Title
System and method for analyzing malicious code using a static analyzer
Abstract
Analyzing computer code using a tree is described. For example, a client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and to the network. The gateway is configured to receive computer code from the non-trusted entity via the network. The gateway builds a tree representing the computer code. The tree has one or more nodes, and a node of the tree represents a statement from the computer code. The gateway analyzes the statement to identify symbol data, which describes the name and the value of a variable. The gateway stores the symbol data in a symbol table.
Publication number
US9081961(B2)
Publication date
2015.07.14
Application number
US201113156971
Filing date
2011.06.09
Applicant
Trustwave Holdings, Inc.
Inventors
Yermakov Alexander; Kaplan Mark
Classification (IPC)
G06F21/56; G06F17/22; H04L29/06; G06F21/55
Main classification
G06F21/56
Agency
Hanley, Flight & Zimmerman, LLC
Agent
Hanley, Flight & Zimmerman, LLC
Principal claim
1. A computer-implemented method comprising:
    parsing, via a processor, computer code received from a non-trusted entity via a network, the computer code received by a gateway when sent by the non-trusted entity to a client device in response to a request from the client device;
    transforming, via the processor, the parsed computer code into an abstract syntax tree, the abstract syntax tree containing a first node having a statement from the parsed computer code;
    analyzing, via the processor, the statement in the first node to determine if the statement contains a user-defined function;
    in response to determining that the statement in the first node does not contain the user-defined function, executing the statement; and
    determining the computer code is malicious by comparing a result of the execution of the statement in the first node to a set of rules denoting malicious behavior.
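The claim above describes one pass of the method: parse the received code into an abstract syntax tree, execute each top-level statement that does not call a user-defined function, record the variable names and values it produces in a symbol table (the abstract's "symbol data"), and compare the result of each execution against rules denoting malicious behavior. The Python program below is an added illustration of that flow and is not code from the patent or from Trustwave. It uses Python's own ast module as a stand-in for whatever scripting language the gateway would actually parse; the rule set, the SAMPLE input and the helper names (analyze, is_malicious, SAFE_BUILTINS, assigned_names) are all constructed for this example.

```python
import ast
import re

# Rules denoting malicious behaviour, matched against the value a statement
# produces after it has been executed. Constructed for this example; a real
# gateway would carry a far larger rule set.
RULES = {
    "dynamic_code_execution": re.compile(r"\b(?:eval|exec|Function|unescape)\s*\("),
    "long_hex_escape_blob": re.compile(r"(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}){8,}"),
}

# The only built-ins exposed to the evaluated statements. A stripped builtins
# dict limits what straight-line code can reach; it is NOT an isolation
# boundary, so a real analyzer runs this in a throwaway process or interpreter.
SAFE_BUILTINS = {"chr": chr, "ord": ord, "len": len, "str": str,
                 "int": int, "range": range, "list": list}


def user_defined_functions(tree):
    """Names of the functions the untrusted code defines itself."""
    return {n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}


def calls_user_function(stmt, user_funcs):
    """True if the statement, anywhere in its subtree, calls a user-defined function."""
    return any(isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
               and n.func.id in user_funcs for n in ast.walk(stmt))


def assigned_names(stmt):
    """Variables a statement binds: the 'name' half of the symbol data."""
    if isinstance(stmt, ast.Assign):
        return [t.id for t in stmt.targets if isinstance(t, ast.Name)]
    if isinstance(stmt, (ast.AugAssign, ast.AnnAssign)) and isinstance(stmt.target, ast.Name):
        return [stmt.target.id]
    return []


def analyze(source):
    """Return (symbol_table, findings) for one piece of received code."""
    tree = ast.parse(source)
    user_funcs = user_defined_functions(tree)
    env = {"__builtins__": SAFE_BUILTINS}   # execution namespace for the statements
    symbols = {}                            # name -> value, the symbol table
    findings = []                           # (rule or event, line number)
    for stmt in tree.body:
        if isinstance(stmt, ast.FunctionDef):
            continue                        # a definition executes nothing by itself
        if calls_user_function(stmt, user_funcs):
            findings.append(("skipped_user_function_call", stmt.lineno))
            continue
        module = ast.Module(body=[stmt], type_ignores=[])
        try:
            exec(compile(module, "<gateway>", "exec"), env)
        except Exception:
            findings.append(("execution_error", stmt.lineno))
            continue
        # Record the symbol data and compare the execution result to the rules.
        for name in assigned_names(stmt):
            value = env.get(name)
            symbols[name] = value
            if isinstance(value, str):
                for rule, pattern in RULES.items():
                    if pattern.search(value):
                        findings.append((rule, stmt.lineno))
    return symbols, findings


def is_malicious(source):
    """True if any executed statement produced a value matching a rule."""
    _, findings = analyze(source)
    return any(event in RULES for event, _ in findings)


# Constructed sample of the kind of script a gateway might receive: a string is
# assembled from character codes so that no literal "eval(" appears in the
# source text, then extended with a percent-encoded blob.
SAMPLE = """
def hide(s):
    return s[::-1]

parts = [101, 118, 97, 108, 40]
payload = "".join(chr(c) for c in parts)
payload += "unescape('%75%6e%65%73%63%61%70%65%28%27%25%37%35')"
decoy = hide("benign")
"""

if __name__ == "__main__":
    table, events = analyze(SAMPLE)
    for name, value in table.items():
        print(f"{name} = {value!r}")
    for event, line in events:
        print(f"line {line}: {event}")
    print("malicious:", is_malicious(SAMPLE))
```

Two points worth noting when reading the output. First, a purely textual scan of SAMPLE finds no "eval(" at all; the match only appears because the statement was executed and its result, not its source, was compared to the rules, which is the point of the method. Second, the statement `decoy = hide("benign")` is left unexecuted because it calls a function the code itself defines, exactly as the claim requires, so anything decoded inside such a function stays invisible to this pass; the claim covers only the branch where no user-defined function is involved.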
Address
Chicago IL US