Method and system for adaptive rule-based content scanners

DC CAFC

US 8,225,408 B2
Filed: 08/30/2004
Issued: 07/17/2012
Est. Priority Date: 11/06/1997
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A computer processor-based multi-lingual method for scanning incoming program code, comprising:

receiving, by a computer, an incoming stream of program code;

determining, by the computer, any specific one of a plurality of programming languages in which the incoming stream is written;

instantiating, by the computer, a scanner for the specific programming language, in response to said determining, the scanner comprising parser rules and analyzer rules for the specific programming language, wherein the parser rules define certain patterns in terms of tokens, tokens being lexical constructs for the specific programming language, and wherein the analyzer rules identify certain combinations of tokens and patterns as being indicators of potential exploits, exploits being portions of program code that are malicious;

identifying, by the computer, individual tokens within the incoming stream;

dynamically building, by the computer while said receiving receives the incoming stream, a parse tree whose nodes represent tokens and patterns in accordance with the parser rules;

dynamically detecting, by the computer while said dynamically building builds the parse tree, combinations of nodes in the parse tree which are indicators of potential exploits, based on the analyzer rules; and

indicating, by the computer, the presence of potential exploits within the incoming stream, based on said dynamically detecting.

View all claims

5 Assignments

Timeline View

Assignment View

Litigations

8 Petitions

Accused Products

Abstract

A method for scanning content, including identifying tokens within an incoming byte stream, the tokens being lexical constructs for a specific language, identifying patterns of tokens, generating a parse tree from the identified patterns of tokens, and identifying the presence of potential exploits within the parse tree, wherein said identifying tokens, identifying patterns of tokens, and identifying the presence of potential exploits are based upon a set of rules for the specific language. A system and a computer readable storage medium are also described and claimed.

93 Citations

View as Search Results

35 Claims

1. A computer processor-based multi-lingual method for scanning incoming program code, comprising:
- receiving, by a computer, an incoming stream of program code;
  
  determining, by the computer, any specific one of a plurality of programming languages in which the incoming stream is written;
  
  instantiating, by the computer, a scanner for the specific programming language, in response to said determining, the scanner comprising parser rules and analyzer rules for the specific programming language, wherein the parser rules define certain patterns in terms of tokens, tokens being lexical constructs for the specific programming language, and wherein the analyzer rules identify certain combinations of tokens and patterns as being indicators of potential exploits, exploits being portions of program code that are malicious;
  
  identifying, by the computer, individual tokens within the incoming stream;
  
  dynamically building, by the computer while said receiving receives the incoming stream, a parse tree whose nodes represent tokens and patterns in accordance with the parser rules;
  
  dynamically detecting, by the computer while said dynamically building builds the parse tree, combinations of nodes in the parse tree which are indicators of potential exploits, based on the analyzer rules; and
  
  indicating, by the computer, the presence of potential exploits within the incoming stream, based on said dynamically detecting.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein said dynamically building a parse tree is based upon a shift-and-reduce algorithm.
  - 3. The method of claim 1 wherein the parser rules and analyzer rules include actions to be performed when rules are matched.
  - 4. The method of claim 1 wherein the specific programming language is JavaScript.
  - 5. The method of claim 1 wherein the specific programming language is Visual Basic VBScript.
  - 6. The method of claim 1 wherein the specific programming language is HTML.
  - 7. The method of claim 1 wherein the specific programming language is Uniform Resource Identifier (URI).
  - 8. The method of claim 1 wherein the incoming stream of program code includes embedded program code, the method further comprising:
    - identifying, by the computer, another one of the plurality of programming languages in which the embedded program code is written, the other programming language being different that the specific programming language in which the incoming stream is written; and
      
      repeating said instantiating, said identifying, said dynamically building, said dynamically detecting and said indicating for the embedded program code, based on the parser rules and the analyzer rules for the other programming language.

9. A computer system for multi-lingual content scanning, comprising:
- a non-transitory computer-readable storage medium storing computer-executable program code that is executed by a computer to scan incoming program code;
  
  a receiver, stored on the medium and executed by the computer, for receiving an incoming stream of program code;
  
  a multi-lingual language detector, stored on the medium and executed by the computer, operatively coupled to said receiver for detecting any specific one of a plurality of programming languages in which the incoming stream is written;
  
  a scanner instantiator, stored on the medium and executed by the computer, operatively coupled to said receiver and said multi-lingual language detector for instantiating a scanner for the specific programming language, in response to said determining, the scanner comprising;
  
  a rules accessor for accessing parser rules and analyzer rules for the specific programming language, wherein the parser rules define certain patterns in terms of tokens, tokens being lexical constructs for the specific programming language, and wherein the analyzer rules identify certain combinations of tokens and patterns as being indicators of potential exploits, exploits being portions of program code that are malicious;
  
  a tokenizer, for identifying individual tokens within the incoming;
  
  a parser, for dynamically building while said receiver is receiving the incoming stream, a parse tree whose nodes represent tokens and patterns in accordance with the parser rules accessed by said rules accessor; and
  
  an analyzer, for dynamically detecting, while said parser is dynamically building the parse tree, combinations of nodes in the parse tree which are indicators of potential exploits, based on the analyzer rules; and
  
  a notifier, stored on the medium and executed by the computer, operatively coupled to said scanner instantiator for indicating the presence of potential exploits within the incoming stream, based on results of said analyzer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 10. The system of claim 9 further comprising a pre-scanner for identifying program code that is innocuous and for routing the innocuous program code so as to bypass said tokenizer, said parser and said analyzer.
  - 11. The system of claim 9 wherein said parser dynamically builds the parse tree using a shift-and-reduce algorithm.
  - 12. The system of claim 9 wherein said parser comprises a pattern-matching engine, for matching a pattern within a sequence of tokens in accordance with the parser rules accessed by said rules accessor.
  - 13. The system of claim 12 wherein the parser rules accessed by said rules accessor are represented as finite-state machines.
  - 14. The system of claim 12 wherein the parser rules are represented as pattern expression trees.
  - 15. The system of claim 12 wherein parser rules are merged into a single deterministic finite automaton (DFA).
  - 16. The system of claim 9 wherein the parser rules and analyzer rules include actions to be performed when rules are matched.
  - 17. The system of claim 16 further comprising a scripting engine stored on the medium and executed by the computer, operatively coupled to said parser and said analyzer, for implementing the actions to be performed.
  - 18. The system of claim 9 wherein the specific programming language is JavaScript.
  - 19. The system of claim 9 wherein the specific programming language is Visual Basic script.
  - 20. The system of claim 9 wherein the specific programming language is HTML.
  - 21. The system of claim 9 wherein the specific programming languages language is Uniform Resource Identifier (URI).

22. A non-transitory computer-readable storage medium storing program code for causing a computer to perform the steps of:
- receiving an incoming stream of program code;
  
  determining any specific one of a plurality of programming languages in which the incoming stream is written;
  
  instantiating a scanner for the specific programming language, in response to said determining, the scanner comprising parser rules and analyzer rules for the specific programming language, wherein the parser rules define certain patterns in terms of tokens, tokens being lexical constructs for the specific programming language, and wherein the analyzer rules identify certain combinations of tokens and patterns as being indicators of corresponding exploits, exploits being portions of program code that are malicious;
  
  identifying individual tokens within the incoming stream;
  
  dynamically building, while said receiving receives the incoming stream, a parse tree whose nodes represent tokens and patterns in accordance with the parser rules;
  
  dynamically detecting, while said dynamically building builds the parse tree, combinations of nodes in the parse tree which are indicator or potential exploits, based on the analyzer rules; and
  
  indicating the presence of potential exploits within the incoming stream, based on said dynamically detecting.

23. A computer processor-based multi-lingual method for scanning content incoming program code, comprising:
- for each of a plurality of programming languages, expressing exploits in terms of patterns of tokens and rules, wherein exploits are portions of program code that are malicious, wherein tokens are lexical constructs of a specific programming language, and wherein rules designate certain patterns of tokens as forming programmatical constructs;
  
  receiving, by a computer, an incoming stream of program code;
  
  determining, by the computer, any specific one of the plurality of programming languages in which the incoming stream is written;
  
  dynamically building, while said receiving receives the incoming stream, a parse tree whose nodes represent tokens and rules vis-à
  
  -vis the specific programming language;
  
  dynamically detecting, while said dynamically building builds the parse tree, patterns of nodes in the parse tree which are indicators of potential exploits, based on said expressing vis-à
  
  -vis the specific programming language; and
  
  indicating, by the computer, the presence of potential exploits within the incoming stream, based on said dynamically detecting.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The method of claim 23 wherein said dynamically building comprises positioning nodes of the parse tree corresponding to rules as parent nodes, the children of which correspond to the tokens within the patterns that correspond to the rules.
  - 25. The method of claim 24 wherein said dynamically building comprises adding a new parent node to the parse tree when a rule is matched.
  - 26. The method of claim 25 wherein said dynamically detecting detects patterns of nodes in the parse tree whenever said adding adds a new parent node to the parse tree.
  - 27. The method of claim 26 wherein tokens and rules have names associated therewith, and wherein said dynamically building comprises assigning values to nodes in the parse tree, the value of a node corresponding to a token being the name of the corresponding token, and the value of a node corresponding to a rule being the name of the corresponding rule.
  - 28. The method of claim 27 wherein said dynamically building comprises storing an indicator for a matched rule in the new parent node of the parse tree when the rule is matched.

29. A computer system for multi-lingual content scanning, comprising:
- a non-transitory computer-readable storage medium storing computer-executable program code that is executed by a computer to scan incoming program code;
  
  an accessor, stored on the medium and executed by the computer, for accessing descriptions of exploits in terms of patterns of tokens and rules, wherein exploits are portions of program code that are malicious, wherein tokens are lexical constructs of any one of a plurality of programming languages, and wherein rules designate certain patterns of tokens as forming programmatical constructs;
  
  a receiver, stored on the medium and executed by the computer, for receiving an incoming stream of program code;
  
  a multi-lingual language detector, stored on the medium and executed by the computer, operatively coupled with said receiver for detecting any specific one of the plurality of programming languages in which the incoming stream is written;
  
  a parser, stored on the medium and executed by the computer, operatively coupled with said accessor, with said receiver and with said language detector for dynamically building, while said receiver is receiving the incoming stream, a parse tree whose nodes represent tokens and rules vis-à
  
  -vis the specific programming language;
  
  an analyzer, stored on the medium and executed by the computer, operatively coupled with said parser, with said accessor and with said language detector, for dynamically detecting, while said parser is dynamically building the parse tree, patterns of nodes in the parse tree which are indicators of potential exploits, based on the descriptions of exploits vis-à
  
  -vis the specific programming language; and
  
  a notifier, stored on the medium and executed by the computer, operatively coupled with said analyzer, for indicating the presence of potential exploits within the incoming stream, based on results of said analyzer.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The system of claim 29 wherein said parser positions nodes of the parse tree corresponding to rules as parent nodes, the children of which correspond to tokens within the patterns that correspond to the rules.
  - 31. The system of claim 30 wherein said parser adds a new parent node to the parse tree when a rule is matched.
  - 32. The medium of claim 31 wherein said analyzer dynamically detects patterns of nodes in the parse tree when said parser adds a new parent node to the parse tree.
  - 33. The system of claim 32 wherein tokens and rules have names associated therewith, and wherein said parser assigns values to nodes in the parse tree, the value of a node corresponding to a token being the name of the corresponding token, and the value of a node corresponding to a rule being the name of the corresponding rule.
  - 34. The system of claim 33 wherein said parser stores an indicator for a matched rule in the new parent node of the parse tree when the rule is matched.

35. A non-transitory computer-readable storage medium storing program code for causing a computer to perform the steps of:
- for each of a plurality of programming languages, expressing exploits in terms of corresponding patterns of tokens and rules, wherein exploits are portions of program code that are malicious, wherein tokens are lexical constructs of a specific programming language, and wherein rules designate certain patterns of tokens as forming programmatical constructs;
  
  receiving an incoming stream of program code;
  
  determining any specific one of the plurality of programming languages in which the incoming stream is written;
  
  dynamically building, while said receiving receives the incoming stream, a parse tree whose nodes correspond to tokens and rules vis-à
  
  -vis the specific programming language;
  
  dynamically detecting, while said dynamically building builds the parse tree, patterns of nodes in the parse tree which are indicators of potential exploits, based on said expressing vis-à
  
  -vis the specific programming language; and
  
  indicating, by the computer, the presence of potential exploits within the incoming stream, based on said dynamically detecting.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Finjan Holdings, Inc. (SoftBank Group Corp.)
Original Assignee
Finjan, Inc. (SoftBank Group Corp.)
Inventors
Rubin, Moshe, Matitya, Moshe, Melnick, Artem, Touboul, Shlomo, Yermakov, Alexander, Shaked, Amit
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US10/930,884
Publication Number

US 20050108554A1
Time in Patent Office

2,878 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 2221/2119   Authenticating web pages, e...

G06F 8/427   Parsing

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/145   the attack involving the pr...

H04L 63/168   above the transport layer

Method and system for adaptive rule-based content scanners

First Claim

5 Assignments

Litigations

8 Petitions

Accused Products

Abstract

93 Citations

35 Claims

Specification

30 Family Members

Thank you for your feedback