Independent claim |
1. A method for dynamic protocol decoding and analysis of a data stream comprising data packets, for detecting malicious traffic in the data stream, the method comprising: using a hardware processor for:
(a) detecting an encoded portion of the data stream, which is encoded according to an encoding method; (b) decoding the encoded portion of the data stream into a decoded data stream; and (c) executing a protocol decoding program, comprising a plurality of program rules and a sequence of protocol decoding instructions, to inspect the decoded data stream, comprising:
(i) executing a concrete type instruction from at least two types of concrete type instructions, each type of the concrete type instructions defining a different length of a data unit of a data packet in the decoded data stream, and causing reading a data unit according to the length defined by a number of bytes by the concrete type instruction being executed; (ii) executing a pseudo type instruction of a first type, comprising analyzing data contained in the data unit read by the concrete type instructions; (iii) executing a pseudo type instruction of a second type for controlling a program flow of the protocol decoding program by jumping to a protocol decoding instruction in the sequence of protocol decoding instructions as a function of the data contained in the data unit; and (iv) provided the data contained in said data unit satisfies a predefined condition: terminating the protocol decoding instructions and triggering a program rule of the protocol decoding program, otherwise executing a next protocol decoding instruction in the sequence of protocol decoding instructions. |
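The claim above describes a small interpreter: concrete type instructions read data units of fixed byte lengths, first-type pseudo instructions analyze the unit just read, second-type pseudo instructions branch on it, and a satisfied condition terminates the program and fires a rule. The following is an added illustration written for this page, not the patentee's implementation. Everything concrete in it is assumed: the `B64:` marker used to detect a base64-encoded portion (step (a)), the packet layout (1-byte version, 2-byte length, 4-byte command id, body), the instruction names `READ8`/`READ16`/`READ32`/`ANALYZE`/`JUMP_IF`, the rule names, and the sample packets, which are constructed inline. It also handles the edge case the claim does not spell out, a concrete read running past the end of the decoded stream, by triggering a rule rather than raising.

```python
"""Toy protocol-decoding interpreter modelled on the claim's instruction kinds.

Added example; not the patent's own code. Marker-based base64 detection, the
packet layout, instruction names, rule names and sample packets are assumptions.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import Any, Optional

MARKER = b"B64:"           # assumed: an encoded portion is introduced by this tag
MAX_LEN = 1024             # assumed: largest acceptable declared body length
FORBIDDEN = {0xDEADBEEF}   # assumed: command ids the protocol never carries

# (i) Concrete type instructions: each defines a different data-unit length in bytes.
CONCRETE = {"READ8": 1, "READ16": 2, "READ32": 4}


@dataclass
class Instr:
    op: str
    arg: Any = None


# Program rules: the action taken when an instruction's predefined condition holds.
RULES = {
    "oversized-length": "alert",
    "forbidden-command": "block",
    "unknown-version": "alert",
    "truncated-packet": "block",
}

# The protocol decoding program. Assumed layout of the decoded packet:
# version(1) length(2) command(4) body.
PROGRAM = [
    Instr("READ8"),                                                    # 0: version byte
    Instr("JUMP_IF", (lambda v: v != 1, 7)),                           # 1: unsupported version -> 7
    Instr("READ16"),                                                   # 2: declared body length
    Instr("ANALYZE", (lambda v: v > MAX_LEN, "oversized-length")),     # 3: length sanity check
    Instr("READ32"),                                                   # 4: command id
    Instr("ANALYZE", (lambda v: v in FORBIDDEN, "forbidden-command")), # 5: command allow-list
    Instr("JUMP_IF", (lambda v: True, 8)),                             # 6: unconditional jump past the end: clean
    Instr("ANALYZE", (lambda v: True, "unknown-version")),             # 7: reached only from 1
]


def decode_stream(stream: bytes) -> bytes:
    """Steps (a) and (b): detect a marker-prefixed base64 portion and decode it in place."""
    idx = stream.find(MARKER)
    if idx < 0:
        return stream
    try:
        decoded = base64.b64decode(stream[idx + len(MARKER):], validate=True)
    except binascii.Error:
        return stream  # not valid base64 after all; inspect the raw bytes instead
    return stream[:idx] + decoded


def run_program(program, data: bytes) -> Optional[str]:
    """Step (c): execute the program over the decoded stream; return the triggered rule or None."""
    pc, pos, unit = 0, 0, 0
    while pc < len(program):
        ins = program[pc]
        if ins.op in CONCRETE:                      # (i) concrete type: read one data unit
            n = CONCRETE[ins.op]
            if pos + n > len(data):
                return "truncated-packet"           # edge case: unit would run past the stream
            unit = int.from_bytes(data[pos:pos + n], "big")
            pos += n
            pc += 1
        elif ins.op == "ANALYZE":                   # (ii) first pseudo type: analyze the unit
            pred, rule = ins.arg
            if pred(unit):                          # (iv) condition met: terminate and trigger rule
                return rule
            pc += 1                                 # (iv) otherwise: next instruction
        elif ins.op == "JUMP_IF":                   # (iii) second pseudo type: branch on the unit
            pred, target = ins.arg
            pc = target if pred(unit) else pc + 1
        else:
            raise ValueError(f"unknown instruction {ins.op}")
    return None


def inspect_stream(stream: bytes) -> str:
    """Full pipeline: decode, run the program, map the triggered rule to its action."""
    rule = run_program(PROGRAM, decode_stream(stream))
    return RULES[rule] if rule else "pass"


def build_packet(version: int, length: int, cmd: int, body: bytes = b"", encode: bool = True) -> bytes:
    """Constructed sample traffic for this example (not captured data)."""
    raw = bytes([version]) + length.to_bytes(2, "big") + cmd.to_bytes(4, "big") + body
    return MARKER + base64.b64encode(raw) if encode else raw


if __name__ == "__main__":
    samples = [
        build_packet(1, 4, 0x10, b"ping"),            # well-formed
        build_packet(1, 0xFFFF, 0x10),                # declared length too large
        build_packet(1, 4, 0xDEADBEEF),               # forbidden command id
        build_packet(9, 4, 0x10),                     # unsupported version
        build_packet(1, 4, 0x10, encode=False)[:5],   # unencoded and cut mid-command
    ]
    for pkt in samples:
        print(inspect_stream(pkt))
```

The point to take from the structure is that the rule check in (iv) is attached to each analyzing instruction rather than run once at the end: the program stops at the first unit that satisfies a condition, so a forbidden command id is never examined in a packet whose declared length already failed. Any real deployment would also need a bound on jumps (the jump at index 6 is the only way out of the loop here) so a malformed program cannot spin forever.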