System and method for analyzing malicious code using a static analyzer

US 9,081,961 B2
Filed: 06/09/2011
Issued: 07/14/2015
Est. Priority Date: 06/11/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

parsing, via a processor, computer code received from a non-trusted entity via a network, the computer code received by a gateway when sent by the non-trusted entity to a client device in response to a request from the client device;

transforming, via the processor, the parsed computer code into an abstract syntax tree, the abstract syntax tree containing a first node having a statement from the parsed computer code;

analyzing, via the processor, the statement in the first node to determine if the statement contains a user-defined function;

in response to determining that the statement in the first node does not contain the user-defined function, executing the statement; and

determining the computer code is malicious by comparing a result of the execution of the statement in the first node to a set of rules denoting malicious behavior.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Analyzing computer code using a tree is described. For example, a client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and to the network. The gateway is configured to receive computer code from the non-trusted entity via the network. The gateway builds a tree representing the computer code. The tree has one or more nodes. A node of the tree represents a statement from the computer code. The gateway analyzes the statement to identify symbol data. The symbol data describes a name of the variable and the value of the variable. The gateway stores the symbol data in a symbol table.

Citations

20 Claims

1. A computer-implemented method comprising:
- parsing, via a processor, computer code received from a non-trusted entity via a network, the computer code received by a gateway when sent by the non-trusted entity to a client device in response to a request from the client device;
  
  transforming, via the processor, the parsed computer code into an abstract syntax tree, the abstract syntax tree containing a first node having a statement from the parsed computer code;
  
  analyzing, via the processor, the statement in the first node to determine if the statement contains a user-defined function;
  
  in response to determining that the statement in the first node does not contain the user-defined function, executing the statement; and
  
  determining the computer code is malicious by comparing a result of the execution of the statement in the first node to a set of rules denoting malicious behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method according to claim 1, wherein analyzing the statement in the first node to determine if the statement contains theuser-defined function further comprises:
    - identifying a variable contained in the first node;
      
      identifying symbol data describing the variable, the symbol data including a name of the variable and a value associated with the variable; and
      
      storing the symbol data in a symbol table.
  - 3. The computer-implemented method according to claim 2, further comprising:
    - determining context data associated with the statement, the context data describing a scope of the statement;
      
      caching the context data in a context table; and
      
      associating the context data in the context table with corresponding symbol data in the symbol table.
  - 4. The computer-implemented method according to claim 1, further comprising:
    - determining if the first node includes a probe function; and
      
      in response to determining that the first node does not include the probe function, inserting the probe function in the first node.
  - 5. The computer-implemented method according to claim 1, further comprising:
    - determining if the statement in the first node is a simple statement, the simple statement being a statement having a basic language operator applied to a variable and a function code associated with a standard library of a programming language of the computer code.
  - 6. The computer-implemented method according to claim 2, wherein executing the statement further comprises:
    - detecting induced changes to the symbol data after executing the statement; and
      
      updating the symbol table to reflect the induced changes to the symbol data.
  - 7. The computer-implemented method according to claim 1, further comprising, in response to determining that the computer code is malicious, blocking the computer code.

8. A tangible computer readable storage device or storage disc comprising instructions that, when executed, cause a gateway device to at least:
- parse computer code received from a non-trusted entity via a network, the computer code received by the gateway when sent by the non-trusted entity to a client device in response to a request from the client device;
  
  generate an abstract syntax tree from the parsed computer code, the abstract syntax tree containing a first node having a statement from the parsed computer code;
  
  determine if the statement in the first node contains a user-defined function;
  
  in response to determining that the statement in the first node does not contain the user-defined function, executing the statement; and
  
  determine the computer code is malicious by comparing a result of the execution of the statement in the first node to a set of rules denoting malicious behavior.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The tangible computer readable storage device or storage disc of claim 8, wherein the instructions further cause the gateway device to:
    - identify a variable contained in the first node;
      
      identify symbol data describing the variable, the symbol data including a name of the variable and a value associated with the variable; and
      
      store the symbol data in a symbol table.
  - 10. The tangible computer readable storage device or storage disc of claim 8, wherein the instructions further cause the gateway device to:
    - determine context data associated with the statement, the context data describing a scope of the statement;
      
      cache the context data in a context table; and
      
      associate the context data in the context table with corresponding symbol data in the symbol table.
  - 11. The tangible computer readable storage device or storage disc of claim 8, wherein the instructions further cause the gateway device to:
    - determine if the first node includes a probe function; and
      
      in response to determining that the first node does not include the probe function, inserting the probe function in the first node.
  - 12. The tangible computer readable storage device or storage disc of claim 8, wherein the instructions further cause the gateway device to determine if the statement in the first node is a simple statement, the simple statement being a statement having a basic language operator applied to a variable and a function code associated with a standard library of a programming language of the computer code.
  - 13. The tangible computer readable storage device or storage disc of claim 9, wherein the instructions further cause the gateway device to:
    - detect induced changes to the symbol data after executing the statement; and
      
      update the symbol table to reflect the induced changes to the symbol data.
  - 14. The tangible computer readable storage device or storage disc of claim 8, wherein the instructions further cause the gateway device to, in response to the determination that the computer code is malicious, block the computer code.

15. A device comprising:
- a memory; and
  
  a processor configured to;
  
  parse computer code received from a non-trusted entity via a network, the computer code received by a gateway when sent by the non-trusted entity to a client device in response to a request from the client device;
  
  transform the parsed computer code into an abstract syntax tree, the abstract syntax tree containing a first node having a statement from the parsed computer code;
  
  analyze the statement in the first node to determine if the statement contains a user-defined function;
  
  in response to determining that the statement in the first node does not contain the user-defined function, executing the statement; and
  
  determine the computer code is malicious by comparing a result of the execution of the statement in the first node to a set of rules denoting malicious behavior.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The device of claim 15, wherein the processor is further configured to:
    - identify a variable contained in the first node;
      
      identify symbol data describing the variable, the symbol data including a name of the variable and a value associated with the variable; and
      
      store the symbol data in a symbol table.
  - 17. The device of claim 16, wherein the processor is further configured to:
    - determine context data associated with the statement, the context data describing a scope of the statement;
      
      cache the context data in a context table; and
      
      associate the context data in the context table with corresponding symbol data in the symbol table.
  - 18. The device of claim 16, wherein the processor is further configured to:
    - determine if the statement in the first node is a simple statement, the simple statement being a statement having a basic language operator applied to a variable and a function code associated with a standard library of a programming language of the computer code.
  - 19. The device of claim 16, wherein the processor is further configured to:
    - detect induced changes to the symbol data after executing the statement; and
      
      update the symbol table to reflect the induced changes to the symbol data.
  - 20. The device of claim 16, wherein the processor is further configured to, in response to the determination that the computer code is malicious, block the computer code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Yermakov, Alexander, Kaplan, Mark
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Ho, Thomas

Application Number

US13/156,971
Publication Number

US 20110307956A1
Time in Patent Office

1,496 Days
Field of Search

726/4, 726/22, 726/24, 726/2
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 40/154   Tree transformation for tre...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/168   above the transport layer

System and method for analyzing malicious code using a static analyzer

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for analyzing malicious code using a static analyzer

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links