WO2024062484A1 - Method and system for automated transfer of vulnerability detection to content disarm and reconstruction rules - Google Patents


Info

Publication number
WO2024062484A1
Authority
WO
WIPO (PCT)
Prior art keywords
data structure
vulnerability
rule
omission
detection rule
Application number
PCT/IL2023/051024
Other languages
English (en)
Inventor
Ran DUBIN
Original Assignee
Ariel Scientific Innovations Ltd.
Application filed by Ariel Scientific Innovations Ltd.


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Definitions

  • the present invention relates generally to systems and methods of cyber security. More specifically, the present invention relates to automated transfer of vulnerability detection to content disarm and reconstruction rules, for mitigating cyberattacks.
  • the damage may extend to resources in addition to the one initially identified as vulnerable, including, e.g., further resources of the organization that owns the initial resource, and the resources of other involved parties (customers, suppliers).
  • cyberattacks have become increasingly sophisticated and dangerous.
  • CDR Content Disarm and Reconstruction
  • the purpose of the claimed invention is to provide a computer security solution that, on the one hand, gives more vulnerability-specific protection than conventional CDR solutions and, on the other hand, gives more timely (time-critical) protection than conventional malware-analysis-based solutions.
  • the invention may be directed to a method of mitigating cyber vulnerabilities by at least one processor.
  • the method may include receiving a detection rule, representing a known cyber vulnerability associated with a specific data structure type; parsing the detection rule, to produce a generic representation of the detection rule; and based on the generic representation and the specific data structure type, creating a disarm rule for mitigating the cyber vulnerability in incoming data structures of the specific data structure type.
  • the invention may be directed to a method of mitigating cyber vulnerabilities by at least one processor, the method including receiving a target data structure of a specific data structure type; receiving a detection rule, representing a known cyber vulnerability associated with the specific data structure type; based on the detection rule, detecting at least one portion of the target data structure that comprises an instantiation of the known cyber vulnerability; creating a detected vulnerability map representing an interconnection between the detected portion and at least one section and/or element of the data structure, related to the detected portion; based on said detected vulnerability map, applying an omission action on the target data structure, to omit the detected portion and the at least one section and/or element, thus obtaining a disarmed data structure.
  • the invention may be directed to a system for mitigating cyber vulnerabilities, the system including a non-transitory memory device, wherein modules of instruction code are stored, and at least one processor associated with the memory device, and configured to execute the modules of instruction code, whereupon execution of said modules of instruction code, the at least one processor is configured to receive a detection rule, representing a known cyber vulnerability associated with a specific data structure type; parse the detection rule, to produce a generic representation of the detection rule; and based on the generic representation and the specific data structure type, create a disarm rule for mitigating the cyber vulnerability in incoming data structures of the specific data structure type.
  • said disarm rule includes an association between (a) an instantiation of the known cyber vulnerability in a data structure of the specific data structure type, and (b) at least one omission action, required for omitting at least one portion of the data structure, wherein said portion comprises the known cyber vulnerability.
  • the method further includes receiving a target data structure of the specific data structure type; and applying the omission action on the target data structure, to omit said portion, thus obtaining a disarmed data structure.
  • the method further includes receiving a target data structure of the specific data structure type; applying the detection rule, to detect at least one portion of the target data structure that comprises the instantiation of the known cyber vulnerability; creating a detected vulnerability map representing an interconnection between the detected portion and at least one section and/or element of the data structure, related to the detected portion; based on said detected vulnerability map, applying the omission action on the target data structure, to omit the detected portion, thus obtaining a disarmed data structure.
  • the omission action further comprises omission of at least one section and/or element of the data structure, related to the detected portion; and/or at least one reference to said section or element.
  • the method further includes creating a reconstruction rule based on the generic representation and the specific data structure type, wherein said reconstruction rule includes an association between (a) location of an instantiation of the known cyber vulnerability in a data structure of the specific data structure type, and (b) at least one reconstruction action, required for maintaining a predefined functionality of the data structure following omission of the known cyber vulnerability from the data structure.
  • the method further includes applying the reconstruction action on the disarmed data structure, to maintain the predefined functionality of the target data structure.
  • the data structure is selected from a list consisting of a file, a data stream, a string representing an Application Programming Interface (API) request, and a string representing an API response.
  • API Application Programming Interface
  • the detection rule is of a first type of a plurality of detection rule types
  • parsing the detection rule includes producing a generic representation that is common to (i) the first type and (ii) at least one second type of the plurality of detection rule types.
  • Fig. 1 is a block diagram, depicting a computing device which may be included in the system for mitigating cyber vulnerabilities according to some embodiments.
  • Fig. 2A is a block diagram, depicting a system for mitigating cyber vulnerabilities, according to some embodiments.
  • Fig. 2B is a block diagram, depicting a system for mitigating cyber vulnerabilities, according to alternative embodiments.
  • Fig. 3A is a flow diagram, depicting a method of mitigating cyber vulnerabilities, according to some embodiments.
  • Fig. 3B is a flow diagram, depicting a method of mitigating cyber vulnerabilities, according to alternative embodiments.
  • the terms “plurality” and “a plurality” as used herein may include, for example, “multiple” or “two or more”.
  • the terms “plurality” or “a plurality” may be used throughout the specification to describe two or more components, devices, elements, units, parameters, or the like.
  • the term “set” when used herein may include one or more items.
  • the following description of the claimed invention is provided in accordance with the task of mitigating cyber vulnerabilities in incoming data structures of a specific data structure type, wherein the data structure is a file.
  • Such a specific embodiment is provided in order for the description to be sufficiently illustrative, and it is not intended to limit the scope of protection claimed by the invention. It should be understood by one of ordinary skill in the art that the implementation of the claimed invention in accordance with such a task is provided as a non-exclusive example, and other practical implementations can be covered by the claimed invention.
  • the data structure may be a data stream, a string representing an Application Programming Interface (API) request, a string representing an API response, etc.
  • FIG. 1 is a block diagram depicting a computing device, which may be included within an embodiment of a system for mitigating cyber vulnerabilities, according to some embodiments.
  • Computing device 1 may include processor or controller 2 that may be, for example, a central processing unit (CPU) processor, a chip or any suitable computing or computational device, operating system 3, memory device 4, instruction code 5, storage system 6, input devices 7 and output devices 8.
  • processor 2 may be one or more controllers or processors, possibly across multiple units or devices.
  • More than one computing device 1 may be included in, and one or more computing devices 1 may act as the components of, a system according to embodiments of the invention.
  • Operating system 3 may be or may include any code segment (e.g., one similar to instruction code 5 described herein) designed and/or configured to perform tasks involving coordination, scheduling, arbitration, supervising, controlling or otherwise managing operation of computing device 1, for example, scheduling execution of software programs or tasks or enabling software programs or other modules or units to communicate.
  • Operating system 3 may be a commercial operating system. It will be noted that an operating system 3 may be an optional component, e.g., in some embodiments, a system may include a computing device that does not require or include an operating system 3.
  • Memory device 4 may be or may include, for example, a Random-Access Memory (RAM), a read only memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a double data rate (DDR) memory chip, a Flash memory, a volatile memory, a non-volatile memory, a cache memory, a buffer, a short-term memory unit, a long-term memory unit, or other suitable memory units or storage units.
  • Memory device 4 may be or may include a plurality of possibly different memory units.
  • Memory device 4 may be a computer or processor non-transitory readable medium, or a computer non-transitory storage medium, e.g., a RAM.
  • a non-transitory storage medium such as memory device 4, a hard disk drive, another storage device, etc. may store instructions or code which when executed by a processor may cause the processor to carry out methods as described herein.
  • Instruction code 5 may be any executable code, e.g., an application, a program, a process, task, or script. Instruction code 5 may be executed by processor or controller 2, possibly under control of operating system 3. For example, instruction code 5 may be an application that mitigates cyber vulnerabilities as further described herein. Although, for the sake of clarity, a single item of instruction code 5 is shown in Fig. 1, a system according to some embodiments of the invention may include a plurality of executable code segments or modules similar to instruction code 5 that may be loaded into memory device 4 and cause processor 2 to carry out methods described herein.
  • Storage system 6 may be or may include, for example, a flash memory as known in the art, a memory that is internal to, or embedded in, a micro controller or chip as known in the art, a hard disk drive, a CD-Recordable (CD-R) drive, a Blu-ray disk (BD), a universal serial bus (USB) device or other suitable removable and/or fixed storage unit.
  • Various types of input and output data may be stored in storage system 6 and may be loaded from storage system 6 into memory device 4 where it may be processed by processor or controller 2.
  • memory device 4 may be a non-volatile memory having the storage capacity of storage system 6. Accordingly, although shown as a separate component, storage system 6 may be embedded or included in memory device 4.
  • Input devices 7 may be or may include any suitable input devices, components, or systems, e.g., a detachable keyboard or keypad, a mouse and the like.
  • Output devices 8 may include one or more (possibly detachable) displays or monitors, speakers and/or any other suitable output devices.
  • Any applicable input/output (I/O) devices may be connected to computing device 1 as shown by blocks 7 and 8.
  • NIC network interface card
  • USB universal serial bus
  • any suitable number of input devices 7 and output devices 8 may be operatively connected to computing device 1 as shown by blocks 7 and 8.
  • a system may include components such as, but not limited to, a plurality of central processing units (CPU) or any other suitable multi-purpose or specific processors or controllers (e.g., similar to element 2), a plurality of input units, a plurality of output units, a plurality of memory units, and a plurality of storage units.
  • CPU central processing units
  • FIG. 2A is a block diagram, depicting a system 10 for mitigating cyber vulnerabilities, according to some embodiments.
  • system 10 may be implemented as a software module, a hardware module, or any combination thereof.
  • system 10 may be or may include a computing device such as element 1 of Fig. 1 .
  • system 10 may be or may include a separate program product, application or API module.
  • system 10 may be adapted to execute one or more modules of instruction code (e.g., element 5 of Fig. 1) to request, receive, analyze, calculate and produce various data in order to mitigate cyber vulnerabilities, as further described in detail herein.
  • arrows may represent flow of one or more data elements to and/or from system 10, and/or among modules or elements of system 10. Some arrows have been omitted in Fig. 2 for the purpose of clarity.
  • system 10 may include data structure analyzer 20 and detection rule converter 30, which may be implemented as the modules of instruction code (e.g., similar to instruction code 5).
  • system 10 may be configured to receive input (target) data structure 10A (e.g., a file) of specific data structure type 20A1 (e.g., .doc, .pdf format, etc.).
  • System 10 may be further configured to form input queue 11A from received input data structures 10A, e.g., placing them in order of appearance.
  • Data structure analyzer 20 may be configured to receive input data structure 10A from input queue 11A, analyze it and form data structure type information 20A about received data structure 10A (e.g., information describing file sections present in the .pdf file, their interconnection and content, such as image, text, metadata etc.).
  • detection rule converter 30 may be configured to receive data structure type information 20A. Detection rule converter 30 may be further configured to request at least one detection rule of detection rules 40A, representing known cyber vulnerability 40A1 associated with specific data structure type 20A1, defined by data structure type information 20A. Detection rules 40A may be provided by third-party detection rule database 40. In some embodiments, detection rules 40A may be selected from a plurality of detection rule types, such as Yara, Sigma, Suricata, Snort etc., which are known from the prior art. Detection rules 40A may include various combinations of hexadecimal strings, text strings, regular expressions, arithmetic actions, and may be configured to be used with different content decoders.
  • Detection rule converter 30 may be further configured to receive at least one detection rule of detection rules 40A, parse the received detection rule and produce generic representation 30A of the detection rule.
  • generic representation 30A may be such a representation that has a format common to the abovementioned detection rule types (e.g., Yara, Sigma, Suricata, Snort, and the like).
  • detection rule converter 30 may be configured to map, or parse various detection rules of various format languages and syntaxes per type. Detection rule converter 30 may thus provide generic representation 30A as a universal way of performing the following disarming actions independently of the differences in detection rules syntax and format.
  • system 10 may further include the following modules of instruction code (e.g., similar to instruction code 5): disarm rule generation module 50 and content disarm module 60.
  • disarm rule generation module 50 may be configured to receive data structure type information 20A of data structure 10A from input queue 11A and generic representation 30A of the respective detection rule. Disarm rule generation module 50 may be further configured to create disarm rule 50A based on generic representation 30A and data structure type 20A1 specified by received data structure type information 20A.
  • Disarm rule 50A may include an association between (a) instantiation 50A1 of known cyber vulnerability 40A1 in a data structure (e.g., in data structure 10A from input queue 11A) of specific data structure type 20A1 (e.g., defined by data structure type information 20A), and (b) at least one omission action 50A2, required for omitting at least one portion 10A1 of the data structure, wherein said portion 10A1 comprises known cyber vulnerability 40A1.
  • omission action 50A2 may include omission of a specific keyword located in specific section 10A2 of data structure 10A of specific data structure type 20A1.
  • omission action 50A2 may include a definition for omission of one or more sections 10A2 of data structure 10A.
  • content disarm module 60 may be configured to receive data structures 10A from input queue 11A and respective disarm rules 50A. Content disarm module 60 may be further configured to mitigate cyber vulnerabilities in an incoming data structure (e.g., in data structure 10A from input queue 11A) of specific data structure type 20A1 (e.g., defined by data structure type information 20A). In particular, content disarm module 60 may be further configured to apply omission action 50A2 of disarm rule 50A on data structure 10A from input queue 11A, to omit portion 10A1 of data structure 10A including respective known cyber vulnerability 40A1. Content disarm module 60 may be further configured to output disarmed data structure 60A.
  • system 10 may further include the following modules of instruction code (e.g., similar to instruction code 5): reconstruction rule generation module 70 and content reconstruction module 80.
  • reconstruction rule generation module 70 may be configured to receive data structure type information 20A of data structure 10A from input queue 11A and generic representation 30A of the respective detection rule. Reconstruction rule generation module 70 may be further configured to create reconstruction rule 70A based on received generic representation 30A and data structure type 20A1 specified by received data structure type information 20A.
  • Reconstruction rule 70A may include an association between (a) location 70A1 of instantiation 50A1 of known cyber vulnerability 40A1 in a data structure (e.g., in data structure 10A from input queue 11A) of specific data structure type (e.g., data structure type 20A1 defined by data structure type information 20A), and (b) at least one reconstruction action 70A2, required for maintaining a predefined functionality of the data structure following omission of known cyber vulnerability 40A1 from the data structure.
  • data structure 10A may be a .pdf file that may include a body section and a header section, wherein the header section includes an image having known cyber vulnerability 40A1.
  • reconstruction action 70A2 may include replacing the existing header section with a template header section, for example including a text message informing a user that this section was replaced in order to disarm potentially malicious content.
  • content reconstruction module 80 may be configured to receive reconstruction rule 70A and respective disarmed data structure 60A. Content reconstruction module 80 may be further configured to apply reconstruction action 70A2 of reconstruction rule 70A on disarmed data structure 60A, to maintain the predefined functionality of the target data structure (e.g., respective data structure 10A from input queue 11A). Content reconstruction module 80 may be further configured to output reconstructed data structure 80A.
  • System 10 may be further configured to output reconstructed data structures 80A as output data structures 10B.
  • FIG. 2B is a block diagram, depicting a system 10 for mitigating cyber vulnerabilities, according to alternative embodiments.
  • Embodiments represented in Fig. 2B are similar in general aspects to embodiments represented in Fig. 2A, except for the further described aspects.
  • Embodiments represented in Fig. 2B provide preliminary detection and analysis of instantiations of known cyber vulnerabilities in input data structures (e.g., data structures 10A from input queue 11A). Such detection and analysis provide the ability to perform omission actions on the minimum reasonable amount of data and thus reduce the risk of irrevocably corrupting data structures.
  • system 10 may further include vulnerability detection module 90 (e.g., implemented as a module of instruction code similar to instruction code 5).
  • Vulnerability detection module 90 may be configured to receive data structures 10A from input queue 11A and detection rules 40A representing known cyber vulnerabilities associated with the data structure types of the respective data structures (the same detection rules 40A as requested by detection rule converter 30 for the specific data structure 10A from input queue 11A).
  • vulnerability detection module 90 may be further configured to apply respective detection rule 40A, to detect a portion of the data structure (e.g., portion 10A1 of data structure 10A from input queue 11A) that includes instantiation 50A1 of respective known cyber vulnerability 40A1.
  • Vulnerability detection module 90 may be further configured to create detected vulnerability map 90B representing the interconnection between detected portion 10A1 and at least one section 10A2 and/or element 10A3 of the data structure (e.g., of data structure 10A from input queue 11A), related to detected portion 10A1.
  • detected vulnerability map 90B may include additional information on the structure of the detected vulnerability and its relation to data structure 10A. Such additional information may include the specific detected keyword which is suspected to include instantiation 50A1 of known cyber vulnerability 40A1, information about the location of the keyword, information about various accompanying data, references to the detected keyword throughout data structure 10A, etc.
  • detection rule 40A may represent several interconnected known cyber vulnerabilities 40A1.
  • detected vulnerability map 90B may include additional information on the structure of each detected vulnerability 40A1 of detection rule 40A, taking into account their interconnection and their relation to data structure 10A. In case only part of the interconnected vulnerabilities 40A1 are detected in data structure 10A, the detected vulnerability map may accordingly include information regarding only the detected part.
  • Vulnerability detection module 90 may be further configured to label data structure 10A as potentially safe in case no portion that includes instantiation 50A1 of respective known cyber vulnerability 40A1 is detected in data structure 10A, and, accordingly, to output safe data structures 90A.
  • Content disarm module 60 may be further configured to receive data structures 10A from input queue 11A, respective disarm rule 50A and detected vulnerability map 90B.
  • content disarm module 60 may be configured to analyze whether it is sufficient to omit only the keyword which is suspected to include instantiation 50A1 of known cyber vulnerability 40A1, or whether the entire related content (e.g., entire section 10A2 of data structure 10A, references 10A4 to the keyword, etc.) should be omitted in order to disarm potentially malicious content.
  • Content disarm module 60 may be further configured to apply, based on said detected vulnerability map 90B, omission action 50A2 of disarm rule 50A on the target data structure (e.g., data structure 10A from input queue 11A), to omit the determined sufficient amount of data.
  • Such sufficient amount of data may include, e.g., portion 10A1 of data structure 10A that includes instantiation 50A1 of respective known cyber vulnerability 40A1, corresponding section 10A2 and/or element 10A3 of data structure 10A, related to detected portion 10A1, at least one reference 10A4 to said section 10A2, element 10A3 or portion 10A1, etc.
  • Content disarm module 60 may be further configured to output respective disarmed data structure (e.g., disarmed data structure 60A).
  • System 10 may be further configured to include safe data structures 90A in output data structures 10B, in addition to reconstructed data structures 80A.
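The flow of Figs. 2A and 2B, modelled end to end as an added example (not the patent's or the assignee's code): a constructed, simplified PDF-like structure of named sections, constructed Yara-like and Sigma-like rules for an invented marker, parsing of both into one generic representation (30A), derivation of the disarm rule (50A) and the reconstruction action (70A2) from that representation and the structure type, detection into a vulnerability map (90B), omission of the flagged section plus the references to it, and template reconstruction. The section format, the rule syntax, the marker and the per-type omission policy are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a simplified PDF-like structure; "@name" tokens reference other sections.
SAMPLE_PDF = {
    "header": "%PDF-1.7 @img1 @body",
    "img1": "JFIF image bytes ... EVIL_MARKER ... end",  # flagged image
    "body": "Hello world, see @img1",
}
# Constructed Yara-like and Sigma-like rules for the same invented marker.
YARA_RULE = """rule evil_img {
    strings:
        $a = "EVIL_MARKER"
        $b = { 4A 46 49 46 }
    condition: all of them
}"""
SIGMA_RULE = {"title": "evil_img", "detection": {
    "keywords": ["EVIL_MARKER", "JFIF"], "condition": "all of them"}}

@dataclass
class GenericRule:
    """Generic representation (30A) shared by all detection rule types."""
    name: str
    patterns: list
    match_all: bool

@dataclass
class VulnerabilityMap:  # detected vulnerability map 90B
    section: str      # section 10A2 holding the detected portion 10A1
    keywords: list    # matched patterns, i.e. the detected portions
    references: list  # sections carrying references 10A4 to that section

@dataclass
class DisarmRule:
    """Disarm rule (50A): instantiation -> omission action 50A2."""
    rule: GenericRule
    scope: str             # "keyword" or "section"
    drop_references: bool

def parse_detection_rule(rule):
    """Map a Yara-like text rule or a Sigma-like dict to one GenericRule."""
    if isinstance(rule, dict):
        det = rule["detection"]
        return GenericRule(rule["title"], list(det["keywords"]), "all" in det["condition"])
    name = re.search(r"rule\s+(\w+)", rule).group(1)
    patterns = re.findall(r'=\s*"([^"]*)"', rule)              # text strings
    for hexs in re.findall(r"=\s*\{([0-9A-Fa-f ]+)\}", rule):  # hex strings
        patterns.append(bytes.fromhex(hexs.replace(" ", "")).decode("latin-1"))
    return GenericRule(name, patterns, "all of them" in rule)

def make_rules(rule, structure_type):
    """Derive the disarm rule and the reconstruction rule (reduced to its template
    action 70A2) from the generic representation and the data structure type.
    Constructed policy: "pdf" drops the whole section and its references, "txt" only keywords."""
    if structure_type == "pdf":
        return DisarmRule(rule, "section", True), "[section %s removed by CDR]"
    return DisarmRule(rule, "keyword", False), ""

def detect(structure, rule):
    """Apply the generic rule per section; one vulnerability map per hit."""
    maps = []
    for name, body in structure.items():
        hits = [p for p in rule.patterns if p in body]
        if not hits or (rule.match_all and len(hits) < len(rule.patterns)):
            continue
        refs = [n for n, b in structure.items() if n != name and f"@{name}" in b]
        maps.append(VulnerabilityMap(name, hits, refs))
    return maps

def disarm(structure, vmaps, drule):
    """Omission action 50A2, sized by the vulnerability map and rule scope."""
    out = dict(structure)
    for vm in vmaps:
        if drule.scope == "section":
            out[vm.section] = None                      # slot kept for 70A2
            for ref in (vm.references if drule.drop_references else []):
                if out[ref] is not None:                # drop dangling refs
                    out[ref] = re.sub(rf"\s*@{re.escape(vm.section)}\b", "", out[ref])
        else:
            for kw in vm.keywords:
                out[vm.section] = out[vm.section].replace(kw, "")
    return out

def reconstruct(disarmed, vmaps, template):
    """Reconstruction action 70A2 at each omitted location 70A1."""
    out = dict(disarmed)
    for vm in vmaps:
        if out[vm.section] is None:
            out[vm.section] = template % vm.section
    return out

def cdr_pipeline(structure, structure_type, detection_rule):
    """Fig. 2B flow: parse, detect, then disarm and reconstruct, or label safe."""
    generic = parse_detection_rule(detection_rule)
    vmaps = detect(structure, generic)
    if not vmaps:
        return dict(structure), "safe"                  # safe structure 90A
    drule, template = make_rules(generic, structure_type)
    return reconstruct(disarm(structure, vmaps, drule), vmaps, template), "disarmed"
```

Running `cdr_pipeline(SAMPLE_PDF, "pdf", YARA_RULE)` removes the `img1` section, strips the `@img1` references from `header` and `body`, and leaves a notice in place of the image; the same structure with no hit, or with only one of two "all of them" patterns present, is labelled safe and passed through unchanged.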
  • In Fig. 3A, a flow diagram is presented, depicting a method of mitigating cyber vulnerabilities, by at least one processor, according to some embodiments.
  • the at least one processor (e.g., processor 2 of Fig. 1) may perform receiving a target data structure (e.g., input data structure 10A) of the specific data structure type (e.g., data structure type 20A1).
  • Step S1005 may be carried out by data structure analyzer 20 (as described with reference to Figs. 2A and 2B).
  • the at least one processor may perform receiving of a detection rule (e.g., detection rule 40A), representing a known cyber vulnerability (e.g., known cyber vulnerability 40A1) associated with a specific data structure type (e.g., data structure type 20A1, defined by data structure type information 20A).
  • Step S1010 may be carried out by detection rule converter 30 and vulnerability detection module 90 (as described with reference to Figs. 2A and 2B).
  • the at least one processor may perform parsing of the detection rule (e.g., detection rule 40A), to produce a generic representation (e.g., generic representation 30A) of the detection rule.
  • Step S1015 may be carried out by detection rule converter 30 (as described with reference to Figs. 2A and 2B).
  • the at least one processor (e.g., processor 2 of Fig. 1) may perform creation of a disarm rule (e.g., disarm rule 50A) for mitigating the cyber vulnerability (e.g., cyber vulnerability 40A1) in incoming data structures (e.g., in data structure 10A from input queue 11A) of the specific data structure type (e.g., data structure type 20A1, defined by data structure type information 20A), based on the generic representation (e.g., generic representation 30A) and the specific data structure type (e.g., data structure type 20A1).
  • Said disarm rule comprises an association between (a) an instantiation of the known cyber vulnerability in the data structure of the specific data structure type (e.g., instantiation 50A1 of known cyber vulnerability 40A1 in data structure 10A of specific data structure type 20A1), and (b) at least one omission action (e.g., omission action 50A2), required for omitting at least one portion of the data structure (e.g., portion 10A1 of data structure 10A), wherein said portion comprises the known cyber vulnerability.
  • Step S1020 may be carried out by disarm rule generation module 50 (as described with reference to Figs. 2A and 2B).
  • the at least one processor may perform creation of a reconstruction rule (e.g., reconstruction rule 70A) based on the generic representation (e.g., generic representation 30A) and the specific data structure type (e.g., data structure type 20A1, defined by data structure type information 20A).
  • Said reconstruction rule comprises an association between (a) a location of the instantiation of the known cyber vulnerability in the data structure of the specific data structure type (e.g., location 70A1 of instantiation 50A1 of known cyber vulnerability 40A1 in data structure 10A of specific data structure type 20A1), and (b) at least one reconstruction action (e.g., reconstruction action 70A2), required for maintaining a predefined functionality of the data structure (e.g., data structure 10A) following omission of the known cyber vulnerability (e.g., known cyber vulnerability 40A1) from the data structure (e.g., data structure 10A).
  • Step S1025 may be carried out by reconstruction rule generation module 70 (as described with reference to Figs. 2A and 2B).
  • the at least one processor may perform applying of the omission action (e.g., omission action 50A2) on the target data structure (e.g., data structure 10A), to omit said portion (e.g., portion 10A1), thus obtaining a disarmed data structure (e.g., disarmed data structure 60A).
  • Step S1030 may be carried out by content disarm module 60 (as described with reference to Figs. 2A and 2B).
  • the at least one processor may perform applying of the reconstruction action (e.g., reconstruction action 70A2) on the disarmed data structure (e.g., disarmed data structure 60A), to maintain the predefined functionality of the target data structure (e.g., data structure 10A).
  • Step S1035 may be carried out by content reconstruction module 80 (as described with reference to Figs. 2A and 2B).
  • In FIG. 3B, a flow diagram is presented, depicting a method of mitigating cyber vulnerabilities by at least one processor, according to alternative embodiments.
  • the at least one processor may perform receiving a target data structure (e.g., input data structure 10A) of a specific data structure type (e.g., data structure type 20A1).
  • Step S2005 may be carried out by data structure analyzer 20 (as described with reference to Figs. 2A and 2B).
  • the at least one processor may perform receiving a detection rule (e.g., detection rule 40A), representing a known cyber vulnerability (e.g., known cyber vulnerability 40A1) associated with the specific data structure type (e.g., data structure type 20A1).
  • Step S2010 may be carried out by detection rule converter 30 and vulnerability detection module 90 (as described with reference to Figs. 2A and 2B).
  • the at least one processor may perform detecting, based on the detection rule (e.g., detection rule 40A), at least one portion of the target data structure (e.g., portion 10A1 of data structure 10A) that comprises an instantiation of the known cyber vulnerability (e.g., instantiation 50A1 of known cyber vulnerability 40A1).
  • Step S2015 may be carried out by vulnerability detection module 90 (as described with reference to Figs. 2A and 2B).
  • the at least one processor may perform creating a detected vulnerability map (e.g., detected vulnerability map 90B) representing an interconnection between the detected portion (e.g., portion 10A1) and at least one section and/or element of the data structure (e.g., section 10A2 and/or element 10A3 of data structure 10A), related to the detected portion.
  • Step S2020 may be carried out by vulnerability detection module 90 (as described with reference to Figs. 2A and 2B).
  • the at least one processor may perform applying, based on said detected vulnerability map (e.g., detected vulnerability map 90B), an omission action (e.g., omission action 50A2) on the target data structure (e.g., data structure 10A), to omit the detected portion (e.g., portion 10A1) and the at least one section and/or element (e.g., section 10A2 and/or element 10A3), thus obtaining a disarmed data structure (e.g., disarmed data structure 60A).
  • Step S2025 may be carried out by content disarm module 60 (as described with reference to Figs. 2A and 2B).
  • the example is directed to the mitigation of Log4Shell (CVE-2021-44228), which was a newly discovered vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution.
  • data structure analyzer 20 may receive an API module, which includes references to Apache Log4j logging utility functions, as input data structure 10A.
  • this API module may include the following instruction code:
  • Data structure analyzer 20 may analyze the received API module and form data structure type information 20A about the received API module, including information identifying the presence of logging functions provided by Apache Log4j.
  • Detection rule converter 30 may further receive data structure type information 20A. Detection rule converter 30 may further request a corresponding detection rule 40A, representing known cyber vulnerability 40A1 (e.g., Log4Shell (CVE-2021-44228)) associated with said data structure type 20A1 (e.g., API module utilizing logging functions of Apache Log4j), defined by data structure type information 20A.
  • Detection rule 40A dedicated to Log4Shell (CVE-2021-44228) vulnerability 40A1 may include the following instruction code (e.g., instruction code 5):
  • the abovementioned detection rule 40A is provided by the GitHub Community.
  • Detection rule converter 30 may further receive said detection rule 40A.
  • Detection rule converter 30 may further parse received detection rule 40A and produce generic representation 30A of the detection rule.
  • generic representation 30A will simply include the same instructions (e.g., instruction code 5) as the described detection rule 40A.
  • Vulnerability detection module 90 may further receive data structure 10A (the described API module) and said detection rule 40A. Vulnerability detection module 90 may apply said detection rule 40A and detect the following portion 10A1: "targetexamplesite[.]com${jndi:ldap://127.0.0.1:6000}". As can be seen, this portion 10A1 includes the following instantiation 50A1 of respective vulnerability 40A1: "0xe8:$x01: ${jndi:ldap:/".
  • Vulnerability detection module 90 may further create detected vulnerability map 90B representing the interconnection between said portion 10A1 and at least one section 10A2 and/or element 10A3 of said API module, related to detected portion 10A1.
  • detected vulnerability map 90B may include information indicating that said vulnerability 40A1 is located at object “request.header.host” of said API module.
  • Disarm rule generation module 50 may further receive data structure type information 20A and generic representation 30A specified above.
  • Disarm rule generation module 50 may further create disarm rule 50A based on generic representation 30A and data structure type 20A1 specified by received data structure type information 20A.
  • Disarm rule 50A may include an association between (a) instantiation 50A1 of known cyber vulnerability 40A1 (which is "0xe8:$x01: ${jndi:ldap:/" in this example), and (b) at least one omission action 50A2.
  • the omission action 50A2 may include omission of some special characters (e.g., “$”) that are related to the detected portion 10A1.
  • omission action 50A2 may include the following instructions:
  • Content disarm module 60 may further receive data structure 10A (e.g., said API module), said disarm rule 50A and detected vulnerability map 90B.
  • Content disarm module 60 may further apply, based on said detected vulnerability map 90B, omission action 50A2 of disarm rule 50A on said API module, to omit the determined sufficient amount of data.
  • content disarm module 60 may apply the following instructions:
  • connection .. ⁇ .
  • Content disarm module 60 may further output respectively disarmed data structure 60A.
  • disarmed data structure 60A may have the same instructions as the API module except for the portion 10A1 which, after the omission, may be the following: "host": "targetexamplesite[.]com".
  • Reconstruction rule generation module 70 may further receive said data structure type information 20A and generic representation 30A. Reconstruction rule generation module 70 may further create reconstruction rule 70A.
  • Reconstruction rule 70A may include an association between (a) location 70A1 of instantiation 50A1 of known cyber vulnerability 40A1 in said API module (which is object "request.header", according to the example), and (b) reconstruction action 70A2, required for maintaining a predefined functionality of the API module following omission of cyber vulnerability 40A1 from it.
  • reconstruction action 70A2 may either be skipped or, for instance, include substitution of the initially indicated host address (//127.0.0.1:6000) by the predefined template.
  • reconstruction rule 70A may include the following instructions:
  • reconstructed data structure 80A may include the following amendments to the portion 10A1: "host": "Ariel.ac.il/alert.html".
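The pipeline described in the method steps above (detection rule, generic representation, disarm rule with its omission action, reconstruction rule with its reconstruction action, and the disarm and reconstruction steps that apply them) and instantiated in the Log4Shell example, as an added Python example that is not part of the patent or of any product of the assignee. It assumes the API module is a nested dictionary, that detection rule 40A is a single regular expression (the page's instruction code 5 is not shown, so the pattern is an assumption), that omission action 50A2 removes the entire `${...}` lookup beginning at the detected instantiation, and that reconstruction action 70A2 substitutes the affected field under location `request.header` with a predefined template. The sample request and the template value `alert.example/alert.html` are constructed stand-ins; all function names are the example's own.

```python
"""Detection rule -> generic representation -> disarm rule -> reconstruction rule.

Added example, not the patent's own code. Numbers in comments (10A, 30A, 50A,
70A, 90B) refer to the elements of the description above.
"""
import copy
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample input standing in for data structure 10A: an API request
# whose Host header carries a JNDI lookup string, like portion 10A1 on the page.
SAMPLE_REQUEST = {
    "request": {
        "header": {
            "host": "targetexamplesite[.]com${jndi:ldap://127.0.0.1:6000}",
            "user-agent": "example-client/1.0",
        },
        "body": "",
    }
}

# Detection rule 40A as one regular expression for instantiation 50A1.
# Assumption: the page's "instruction code 5" is not shown, so this pattern is constructed.
DETECTION_RULE = {"name": "CVE-2021-44228", "pattern": r"\$\{jndi:ldap:/"}

# Assumption: a constructed placeholder for the page's predefined reconstruction template.
ALERT_TEMPLATE = "alert.example/alert.html"

# Detected vulnerability map 90B: (dotted path of the field, its value).
VulnerabilityMap = List[Tuple[str, str]]


@dataclass
class GenericRepresentation:  # generic representation 30A
    vulnerability: str
    instantiation: re.Pattern


@dataclass
class DisarmRule:  # disarm rule 50A: instantiation 50A1 + omission action 50A2
    instantiation: re.Pattern
    omission: Callable[[str], str]


@dataclass
class ReconstructionRule:  # reconstruction rule 70A: location 70A1 + reconstruction action 70A2
    location: str
    action: Callable[[str], str]


def convert_detection_rule(rule: Dict[str, str]) -> GenericRepresentation:
    """Detection rule converter 30: parse the rule into a compiled, tool-independent form."""
    return GenericRepresentation(rule["name"], re.compile(rule["pattern"]))


def make_disarm_rule(generic: GenericRepresentation) -> DisarmRule:
    """Disarm rule generation 50: the omission action drops the whole ${...} lookup
    that begins at the detected instantiation, so no lookup syntax survives."""
    lookup = re.compile(generic.instantiation.pattern + r"[^}]*\}")
    return DisarmRule(generic.instantiation, lambda value: lookup.sub("", value))


def make_reconstruction_rule(location: str, template: str) -> ReconstructionRule:
    """Reconstruction rule generation 70: a disarmed field under `location` is
    replaced by the predefined template so the request stays well-formed."""
    return ReconstructionRule(location, lambda _value: template)


def _walk(node, path=""):
    """Yield (dotted path, value) for every string leaf of a nested dict."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, str):
        yield path, node


def _parent(data: dict, path: str):
    """Return (containing dict, leaf key) for a dotted path."""
    *parents, leaf = path.split(".")
    node = data
    for key in parents:
        node = node[key]
    return node, leaf


def detect(data: dict, generic: GenericRepresentation) -> VulnerabilityMap:
    """Vulnerability detection 90: map every location holding instantiation 50A1."""
    return [(p, v) for p, v in _walk(data) if generic.instantiation.search(v)]


def disarm(data: dict, vmap: VulnerabilityMap, rule: DisarmRule) -> dict:
    """Content disarm 60: apply omission action 50A2 at each mapped location; input is left intact."""
    out = copy.deepcopy(data)
    for path, value in vmap:
        node, leaf = _parent(out, path)
        node[leaf] = rule.omission(value)
    return out


def reconstruct(disarmed: dict, vmap: VulnerabilityMap, rule: ReconstructionRule) -> dict:
    """Content reconstruction 80: apply reconstruction action 70A2 to mapped fields under location 70A1."""
    out = copy.deepcopy(disarmed)
    for path, _ in vmap:
        if path == rule.location or path.startswith(rule.location + "."):
            node, leaf = _parent(out, path)
            node[leaf] = rule.action(node[leaf])
    return out


def mitigate(data: dict, detection_rule=DETECTION_RULE, template=ALERT_TEMPLATE):
    """Run the full pipeline; returns (vulnerability map, disarmed copy, reconstructed copy)."""
    generic = convert_detection_rule(detection_rule)
    vmap = detect(data, generic)
    disarmed = disarm(data, vmap, make_disarm_rule(generic))
    reconstructed = reconstruct(disarmed, vmap, make_reconstruction_rule("request.header", template))
    return vmap, disarmed, reconstructed


if __name__ == "__main__":
    found, disarmed_req, rebuilt_req = mitigate(SAMPLE_REQUEST)
    print(found)
    print(disarmed_req["request"]["header"]["host"])
    print(rebuilt_req["request"]["header"]["host"])
```

The detection regex and the omission regex are kept separate on purpose: the generic representation carries only what the detection rule states, and the disarm rule derives the span to omit from it, which is the conversion step the description attributes to disarm rule generation module 50. An input that matches nothing yields an empty map, and both the disarmed and reconstructed copies are then identical to the input.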
  • the claimed invention represents a system and method having a practical application of mitigating cyber vulnerabilities.
  • Embodiments of the invention may improve computer technology by providing a technical effect of increasing protection against cyberattacks.
  • the claimed invention represents a computer security solution which provides more vulnerability-specific protection than conventional CDR solutions on the one hand and more time-critical protection than conventional malware-analysis-based solutions on the other hand.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Business, Economics & Management (AREA)
  • Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates generally to cybersecurity systems and methods. More particularly, the present invention relates to the automated transfer of vulnerability detection to content disarm and reconstruction rules in order to mitigate cyberattacks. In its general aspect, the invention may relate to a method and system for mitigating cyber vulnerabilities by at least one processor, the method comprising receiving a detection rule representing a known cyber vulnerability associated with a specific data structure type; parsing the detection rule to produce a generic representation of the detection rule; and, based on the generic representation and the specific data structure type, creating a disarm rule for mitigating the cyber vulnerability in incoming data structures of the specific data structure type.
PCT/IL2023/051024 2022-09-21 2023-09-21 Procédé et système de transfert automatisé de détection de vulnérabilité à des règles de désamorçage et de reconstruction de contenu WO2024062484A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202263408631P 2022-09-21 2022-09-21
US63/408,631 2022-09-21

Publications (1)

Publication Number Publication Date
WO2024062484A1 true WO2024062484A1 (fr) 2024-03-28

Family

ID=90453960

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2023/051024 WO2024062484A1 (fr) 2022-09-21 2023-09-21 Procédé et système de transfert automatisé de détection de vulnérabilité à des règles de désamorçage et de reconstruction de contenu

Country Status (1)

Country Link
WO (1) WO2024062484A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1887754A1 (fr) * 2006-08-10 2008-02-13 Deutsche Telekom AG System providing early detection, warning and response to electronic threats
US20090178144A1 (en) * 2000-11-13 2009-07-09 Redlich Ron M Data Security System and with territorial, geographic and triggering event protocol
US20190268352A1 (en) * 2018-02-26 2019-08-29 OPSWAT, Inc. Method for content disarm and reconstruction (cdr)
US20190311118A1 (en) * 2017-01-05 2019-10-10 Votiro Cybersec Ltd. Providing a fastlane for disarming malicious content in received input content
CN114531306A (zh) * 2022-04-24 2022-05-24 北京安博通金安科技有限公司 Real-time detection method and system based on threat behavior

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090178144A1 (en) * 2000-11-13 2009-07-09 Redlich Ron M Data Security System and with territorial, geographic and triggering event protocol
EP1887754A1 (fr) * 2006-08-10 2008-02-13 Deutsche Telekom AG System providing early detection, warning and response to electronic threats
US20190311118A1 (en) * 2017-01-05 2019-10-10 Votiro Cybersec Ltd. Providing a fastlane for disarming malicious content in received input content
US20190268352A1 (en) * 2018-02-26 2019-08-29 OPSWAT, Inc. Method for content disarm and reconstruction (cdr)
CN114531306A (zh) * 2022-04-24 2022-05-24 北京安博通金安科技有限公司 Real-time detection method and system based on threat behavior

Similar Documents

Publication Publication Date Title
US10956477B1 (en) System and method for detecting malicious scripts through natural language processing modeling
JP6530786B2 (ja) System and method for detecting malicious elements of web pages
US10972495B2 (en) Methods and apparatus for detecting and identifying malware by mapping feature data into a semantic space
US11381598B2 (en) Phishing detection using certificates associated with uniform resource locators
US9253208B1 (en) System and method for automated phishing detection rule evolution
US9544318B2 (en) HTML security gateway
US20200210424A1 (en) Query engine for remote endpoint information retrieval
US11671448B2 (en) Phishing detection using uniform resource locators
US9083729B1 (en) Systems and methods for determining that uniform resource locators are malicious
Nunan et al. Automatic classification of cross-site scripting in web pages using document-based and URL-based features
US12021894B2 (en) Phishing detection based on modeling of web page content
US10445501B2 (en) Detecting malicious scripts
US20140173730A1 (en) Security Method and Apparatus
US11470114B2 (en) Malware and phishing detection and mediation platform
WO2015109912A1 (fr) Buffer overflow attack detection device and method, and security protection system
US9779250B1 (en) Intelligent application wrapper
Malviya et al. Development of web browser prototype with embedded classification capability for mitigating Cross-Site Scripting attacks
CN109150790B (zh) Web页面爬虫识别方法和装置
Nguyen et al. Improving web application firewalls with automatic language detection
Fang et al. Pbdt: Python backdoor detection model based on combined features
Odebade et al. Mitigating anti-forensics in the cloud via resource-based privacy preserving activity attribution
US9398041B2 (en) Identifying stored vulnerabilities in a web service
Sriramya et al. Anomaly based detection of cross site scripting attack in web applications using gradient boosting classifier
WO2024062484A1 (fr) Procédé et système de transfert automatisé de détection de vulnérabilité à des règles de désamorçage et de reconstruction de contenu
Pu et al. BERT‐Embedding‐Based JSP Webshell Detection on Bytecode Level Using XGBoost

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23867754

Country of ref document: EP

Kind code of ref document: A1