Modern methods of information exchange use a complex mix of code and content. For example, a significant amount of data is exchanged by requesting content or information from web servers or other servers configured to deliver information over a data network, and receiving the information in a browser or other similarly usable application. For the clarity of the description, a web server is used as an example of a server supplying the mix of content and code, and a browser is used as an example of an application that receives such a mix.
Often, the server supplies the requested information with code. The browser uses the code to arrange or present the information, manipulate or modify the information, validate or secure the information, or perform some computation relative to the information.
Any number of servers or server applications can supply the requested information. Similarly, the code portion of the code-content mix received at a browser can come from any number of servers. Furthermore, the code can take any of the many possible forms that are suitable for this purpose. A script is code written in a scripting language. Like other types of code, scripts can be embedded in the data received into a browser.
It is not uncommon for scripts to be inserted in a data exchange between a browser and a server. Often, such script insertion has a malicious intention, which can range from minor to major breaches. For example, some malicious scripts are inserted in the data reaching a browser to present advertisements and offers to the user of the browser. Some other scripts are inserted to track a user's activities on the browser. Still other scripts are inserted to collect sensitive information such as passwords or account numbers. Scripts capable of violating an organization's data security to steal large amounts of financial data, sensitive information, or to perform corporate espionage are also known to exist.
Presently, software such as antivirus tools, anti-malware applications, browser safety add-ons, ad blockers, and server blacklists are available to deal with the ever increasing epidemic of malicious code. These presently available technologies essentially match portions of suspect code against lists of previously seen suspect code fragments known as signatures. If the portion of the suspect code matches a signature, the presently available solutions flag the code as malicious. If a code is inserted by a known malicious source, such as a server on a blacklist, the presently available solutions flag the code as malicious. Presently available solutions also prevent the code that is flagged as malicious from executing.