Detection of polymorphic script language viruses by data driven lexical analysis

US 7,636,945 B2
Filed: 07/14/2001
Issued: 12/22/2009
Est. Priority Date: 07/14/2000
Status: Active Grant

First Claim

Patent Images

1. A method of detecting script language viruses in data streams comprising:

using a processor for;

preparing language description data corresponding to at least one script language;

preparing detection data for viral code corresponding to a script language virus;

lexically analyzing a data stream to identify the at least one script language;

lexically analyzing the data stream using the language description data to generate a stream of tokens;

generating viral code detection data by analyzing a plurality of samples of polymorphic script language viral code; and

lexically analyzing the stream of tokens using the detection data and the language description data to identify the script language virus.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for detecting script language viruses is provided. The apparatus includes a script language processor, a detection data processor and a detection engine. The script language processor prepares language description data corresponding to at least one script language. The detection data processor prepares detection data for viral code corresponding to the script language virus. The detection engine lexically analyzes a data stream using the language description data and the detection data to detect the viral code. The language description data may correspond to language definition rules and language check rules. The data stream may be converted to a stream of tokens, wherein the lexical analysis is performed on the token stream. The script language virus detection apparatus may be a computer program stored on a computer readable medium and/or transmitted via a computer network or other transmission medium.

51 Citations

View as Search Results

22 Claims

1. A method of detecting script language viruses in data streams comprising:
- using a processor for;
  
  preparing language description data corresponding to at least one script language;
  
  preparing detection data for viral code corresponding to a script language virus;
  
  lexically analyzing a data stream to identify the at least one script language;
  
  lexically analyzing the data stream using the language description data to generate a stream of tokens;
  
  generating viral code detection data by analyzing a plurality of samples of polymorphic script language viral code; and
  
  lexically analyzing the stream of tokens using the detection data and the language description data to identify the script language virus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the language description data correspond to Dynamic Finite Automata data.
  - 3. The method of claim 2, wherein the Dynamic Finite Automata data comprises a set of states, with each state having a corresponding set of transaction having an associated character to be matched and an associated next state.
  - 4. The method of claim 1, wherein the language description data correspond to language definition rules and check rules, wherein the language definition rules include descriptions of constructs of the target script language and relationships between the constructs.
  - 5. The method of claim 4, wherein the lexical analysis includes one or more pattern matches based on the language definition rules.
  - 6. The method of claim 4, wherein a script language used by the data stream is determined by the lexical analysis using the language check rules.
  - 7. The method of claim 1 further comprising setting language definition rules for each of the least one script language.
  - 8. The method of claim 1, wherein the detection data comprise at least one test, wherein each of the at least one test correspond to a pattern match or a cyclical redundancy check.
  - 9. The method of claim 1, wherein the step of preparing detection data comprises:
    - obtaining samples of the viral code;
      
      analyzing the obtained samples; and
      
      setting a detection regimen that includes at least one pattern match or cyclical redundancy check based on the analysis of the obtained samples.
  - 10. The method of claim 1, wherein the data stream is converted to a stream of tokens using lexical analysis.
  - 11. The method of claim 10, wherein the tokens correspond to respective language constructs.
  - 12. The method of claim 10, wherein a cyclical redundancy check is performed on the stream of tokens to detect viral code.

13. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform method steps for detecting script language viruses, the method steps comprising:
- preparing language description data corresponding to at least one script language;
  
  preparing detection data for viral code corresponding to a script language virus;
  
  lexically analyzing a data stream to identify the at least one script language;
  
  lexically analyzing the data stream using the language description data to generate a stream of tokens;
  
  generating viral code detection data by analyzing a plurality of samples of polymorphic script language viral code; and
  
  lexically analyzing the stream of tokens using the detection data and the language description data to identify the script language virus.

14. A computer system, comprising:
- a processor; and
  
  a program storage device readable by the computer system, tangibly embodying a program of instructions executable by the processor to perform method steps for detecting script language viruses, the method steps comprising;
  
  preparing language description data corresponding to at least one script language;
  
  preparing detection data for viral code corresponding to a script language virus; and
  
  lexically analyzing a data stream to identify the at least one script language;
  
  lexically analyzing the data stream using the language description data to generate a stream of tokens;
  
  generating viral code detection data by analyzing a plurality of samples of polymorphic script language viral code; and
  
  lexically analyzing the stream of tokens using the detection data and the language description data to identify the script language virus.

15. An apparatus for detecting script language viruses, comprising:
- a script language processor, wherein the script language processor prepares language description data corresponding to at least one script language;
  
  a detection data processor, wherein the detection data processor prepares detection data for viral code corresponding to a script language virus and wherein the detection data processor generates viral code detection data by analyzing a plurality of samples of polymorphic script language viral code; and
  
  a detection engine, wherein the detection engine converts a data stream to a stream of tokens using lexical analysis, wherein the tokens correspond to respective language constructs, wherein the detection engine lexically analyzes the stream of tokens using the language description data and the detection data to identify the script language virus.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The apparatus of claim 15, wherein the language description data correspond to Dynamic Finite Automata data.
  - 17. The apparatus of claim 16, wherein the Dynamic Finite Automata data comprises at least one set of states, with each state having a corresponding set of transitions and each transition having an associated character to be matched and an associated next state.
  - 18. The apparatus of claim 15, wherein the language description data corresponds to language definition rules and language check rules, wherein the language definition rules include descriptions of constructs of the target script language and relationships between the constructs.
  - 19. The apparatus of claim 18, wherein the lexical analysis by the detection engine includes one or more pattern matches based on the language definition rules.
  - 20. The apparatus of claim 18, wherein a script language used by the data stream is determined by the lexical analysis of the detection engine using the language check rules.
  - 21. The apparatus of claim 15, wherein the detection data comprises at least one test, and each of the at least one test correspond to a pattern match or a cyclical redundancy check.

22. A method, comprising:
- using a processor for;
  
  receiving a data stream;
  
  lexically analyzing the data stream to identify a script language;
  
  receiving language description data for the script language;
  
  lexically analyzing the data stream using the language description data to generate a stream of tokens;
  
  generating viral code detection data by analyzing a plurality of samples of polymorphic script language viral code; and
  
  lexically analyzing the stream of tokens using the viral code detection data and the language description data to identify at least one script language virus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Chandnani, Anjali, Yann, Trevor
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US09/905,343
Publication Number

US 20020073330A1
Time in Patent Office

3,083 Days
Field of Search

713/187, 713/188, 713/200, 726/24, 717/142
US Class Current

726/24
CPC Class Codes

G06F 21/563 by source code analysis

Detection of polymorphic script language viruses by data driven lexical analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Detection of polymorphic script language viruses by data driven lexical analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others