High-Performance Context-Free Parser for Polymorphic Malware Detection
First Claim
1. An apparatus for inspecting a packet stream comprising:
- an inspection block for inspecting the packet stream;
- a tokenizer coupled to the inspection block for converting the output of the inspection block to a stream of tokens;
- a parser for receiving the token stream and for verifying grammatical structure of the token stream.
Abstract
The invention provides a method and apparatus for advanced network intrusion detection. The system uses deep packet inspection that can recognize languages described by context-free grammars, combining the inspection stage with one or more grammar parsers (409A-409M). Because detection is driven by grammatical structure rather than fixed byte signatures, the system can detect token streams (408) even when the code that produces them is polymorphic. It looks for tokens at multiple byte alignments and can track multiple suspicious token streams (408) at once. The invention can detect languages expressed in LL(1) or LR(1) grammar. The result is a system that can detect attacking code wherever it is located in the data stream (408).
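The inspect-tokenize-parse pipeline the abstract describes, as an added example that is not the patent's own implementation: a tokenizer is started at every byte offset of the stream (so alignment does not matter), and a small LL(1) recursive-descent parser checks whether the resulting token stream has the grammatical structure of a self-decoding stub. The token table, the x86-style opcode patterns, the grammar, and the sample stream are all constructed for this illustration; two variants of the stub differ in register choice, counter setup, key byte and inserted NOPs, which a byte signature would miss and the grammar still accepts.

```python
"""Added example: byte-stream tokenizer plus an LL(1) parser that detects a
polymorphic decoder stub at any byte alignment. All opcode patterns, the
grammar and the sample data are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# --- Tokenizer: each entry maps a token name to a matcher that returns the
# token length at offset i, or 0 if the bytes there do not match.
Matcher = Callable[[bytes, int], int]

def fixed(pattern: bytes) -> Matcher:
    return lambda buf, i: len(pattern) if buf[i:i + len(pattern)] == pattern else 0

def opcode_imm(op: bytes, imm_len: int) -> Matcher:
    n = len(op) + imm_len  # opcode followed by an immediate of any value
    return lambda buf, i: n if buf[i:i + len(op)] == op and i + n <= len(buf) else 0

def pop_reg(buf: bytes, i: int) -> int:  # 0x58..0x5F: POP of any 32-bit register
    return 1 if i < len(buf) and 0x58 <= buf[i] <= 0x5F else 0

TOKEN_TABLE: List[Tuple[str, Matcher]] = [  # x86-style patterns (assumption)
    ("CALL_NEXT", fixed(b"\xE8\x00\x00\x00\x00")),  # call $+5: get-PC trick
    ("POP",       pop_reg),
    ("XOR_ECX",   fixed(b"\x31\xC9")),
    ("MOV_CL",    opcode_imm(b"\xB1", 1)),
    ("MOV_ECX",   opcode_imm(b"\xB9", 4)),
    ("XOR_MEM",   opcode_imm(b"\x80\x36", 1)),      # xor byte [esi], imm8
    ("INC_ESI",   fixed(b"\x46")),
    ("LOOP",      opcode_imm(b"\xE2", 1)),
    ("NOP",       fixed(b"\x90")),
]

@dataclass(frozen=True)
class Token:
    name: str
    start: int
    end: int

def tokenize(buf: bytes, start: int) -> List[Token]:
    """Emit tokens from `start` until a byte matches nothing in the table."""
    tokens, i = [], start
    while i < len(buf):
        for name, match in TOKEN_TABLE:
            n = match(buf, i)
            if n:
                tokens.append(Token(name, i, i + n))
                i += n
                break
        else:
            break
    return tokens

# --- LL(1) grammar, one token of lookahead picks each alternative:
#   decoder := CALL_NEXT junk POP junk counter junk XOR_MEM junk INC_ESI junk LOOP
#   counter := XOR_ECX junk MOV_CL | MOV_ECX
#   junk    := NOP junk | (empty)
class ParseError(Exception):
    pass

class DecoderParser:
    def __init__(self, tokens: List[Token]):
        self.tokens, self.pos = tokens, 0

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos].name if self.pos < len(self.tokens) else None

    def expect(self, name: str) -> Token:
        if self.peek() != name:
            raise ParseError(f"expected {name}, got {self.peek()}")
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def junk(self) -> None:  # polymorphic padding the grammar tolerates anywhere
        while self.peek() == "NOP":
            self.pos += 1

    def decoder(self) -> Token:
        self.expect("CALL_NEXT"); self.junk(); self.expect("POP"); self.junk()
        if self.peek() == "XOR_ECX":
            self.expect("XOR_ECX"); self.junk(); self.expect("MOV_CL")
        else:
            self.expect("MOV_ECX")
        self.junk(); self.expect("XOR_MEM")
        self.junk(); self.expect("INC_ESI")
        self.junk()
        return self.expect("LOOP")

def scan(buf: bytes) -> List[Tuple[int, int]]:
    """Try every byte offset as a token-stream start; return (start, end) of each match."""
    hits = []
    for start in range(len(buf)):
        tokens = tokenize(buf, start)
        if not tokens or tokens[0].name != "CALL_NEXT":
            continue
        try:
            hits.append((start, DecoderParser(tokens).decoder().end))
        except ParseError:
            continue
    return hits

# Constructed sample: two variants of the stub, unaligned, around benign data.
VARIANT_A = b"\xE8\x00\x00\x00\x00\x5E\x31\xC9\xB1\x10\x80\x36\xAA\x46\xE2\xFA"
VARIANT_B = (b"\xE8\x00\x00\x00\x00\x90\x5B\x90\xB9\x10\x00\x00\x00"
             b"\x80\x36\x5C\x90\x46\xE2\xFA")
SAMPLE = b"\x00\x01\x02" + VARIANT_A + b"GET /index.html HTTP/1.1\r\n" + VARIANT_B

if __name__ == "__main__":
    print(scan(SAMPLE))  # [(3, 19), (45, 65)]
```

Restarting the tokenizer at every offset is what makes the detection alignment-independent; a hardware implementation would run those starts in parallel, which the software above trades for simplicity. The parser never needs the whole stream, so a match is reported as soon as the last token of the grammar is consumed.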
132 Citations
14 Claims
Claim 1 is reproduced above under First Claim; claims 2 through 14 depend on it.
Specification