
Probabilistic shellcode detection

  • US 8,549,624 B2
  • Filed: 04/15/2008
  • Issued: 10/01/2013
  • Est. Priority Date: 04/14/2008
  • Status: Active Grant
First Claim

1. A non-transitory machine readable medium storing instructions that, when executed by a processor, cause the processor to:

  • receive at an anti-malware engine an arbitrary file, the arbitrary file including a plurality of data blocks;

  • determine where one or more candidate areas exist within the arbitrary file by scanning contents of the arbitrary file, wherein a given candidate area of the one or more candidate areas includes a subset of the plurality of data blocks of the arbitrary file, the subset of the plurality of data blocks including a first data block and one or more additional data blocks following the first data block up to and including a last data block of the given candidate area;

  • search at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, wherein a given nearby area includes either a predetermined number of data blocks immediately preceding the given candidate area within the arbitrary file or a predetermined number of data blocks immediately following the given candidate area within the arbitrary file; and

  • calculate, for any such instruction candidate found in any of the at least one nearby areas, a statistical probability, based on a disassembly of instructions starting at a found offset location corresponding to the location of that instruction candidate, that the disassembled instructions are shellcode.
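The claim describes a three-stage pipeline: locate candidate areas, search a fixed-size window before and after each one for an instruction candidate, then disassemble from that offset and score the result. The following is an added illustration of that pipeline, not code from the patent or its assignee. Every concrete choice in it is an assumption the patent text does not make: a "data block" is one byte; a candidate area is a run of at least 8 x86 NOP bytes (0x90); the nearby areas are the 16 bytes on either side; an instruction candidate is one of three opcodes (xor, jmp short, call) that commonly open shellcode stubs; the disassembler is a toy x86-32 decoder that handles only register-direct forms of a few opcodes; and the "statistical probability" is a naive-Bayes style sum of made-up per-instruction log-likelihood ratios on top of an assumed prior. A production engine would use a full-length decoder such as Capstone and likelihoods estimated from labelled samples. The sample inputs are constructed; the 23-byte sequence is the widely published Linux x86 execve("/bin/sh") shellcode, used here purely as detector test input.

```python
# Added example (not the patent's code): toy version of the candidate-area /
# nearby-area / disassembly-probability pipeline in claim 1. All constants,
# opcodes and likelihood ratios below are assumptions, not patent content.
import math

NOP, MIN_SLED, NEARBY = 0x90, 8, 16      # assumed block = byte, sled length, window size
ANCHORS = {0x31, 0xEB, 0xE8}             # assumed instruction candidates: xor, jmp short, call
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
PRIOR_LOG_ODDS = math.log(0.01 / 0.99)   # assumed base rate of shellcode at any offset


def decode_one(buf, i):
    """Decode one instruction at buf[i] -> (mnemonic, length, log-likelihood ratio),
    or None when the bytes fall outside this toy decoder's coverage."""
    op = buf[i]
    have = lambda n: i + n <= len(buf)
    if op == NOP:
        return ("nop", 1, 0.2)
    if op == 0xC3:
        return ("ret", 1, 0.0)
    if 0x50 <= op <= 0x57:
        return ("push " + REG32[op - 0x50], 1, 0.3)
    if 0x58 <= op <= 0x5F:
        return ("pop " + REG32[op - 0x58], 1, 0.3)
    if op == 0x6A and have(2):
        return ("push 0x%02x" % buf[i + 1], 2, 0.5)
    if op == 0x68 and have(5):
        imm = buf[i + 1:i + 5]
        printable = all(0x20 <= b < 0x7F for b in imm)   # pushing "/bin//sh"-style text
        return ("push 0x%08x" % int.from_bytes(imm, "little"), 5, 1.5 if printable else 0.5)
    if 0xB0 <= op <= 0xB7 and have(2):
        return ("mov %s, 0x%02x" % (REG8[op - 0xB0], buf[i + 1]), 2, 1.0)
    if 0xB8 <= op <= 0xBF and have(5):
        return ("mov %s, 0x%08x" % (REG32[op - 0xB8], int.from_bytes(buf[i + 1:i + 5], "little")), 5, 0.5)
    if op == 0xEB and have(2):
        return ("jmp short %+d" % int.from_bytes(buf[i + 1:i + 2], "little", signed=True), 2, 1.0)
    if op == 0xE8 and have(5):
        return ("call %+d" % int.from_bytes(buf[i + 1:i + 5], "little", signed=True), 5, 1.0)
    if op == 0xCD and have(2):
        return ("int 0x%02x" % buf[i + 1], 2, 3.0 if buf[i + 1] == 0x80 else 1.0)
    if op in (0x31, 0x89) and have(2):
        modrm = buf[i + 1]
        if modrm >> 6 != 0b11:
            return None                  # memory-operand forms are not decoded here
        reg, rm = (modrm >> 3) & 7, modrm & 7
        if op == 0x31:                   # xor reg,reg zeroing idiom scores high
            return ("xor %s, %s" % (REG32[rm], REG32[reg]), 2, 2.0 if reg == rm else 0.5)
        # mov r/m32, r32; copying esp into a register (argv/envp setup) scores higher
        return ("mov %s, %s" % (REG32[rm], REG32[reg]), 2, 1.5 if reg == 4 else 0.5)
    return None


def disassemble(buf, start, max_insns=32):
    """Linear-sweep disassembly from `start`; stops at an undecodable byte, ret or int."""
    insns, i = [], start
    while i < len(buf) and len(insns) < max_insns:
        d = decode_one(buf, i)
        if d is None:
            break
        insns.append(d)
        i += d[1]
        if d[0] == "ret" or d[0].startswith("int "):
            break
    return insns


def shellcode_probability(insns):
    """Posterior P(shellcode) from the prior plus per-instruction log-likelihood ratios."""
    logit = PRIOR_LOG_ODDS + sum(llr for _, _, llr in insns)
    return 1.0 / (1.0 + math.exp(-logit))


def find_candidate_areas(buf, min_run=MIN_SLED):
    """Candidate areas as (first, last+1) offsets of NOP runs of at least min_run bytes."""
    areas, i = [], 0
    while i < len(buf):
        j = i
        while j < len(buf) and buf[j] == NOP:
            j += 1
        if j - i >= min_run:
            areas.append((i, j))
        i = j + 1 if j == i else j
    return areas


def nearby_areas(buf, area, n=NEARBY):
    """The n data blocks immediately preceding and immediately following a candidate area."""
    start, end = area
    return [(max(0, start - n), start), (end, min(len(buf), end + n))]


def scan(buf):
    """For each candidate area, disassemble from every instruction candidate found in its
    nearby areas and keep the highest-probability one: (area, offset, prob, insns).
    offset/prob are None when neither nearby area contains an instruction candidate."""
    report = []
    for area in find_candidate_areas(buf):
        best = (area, None, None, [])
        for lo, hi in nearby_areas(buf, area):
            for off in range(lo, hi):
                if buf[off] in ANCHORS:
                    insns = disassemble(buf, off)
                    p = shellcode_probability(insns)
                    if best[2] is None or p > best[2]:
                        best = (area, off, p, insns)
        report.append(best)
    return report


# Constructed sample inputs. EXECVE_SH is the widely published 23-byte Linux x86
# execve("/bin/sh") shellcode, used only as detector test input.
EXECVE_SH = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")
SAMPLE_MALICIOUS = b"Benign header text, then a sled: " + b"\x90" * 16 + EXECVE_SH + b"\x00" * 4
SAMPLE_BENIGN = b"Section padding follows: " + b"\x90" * 12 + b"Version 1.0 of the text resumes here."

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        for area, off, p, insns in scan(sample):
            print("%s: area %s, candidate at %s, P(shellcode)=%s" % (name, area, off, p))
            for mnemonic, _, _ in insns:
                print("    " + mnemonic)
```

The benign sample shows why the claim separates the candidate-area step from the scoring step: runs of 0x90 are common as section padding in ordinary executables, and the ASCII byte "1" (0x31) that follows the padding is a legitimate instruction candidate, but disassembly from it dies after one undecodable ModRM byte and the probability stays at the prior. The malicious sample decodes into the full execve stub ending in int 0x80 and scores close to 1. The weights here are illustrative; the detector's real quality comes from the likelihood model, not from the scanning skeleton.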

  • 12 Assignments