DETECTING EXPLOIT CODE IN NETWORK FLOWS

摘要

The present invention discloses detecting exploit code in network flows. The network data packets are intercepted by a flow monitor, which generates data flows from the intercepted data packets. A content filter is utilized for filtering out legitimate programs from the data flows, and the unfiltered portions are provided to an executable code recognizer which detects executable code. The executable code recognizer also performs convergent binary disassembly on the unfiltered portions of the data flows, constructs a control flow graph, control flow analysis, data flow analysis, and constraint enforcement in order to detect executable code.