Title of invention: DE-OBFUSCATING SCRIPTED LANGUAGE FOR NETWORK INTRUSION DETECTION USING A REGULAR EXPRESSION SIGNATURE
Abstract: A device receives data, identifies a context associated with the data, and identifies a script, within the data, associated with the context. The device parses the script to identify tokens, forms nodes based on the tokens, and assembles a syntax tree using the nodes. The device renames one or more identifiers associated with the nodes and generates a normalized text, associated with the script, based on the syntax tree after renaming the one or more identifiers. The device determines whether the normalized text matches a regular expression signature and processes the data based on determining whether the normalized text matches the regular expression signature. The device processes the data by a first process when the normalized text matches the regular expression signature or by a second process, different from the first process, when the normalized text does not match the regular expression signature.
Publication number: US2016094572(A1) Publication date: 2016.03.31
Application number: US201414501798 Filing date: 2014.09.30
Applicant: Juniper Networks, Inc. Inventor: TYAGI Ankur
Classification: H04L29/06;G06F17/27 Main classification: H04L29/06
Agency: Agent:
Principal claim: 1. A device, comprising: one or more processors to: receive data; identify a context associated with the data; identify a script, within the data, associated with the context; parse the script to identify tokens; form nodes based on the tokens; assemble a syntax tree using the nodes; rename one or more identifiers associated with the nodes; generate a normalized text, associated with the script, based on the syntax tree after renaming the one or more identifiers; determine whether the normalized text matches a regular expression signature; and process the data based on determining whether the normalized text matches the regular expression signature, the data being processed by a first process when the normalized text matches the regular expression signature, the data being processed by a second process when the normalized text does not match the regular expression signature, the first process being different from the second process.
Address: Sunnyvale CA US
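
The pipeline in the abstract (parse, build a syntax tree, rename identifiers, regenerate normalized text, match a regular expression signature), as an added example that is not taken from the patent or from Juniper. It assumes Python source as the scripted language because the standard library ships a parser; the signature, the sample scripts and the action names `alert` and `forward` are constructed for illustration.

```python
import ast
import builtins
import re

class RenameIdentifiers(ast.NodeTransformer):
    """Map each user-chosen identifier to id0, id1, ... in order of first visit."""

    def __init__(self):
        self.names = {}

    def canon(self, name):
        if hasattr(builtins, name):  # keep exec, chr, ... so signatures can name them
            return name
        return self.names.setdefault(name, f"id{len(self.names)}")

    def visit_Name(self, node):
        node.id = self.canon(node.id)
        return node

    def visit_arg(self, node):
        node.arg = self.canon(node.arg)
        return node

    def visit_FunctionDef(self, node):
        node.name = self.canon(node.name)
        return self.generic_visit(node)

def normalize(script):
    """Parse -> syntax tree -> rename identifiers -> regenerate text (Python 3.9+)."""
    tree = RenameIdentifiers().visit(ast.parse(script))
    return ast.unparse(tree)  # comments and original spacing are not in the tree

# Constructed signature: exec() of a string built by XOR-decoding integers.
SIGNATURE = re.compile(r"exec\(''\.join\(\(?chr\(id\d+ \^ \d+\) for id\d+ in id\d+\)?\)\)")

def inspect(script):
    """Return 'alert' (first process) or 'forward' (second process); both names assumed."""
    try:
        text = normalize(script)
    except SyntaxError:
        text = script  # unparsable input: fall back to matching the raw text
    return "alert" if SIGNATURE.search(text) else "forward"

# Constructed samples: same structure, different names, spacing and comments.
PLAIN = 'payload = [98, 104]\nexec("".join(chr(c ^ 7) for c in payload))\n'
RENAMED = "_0x3fa1  =  [98,104]  # filler\nexec( ''.join( chr( _0xb2 ^ 7 ) for _0xb2 in _0x3fa1 ) )\n"
BENIGN = "total = sum(n * 2 for n in range(10))\nprint(total)\n"
```

The samples are only parsed, never executed. Both variants normalize to the same text, so one signature covers them, while the same signature applied to the raw `RENAMED` text does not match.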