US2018225453A1PendingUtilityA1

Method for detecting a threat and threat detecting apparatus

Assignee: LEIDOS INNOVATIONS TECH INCPriority: Nov 25, 2015Filed: Apr 6, 2018Published: Aug 9, 2018
Est. expiryNov 25, 2035(~9.4 yrs left)· nominal 20-yr term from priority
G06F 21/564G06F 21/56G06F 18/29H04L 63/1416G06K 9/6296G06F 21/554
44
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Aspects of the disclosure include a threat detecting apparatus. The threat detecting apparatus can include an interface circuit, an opcode detector, and a pattern analyzer. The interface circuit is configured to receive a data stream. The opcode detector can be configured to identify an opcode sequence embedded in the data stream based on a first model graph that includes a plurality of interconnected token nodes. Each token node is representative of an occurrence or a non-occurrence of a token. The pattern analyzer may be configured to identify an opcode signature embedded in the identified opcode sequence based on a second model graph, and to output a signal indicative of the successful identification of the opcode signature. The second model graph can include a plurality of interconnected opcode nodes, and each opcode node can be representative of an occurrence or a non-occurrence of a predetermined combination of one or more opcodes.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A threat detecting apparatus, comprising:
 an interface circuit configured to receive a data stream;   an opcode detector implemented by hardware circuitry and configured to identify an opcode sequence embedded in the data stream based on a first model graph, the first model graph including a plurality of interconnected token nodes, each token node of the plurality of interconnected token nodes being representative of an occurrence or a non-occurrence of a token, and each token being a predetermined combination of bits or bytes; and   a pattern analyzer implemented by the hardware circuitry and configured to identify an opcode signature embedded in the identified opcode sequence based on a second model graph, and to output a signal indicative of successful identification of the opcode signature, the second model graph including a plurality of interconnected opcode nodes, each opcode node of the plurality of interconnected opcode nodes being representative of an occurrence or a non-occurrence of a predetermined combination of one or more opcodes,   wherein the opcode detector is configured to traverse the first model graph in N process threads based on the data stream and N different byte alignments, or to traverse the first model graph, which incorporates redundant paths based on the N possible byte alignments of the data stream, in one process thread based on the data stream, where N is an integer greater than one.   
     
     
         2 . The threat detecting apparatus of  claim 1 , wherein the opcode detector is configured to:
 identify a matched one of a plurality of preamble nodes in the first model graph that matches first X tokens of the data stream, X being an integer greater than one;   move a pointer to traverse the first model graph starting from the matched one of the plurality of preamble nodes based on the other tokens of the data stream in a sequential order; and   when the pointer reaches an end node of the first model graph, update an opcode sequence record to include an opcode corresponding to the end node.   
     
     
         3 . The threat detecting apparatus of  claim 2 , wherein the opcode detector is further configured to, after identifying an opcode, discard the processed tokens in the data stream and traverse the first model graph based on the remaining portion of the data stream to identify a next opcode in a recursive manner. 
     
     
         4 . The threat detecting apparatus of  claim 1 , wherein the pattern analyzer is configured to:
 move a pointer to traverse the second model graph from a starting node of the second model graph based on opcodes of the identified opcode sequence in a sequential order; and   when the pointer reaches an end node of the second model graph, report identification of an opcode signature corresponding to the reached end node.   
     
     
         5 . The threat detecting apparatus of  claim 1 , further comprising:
 a memory circuit configured to store at least a portion of the first model graph or at least a portion of the second model graph.   
     
     
         6 . The threat detecting apparatus of  claim 5 , wherein
 the memory circuit is configured to store a set of instructions, and   the hardware circuitry of the threat detecting apparatus comprises a processor configured to execute the set of instructions to function as the opcode detector or the pattern analyzer.   
     
     
         7 . The threat detecting apparatus of  claim 1 , wherein the hardware circuitry comprises:
 an application-specific integrated circuit (ASIC) configured to function as the opcode detector or the pattern analyzer.   
     
     
         8 . The threat detecting apparatus of  claim 7 , wherein at least a portion of the first model graph or a portion of the second model graph is hard-wired in the ASIC. 
     
     
         9 . A method for detecting a threat, comprising:
 receiving a data stream by an interface circuit;   identifying an opcode sequence embedded in the data stream by an opcode detector based on a first model graph, the first model graph including a plurality of interconnected token nodes, each token node of the plurality of interconnected token nodes being representative of an occurrence or a non-occurrence of a token, and each token being a predetermined combination of bits or bytes;   identifying an opcode signature embedded in the identified opcode sequence by a pattern analyzer based on a second model graph, the second model graph including a plurality of interconnected opcode nodes, each opcode node of the plurality of interconnected opcode nodes being representative of an occurrence or a non-occurrence of a predetermined combination of one or more opcodes; and   outputting a signal indicative of successful identification of the opcode signature by the pattern analyzer,   wherein the identifying the opcode sequence embedded in the data stream comprises traversing the first model graph in N process threads based on the data stream and N possible byte alignments, or traversing the first model graph, which incorporates redundant paths based on the N possible byte alignments of the data stream, in one process thread based on the data stream, where N is an integer greater than one.   
     
     
         10 . The method of  claim 9 , wherein identifying an opcode sequence embedded in the data stream comprises:
 identifying a matched one of a plurality of preamble nodes in the first model graph that matches first X tokens of the data stream, X being an integer greater than one;   moving a pointer to traverse the first model graph starting from the matched one of the plurality of preamble node based on the other tokens of the data stream in a sequential order; and   when the decision pointer reaches an end node of the first model graph, updating an opcode sequence record to include an opcode corresponding to the reached end node.   
     
     
         11 . The method of  claim 10 , wherein identifying an opcode sequence embedded in the data stream further comprises:
 after identifying an opcode, discarding the processed tokens in the data stream and traversing the first model graph based on the remaining portion of the data stream to identify a next opcode in a recursive manner.   
     
     
         12 . The method of  claim 9 , wherein identifying an opcode signature embedded in the identified opcode sequence comprises:
 moving a pointer to traverse the second model graph from a starting node of the second model graph based on opcodes of the identified opcode sequence in a sequential order; and   when the pointer reaches an end node of the second model graph, report identification of an opcode signature corresponding to the reached end node.   
     
     
         13 . The method of  claim 9 , further comprising:
 retrieving a portion of the first model graph or a portion of the second model graph from a memory circuit.   
     
     
         14 . A threat detecting apparatus, comprising:
 a threat detection circuit configured to:
 identify an opcode sequence embedded in a data stream based on a first model graph, the first model graph including a plurality of interconnected token nodes, each token node of the plurality of interconnected token nodes being representative of an occurrence or a non-occurrence of a token, and each token being a predetermined combination of bits or bytes; 
 identify an opcode signature embedded in the identified opcode sequence based on a second model graph, the second model graph including a plurality of interconnected opcode nodes, each opcode node of the plurality of interconnected opcode nodes being representative of an occurrence or a non-occurrence of a predetermined combination of one or more opcodes; and 
 output an indication signal indicative of successful identification of the opcode signature, 
   wherein the threat detection circuit is configured to traverse the first model graph in N process threads based on the data stream and N different byte alignments, or to traverse the first model graph, which incorporates redundant paths based on the N possible byte alignments of the data stream, in one process thread based on the data stream, where N is an integer greater than one.   
     
     
         15 . The threat detecting apparatus of  claim 14 , further comprising:
 a memory circuit configured to store a set of instructions and at least a portion of a first model graph or at least a portion of a second model graph,   wherein the threat detection circuit comprises a processor configured to execute the set of instructions to function as the threat detection circuit.   
     
     
         16 . The threat detecting apparatus of  claim 14 , wherein the threat detection circuit comprises:
 an application-specific integrated circuit (ASIC) configured to function as the threat detection circuit.

Join the waitlist — get patent alerts

Track US2018225453A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.