WO2006113722A3 - High-performance context-free parser for polymorphic malware detection - Google Patents

Info

Publication number
WO2006113722A3
Authority
WO
Grant status
Application
Patent type
Prior art keywords
system
free
invention
parser
high
Prior art date
Application number
PCT/US2006/014574
Other languages
French (fr)
Other versions
WO2006113722A2 (en)
Inventor
Young H Cho
William H Mangione-Smith
Original Assignee
Young H Cho
William H Mangione-Smith
Univ California
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                            • H04L63/0245 Filtering by information in the payload

Abstract

The invention provides a method and apparatus for advanced network intrusion detection. The system uses deep packet inspection that can recognize languages described by context-free grammars. The system combines deep packet inspection with one or more grammar parsers (409A-409M). The invention can detect token streams (408) even when polymorphic. The system looks for tokens at multiple byte alignments and is capable of detecting multiple suspicious token streams (408). The invention is capable of detecting languages expressed in LL(1) or LR(1) grammar. The result is a system that can detect attacking code wherever it is located in the data stream (408).

Priority Applications (2)

Application Number Priority Date Filing Date Title
US67224405 2005-04-18 2005-04-18
US60/672,244 2005-04-18

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11918592 US20090070459A1 (en) 2005-04-18 2006-04-18 High-Performance Context-Free Parser for Polymorphic Malware Detection

Publications (2)

Publication Number Publication Date
WO2006113722A2 (en) 2006-10-26
WO2006113722A3 (en) 2006-12-14

Family

ID=37115867

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/014574 WO2006113722A3 (en) 2005-04-18 2006-04-18 High-performance context-free parser for polymorphic malware detection

Country Status (2)

Country Link
US (1) US20090070459A1 (en)
WO (1) WO2006113722A3 (en)

Families Citing this family (58)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8548170B2 (en) 2003-12-10 2013-10-01 Mcafee, Inc. Document de-registration
US8656039B2 (en) 2003-12-10 2014-02-18 Mcafee, Inc. Rule parser
US7984175B2 (en) 2003-12-10 2011-07-19 Mcafee, Inc. Method and apparatus for data capture and analysis system
US7962591B2 (en) * 2004-06-23 2011-06-14 Mcafee, Inc. Object classification in a capture system
US8560534B2 (en) * 2004-08-23 2013-10-15 Mcafee, Inc. Database for a capture system
US7949849B2 (en) * 2004-08-24 2011-05-24 Mcafee, Inc. File system for a capture system
US7907608B2 (en) * 2005-08-12 2011-03-15 Mcafee, Inc. High speed packet capture
US7818326B2 (en) * 2005-08-31 2010-10-19 Mcafee, Inc. System and method for word indexing in a capture system and querying thereof
US8024804B2 (en) * 2006-03-08 2011-09-20 Imperva, Inc. Correlation engine for detecting network attacks and detection method
US8504537B2 (en) 2006-03-24 2013-08-06 Mcafee, Inc. Signature distribution in a document registration system
US7958227B2 (en) 2006-05-22 2011-06-07 Mcafee, Inc. Attributes of captured objects in a capture system
US20080080505A1 (en) * 2006-09-29 2008-04-03 Munoz Robert J Methods and Apparatus for Performing Packet Processing Operations in a Network
US7895463B2 (en) 2007-08-28 2011-02-22 Cisco Technology, Inc. Redundant application network appliances using a low latency lossless interconnect link
US8667556B2 (en) 2008-05-19 2014-03-04 Cisco Technology, Inc. Method and apparatus for building and managing policies
US8094560B2 (en) 2008-05-19 2012-01-10 Cisco Technology, Inc. Multi-stage multi-core processing of network packets
US8677453B2 (en) 2008-05-19 2014-03-18 Cisco Technology, Inc. Highly parallel evaluation of XACML policies
US8205242B2 (en) 2008-07-10 2012-06-19 Mcafee, Inc. System and method for data mining and security policy management
US9253154B2 (en) 2008-08-12 2016-02-02 Mcafee, Inc. Configuration management for a capture/registration system
WO2010060480A1 (en) * 2008-11-26 2010-06-03 Telecom Italia S.P.A. Application data flow management in an ip network
US8487941B2 (en) * 2008-12-15 2013-07-16 Leonovus Usa Inc. Media action script acceleration apparatus
US20100149215A1 (en) * 2008-12-15 2010-06-17 Personal Web Systems, Inc. Media Action Script Acceleration Apparatus, System and Method
US8850591B2 (en) 2009-01-13 2014-09-30 Mcafee, Inc. System and method for concept building
US8706709B2 (en) 2009-01-15 2014-04-22 Mcafee, Inc. System and method for intelligent term grouping
US8473442B1 (en) 2009-02-25 2013-06-25 Mcafee, Inc. System and method for intelligent state management
US8291497B1 (en) * 2009-03-20 2012-10-16 Symantec Corporation Systems and methods for byte-level context diversity-based automatic malware signature generation
US8667121B2 (en) 2009-03-25 2014-03-04 Mcafee, Inc. System and method for managing data and policies
US8447722B1 (en) 2009-03-25 2013-05-21 Mcafee, Inc. System and method for data mining and security policy management
US9871807B2 (en) * 2009-06-12 2018-01-16 Microsoft Technology Licensing, Llc Generic protocol decoder for generic application-level protocol signatures
US8068431B2 (en) * 2009-07-17 2011-11-29 Satyam Computer Services Limited System and method for deep packet inspection
US9110875B2 (en) * 2010-02-11 2015-08-18 International Business Machines Corporation XML post-processing hardware acceleration
US8782790B1 (en) * 2010-02-19 2014-07-15 Symantec Corporation Signature creation for malicious network traffic
US9213838B2 (en) * 2011-05-13 2015-12-15 Mcafee Ireland Holdings Limited Systems and methods of processing data associated with detection and/or handling of malware
US8666931B2 (en) * 2010-07-16 2014-03-04 Board Of Trustees Of Michigan State University Regular expression matching using TCAMs for network intrusion detection
US20120096554A1 (en) * 2010-10-19 2012-04-19 Lavasoft Ab Malware identification
US8806615B2 (en) 2010-11-04 2014-08-12 Mcafee, Inc. System and method for protecting specified data combinations
US9002876B2 (en) * 2010-12-02 2015-04-07 Sap Se Interpreted computer language to analyze business object data with defined relations
US8949371B1 (en) * 2011-09-29 2015-02-03 Symantec Corporation Time and space efficient method and system for detecting structured data in free text
US20130246336A1 (en) 2011-12-27 2013-09-19 Mcafee, Inc. System and method for providing data protection workflows in a network environment
US20140041030A1 (en) * 2012-02-17 2014-02-06 Shape Security, Inc System for finding code in a data flow
US9158893B2 (en) * 2012-02-17 2015-10-13 Shape Security, Inc. System for finding code in a data flow
US9687540B2 (en) 2012-10-26 2017-06-27 Intervet Inc. Cross-protecting Salmonella vaccines
US8943589B2 (en) * 2012-12-04 2015-01-27 International Business Machines Corporation Application testing system and method
US9225737B2 (en) 2013-03-15 2015-12-29 Shape Security, Inc. Detecting the introduction of alien content
US9178908B2 (en) 2013-03-15 2015-11-03 Shape Security, Inc. Protecting against the introduction of alien content
US9338143B2 (en) 2013-03-15 2016-05-10 Shape Security, Inc. Stateless web content anti-automation
EP3028203A4 (en) * 2013-07-31 2017-03-29 Hewlett-Packard Enterprise Development LP Signal tokens indicative of malware
US9465651B2 (en) * 2014-01-09 2016-10-11 Netronome Systems, Inc. Transactional memory having local CAM and NFA resources
US8954583B1 (en) 2014-01-20 2015-02-10 Shape Security, Inc. Intercepting and supervising calls to transformed operations and objects
US9225729B1 (en) 2014-01-21 2015-12-29 Shape Security, Inc. Blind hash compression
US8997226B1 (en) 2014-04-17 2015-03-31 Shape Security, Inc. Detection of client-side malware activity
US9680797B2 (en) 2014-05-28 2017-06-13 Oracle International Corporation Deep packet inspection (DPI) of network packets for keywords of a vocabulary
US9405910B2 (en) * 2014-06-02 2016-08-02 Shape Security, Inc. Automatic library detection
US9825984B1 (en) 2014-08-27 2017-11-21 Shape Security, Inc. Background analysis of web content
US9954893B1 (en) 2014-09-23 2018-04-24 Shape Security, Inc. Techniques for combating man-in-the-browser attacks
US9800602B2 (en) 2014-09-30 2017-10-24 Shape Security, Inc. Automated hardening of web page content
US9479526B1 (en) 2014-11-13 2016-10-25 Shape Security, Inc. Dynamic comparative analysis method and apparatus for detecting and preventing code injection and other network attacks
US9986058B2 (en) 2015-05-21 2018-05-29 Shape Security, Inc. Security systems for mitigating attacks from a headless browser executing on a client computer
US9917850B2 (en) 2016-03-03 2018-03-13 Shape Security, Inc. Deterministic reproduction of client/server computer state or output sent to one or more client computers

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5070528A (en) * 1990-06-29 1991-12-03 Digital Equipment Corporation Generic encryption technique for communication networks
US6487666B1 (en) * 1999-01-15 2002-11-26 Cisco Technology, Inc. Intrusion detection signature analysis using regular expressions and logical operators
US20050108554A1 (en) * 1997-11-06 2005-05-19 Moshe Rubin Method and system for adaptive rule-based content scanners
US20050240999A1 (en) * 1997-11-06 2005-10-27 Moshe Rubin Method and system for adaptive rule-based content scanners for desktop computers

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH1055269A (en) * 1996-08-08 1998-02-24 Fuji Xerox Co Ltd Information processor
US20050216770A1 (en) * 2003-01-24 2005-09-29 Mistletoe Technologies, Inc. Intrusion detection system
KR101150653B1 (en) * 2004-06-04 2012-05-29 Fortify Software LLC Apparatus and method for developing, testing and monitoring secure software
US7962591B2 (en) * 2004-06-23 2011-06-14 Mcafee, Inc. Object classification in a capture system

Also Published As

Publication number Publication date Type
WO2006113722A2 (en) 2006-10-26 application
US20090070459A1 (en) 2009-03-12 application

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase (Ref document number: 11918592; Country of ref document: US)
NENP Non-entry into the national phase in: DE
NENP Non-entry into the national phase in: RU
122 Ep: pct application non-entry in european phase (Ref document number: 06750580; Country of ref document: EP; Kind code of ref document: A2)