SYSTEM AND METHOD FOR DETECTING EXECUTABLE MACHINE INSTRUCTIONS IN A DATA STREAM
Abstract
Detecting executable machine instructions in a data stream is accomplished by accessing a plurality of values representing data contained within a memory of a computer system and performing pre-processing on the plurality of values to produce a candidate data subset. The pre-processing may include determining whether the plurality of values meets (a) a randomness condition, (b) a length condition, and/or (c) a string ratio condition. The candidate data subset is inspected for computer instructions, characteristics of the computer instructions are determined, and a predetermined action is taken based on the characteristics of the computer instructions.
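The pre-processing stage described in the abstract can be sketched as follows. This is an added illustration, not the patent's implementation: the thresholds, the direction of each test, and all function names are assumptions, and it applies all three conditions together although the claims require only at least one.

```python
import math
from collections import Counter

# Thresholds are assumptions chosen for illustration; the page gives none.
MIN_LENGTH = 16          # length condition: shorter buffers are skipped
MAX_ENTROPY = 7.2        # randomness condition: above this (bits/byte) looks compressed/encrypted
MAX_STRING_RATIO = 0.85  # string ratio condition: mostly printable bytes looks like text

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def string_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not buf:
        return 0.0
    printable = sum(1 for b in buf if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return printable / len(buf)

def precheck(buf: bytes) -> dict:
    """Evaluate the three conditions for one buffer and report each result."""
    r = {"entropy": shannon_entropy(buf), "string_ratio": string_ratio(buf)}
    r["length_ok"] = len(buf) >= MIN_LENGTH
    r["randomness_ok"] = r["entropy"] <= MAX_ENTROPY
    r["string_ok"] = r["string_ratio"] <= MAX_STRING_RATIO
    r["candidate"] = r["length_ok"] and r["randomness_ok"] and r["string_ok"]
    return r

def candidate_subset(buffers):
    """Return the buffers that pass all three conditions (the candidate data subset)."""
    return [b for b in buffers if precheck(b)["candidate"]]

# Constructed sample buffers (not from the page).
SAMPLES = {
    "text": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "short": b"\x90\x90\xc3",
    "uniform": bytes(range(256)) * 4,  # every byte value equally often: 8.0 bits/byte
    "binary": bytes.fromhex("554889e54883ec20897dec488b45f031c0c9c30000000102"),
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, precheck(buf))
```

Only buffers in the returned subset would be handed to the more expensive instruction-inspection step; the per-condition fields in `precheck` make it possible to log why a buffer was dropped.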
19 Claims
1. A method of analyzing whether executable code exists within data, said method comprising:
- accessing a plurality of values representing data contained within a memory of a computer system;
- performing pre-processing on the plurality of values to produce a candidate data subset, said pre-processing being performed by a computer and comprising determining whether the plurality of values meets at least one of (a) a randomness condition, (b) a length condition, and (c) a string ratio condition;
- inspecting, with the computer, the candidate data subset for computer instructions;
- determining one or more characteristics of the computer instructions; and
- taking a predetermined action based on the characteristics of the computer instructions.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14

15. A tangible computer readable media wherein the computer readable media includes instructions which enable a machine to perform the following operations:
- access a plurality of values representing data contained within a memory of a computer system;
- perform pre-processing on the plurality of values to produce a candidate data subset, said pre-processing being performed by a computer and comprising determining whether the plurality of values meets at least one of (a) a randomness condition, (b) a length condition, and (c) a string ratio condition;
- inspect, with the computer, the candidate data subset for computer instructions;
- determine one or more characteristics of the computer instructions; and
- take a predetermined action based on the characteristics of the computer instructions.

16. A distributed method of analyzing whether executable code exists within data comprising:
- at a first location:
  - accessing a plurality of values representing data contained within a memory of a computer system; and
  - performing pre-processing on the plurality of values to produce a candidate data subset, said pre-processing being performed by a first computer and comprising determining whether the plurality of values meets at least one of (a) a randomness condition, (b) a length condition, and (c) a string ratio condition;
- transmitting the candidate data subset to a second location;
- at the second location:
  - inspecting, with a second computer, the candidate data subset for computer instructions;
  - determining one or more characteristics of the computer instructions; and
  - taking a predetermined action based on the characteristics of the computer instructions.

Dependent claims: 17, 18, 19
Specification