System and method for analyzing malicious code using a static analyzer
Abstract
Analyzing computer code using a tree is described. For example, a client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and to the network. The gateway is configured to receive computer code from the non-trusted entity via the network. The gateway builds a tree representing the computer code. The tree has one or more nodes. A node of the tree represents a statement from the computer code. The gateway analyzes the statement to identify symbol data. The symbol data describes the name of a variable and the value of that variable. The gateway stores the symbol data in a symbol table.
20 Claims
1. A computer-implemented method comprising:
parsing, via a processor, computer code received from a non-trusted entity via a network, the computer code received by a gateway when sent by the non-trusted entity to a client device in response to a request from the client device;
transforming, via the processor, the parsed computer code into an abstract syntax tree, the abstract syntax tree containing a first node having a statement from the parsed computer code;
analyzing, via the processor, the statement in the first node to determine if the statement contains a user-defined function;
in response to determining that the statement in the first node does not contain the user-defined function, executing the statement; and
determining the computer code is malicious by comparing a result of the execution of the statement in the first node to a set of rules denoting malicious behavior.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A tangible computer readable storage device or storage disc comprising instructions that, when executed, cause a gateway device to at least:
parse computer code received from a non-trusted entity via a network, the computer code received by the gateway when sent by the non-trusted entity to a client device in response to a request from the client device;
generate an abstract syntax tree from the parsed computer code, the abstract syntax tree containing a first node having a statement from the parsed computer code;
determine if the statement in the first node contains a user-defined function;
in response to determining that the statement in the first node does not contain the user-defined function, executing the statement; and
determine the computer code is malicious by comparing a result of the execution of the statement in the first node to a set of rules denoting malicious behavior.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A device comprising:
a memory; and
a processor configured to:
parse computer code received from a non-trusted entity via a network, the computer code received by a gateway when sent by the non-trusted entity to a client device in response to a request from the client device;
transform the parsed computer code into an abstract syntax tree, the abstract syntax tree containing a first node having a statement from the parsed computer code;
analyze the statement in the first node to determine if the statement contains a user-defined function;
in response to determining that the statement in the first node does not contain the user-defined function, executing the statement; and
determine the computer code is malicious by comparing a result of the execution of the statement in the first node to a set of rules denoting malicious behavior.
Dependent claims: 16, 17, 18, 19, 20.
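The abstract and claim 1 together describe a small pipeline: parse received code into an abstract syntax tree, walk its statement nodes, skip statements that call a function the code itself defines, execute the remaining statements while recording each variable's name and value in a symbol table, and compare the produced values against a set of rules denoting malicious behavior. The following is an added illustration of that pipeline, not code from the patent or its assignee. It uses Python's standard ast module as the parser and Python syntax as a stand-in for the script language a gateway would actually see; the sample code, the rule set and the "Unsupported" mini-interpreter are all constructed for this example. Execution is deliberately limited to constants, known names and string concatenation rather than handing the untrusted code to the real interpreter, which is the point of evaluating statements one node at a time: the analyzer recovers values that are only assembled at run time without giving the code any capability.

```python
import ast
import re

# Constructed sample of received script code. The suspicious string is only
# assembled at run time, so matching the raw text against the rules would miss it.
SAMPLE_CODE = """
def helper(x):
    return x[::-1]
part1 = "ev"
part2 = "al("
payload = part1 + part2 + "document.cookie)"
decoded = helper("tpircs")
"""

# Rules denoting malicious behavior, applied to values produced by execution.
# Constructed for this example; a real gateway maintains its own rule set.
RULES = [
    ("eval of DOM data", re.compile(r"eval\(.*document\.cookie")),
    ("script tag injection", re.compile(r"<script", re.IGNORECASE)),
]


class Unsupported(Exception):
    """Raised for constructs the mini-interpreter deliberately does not model."""


def user_defined_functions(tree):
    """Collect the names of functions the received code itself defines."""
    return {n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}


def contains_user_defined_call(stmt, names):
    """True if the statement calls any function defined by the received code."""
    for node in ast.walk(stmt):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in names):
            return True
    return False


def eval_expr(node, symbols):
    """Evaluate a restricted expression: constants, known names and '+'."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in symbols:
            raise Unsupported(f"unknown symbol {node.id}")
        return symbols[node.id]
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return eval_expr(node.left, symbols) + eval_expr(node.right, symbols)
    raise Unsupported(type(node).__name__)


def execute_statement(stmt, symbols):
    """Execute one statement against the symbol table and return its result."""
    if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
            and isinstance(stmt.targets[0], ast.Name)):
        value = eval_expr(stmt.value, symbols)
        symbols[stmt.targets[0].id] = value  # symbol data: variable name and value
        return value
    if isinstance(stmt, ast.Expr):
        return eval_expr(stmt.value, symbols)
    raise Unsupported(type(stmt).__name__)


def analyze(code):
    """Return (symbol_table, findings) for the received code."""
    tree = ast.parse(code)
    udf_names = user_defined_functions(tree)
    symbols = {}
    findings = []
    for stmt in tree.body:
        if isinstance(stmt, ast.FunctionDef):
            continue  # a definition produces no value to compare against the rules
        if contains_user_defined_call(stmt, udf_names):
            continue  # claim 1 executes only statements without user-defined calls
        try:
            result = execute_statement(stmt, symbols)
        except Unsupported:
            continue  # outside the modeled subset; left unexecuted
        if isinstance(result, str):
            for rule_name, pattern in RULES:
                if pattern.search(result):
                    findings.append((stmt.lineno, rule_name, result))
    return symbols, findings


def is_malicious(code):
    """Verdict in the sense of claim 1: any rule matched a produced value."""
    return bool(analyze(code)[1])


if __name__ == "__main__":
    table, hits = analyze(SAMPLE_CODE)
    print("symbol table:", table)
    for lineno, rule_name, value in hits:
        print(f"line {lineno}: {rule_name}: {value!r}")
```

Running the block flags the assignment to payload, whose concatenated value matches the first rule, and leaves decoded out of the symbol table because that statement calls the user-defined helper. Widening eval_expr to more operators grows coverage; the trade-off a practitioner must watch is that every added construct is one the analyzer now simulates on behalf of untrusted input, so each should be bounded (no loops, no I/O, no attribute access) to keep the evaluation a pure value computation.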