Probabilistic shellcode detection
First Claim
1. A non-transitory machine readable medium storing instructions that, when executed by a processor, cause the processor to:
receive at an anti-malware engine an arbitrary file, the arbitrary file including a plurality of data blocks;
determine where one or more candidate areas exist within the arbitrary file by scanning contents of the arbitrary file, wherein a given candidate area of the one or more candidate areas includes a subset of the plurality of data blocks of the arbitrary file, the subset of the plurality of data blocks including a first data block and one or more additional data blocks following the first data block up to and including a last data block of the given candidate area;
search at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, wherein a given nearby area includes either a predetermined number of data blocks immediately preceding the given candidate area within the arbitrary file or a predetermined number of data blocks immediately following the given candidate area within the arbitrary file; and
calculate, for any such instruction candidate found in any of the at least one nearby areas, a statistical probability, based on a disassembly of instructions starting at a found offset location corresponding to the location of that instruction candidate, that the disassembled instructions are shellcode.
Abstract
Various embodiments include a method of detecting shellcode in an arbitrary file comprising determining where one or more candidate areas exist within the arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating, for any such instruction candidate, a statistical probability, based on a disassembly of instructions starting at a found offset for the instruction candidate, that the disassembled instructions are shellcode.
22 Claims
10. A gateway comprising:
an anti-malware engine, executing on a hardware processor, operable to:
scan a given arbitrary file, the given arbitrary file including a plurality of data blocks, and determine if any candidate areas exist within the given arbitrary file by scanning contents of the arbitrary file, wherein a given candidate area includes a subset of the plurality of data blocks of the given arbitrary file, the subset of the plurality of data blocks including a first data block and one or more additional data blocks following the first data block up to and including a last data block of the given candidate area;
for any given candidate area located within the given arbitrary file, search at least one nearby area surrounding the candidate area for instruction candidates, wherein a given nearby area includes either a predetermined number of data blocks immediately preceding the given candidate area within the given arbitrary file or a predetermined number of data blocks immediately following the given candidate area within the given arbitrary file; and
for any such instruction candidates found in any of the at least one nearby areas, calculate a statistical probability, based on one or more disassembled instructions starting at a found offset location corresponding to the location of that instruction candidate, to determine a likelihood that the given arbitrary file includes shellcode.
15. A non-transitory machine readable medium storing instructions that, when executed by a processor, cause the processor to:
receive at an anti-malware engine an arbitrary file, the arbitrary file including a plurality of data blocks;
scan contents of the arbitrary file to determine if any candidate areas exist within the arbitrary file, wherein a given candidate area of the one or more candidate areas includes a subset of the plurality of data blocks of the arbitrary file, the subset of the plurality of data blocks including a first data block and one or more additional data blocks following the first data block up to and including a last data block of the given candidate area;
for any candidate areas found in the arbitrary file, first search the areas surrounding those candidate areas to determine if any function calls or any code branching instructions exist in the areas surrounding those candidate areas, wherein a given nearby area includes either a predetermined number of data blocks immediately preceding the given candidate area within the arbitrary file or a predetermined number of data blocks immediately following the given candidate area within the arbitrary file; and
if no function calls and no code branching instructions are found, search the areas surrounding those candidate areas for known characteristic shellcode sequences.
20. A computer network comprising:
a gateway including an anti-malware engine, the anti-malware engine operable to:
receive an arbitrary file, the arbitrary file including a plurality of data blocks;
scan contents of the arbitrary file for a candidate area, the candidate area containing a subset of the plurality of data blocks from the arbitrary file and containing repetitive constructs that have a potential to overflow a buffer;
determine if any function calls or any code branching instructions exist in an area surrounding the candidate area, wherein the area surrounding a given candidate area includes either a predetermined number of data blocks immediately preceding the candidate area or a predetermined number of data blocks immediately following the candidate area; and
generate a statistical probability representing the likelihood that the arbitrary file includes shellcode by performing a statistical analysis of the instructions starting at a resulting location of at least one found function call or code branching instruction, to generate an overall shellcode probability for the arbitrary file.
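The four independent claims describe one pipeline: find a repetitive construct that could overflow a buffer (a NOP sled, for instance), look a fixed distance before and after it for a call or branch (or, failing that, a known characteristic sequence), then disassemble from that offset and turn the result into a probability. The Python below is an added illustration of that pipeline and is not the patent's or any assignee's implementation. Everything the claims leave open is an assumption chosen for the example: the 16-byte run length, the 32-byte nearby window, the x86-32 opcode subset used as the "disassembly", the list of characteristic sequences, and the weighting that produces the probability. The three input files are constructed, not captured traffic.

```python
"""Simplified model of the claimed shellcode detector (added example, not the patent's code).
Candidate area -> nearby windows -> instruction candidates -> disassembly -> probability."""

# Assumed parameters; the claims only speak of a "predetermined number of data blocks".
MIN_RUN = 16          # shortest run of identical filler bytes treated as a candidate area
NEARBY = 32           # bytes searched immediately before and after a candidate area
DISASM_LIMIT = 64     # bytes the disassembly may cover from the found offset
MAX_INSNS = 32        # upper bound on instructions decoded per candidate

# Single-byte x86 opcodes commonly used as sled filler: nop, inc r32, dec r32 (assumption).
FILLER = {0x90} | set(range(0x40, 0x50))
# Calls and unconditional jumps, the first thing claims 15 and 20 look for: opcode -> length.
BRANCHES = {0xE8: 5, 0xE9: 5, 0xEB: 2}
# Fallback "characteristic shellcode sequences" (claim 15): xor eax,eax / int 0x80 / syscall.
CHARACTERISTIC = [b"\x31\xc0", b"\xcd\x80", b"\x0f\x05"]


def find_candidate_areas(data):
    """Return (start, end) of every run of at least MIN_RUN identical filler bytes."""
    areas, i, n = [], 0, len(data)
    while i < n:
        j = i
        while j < n and data[j] == data[i]:
            j += 1
        if data[i] in FILLER and j - i >= MIN_RUN:
            areas.append((i, j))
        i = j
    return areas


def nearby_areas(data, start, end):
    """The window immediately preceding and the window immediately following a candidate area."""
    return [(max(0, start - NEARBY), start), (end, min(len(data), end + NEARBY))]


def find_instruction_candidates(data, lo, hi):
    """Offsets in [lo, hi) to disassemble from: branches first; characteristic sequences only if none."""
    found = [i for i in range(lo, hi) if data[i] in BRANCHES]
    if found:
        return found
    for seq in CHARACTERISTIC:
        k = data.find(seq, lo, hi)
        while k != -1:
            found.append(k)
            k = data.find(seq, k + 1, hi)
    return sorted(found)


def decode(data, i):
    """Length decoder for a small x86-32 subset. Returns (length, kind) or None if not decodable."""
    op = data[i]
    if op == 0x90 or 0x40 <= op <= 0x5F or op == 0xC3:      # nop, inc/dec/push/pop r32, ret
        return 1, "ret" if op == 0xC3 else ("pop" if 0x58 <= op <= 0x5F else "simple")
    if op in (0x31, 0x89) and i + 1 < len(data) and data[i + 1] >= 0xC0:
        return 2, "simple"                                   # xor/mov r32, r32 (ModRM mod == 3)
    if 0xB0 <= op <= 0xB7 or op == 0x6A:
        return 2, "simple"                                   # mov r8, imm8 / push imm8
    if 0xB8 <= op <= 0xBF or op == 0x68:
        return 5, "simple"                                   # mov r32, imm32 / push imm32
    if op == 0xCD and i + 1 < len(data):
        return 2, "syscall" if data[i + 1] == 0x80 else "simple"   # int imm8
    if op == 0x0F and i + 1 < len(data) and data[i + 1] == 0x05:
        return 2, "syscall"
    if op in BRANCHES:
        return BRANCHES[op], "branch"
    return None


def shellcode_probability(data, off):
    """Disassemble from `off`, following calls/jumps that stay in range, and score the sweep."""
    limit = min(len(data), off + DISASM_LIMIT)
    i, n_ok, syscall, getpc, seen = off, 0, False, False, set()
    while i < limit and n_ok < MAX_INSNS and i not in seen:
        seen.add(i)
        d = decode(data, i)
        if d is None or i + d[0] > limit:
            break                                            # undecodable byte ends the sweep
        length, kind = d
        n_ok += 1
        if kind == "syscall":
            syscall = True
        if kind == "ret":
            break
        if kind == "branch":
            rel = int.from_bytes(data[i + 1:i + length], "little", signed=True)
            target = i + length + rel
            if not (off <= target < limit):
                break                                        # branch leaves the window
            if data[i] == 0xE8 and 0x58 <= data[target] <= 0x5F:
                getpc = True                                 # call straight onto a pop: GetPC idiom
            i = target
            continue
        i += length
    # Assumed weighting: decodable-instruction density plus syscall and GetPC evidence, clamped to 1.
    return min(1.0, 0.5 * min(n_ok, 8) / 8 + (0.35 if syscall else 0.0) + (0.15 if getpc else 0.0))


def scan_file(data):
    """Overall shellcode probability for a file: the best-scoring instruction candidate."""
    best = 0.0
    for start, end in find_candidate_areas(data):
        for lo, hi in nearby_areas(data, start, end):
            for off in find_instruction_candidates(data, lo, hi):
                best = max(best, shellcode_probability(data, off))
    return best


# Constructed sample files (assumptions, not captured data).
EXECVE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")   # classic execve("/bin/sh")
GETPC = b"\xe8\x08\x00\x00\x00/bin/sh\x00\x5b\x31\xc0\x50\x53\x89\xe1\xb0\x0b\xcd\x80"  # call-over-string/pop
SLED_SAMPLE = b"GET /index.html?q=" + b"\x90" * 64 + EXECVE + b"\n"   # sled, then shellcode, no branch
GETPC_SAMPLE = b"User-Agent: " + b"\x90" * 40 + GETPC + b"\n"          # sled, then a call: branch path
BENIGN = b"Name: " + b"A" * 32 + b" was entered in the form\n"          # run of 'A' (inc ecx) but only text nearby

if __name__ == "__main__":
    for name, blob in ("sled+execve", SLED_SAMPLE), ("sled+getpc", GETPC_SAMPLE), ("benign", BENIGN):
        print(f"{name:12s} candidates={find_candidate_areas(blob)} p={scan_file(blob):.4f}")
```

The benign file is the case the claims are built around: a run of thirty-two `A` bytes is a valid candidate area (it decodes as `inc ecx`, a textbook sled filler), yet with no call, branch or characteristic sequence in the surrounding window it never reaches the disassembly step and scores zero. The two malicious samples exercise the two paths of claim 15: the execve payload has no branch, so the `xor eax,eax` characteristic sequence supplies the offset; the GetPC payload is found through its `call`, and following that call onto a `pop` is what lifts its score.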