The present invention relates to protection of networks and, more particularly, to a system and method for detecting malicious code in a stream of data, such as in a gateway to a data network.
Network attacks include both “worm” attacks and “virus” attacks. A virus attack is typically performed during an expected transfer of executable code: the virus-bearing code is attached to the executable code. Virus attacks are prevented by anti-virus software that is signature-based. Typically, anti-virus software interacts with a database of known viruses that includes virus signatures. A virus signature is typically one or more instructions or data known to be included in the code bearing the virus. Anti-virus software is used to scan executable code and search for virus signatures during or just subsequent to transfer. Anti-virus software is therefore reactive only to known threats and unable to protect against new and/or unknown threats. A worm attack is a network attack based on sending malicious code over parts of network connections where code is not expected, such as during data transfer of non-executable code, e.g. while browsing the Internet. An application running on the targeted computer that receives the code is tricked into executing the malicious code by exploiting known weaknesses in the operating system and/or in the application running on the targeted computer. New worms usually spread much faster than new viruses, and as a result the signature-based method is too slow. Consequently, detection of a worm attack requires a different approach from anti-virus scanning.
Worm attacks that exploit a vulnerability known as an overflow are particularly common. Buffer overflows and their more recent variations, heap overflows and integer overflows, are a common form of security threat in software systems. Vulnerabilities attributed to overflows have increasingly dominated all computer vulnerabilities, with over 50% of security advisories issued in the year 2003 relating to buffer overflows alone. Recent contagious computer worms include Slammer, Blaster and Welchia, all exploiting buffer overflow vulnerabilities and inflicting billions of dollars' worth of damage on the computing community. An effective solution to malicious code detection will significantly improve the security of networked computing systems.
There is considerable prior art in the field of detecting worms and viruses. The prior art teaches three ways to detect worms and viruses, as follows:
(1) Scanning: The scanning method includes detection of malicious code by scanning network messages for strings, e.g. signatures, which are previously known to occur in malicious code. Prior art references representative of this method to detect malicious code include Hile et al. U.S. Pat. No. 5,319,776, Hershey et al. U.S. Pat. No. 5,414,833, and Judge et al., US patent application 2003/0196095.
(2) Emulation: The emulation method, for detection of viruses in particular, includes executing the code in an isolated environment so that no damage occurs if the code turns out to be malicious. Emulation methods monitor the isolated environment for behavior symptomatic of infection by malicious code. Prior art references that teach emulation methods include Schnurer et al., U.S. Pat. No. 5,842,002, Jordan US patent application 2002/0073323, Yann et al., US patent application 2002/0078368 and Jordan, US patent application 2002/0091934.
(3) Semantic analysis: The method includes analyzing the code to predict, without actually executing the code, whether the code is malicious. Prior art references that teach this method include Hollander et al. U.S. Pat. No. 6,301,699, Chen international patent application WO98/14872, Schmall et al. US2002/0066024 and Chandnani et al., US patent application 2002/0073330. Chen WO98/14872 teaches a method for detecting and removing viruses in macros. A macro virus-scanning module detects unknown macro virus signatures by obtaining comparison data that includes sets of instruction identifiers from a virus information module.
Reference is now made to FIG. 1 showing a simplified prior art data network including a wide area network (WAN) 111 attached to a local area network (LAN) 115 through a gateway 101. Attached to WAN 111 is a malicious client 105b; the user of malicious client 105b is attempting to exploit, for instance, a buffer overflow vulnerability in either client machine 105a and/or application server 113 in LAN 115.
Hollander et al. U.S. Pat. No. 6,301,699 is directed towards a semantic analysis method to detect an attempt to obtain super-user privileges in a computer by passing a binary string as a function parameter, thereby causing a buffer overflow. Hollander et al. '699 teach disassembling the string and following possible execution paths of the resulting code to find invalid targets of jump instructions as well as system calls. Hollander et al. '699 teach a method to detect buffer overflow exploitations in progress in application server 113 or client machine 105a.
None of the prior art references teach a semantic analysis method for detecting malicious code in a stream of data, for instance at a gateway 101 of local area network 115. Detection of malicious code at the network level in a stream of data is done before forwarding the code to the target of the attack, e.g. application server 113 or client machine 105a. Often internal client machine 105a cannot be attacked directly by an external client machine 105b; however, using a technique known as cross site scripting, attacking client machine 105b can install attacking code in internal application server 113, and subsequently internal client machine 105a is tricked into loading the attacking code.
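As an added illustration of the path-following semantic analysis described above, and of method (3) generally, the following Python (not code from the patent or from Hollander et al. '699) decodes a small hypothetical x86-32 instruction subset over a stream of bytes, follows every execution path, and reports system calls and jumps whose target lies outside the data. The instruction subset, the `min_depth` filter and the two sample streams are assumptions made for this example.

```python
# Constructed streams (not from the patent): plain HTTP text, and a header
# followed by a short x86 fragment that ends in a system call (exit).
BENIGN = b"GET /index.html HTTP/1.1\r\n"
SUSPECT = b"Content-Length: 5\r\n\r\n" + b"\x90\x90\x90\x90\xb8\x01\x00\x00\x00\xcd\x80"

def decode(buf, pc):
    """Hypothetical x86-32 subset: (length, kind, jump_target) or None."""
    op = buf[pc]
    if op == 0x90 or 0x40 <= op <= 0x5F:          # nop, inc/dec, push/pop reg
        return 1, "plain", None
    if op == 0xC3:                                 # ret ends the path
        return 1, "ret", None
    if 0xB8 <= op <= 0xBF and pc + 5 <= len(buf):  # mov r32, imm32
        return 5, "plain", None
    if (op == 0xEB or 0x70 <= op <= 0x7F) and pc + 2 <= len(buf):  # jmp/jcc rel8
        rel = buf[pc + 1] - 256 if buf[pc + 1] > 127 else buf[pc + 1]
        return 2, ("jmp" if op == 0xEB else "jcc"), pc + 2 + rel
    if op == 0xCD and pc + 2 <= len(buf):          # int imm8: a system call
        return 2, "syscall", None
    return None                                    # undecodable: path ends

def follow_paths(buf, start):
    """Walk every path from start; collect (finding, pc, depth) tuples."""
    findings, seen, work = [], set(), [(start, 0)]
    while work:
        pc, depth = work.pop()           # depth = instructions decoded so far
        if pc in seen:                   # loops (e.g. jmp to self) terminate
            continue
        seen.add(pc)
        if not 0 <= pc < len(buf):       # only a jump can land out of range
            findings.append(("invalid-jump-target", pc, depth))
            continue
        ins = decode(buf, pc)
        if ins is None:
            continue
        length, kind, target = ins
        if kind == "syscall":
            findings.append(("system-call", pc, depth))
        if kind in ("jmp", "jcc"):
            work.append((target, depth + 1))
        if kind not in ("jmp", "ret") and pc + length < len(buf):  # fall-through
            work.append((pc + length, depth + 1))
    return findings

def scan_stream(data, min_depth=3):
    """Try every offset as an entry point; drop findings shallower than min_depth."""
    hits = set()
    for start in range(len(data)):
        for kind, pc, depth in follow_paths(data, start):
            if depth >= min_depth:
                hits.add((kind, pc))
    return sorted(hits)
```

The `min_depth` threshold is the caveat a gateway scanner needs: ordinary ASCII bytes in the range 0x70 to 0x7F decode as conditional jumps, so with `min_depth=1` even the plain request line yields invalid-jump-target hits, whereas the system call in `SUSPECT` is only reached after a run of genuinely decodable instructions.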
There is thus a need for, and it would be highly advantageous to have, a system and method for detection of malicious code in a stream of data offering protection from malicious code at the network level.