Title of invention: System and method for analyzing malicious code using a static analyzer
Abstract: Analyzing computer code using a tree is described. For example, a client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and to the network. The gateway is configured to receive computer code from the non-trusted entity via the network. The gateway builds a tree representing the computer code. The tree has one or more nodes. A node of the tree represents a statement from the computer code. The gateway analyzes the statement to identify symbol data. The symbol data describes a name of the variable and the value of the variable. The gateway stores the symbol data in a symbol table.
Publication number: US9081961(B2) | Publication date: 2015.07.14
Application number: US201113156971 | Application date: 2011.06.09
Applicant: Trustwave Holdings, Inc. | Inventors: Yermakov Alexander; Kaplan Mark
Classification: G06F21/56; G06F17/22; H04L29/06; G06F21/55 | Main classification: G06F21/56
Agency: Hanley, Flight & Zimmerman, LLC | Agent: Hanley, Flight & Zimmerman, LLC
Independent claim: 1. A computer-implemented method comprising: parsing, via a processor, computer code received from a non-trusted entity via a network, the computer code received by a gateway when sent by the non-trusted entity to a client device in response to a request from the client device; transforming, via the processor, the parsed computer code into an abstract syntax tree, the abstract syntax tree containing a first node having a statement from the parsed computer code; analyzing, via the processor, the statement in the first node to determine if the statement contains a user-defined function; in response to determining that the statement in the first node does not contain the user-defined function, executing the statement; and determining the computer code is malicious by comparing a result of the execution of the statement in the first node to a set of rules denoting malicious behavior.
Address: Chicago IL US