to track deviations from the normal behavior of the client program as a result of ate actions harmful elements, and transfer the document to the browser is performed without detection of malicious elements. 2. The method according to p. 1, characterized in that when detecting malicious elements include them in the database of malicious elements, and the remaining elements in the database of safe elements, 3. The method according to p. 1, characterized in that when the composition is carried out functional, or incremental, or a complete compositional set of files from decomposed elements. 4. The method according to p. 3, characterized in that when the composition is based on a functional set, the functional relationships between the decomposed elements are analyzed and functional blocks are formed, each of which contains decomposed elements that are functionally connected to each other. 5. The method according to claim 4, characterized in that the number of composite files generated on the basis of the functional set is equal to the number of functional blocks and one base file composed on the basis of the original file from which all unknown potentially harmful elements have been removed. 6. The method according to p. 3, characterized in that the number of composite files generated on the basis of an incremental set is equal to the number of decomposed elements and one base file composed on the basis of the original file from which all potentially harmful elements are removed. 7. The method according to p. 3, characterized in that when the composition is based on a complete combination set, the composite files are formed on the basis of a complete combinatorial search of potentially harmful elements. 8. The method according to p. 1, characterized in that upon detection of malicious elements additionally carry out automatic treatment of the site. 9. The method according to p. 1, characterized in that the verification of the outgoing document from the server is carried out together with the verification of metadata received on the server, for example, User Agent and IP address, and sent from the server back, for example, status code and redirection address. 10. The method according to p. 1, characterized in that the detection is carried out using programs that can provide the ability to trigger malicious codes in the process of working with the corresponding type of interpreted files, for example, vulnerable versions of Microsoft Office to open DOC (X), Adobe Acrobat Reader for PDF, Adobe Flash Player for SWF. 11. The method according to p. 1, characterized in that to track deviations from the normal behavior of the client program, files from the composition set are fed to its input. 12. The method according to p. 1, characterized in that they verify the validity of the document files with the deleted malicious elements.

Images