Detection of polymorphic script language viruses by data driven lexical analysis

US 20020073330A1
Filed: 07/14/2001
Published: 06/13/2002
Est. Priority Date: 07/14/2000
Status: Active Grant

First Claim

Patent Images

1. A method of detecting script language viruses in data streams comprising:

preparing language description data corresponding to at least one script language;

preparing detection data for viral code corresponding to the script language virus; and

lexically analyzing a data stream using the language description data and the detection data to detect the viral code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for detecting script language viruses is provided. The apparatus includes a script language processor, a detection data processor and a detection engine. The script language processor prepares language description data corresponding to at least one script language. The detection data processor prepares detection data for viral code corresponding to the script language virus. The detection engine lexically analyzes a data stream using the language description data and the detection data to detect the viral code. The language description data may correspond to language definition rules and language check rules. The data stream may be converted to a stream of tokens, wherein the lexical analysis is performed on the token stream. The script language virus detection apparatus may be a computer program stored on a computer readable medium and/or transmitted via a computer network or other transmission medium.

Citations

23 Claims

1. A method of detecting script language viruses in data streams comprising:
- preparing language description data corresponding to at least one script language;
  
  preparing detection data for viral code corresponding to the script language virus; and
  
  lexically analyzing a data stream using the language description data and the detection data to detect the viral code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein the language description data correspond to Dynamic Finite Automata data.
  - 3. The method of claim 2, wherein the Dynamic Finite Automata data comprises a set of states, with each state having a corresponding set of transitions and each transition having an associated character to be matched and an associated next state.
  - 4. The method of claim 1, wherein the language description data correspond to language definition rules and language check rules.
  - 5. The method of claim 4, wherein the lexical analysis includes one or more pattern matches based on the language definition rules.
  - 6. The method of claim 4, wherein a script language used by the data stream is determined by the lexical analysis using the language check rules.
  - 7. The method of claim 1 further comprising setting language definition rules for each of the at least one script language.
  - 8. The method of claim 1, wherein the detection data comprise at least one test, wherein each of the at least one test correspond to a pattern match or a cyclical redundancy check.
  - 9. The method of claim 1, wherein the step of preparing detection data comprises:
    - obtaining samples of the viral code;
      
      analyzing the obtained samples; and
      
      setting a detection regimen that includes at least one pattern match or cyclical redundancy check based on the analysis of the obtained samples.
  - 10. The method of claim 1, wherein the data stream is converted to a stream of tokens using lexical analysis.
  - 11. The method of claim 10, wherein the tokens correspond to respective language constructs.
  - 12. The method of claim 10, wherein a cyclical redundancy check is performed on the stream of tokens to detect viral code.
  - 17. The apparatus of claim 16, wherein the language description data correspond to Dynamic Finite Automata data.
  - 18. The apparatus of claim 17, wherein the Dynamic Finite Automata data comprises at least one set of states, with each state having a corresponding set of transitions and each transition having an associated character to be matched and an associated next state.
  - 19. The apparatus of claim 16, wherein the language description data correspond to language definition rules and language check rules.
  - 20. The apparatus of claim 19, wherein the lexical analysis by the detection engine includes one or more pattern matches based on the language definition rules.
  - 21. The apparatus of claim 19, wherein a script language used by the data stream is determined by the lexical analysis of the detection engine using the language check rules.
  - 22. The apparatus of claim 16, wherein the detection data comprise at least one test, and each of the at least one test correspond to a pattern match or a cyclical redundancy check.
  - 23. The apparatus of claim 16, wherein detection engine converts the data stream to a stream of tokens using lexical analysis, and the tokens correspond to respective language constructs.

13. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform method steps for detecting script language viruses, the method steps comprising:
- preparing language description data corresponding to at least one script language;
  
  preparing detection data for viral code corresponding to the script language virus; and
  
  lexically analyzing a data stream using the language description data and the detection data to detect the viral code.

14. A computer system, comprising:
- a processor; and
  
  a program storage device readable by the computer system, tangibly embodying a program of instructions executable by the processor to perform method steps for detecting script language viruses, the method steps comprising;
  
  preparing language description data corresponding to at least one script language;
  
  preparing detection data for viral code corresponding to the script language virus; and
  
  lexically analyzing a data stream using the language description data and the detection data to detect the viral code.

15. A computer data signal embodied in a transmission medium which embodies instructions executable by a computer for detecting a script language virus, comprising:
- a first segment including script language processor code to prepare language description data corresponding to at least one script language;
  
  a second segment including detection data processor code to prepare detection data for viral code corresponding to the script language virus; and
  
  a third segment including detection engine code to lexically analyze a data stream using the language description data and the detection data to detect viral code.

16. An apparatus for detecting script language viruses, comprising:
- a script language processor, wherein the script language processor prepares language description data corresponding to at least one script language;
  
  a detection data processor, wherein the detection data processor prepares detection data for viral code corresponding to a script language virus; and
  
  a detection engine, wherein the detection engine lexically analyzes a data stream using the language description data and the detection data to detect the viral code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Chandnani, Anjali, Yann, Trevor

Granted Patent

US 7,636,945 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/563 by source code analysis

Detection of polymorphic script language viruses by data driven lexical analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of polymorphic script language viruses by data driven lexical analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links