Title of invention |
DE-OBFUSCATING SCRIPTED LANGUAGE FOR NETWORK INTRUSION DETECTION USING A REGULAR EXPRESSION SIGNATURE |
Abstract |
A device receives data, identifies a context associated with the data, and identifies a script, within the data, associated with the context. The device parses the script to identify tokens, forms nodes based on the tokens, and assembles a syntax tree using the nodes. The device renames one or more identifiers associated with the nodes and generates a normalized text, associated with the script, based on the syntax tree after renaming the one or more identifiers. The device determines whether the normalized text matches a regular expression signature and processes the data based on determining whether the normalized text matches the regular expression signature. The device processes the data by a first process when the normalized text matches the regular expression signature or by a second process, different from the first process, when the normalized text does not match the regular expression signature. |
Publication number |
US2016094572(A1) |
Publication date |
2016.03.31 |
Application number |
US201414501798 |
Filing date |
2014.09.30 |
Applicant |
Juniper Networks, Inc. |
Inventor |
TYAGI Ankur |
Classification |
H04L29/06;G06F17/27 |
Main classification |
H04L29/06 |
Agency |
|
Agent |
|
Main claim |
1. A device, comprising:
one or more processors to:
receive data;
identify a context associated with the data;
identify a script, within the data, associated with the context;
parse the script to identify tokens;
form nodes based on the tokens;
assemble a syntax tree using the nodes;
rename one or more identifiers associated with the nodes;
generate a normalized text, associated with the script, based on the syntax tree after renaming the one or more identifiers;
determine whether the normalized text matches a regular expression signature; and
process the data based on determining whether the normalized text matches the regular expression signature,
the data being processed by a first process when the normalized text matches the regular expression signature,
the data being processed by a second process when the normalized text does not match the regular expression signature,
the first process being different from the second process. |
Address |
Sunnyvale CA US |