DETECTION OF CODE EXECUTION EXPLOITS
First Claim
1. A method of detecting shell code in an arbitrary file comprising:
- determining where one or more candidate areas exist within an arbitrary file;
- searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate; and
- calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.
10 Assignments
0 Petitions
Abstract
Various embodiments include a method of detecting shell code in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.
77 Citations
26 Claims
1. A method of detecting shell code in an arbitrary file comprising:
- determining where one or more candidate areas exist within an arbitrary file;
- searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate; and
- calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A gateway comprising:
- an anti-malware engine operable to scan an arbitrary file and to determine if any candidate areas exist within the arbitrary file;
- for any given candidate area located within the arbitrary file, search at least one nearby area surrounding the candidate area for any instruction candidates; and
- for any such instruction candidates, calculate a statistical probability based on one or more disassembled instructions starting at a found offset of the instruction candidate to determine a likelihood that the arbitrary file includes shellcode.
Dependent claims: 12, 13, 14, 15, 16

17. A method of detecting shellcode in an arbitrary file comprising:
- scanning an arbitrary file to determine if any candidate areas exist within the arbitrary file;
- for any candidate areas found in the arbitrary file, first searching the areas surrounding the any candidate areas to determine if any function calls or any code branching instructions exist in the areas surrounding the any candidate areas; and
- if no function calls and no code branching instructions are found, searching the areas surrounding the any candidate areas for known characteristical shellcode sequences.
Dependent claims: 18, 19, 20, 21, 22, 23

24. A computer network comprising:
- a gateway including an anti-malware engine operable to perform the following;
- receiving an arbitrary file;
- scanning the arbitrary file for repetitive constructs that are potentially intended to overflow a buffer;
- determining if any function calls or any code branching instructions exist in the areas surrounding the repetitive constructs; and
- generating a statistical probability representing the likelihood that the arbitrary file includes shellcode by performing a statistical analysis of the instructions starting at each found offset to generate an overall shellcode probability for the instructions starting at the each found offset.
Dependent claims: 25, 26
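As an added worked example (not code from the patent or from any product it covers), the following Python prototype walks through the flow that claims 17 and 24 describe: locate repetitive constructs that could be padding for a buffer overflow, search the surrounding areas for function-call or branch instructions, fall back to known characteristic byte sequences when none are found, and then disassemble from each candidate offset to produce a probability. The run-length threshold, search window, x86-32 opcode subset, scoring rule and the three sample byte strings are all constructed for this illustration; the patent text does not specify any of them.

```python
"""Toy detector in the shape of the patent's claims 17 and 24.
Every threshold, the opcode subset, the scoring rule and the sample inputs are constructed."""

MIN_RUN = 16      # constructed: a run of one byte value this long is a "repetitive construct"
WINDOW = 64       # constructed: bytes searched on each side of a construct for instruction candidates
MAX_INSNS = 16    # constructed: maximum instructions disassembled from a candidate offset

# first-byte opcodes treated as function calls / code branching instructions (x86-32)
CALL_BRANCH = {0xE8: ("call rel32", 5), 0xE9: ("jmp rel32", 5), 0xEB: ("jmp rel8", 2)}
# known characteristic sequences, used only when no call/branch candidate is nearby (claim 17)
KNOWN_SEQUENCES = {b"\xcd\x80": "int 0x80", b"\x0f\x05": "syscall"}


def find_repetitive_constructs(data, min_run=MIN_RUN):
    """Return (offset, length) of every run of a single byte value at least min_run bytes long."""
    runs, i = [], 0
    while i < len(data):
        j = i + 1
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i))
        i = j
    return runs


def decode(data, off):
    """Length-decode one instruction from a small x86-32 subset: (mnemonic, length) or None."""
    if off >= len(data):
        return None
    op = data[off]
    modrm = data[off + 1] if off + 1 < len(data) else None
    simple = {0x90: ("nop", 1), 0xC3: ("ret", 1), 0xCC: ("int3", 1),
              0x68: ("push imm32", 5), 0x6A: ("push imm8", 2), 0xCD: ("int imm8", 2)}
    if op in simple:
        return simple[op]
    if op in CALL_BRANCH:
        return CALL_BRANCH[op]
    if 0x50 <= op <= 0x57:
        return ("push reg", 1)
    if 0x58 <= op <= 0x5F:
        return ("pop reg", 1)
    if 0xB0 <= op <= 0xB7:
        return ("mov r8, imm8", 2)
    if 0xB8 <= op <= 0xBF:
        return ("mov r32, imm32", 5)
    if op == 0x0F and modrm == 0x05:
        return ("syscall", 2)
    if op in (0x31, 0x33, 0x89, 0x8B) and modrm is not None and modrm >> 6 == 3:
        return ("xor/mov reg, reg", 2)           # register-direct ModRM only
    if op == 0xFF and modrm is not None and modrm >> 6 == 3 and (modrm >> 3) & 7 in (2, 4):
        return ("call/jmp reg", 2)               # FF /2 = call reg, FF /4 = jmp reg
    return None


def shellcode_probability(data, off, max_insns=MAX_INSNS):
    """Disassemble forward from off. Probability = share of decode attempts that succeeded,
    plus 0.1 when control flow or a system call appears (constructed scoring rule)."""
    decoded = attempts = control = 0
    pos = off
    while attempts < max_insns and pos < len(data):
        attempts += 1
        insn = decode(data, pos)
        if insn is None or pos + insn[1] > len(data):
            break
        decoded += 1
        if insn[0].startswith(("call", "jmp", "int", "ret", "syscall")):
            control += 1
        pos += insn[1]
    if attempts == 0:
        return 0.0
    score = decoded / attempts + (0.1 if control else 0.0)
    return round(min(score, 1.0), 3)


def scan(data):
    """Full flow: constructs -> call/branch candidates (or known sequences) -> per-offset probability."""
    findings = []
    for run_off, run_len in find_repetitive_constructs(data):
        lo, hi = max(0, run_off - WINDOW), min(len(data), run_off + run_len + WINDOW)
        cands = [(o, "call/branch") for o in range(lo, hi) if data[o] in CALL_BRANCH]
        if not cands:  # claim 17's second step: no call/branch found, look for known sequences
            for seq, name in KNOWN_SEQUENCES.items():
                o = data.find(seq, lo, hi)
                while o != -1:
                    cands.append((o, name))
                    o = data.find(seq, o + 1, hi)
        for off, how in cands:
            findings.append({"construct": run_off, "offset": off, "via": how,
                             "probability": shellcode_probability(data, off)})
    return findings


def max_probability(data):
    return max((f["probability"] for f in scan(data)), default=0.0)


# constructed samples: a NOP sled followed by a call/pop/xor/ret stub; plain text with an
# underline of '=' characters; and zero padding followed by a mov/int pair with no call or branch
SLED = b"\x90" * 32
STUB = b"\xe8\x00\x00\x00\x00\x58\x31\xc9\xc3"
SUSPECT = b"filler text before the sled " + SLED + STUB + b" trailing bytes"
BENIGN = b"Release notes\n" + b"=" * 24 + b"\nFixed the parser; see the changelog for details.\n"
PADDED = b"\x00" * 32 + b"\xb8\x01\x00\x00\x00\xcd\x80" + b"END"

if __name__ == "__main__":
    for name, blob in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN), ("PADDED", PADDED)):
        print(name, max_probability(blob), scan(blob))
```

The benign text sample shows why the claims put the call/branch test first: a long run of '=' is a repetitive construct, but nothing around it decodes as control flow or matches a known sequence, so it yields no finding at all rather than a low score. Any real scanner would replace the toy decoder with a full-length disassembler and tune the window and scoring against a labelled corpus.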
Specification