Title of invention METHOD AND SYSTEM FOR DYNAMIC PROTOCOL DECODING AND ANALYSIS
Abstract A method for dynamically decoding protocol data on a computer system is provided using a protocol decoder, which inspects and analyzes protocol data received by the computer system. A protocol decoding program controls the decoding and analysis process. The method may be used by an intrusion prevention system to identify anomalous protocol data that may cause harm to applications receiving the data.
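Application publication number US2015229657(A1) Application publication date 2015.08.13
Application number US201514692632 Filing date 2015.04.21
Applicant BOYCE Kevin Gerard Inventor BOYCE Kevin Gerard
Classification number H04L29/06 Main classification number H04L29/06
Agency Agent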
Principal claim 1. A method for inspecting a data stream, comprising data packets, in a computer system in a computer network, the method comprising: using a hardware processor for: (a) detecting an encoded portion of the data stream, which is encoded according to an encoding method; (b) decoding the encoded portion of the data stream into a decoded data stream; and (c) executing a protocol decoding program comprising a sequence of protocol decoding instructions, to inspect the decoded data stream, comprising: (i) executing a concrete type instruction from at least two types of concrete type instructions, each type of the concrete type instructions defining a different length of a data unit of a data packet in the decoded data stream, and causing reading a data unit according to the length defined by a number of bytes by the concrete type instruction being executed; (ii) executing a pseudo type instruction of a first type, comprising analyzing data contained in the data unit read by the concrete type instructions; (iii) executing a pseudo type instruction of a second type for controlling a program flow of the protocol decoding program by jumping to a protocol decoding instruction in the sequence of protocol decoding instructions as a function of the data contained in the data unit; and (iv) provided the data contained in said data unit satisfies a predefined condition, terminating the protocol decoding program, otherwise executing a next protocol decoding instruction in the sequence of protocol decoding instructions.
Address Kanata CA