Method and system for adaptive rule-based content scanners
Abstract
A method for scanning content, including identifying tokens within an incoming byte stream, the tokens being lexical constructs for a specific language, identifying patterns of tokens, generating a parse tree from the identified patterns of tokens, and identifying the presence of potential exploits within the parse tree, wherein said identifying tokens, identifying patterns of tokens, and identifying the presence of potential exploits are based upon a set of rules for the specific language. A system and a computer readable storage medium are also described and claimed.
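An added illustration of the pipeline the abstract describes: a tokenizer, a parser and an analyzer, each driven by rules. It is not code from the patent. The token rules, the call pattern and the eval/unescape rule are constructed assumptions for a tiny JavaScript-like language.

```python
import re

# Constructed rule set for a tiny JavaScript-like language (assumption, not from the patent).
TOKEN_RULES = [("IDENT", r"[A-Za-z_$][\w$]*"), ("STRING", r"\"[^\"]*\"|'[^']*'"),
               ("LPAREN", r"\("), ("RPAREN", r"\)"), ("PUNCT", r"[^\sA-Za-z_$\"'()]")]
TOKEN_RE = re.compile("|".join(f"(?P<{n}>{p})" for n, p in TOKEN_RULES))
# Analyzer rules: (rule name, outer call, call that must appear inside its arguments).
EXPLOIT_RULES = [("eval-of-decoded-string", "eval", "unescape")]

def tokenize(data: bytes):
    """Identify tokens (lexical constructs) within the incoming byte stream."""
    text = data.decode("utf-8", errors="replace")
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(text)]

def parse(tokens):
    """Match the pattern IDENT LPAREN ... RPAREN and build a parse tree of call nodes."""
    root = {"type": "program", "name": None, "children": []}
    stack, pending = [root], None
    for i, (kind, text) in enumerate(tokens):
        nxt = tokens[i + 1][0] if i + 1 < len(tokens) else None
        if kind == "IDENT" and nxt == "LPAREN":
            pending = text                      # callee name, consumed by the next token
        elif kind == "LPAREN":
            node = {"type": "call" if pending else "group", "name": pending, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            pending = None
        elif kind == "RPAREN":
            if len(stack) > 1:                  # tolerate an unbalanced ')'
                stack.pop()
        else:
            stack[-1]["children"].append({"type": kind, "name": text, "children": []})
    return root

def contains_call(node, name):
    """True if any descendant of node is a call to the named function."""
    return any((c["type"] == "call" and c["name"] == name) or contains_call(c, name)
               for c in node["children"])

def analyze(tree):
    """Walk the parse tree and return the names of the exploit rules that match."""
    hits = []
    for child in tree["children"]:
        hits.extend(analyze(child))
    for rule, outer, inner in EXPLOIT_RULES:
        if tree["type"] == "call" and tree["name"] == outer and contains_call(tree, inner):
            hits.append(rule)
    return hits

def scan(data: bytes):
    return analyze(parse(tokenize(data)))
```

Because the rule is evaluated on the parse tree, the constructed input `var s = "eval(unescape(x))";` produces no hit: the tokenizer classifies the quoted text as a single string token, which a raw byte-signature match would not do.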
43 Claims
1. A method for scanning content, comprising:
- identifying tokens within an incoming byte stream, the tokens being lexical constructs for a specific language;
- identifying patterns of tokens;
- generating a parse tree from the identified patterns of tokens; and
- identifying the presence of potential exploits within the parse tree, wherein said identifying tokens, identifying patterns of tokens, and identifying the presence of potential exploits are based upon a set of rules for the specific language.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A system for scanning content, comprising:
- a tokenizer for identifying tokens within an incoming byte stream, the tokens being lexical constructs for a specific language;
- a parser operatively coupled to said tokenizer for identifying patterns of tokens, and generating a parse tree therefrom; and
- an analyzer operatively coupled to said parser for analyzing the parse tree and identifying the presence of potential exploits therewithin, wherein said tokenizer, said parser and said analyzer use a set of rules for the specific language to identify tokens, patterns and potential exploits, respectively.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27.

28. A computer-readable storage medium storing program code for causing a computer to perform the steps of:
- identifying tokens within an incoming byte stream, the tokens being lexical constructs for a specific language;
- identifying patterns of tokens;
- generating a parse tree from the identified patterns of tokens; and
- identifying the presence of potential exploits within the parse tree, wherein said identifying tokens, identifying patterns of tokens, and identifying the presence of potential exploits are based upon a set of rules for the specific language.

29. A method for scanning content, comprising:
- expressing an exploit in terms of patterns of tokens and rules, where tokens are lexical constructs of a specific programming language, and rules are sequences of tokens that form programmatical constructs; and
- parsing an incoming byte source to determine if an exploit is present therewithin, based on said expressing.
Dependent claims: 30, 31, 32, 33, 34, 35.

36. A system for scanning content, comprising:
- a parser for parsing an incoming byte source to determine if an exploit is present therewithin, based on a formal description of the exploit expressed in terms of patterns of tokens and rules, where tokens are lexical constructs of a specific programming language, and rules are sequences of tokens that form programmatical constructs.
Dependent claims: 37, 38, 39, 40, 41, 42.

43. A computer-readable storage medium storing program code for causing a computer to perform the steps of:
- expressing an exploit in terms of patterns of tokens and rules, where tokens are lexical constructs of a specific programming language, and rules are sequences of tokens that form programmatical constructs; and
- parsing an incoming byte source to determine if an exploit is present therewithin, based on said expressing.

Specification