CA2191205A1 - Computer virus trap - Google Patents
Computer virus trap
Info
- Publication number
- CA2191205A1
- Authority
- CA
- Canada
- Prior art keywords
- virus
- computer
- emulation
- computer system
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/567—Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Abstract
A computer virus trapping device (10) is described that detects and eliminates computer viruses before they can enter a computer system and wreak havoc on its files, peripherals, etc. The trapping device (10) creates a virtual world that simulates the host computer system (28) the virus intends to infect. The environment is made as friendly as possible to fool a computer virus into thinking it is present on the host (28), its intended target system. Within this virtual world, the virus is encouraged to perform its intended activity. The invention is able to detect any disruptive behaviour occurring within this simulated host computer system. It is further able to remove (52) the virus from the data stream before it is delivered to the host (28) and/or take any action previously instructed by a user (38).
Description
WO 95/33237
COMPUTER VIRUS TRAP
BACKGROUND OF THE INVENTION
The computer virus problem that exists today had its beginnings sometime in the late 1980s. At that time computer viruses were a novelty and plagued mainly DOS and Macintosh computers. Today, almost every Fortune 500 company has encountered computer viruses, with the current rate being about one virus incident every 2 to 3 months.
The term computer virus is applied in common and legal usage to software, code, code blocks, code elements and code segments which perform certain functions in the digital computer environment. Code is intended to mean the digital instructions which the computer responds to. Non-damaging or legitimate software, code, code blocks, code segments and code elements that serve a useful purpose would not be considered a virus.
Computer viruses have been known to cause physical harm to computer hardware in addition to erasing and destroying data. While rare, there have been cases of viruses that have made calls to disk drive heads, actually scoring the media; still others have been discovered that ramped up the scan rate on a monitor, causing failure. Most viruses do not, however, intentionally cause explicit physical harm, and they are discovered before they are triggered to cause damage to data and files. However, it is after discovery that the real cost of viruses becomes apparent, in connection with their detection and removal. In an average computer site this might entail searching 1000 PCs and 35,000 diskettes. If the software engineer misses even one instance of the virus, other computers will be re-infected and the clean-up search must be repeated all over again.
A common misconception is that there are good viruses and bad viruses. Some viruses are claimed to be benign because they do not have a malicious trigger event and cannot do intentional harm. However, this misses the point that the problems computer viruses cause are not mainly due to the trigger events. It is a fact that computer viruses replicate. This by itself is harmful because it necessitates a search to clean up all instances of the virus in a computer installation. The damage caused by viruses, not so much due to erased files or data but in the cost of detection and removal and also the accompanying lowered worker productivity, can be very high. It has been calculated that the average computer site will spend on the order of about $250,000 on a computer virus cleanup. It has been estimated that computer viruses will cost U.S. computer users over a billion dollars in 1994 alone.
The problem will grow exponentially due to the advent of the Information Super Highway. The increased connectivity among individuals, companies and government will allow a computer virus to create havoc. Currently disjoint computer systems that perform various functions that we take for granted today, such as banking, communications, radio, information databases, libraries and credit, might meld together in the future. Thus computer viruses, unchecked, could have a crippling effect on our society.
A virus can only cause trouble when it enters a system and finds a location on which to act. In a general sense, the virus must perform an unintended function, or a function the user or operator did not intend, expect, compensate for or otherwise protect against. Some examples of malicious virus activity are:
changing names of files, making it difficult for the user to access the files; moving a file to a new location; deleting files; interfering with working programs (i.e. causing all the words on a screen to fall to the bottom of the screen in a heap); replicating themselves and clogging up the system, making it nonfunctional; or waiting for a predetermined time period or a certain number of toggle operations such as boot, access, cursor movements, mouse clicks, etc. before acting.
More felonious type viruses are those that have been released to cause ruin or impairment of a system for the purposes of sabotage, espionage, financial gain or to impair a competing business. Some examples include: creating a trap door which allows access to an unauthorized user for any purpose such as espionage, dumping files or erasure; navigation programs which find routes into systems; password cracking programs; modifying the executable segment of legitimate programs; and attaching themselves to a code block to travel to another site.
In addition to traditional PCs and networks being vulnerable to virus infections, embedded control systems often used in industrial process control settings are also vulnerable. These systems control machinery, motors and industrial robots and process data from sensors. Because embedded systems are vulnerable to viruses just as PCs are, the results are potentially quite damaging. The smooth flow of a factory or assembly line could be devastated by a virus' uncontrolled behavior.
There are many possible ways for a virus to act on a computer system. All computers go through a boot procedure in which the Basic Input Output System (BIOS) and/or other resident system tools perform a variety of startup tasks such as finding drives, testing memory and the system, initiating system files, loading DOS or another Operating System (OS) and bringing up an initial startup program. The system performs certain housekeeping tasks such as establishing various links among other functions. A computer system of any utility is complex enough that someone writing a virus has a myriad of opportunities and possibilities in which to cause trouble and interfere with the proper operation of the system.
The most common solution to the virus problem is to employ anti-virus software that scans, detects and eliminates viruses from computer systems. These programs work by searching a storage medium such as a hard disk drive or floppy diskette for known patterns of various viruses. However, there are problems associated with this method of virus elimination. The software can only scan for known viruses which have an identifiable pattern that can be detected using repetitive string searches. To protect against new viruses, frequent upgrades must be distributed. In addition, for the program to detect a virus it must already have infected that computer. The virus might have done some damage or even replicated itself and spread before it is detected. Also, the program must be run often to provide effective protection against viruses, especially on systems where programs and data are transferred frequently between computers via diskettes.
In addition, further liabilities, pitfalls and limitations to the current breed of anti-virus software solutions exist. This software breaks down into 3 categories: scanners, monitors and CRCs. Scanners, as previously mentioned, work off of databases of known strings. These databases are in constant need of updates. Monitors are memory resident programs monitoring the computer for questionable behavior. Monitors suffer from high rates of false positives, and they occupy a large portion of the limited conventional memory of a PC. CRCs are error checking programs that generate a unique "signature" in the form of a 2-byte number for each and every file to be protected. CRC programs either place the "signature" in the file itself or in a separate file. CRC programs suffer from the fact that they are easy to identify and thus easily tricked into recreating a "signature" for an infected file. Further, scanners, monitors and CRC programs must be run on the PC in question. Often this is a time consuming chore. These programs usually must have full control of the PC to operate, further inconveniencing the user because he must wait for the scanner to finish before he can begin his normal work. The other critical concept is that the anti-virus software is run on the PC in question. It is subject to the limitations and liabilities of the operating system and may already be running on an infected PC without knowing it. The invention takes a unique approach by performing its logic outside of the PC, not inconveniencing the user, and is more effective because the invention's hardware guarantees a clean, uninfected start.
Another possible solution is to increase computer security to the point where viruses cannot enter the system. Login/password control and encryption do not affect computer viruses. With encryption, detection and elimination is made more difficult because the virus along with good data is encrypted, only becoming decrypted when it attempts to replicate. Clearly, this is quite burdensome and expensive to implement. Another possible solution is to avoid computer bulletin boards, both the commercial type such as CompuServe, Prodigy, the Internet and Usenet, and the private, local, small type. However, this will not prevent viruses from spreading because most viruses do not result from software or data downloaded from information databases or computer bulletin boards. The operators of both commercial on-line services and private bulletin boards are very careful to keep viruses off their systems. They are constantly searching and scanning anything that is uploaded to their systems before making it available to their subscribers.
In addition, most computer viruses of the boot track type do not spread through downloaded data or software. The majority of viruses are spread through diskettes. There are known instances of commercial software being distributed after being infected by a virus. There are known instances of viruses being distributed inadvertently by diskette manufacturers on blank diskettes. There are no rules for which diskettes are more likely to be free from viruses.
Thus, there is a long felt need for a device that can search for, detect and eliminate viruses before they ever enter into a computer system, that is transparent to a user and effective against all viruses in existence today and those not yet created.
SUMMARY OF THE INVENTION
One characteristic of almost all viruses is that on their own they are not capable of crossing from one computer OS to another. This is because different computer systems in use today have different internal instructions or command sets. The language perfectly acceptable and intelligible to one OS does not have any correlation to another. An analogy to humans would be two people speaking different languages not being able to communicate. Although there might exist identical words present in both languages, it is statistically very unlikely for a mixed or cross-over string of words or set of computer instructions (i.e. a virus) to convey a significant amount of information or be able to effectively execute a series of instructions. It is even more unlikely for this mixed or cross-over string of words or series of instructions to migrate from one language or system to another language or system and still be able to convey any useful information or execute a series of commands.
The present invention utilizes this characteristic of viruses to create an impenetrable barrier through which a virus cannot escape. The use of a foreign operating system guarantees the invention a high degree of safety and reliability. While the inventors recognize that such an invention can be built without the use of a foreign operating system, such a version of the invention would lack any creditable degree of security. In addition, without the use of a foreign operating system the invention itself risks infection. A foreign operating system, different from the one being protected, is introduced into the data stream before the data arrives at the computer system to be protected. To illustrate: if a program written for DOS will not run as intended on a Macintosh, neither will a virus. A foreign operating system, in order to complete its operation, must provide an emulation of the target computer operating system (disk drives, memory, communication ports, etc.). The virus is therefore fooled into thinking it is resident on the target computer system it was intending to infect. It is here, while the virus is resident within the emulated target operating system, that the virus is encouraged to infect files, destroy data and wreak havoc. It is here that the invention diverges from all other strategies in virus detection and prevention. All other strategies are defensive in nature: they mark files to detect unwanted changes, they scan for unintended behavior in an attempt to prevent the virus from performing its damage. The present invention takes an offensive strategy by encouraging the virus to infect and destroy files.
The most critical behavior of a virus that computer users want to prevent is the virus' ability to replicate. Once a virus has erased a file or made a hard drive unusable, it is detected. Once the virus has done anything considered malicious, it usually is detected. At this point anti-virus software and hardware must be brought in and run to detect and clean files. Prior to performing this malicious act, a virus must replicate. If it does not replicate, it cannot grow and stay alive. If it has the ability to replicate, it can travel from PC to floppy to PC to network, etc. It is this behavior of viruses to replicate that the present invention preys on. The virus is encouraged to act within this cross-platform generated emulation so that it can be detected. It is this use of cross-platform technology and offensive strategy that allows a virus to be detected at any level before any damage occurs to the protected system. It is in the emulation that the invention can detect the virus, and in the use of Transputer logic that it can safely contain it. Where the virus can get around DOS or Mac scanners or the operating system or BIOS, it cannot infiltrate and compromise the foreign operating system.
A foreign operating system is chosen based on its ability to monitor and watch any emulation, for being able to simulate elements within the emulation (files, falsifying BIOS information, creating sham peripherals), and for sheer speed and computational horsepower.
The inventors recognize that it can be done without a Transputer, but it will be slow and absolutely unsafe. The use of a foreign operating system can be likened to the use of lead walls, glass walls and mechanical arms used by people manipulating radioactive materials in labs. While it is certainly possible to pick up radioactivity with one's bare hands, it is not highly recommended nor is it safe. While the invention can be had without the use of a foreign operating system, it is not highly recommended nor is it safe.
A primary object of the present invention is to provide a virus detection system to detect and eliminate viruses at their most basic level by simulating the host's environment, creating a virtual world to fool the virus into thinking it is resident on the host so as to allow disruptive behavior to be detected and the virus destroyed without harm to the host.
Another object of the present invention is to provide a virus detection system able to detect and trap viruses at any level in a way other than performing string searches through memory or files to detect viruses.
Yet another object of the present invention is to provide a virus detection system able to detect as yet unknown viruses, thereby obviating the need for software updates to keep the detection device current.
Still another object of the present invention is to minimize the down time of the host computer system in the event a virus is detected. Still another object of the invention is to record, at the user's discretion, the virus to another medium for transfer to virus analysis groups. The object is to feed the virus to an internal analysis to compare against a known, previously acquired attempt, such as a trapdoor or file change, or industrial espionage or sabotage code, etc.
Still another object is to record from which incoming source the virus came, i.e., modem, which Digiboard channel, Internet, CompuServe, LAN station/User ID, WAN line, etc.
Another object is to alert system administrators of the attack.
BRIEF DESCRIPTION OF THE DRAWINGS
Serving to illustrate exemplary embodiments of the invention are the drawings, of which:
Fig. 1 is a high level functional block diagram of the preferred embodiment of the present invention;
Fig. 2 is a functional block diagram of the preferred embodiment of the present invention;
Fig. 3 is a functional block diagram showing the application of the present invention in a local area networking environment;
Fig. 4 is a functional block diagram showing the application of the present invention in a telecommunications networking environment;
Fig. 5 is a high level software logic diagram showing the operating steps of the present invention;
Figs. 6A to 6C together comprise a high level flow chart of the operating steps of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
In order to afford a complete understanding of the invention and an appreciation of its advantages, a description of a preferred embodiment of the present invention in a typical operating environment is presented below.
Operating on the principle that a virus cannot cross operating systems, the present invention creates a virtual world for a potential virus. An OS that emulates the system to be protected provides a friendly, familiar environment for the virus. The virus is encouraged to act in this virtual world created for it. The results of the virus' disruptive behavior can be detected and consequently the virus can be flagged and eliminated, or stored and further analyzed. This scheme is based on the assumptions that almost all viruses are executable in nature, that no user would try to purposely communicate a destructive virus to another, and that it is possible to identify executable instructions in an environment where the instructions cannot possibly operate.
Shown in Figures 1 and 2 are functional block diagrams of the virus trapping device 10. The Central Processing Unit (CPU) 12 can be any computing device (i.e. Intel, Motorola, Paramid, National Semiconductor or Texas Instruments microprocessors, multiple chip set CPUs, board level CPUs, etc.). The Transputer is particularly well suited because almost all PCs in use today employ CPUs other than the Transputer. A guide to the application and programming of the Transputer can be found in The Transputer Handbook, by Mark Hopkins, copyright 1989 INMOS Ltd., and The Transputer Databook by Mark Hopkins, 3rd Edition, copyright 1992 INMOS Ltd. Italy. As a typical circuit design, EPROM 14 holds the operating software for the CPU 12. RAM 16 provides a temporary storage facility for the CPU 12 to execute the virus detection software. Link adapters 20 provide physical connections to interface the virus trapping device 10 to the outside world. The trap device 10 is not limited to two link adapters; any number could be used to handle a multitude of input data streams. The device 10 reads an incoming data stream from one or more outside sources. Examples of a communication link 24 are a Local Area Network (LAN) (i.e. Novell), a Wide Area Network (WAN) (i.e. networked LANs), the telephone network (i.e. modems), a radio frequency (RF) type cellular network or some type of data storage device (i.e. floppy diskette, hard disk, tape, CD-ROM, magneto-optical, etc.). The communication link 24 provides an incoming data stream for the device 10 to operate on. Diskettes are commonly used to transfer data and programs from one computer to another, thus making them a common entry point into the system for viruses. An input/output (I/O) interface 18 provides a means for the virus trapping device 10 to communicate with the computer system being protected 28.
The application of the virus trapping device 10 in a typical operating environment is shown in Figure 3. The file server 42 is the computer system to be protected. The virus trapping device 10 is placed in the data stream that connects the file server 42 to other workstations 38. The hubs 40 serve to connect the workstations 38 into a LAN and the modems 36 serve to connect remote workstations 38 to the file server 42. In this scenario, all traffic to and from the file server 42 is monitored for viruses by the trap 10.
Another application of the trapping device 10 is shown in Figure 4. In this scenario, data traffic passing through the telecommunications network 34 is protected from viruses. A user might have a mainframe file server 30 at a remote site connected to the telephone network 34. Nodes 32 located in the telephone company's central offices perform access and cross-connect functions for customers' data traffic. To prevent the spread of a virus through the network, the trapping device 10 is placed in front of each node 32. Data traffic between workstations 38 connected to the telephone network 34 via modems 36 and the mainframe file server 30 is constantly checked for viruses because the traffic must pass through the virus trapping device 10.
Operation of the virus trapping device 10 is as follows. The trapping device 10 monitors the data stream that enters from the outside world, such as from the communication link 24. All data is treated as data, whether it is actually data (i.e. data files) or instructions (i.e. executables), as it passes over the link 24. At this point the actual instructions have not been executed but rather they are in the process of being transmitted for execution. While in this state of transmission, emulation means 48, controlled by the CPU 12, provide a friendly environment for a potential virus. The data is put into the emulation chamber 48 where the virus is fooled into acting as if it were really present on the host system. It is desired that any disruptive behavior the virus is capable of displaying take place in emulation chamber 48, such as replicating, attacking another program or destroying data. In this virtual world the virus has complete access to its environment. It is at this point that analysis and detection means 50, controlled by the CPU 12, catches the virus in the act of self replication and prevents it from infecting the host system. The virus cannot escape the emulation box 48 because the box exists in a foreign operating environment with no access to critical files, keyboard, screen, etc. Access to the real world is completely blocked.
Upon startup of the trapping device 10, the emulation software is read from EPROM 14 and executed. When a user turns on his workstation 38, a connection is established between the workstation 38 and the file server 30 (or 42). A session is created in the RAM 16 of the CPU 12. In like fashion, a session is created for each user.
As the user at a workstation 38 runs commands and moves files about, data is ultimately written to and read from the file server 30. The trapping device 10 splits the data into two paths. One path connects directly to the protected computer system 28 without modification. Data over the other path is written into the emulation box or virtual world created for each user. The write is performed in this box just as it would have been performed on the file server 30, protected computer 28 or workstation 38. Changes in date and time are simulated to trigger time sensitive viruses, fooling them as to the actual date and time. If the environment changes, it is checked to determine whether simply data was written or whether executable code was written.
Once the executable is inside the emulation box, a Cyclic Redundancy Check (CRC) is made of the Interrupt Request table (the IRQ table, i.e. the interrupt vectors through which the IRQ lines are serviced). Also, CRCs are generated on all files that are placed in the emulation box. The CRC is an error detection code widely used in the computer and telecommunications fields. Other aspects of the environment, such as available memory, are saved too. All information saved is stored outside of the emulation box where it cannot be altered by a virus. The executable is forced to run. If absolutely nothing happens, a self replicating virus does not exist. If anything within the environment changes (i.e. size of files, sudden attempts to write to other executables in the emulation box, etc.) it is determined that a virus does exist and is attempting to replicate itself.
The first step is to determine whether the IRQ table was modified. The second step is to determine if another program was written to. Many programs attach themselves to IRQs (i.e. network shell programs, mouse drivers, some print drivers, communication and fax drivers). However, none of these programs will try to write code to other executables. No legitimate program will attempt direct changes to the File Allocation Table (FAT) or other internal OS disk area. They typically pass their changes (or writes) through standard, well behaved DOS interrupts (INTs) (i.e. INT 21). Or, for example, in the case of file repair programs (i.e. Norton Utilities) which do at times write directly to the FAT, they will also not grab IRQs. It is the combination of grabbing one or more IRQs and attempting changes to either the FAT or executables that allows virus activity to be detected.
In the environment of the IBM PC, for example, IRQs are prioritized and have different dedicated purposes. IRQ 0 is the system clock, IRQ 1 is the keyboard, etc. Almost no program needs to grab IRQ 0, having the highest priority; however a virus must. A virus must grab the highest priority IRQ because if it had a lower IRQ, then a conventional anti-virus program can get in at a higher priority and make the virus more vulnerable to detection. Many viruses grab several IRQs, allowing a virus to be detected by its 'signature'. In addition, most programs except viruses return to DOS about 95% or more of the memory they used for execution upon exiting or receiving an unload instruction.
Therefore the following activities, monitored in the virtual environment created in the emulation box, can be used to detect viruses: attachments to IRQs, which IRQs have been attached, whether multiple IRQs have been attached, changes to the FAT, changes to executables, changes to the environment, changes to memory and any Terminate and Stay Resident (TSR) activity after the unload command has been issued and the program should have terminated. In addition, a further series of checks can then be initiated: check the "hard drive" and look for additional sectors or blocks being marked "bad" which were good before, or vice versa. Has the program attached itself to the internal clock and is it incrementing its own internal clock? Have any of the error-checking algorithm results changed?
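The checks in the preceding paragraphs, worked through in Python as an added example (this is not the patent's code; the patent discloses no code): a constructed model of the chamber's view of the host is snapshotted, the program is forced to run, an unload is issued, and the two later snapshots are compared against the baseline kept outside the chamber. The interrupt numbers are the real PC mapping (IRQ 0 is serviced through INT 08h, IRQ 1 through INT 09h, DOS file services through INT 21h, so the patent's "grabbing an IRQ" is overwriting that vector), but the handler addresses, file contents, memory figures and the three sample programs are invented. The verdict follows the patent's combination rule (interrupt hooks plus FAT or executable changes); other changes are reported as suspicious rather than as a virus, since the patent itself notes that a disk repair tool writes the FAT and a network shell hooks interrupts. Two practitioner caveats: the patent's statement that a virus must hook IRQ 0 is treated here as a signal (hooked_irq0), not a requirement, because many file infectors hook only INT 21h; and CRC-32 from zlib stands in for the patent's CRC, which is adequate only because the baseline lives outside the chamber where the program cannot recompute it.

```python
import zlib
from dataclasses import dataclass, field
from typing import Dict, Set

# On the PC the hardware IRQ lines are serviced through interrupt vectors: IRQ 0 (timer) via
# INT 08h, IRQ 1 (keyboard) via INT 09h; DOS file services are INT 21h. "Grabbing an IRQ"
# means overwriting that vector. Every handler address in this example is invented.
INT_TIMER, INT_KEYBOARD, INT_DOS = 0x08, 0x09, 0x21
EXE_SUFFIXES = (".COM", ".EXE")
MEMORY_RETURN_RATIO = 0.95   # patent: well-behaved programs give back ~95% or more on unload

@dataclass
class EmulatedPC:
    """Constructed stand-in for the chamber's view of the host; every value is made up."""
    ivt: Dict[int, int]          # interrupt number -> handler address
    files: Dict[str, bytes]
    fat: bytes                   # file allocation table image
    bad_sectors: Set[int]
    free_memory: int
    peak_allocation: int = 0     # most memory a program held while running
    resident: Set[str] = field(default_factory=set)   # programs still loaded

def build_host() -> EmulatedPC:
    """A fresh chamber for each run, as the patent creates one box per session."""
    return EmulatedPC(
        ivt={INT_TIMER: 0xF000FEA5, INT_KEYBOARD: 0xF000E987, INT_DOS: 0x0116109E},
        files={"COMMAND.COM": b"\xe9\x00\x00" * 64, "GAME.EXE": b"MZ" * 128, "README.TXT": b"hi"},
        fat=bytes(range(256)) * 4, bad_sectors={1337}, free_memory=600_000)

def snapshot(pc: EmulatedPC) -> dict:
    """CRCs and state the trap keeps outside the chamber, where the program cannot reach them."""
    return {"ivt": dict(pc.ivt),
            "files": {n: (len(d), zlib.crc32(d)) for n, d in pc.files.items()},
            "fat_crc": zlib.crc32(pc.fat), "bad_sectors": set(pc.bad_sectors),
            "free_memory": pc.free_memory, "resident": set(pc.resident)}

def analyze(before: dict, after_run: dict, after_unload: dict, peak: int) -> dict:
    """Patent rule: interrupt hooks combined with FAT/executable changes means virus; every
    other change is reported as suspicious for the operator rather than as a virus."""
    hooked = sorted(i for i, h in after_run["ivt"].items() if before["ivt"].get(i) != h)
    exe_touched = sorted(n for n, sig in after_run["files"].items()
                         if n.upper().endswith(EXE_SUFFIXES) and before["files"].get(n) != sig)
    retained = before["free_memory"] - after_unload["free_memory"]
    f = {"hooked_ints": hooked, "hooked_irq0": INT_TIMER in hooked,
         "multiple_hooks": len(hooked) > 1,
         "fat_modified": before["fat_crc"] != after_run["fat_crc"],
         "executables_touched": exe_touched,
         "bad_sector_map_changed": before["bad_sectors"] != after_run["bad_sectors"],
         "resident_after_unload": sorted(after_unload["resident"] - before["resident"]),
         "memory_not_returned": retained > (1 - MEMORY_RETURN_RATIO) * peak}
    tampering = f["fat_modified"] or bool(exe_touched)
    if hooked and tampering:
        f["verdict"] = "virus"
    elif (tampering or f["bad_sector_map_changed"] or f["resident_after_unload"]
          or f["memory_not_returned"]):
        f["verdict"] = "suspicious"
    else:
        f["verdict"] = "clean"
    return f

def trap(program) -> dict:
    """Snapshot, force the executable to run, issue the unload, snapshot again, compare.
    A program exposes run(pc) and optionally unload(pc); a virus simply ignores the unload."""
    pc = build_host()
    before = snapshot(pc)
    program.run(pc)
    after_run = snapshot(pc)
    getattr(program, "unload", lambda _: None)(pc)
    return analyze(before, after_run, snapshot(pc), pc.peak_allocation)

class NetShell:
    """Constructed legitimate TSR: hooks INT 21h but frees everything when unloaded."""
    def run(self, pc):
        self.saved, pc.ivt[INT_DOS] = pc.ivt[INT_DOS], 0x20000100
        pc.free_memory -= 40_000
        pc.peak_allocation = 40_000
        pc.resident.add("NETX.EXE")

    def unload(self, pc):
        pc.ivt[INT_DOS] = self.saved
        pc.free_memory += 40_000
        pc.resident.discard("NETX.EXE")

class DiskRepair:
    """Constructed repair tool: rewrites the FAT's media byte directly but hooks nothing."""
    def run(self, pc):
        pc.fat = b"\xf8" + pc.fat[1:]

class FileInfector:
    """Constructed virus-like program: hooks the timer and DOS vectors, appends itself to every
    executable, hides in a sector it marks bad, and stays resident after the unload."""
    def run(self, pc):
        pc.ivt[INT_TIMER], pc.ivt[INT_DOS] = 0x90000200, 0x90000300
        for name in list(pc.files):
            if name.upper().endswith(EXE_SUFFIXES):
                pc.files[name] += b"\xebVIRUS"
        pc.bad_sectors.add(42)
        pc.free_memory -= 2_048
        pc.peak_allocation = 2_048
        pc.resident.add("INFECTED.COM")
```

Calling `trap(FileInfector())` yields the "virus" verdict with both vectors listed in `hooked_ints`, both executables in `executables_touched`, the changed bad-sector map and the program still resident with its memory unreturned; `trap(NetShell())` hooks INT 21h but touches no file and unloads cleanly, so it is "clean"; `trap(DiskRepair())` modifies the FAT without hooking anything and is reported as "suspicious" for the operator, which is exactly the case the patent excludes from its virus rule.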
Upon detection of a virus by the analysis and detection means 50, response/alarm means 52 can execute any number of user definable optional commands such as messaging or beeping a system administrator, notifying the sender and receiver of the file or program, deleting the file, writing to a specially prepared floppy drive, calling a pager with a virus message or shutting down a network segment. A logic flow diagram showing the operating steps the trap device 10 performs is shown in Figures 6A to 6C.
A high level logic diagram of the software is shown in Figure 5. The input data stream is generated by communication links 24. Link adapters 20 convert the data input stream from a hardware and software protocol specific to the particular communication link (i.e. X.25, Novell IPX/SPX, Microsoft NetBEUI, etc.) to a common protocol understandable by the CPU 12. After protocol conversion, the data packets are assembled into a data stream having a common data format the CPU 12 is able to process. The data is then processed and analyzed for the presence of virus activity. Following processing, data packets are re-assembled and converted to their original hardware and software protocol by the I/O Interface 18 before being output to the protected computer system 28.
The trap device 10 passes data directly through to the host system in addition to ~imlllf~nPml~ly IJlU.,C~illg it. T_is is to reduce the processing delays associated with sending large data files to the host system and having the trap device 10 process this data before the host receives it. The entire contents of a large file except for the final write command or the fiIe close command is .";llrd to the host. If no virus is detected, the write or close command is issued. If a virus is detected, the write or close is never issued amd the -,;,luullse/alarm meams 52 takes ~JlU~Jli.lt~ action.
It is clear that the above description of the preferred embodiment in no way limits the scope of the present invention which is defined by the following claims.
COMPUTER VIRUS TRAP
BACKGROUND OF THE INVENTION
The computer virus problem that exists today had its beginnings sometime in the late 1980s. At that time computer viruses were a novelty and plagued mainly DOS and Macintosh computers. Today, almost every Fortune 500 company has encountered computer viruses, with the current rate being about one virus incident every 2 to 3 months.
The term computer virus is applied in common and legal usage to software, code, code blocks, code elements and code segments which perform certain functions in the digital computer environment. Code is intended to mean the digital instructions which the computer responds to. Non-damaging or legitimate software, code, code blocks, code segments and code elements that serve a useful purpose would not be considered a virus.
Computer viruses have been known to cause physical harm to computer hardware in addition to erasing and destroying data. While rare, there have been cases of viruses that have made calls to disk drive heads actually scoring the media; still others have been discovered that ramped up the scan rate on a monitor causing failure. Most viruses do not, however, intentionally cause explicit physical harm, and they are discovered before they are triggered to cause damage to data and files. However, it is after discovery that the real cost of viruses becomes apparent, in connection with their detection and removal. In an average computer site this might entail searching 1000 PCs and 35,000 diskettes. If the software engineer misses even one instance of the virus, other computers will be re-infected and the clean-up search must be repeated all over again.
A common misconception is that there are good viruses and bad viruses.
Some viruses are claimed to be benign because they do not have a malicious trigger event and cannot do intentional harm. However, this misses the point that the problems computer viruses cause are mainly due to the trigger events. It is a fact that computer viruses replicate. This by itself is harmful because it necessitates a search to clean up all instances of the viruses in a computer installation. The damage caused by viruses, not so much due to erased files or data, but in the cost of detection, removal and also the accompanying lowered worker productivity, can be very high. It has been calculated that the average computer site will spend on the order of about $250,000 on a computer virus cleanup. It has been estimated that computer viruses will cost U.S. computer users over a billion dollars in 1994 alone.
The problem will grow exponentially due to the advent of the Information Super Highway. The increased connectivity among individuals, companies and government will allow a computer virus to create havoc. Currently disjoint computer systems that perform various functions that we take for granted today, such as banking, telecommunications, radio, information databases, libraries and credit, might meld together in the future. Thus, computer viruses, unchecked, could have a crippling effect on our society.
A virus can only cause trouble when it enters a system and finds a location on which to act. In a general sense, the virus must perform an intended function or a function the user or operator did not intend, expect, compensate for or otherwise protect against. Some examples of malicious virus activity are: changing names of files, making it difficult for the user to access the files; moving a file to a new location; deleting files; interfering with working programs (i.e. causing all the words on a screen to fall to the bottom of the screen in a heap); replicating themselves and clogging up the system, making it non-functional; or waiting for a predetermined time period or for a certain number of toggle operations such as boot, access, cursor movements, mouse clicks, etc. before acting.
More felonious type viruses are those that have been released to cause ruin or disruption of a system for the purposes of sabotage, espionage, financial gain or to impair a competing business. Some examples include: creating a trap door which allows access to an unauthorized user for any purpose such as espionage, dumping files or erasure; navigation programs which find routes into systems; password cracking programs; modifying the executable segment of legitimate programs; and attaching themselves to a code block to travel to another site.
In addition to traditional PCs and networks being vulnerable to virus infections, embedded control systems often used in industrial process control settings are also vulnerable. These systems control machinery, motors and industrial robots and process data from sensors. Because embedded systems are vulnerable to viruses just as PCs are, the results are potentially quite damaging. The smooth flow of a factory or assembly line could be devastated by a virus' uncontrolled behavior.
There are many possible ways for a virus to act on a computer system. All computers go through a boot procedure in which the Basic Input Output System (BIOS) and/or other resident system tools perform a variety of startup tasks such as finding drives, testing memory and the system, initiating system files, loading DOS or another Operating System (OS) and bringing up an initial startup program. The system performs certain housekeeping tasks such as various links among other functions. A computer system of any utility is complex enough that someone writing a virus has a myriad of opportunities and possibilities in which to cause trouble and interfere with the proper operation of the system.
The most common solution to the virus problem is to employ anti-virus software that scans, detects and eliminates viruses from computer systems. These programs work by searching a storage medium such as a hard disk drive or floppy diskette for known patterns of various viruses. However, there are problems associated with this method of virus elimination. The software can only scan for known viruses which have an identifiable pattern that can be detected using repetitive string searches. To protect against new viruses, frequent upgrades must be distributed. In addition, for the program to detect a virus it must already have infected that computer. The virus might have done some damage or even replicated itself and spread before it is detected. Also, the program must be run often to provide effective protection against viruses, especially on systems where programs and data are transferred frequently between computers via diskettes.
In addition, further liabilities, pitfalls and limitations to the current breed of anti-virus software solutions exist. This software breaks down into 3 categories: scanners, monitors and CRC's. Scanners, as previously mentioned, work off of databases of known strings. These databases are in constant need of updates. Monitors are memory resident programs monitoring the computer for questionable behavior. Monitors suffer from high rates of false positives, and they occupy and take a large portion of the limited conventional memory of a PC. CRC's are error checking programs that generate a unique "signature" in the form of a 2-byte number for each and every file to be protected. CRC programs either place the "signature" in the file itself or in a separate file. CRC programs suffer from the fact that they are easy to identify and thus easily tricked into recreating a "signature" for an infected file. Further, scanners, monitors and CRC programs must be run on the PC in question. Often this is a time consuming chore. These programs usually must have full control of the PC to operate, further inconveniencing the user because he must wait for the scanner to finish before he can begin his normal work. The other critical concept is that the anti-virus software is run on the PC in question. It is subject to the limitations and liabilities of the operating system and may already be running on an infected PC without knowing it. The invention takes a unique approach by performing its logic outside of the PC, not inconveniencing the user, and is more effective because the invention's hardware guarantees a clean, uninfected start.
Another possible solution is to increase computer security to the point where viruses cannot enter the system. Login/password control and encryption do not affect computer viruses. With encryption, detection and elimination is made more difficult because the virus along with good data is encrypted, only becoming decrypted when it attempts to replicate. Clearly, this is quite burdensome and expensive to implement. Another possible solution is to avoid computer bulletin boards, both the commercial type such as CompuServe, Prodigy, the Internet and Usenet, and the private, local, small type. However, this will not prevent viruses from spreading because most viruses do not result from software or data downloaded from information databases or computer bulletin boards. The operators of both commercial on-line services and private bulletin boards are very careful to keep viruses off their systems. They are constantly searching and scanning anything that is uploaded to their systems before making it available to their subscribers.
In addition, most computer viruses of the boot track type do not spread through downloaded data or software. The majority of viruses are spread through diskettes. There are known instances of commercial software being distributed after being infected by a virus. There are known instances of viruses being distributed inadvertently by diskette manufacturers on blank diskettes. There are no rules for which diskettes are more likely to be free from viruses.
Thus, there is a long felt need for a device that can search for, detect and eliminate viruses before they ever enter into a computer system, that is transparent to a user and effective against all viruses in existence today and those not yet created.
SUMMARY OF THE INVENTION
One characteristic of almost all viruses is that on their own they are not capable of crossing from one computer OS to another. This is because different computer systems in use today have different internal instructions or command sets. The language perfectly acceptable and intelligible to one OS does not have any correlation to another. An analogy to humans would be two people speaking different languages not being able to communicate. Although there might exist identical words present in both languages, it is statistically very unlikely for a mixed or cross over string of words or set of computer instructions (i.e. a virus) to convey a significant amount of information or be able to effectively execute a series of instructions. It is even more unlikely for this mixed or cross over string of words or series of instructions to migrate from one language or system to another language or system and still be able to convey any useful information or execute a series of commands.
The present invention utilizes this characteristic of viruses to create an impenetrable barrier through which a virus cannot escape. The use of a foreign operating system guarantees the invention a high degree of safety and reliability. While the inventors recognize that such invention can be built without the use of a foreign operating system, such a version of the invention would lack any creditable degree of security. In addition, without the use of a foreign operating system the invention itself risks infection. A foreign operating system, different from the one being protected, is introduced into the data stream before the data arrives at the computer system to be protected. To illustrate: if a program written for DOS will not run as intended on a Macintosh, neither will a virus. A foreign operating system, in order to complete its operation, must provide an emulation of the target computer operating system (disk drives, memory, communications ports, etc.). The virus is therefore fooled into thinking it is resident on the target computer system it was intending to infect. It is here, while the virus is resident within the emulated target operating system, that the virus is encouraged to infect files, destroy data and wreak havoc. It is here that the invention diverges from all other strategies in virus detection and prevention. All other strategies are defensive in nature: they mark files to detect unwanted changes, they scan for unintended behavior in an attempt to prevent the virus from performing its damage. The present invention takes an offensive strategy by encouraging the virus to infect and destroy files.
The most critical behavior of a virus that computer users want to prevent is the virus' ability to replicate. Once a virus has erased a file or made a hard drive unusable, it is detected. Once the virus has done anything considered malicious, it usually is detected. At this point anti-virus software and hardware must be brought in and run to detect and clean files. Prior to its performing this malicious act, a virus must replicate. If it does not replicate, it cannot grow and stay alive. If it has the ability to replicate, it can travel from PC to floppy to PC to network, etc. It is this behavior of viruses to replicate that the present invention preys on. The virus is encouraged to act within this cross platform generated emulation so that it can be detected. It is this use of cross platform technology and offensive strategy that allows a virus to be detected at any level before any damage occurs to the protected system. It is in the emulation that the invention can detect the virus, and in the use of cross platform logic that it can safely contain the virus. Where the virus can get around DOS or MAC scanners or the Operating System or BIOS, it cannot infiltrate and contaminate the foreign operating system.
A foreign operating system is chosen based on its ability to monitor and watch any emulation, and for being able to simulate elements within the emulation (files, falsifying BIOS information, creating sham peripherals), and for the sheer speed and computational horsepower.
The inventors recognize that it can be done without a cross platform approach, but it will be slow and absolutely unsafe. The use of a foreign operating system can be likened to the use of lead walls and glass walls and mechanical arms used by people manipulating radioactive materials in labs. While it is certainly possible to pick up radioactivity with one's bare hands, it is not highly recommended nor is it safe. While the invention can be had without the use of a foreign operating system, it is not highly recommended nor is it safe.
A primary object of the present invention is to provide a virus detection system to detect and eliminate viruses at their most basic level by simulating the host's environment, creating a virtual world to fool the virus into thinking it is resident on the host, so as to allow disruptive behavior to be detected and the virus destroyed without harm to the host.
Another object of the present invention is to provide a virus detection system able to detect and trap viruses at any level in a way other than performing string searches through memory or files to detect viruses.
Yet another object of the present invention is to provide a virus detection system able to detect as yet unknown viruses, thereby obviating the need for software updates to keep the detection device current.
Still another object of the present invention is to minimize the down time of the host computer system in the event a virus is detected. Still another object of the invention is to record, at the user's discretion, the virus to another media for transferal to virus analysis groups. The object is to feed the virus to an internal analysis to compare against a known, previously acquired attempt, such as a trapdoor or file change, or industrial espionage or sabotage code, etc.
Still another object is to record from which incoming source the virus came, i.e., modem, which digiboard channel, internet, CompuServe, LAN station/Userid, WAN line, etc.
Another object is to alert system administration of the attack.
BRIEF DESCRIPTION OF THE DRAWINGS
Serving to illustrate exemplary embodiments of the invention are the drawings of which:
Fig. 1 is a high level functional block diagram of the preferred embodiment of the present invention;
Fig. 2 is a functional block diagram of the preferred embodiment of the present invention;
Fig. 3 is a functional block diagram showing the application of the present invention in a local area networking environment;
Fig. 4 is a functional block diagram showing the application of the present invention in a telecommunications networking environment;
Fig. 5 is a high level software logic diagram showing the operating steps of the present invention;
Figs. 6A to 6C together comprise a high level flow chart of the operating steps of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
In order to afford a complete understanding of the invention and an appreciation of its advantages, a description of a preferred embodiment of the present invention in a typical operating environment is presented below.
Operating on the principle that a virus cannot cross operating systems, the present invention creates a virtual world for a potential virus. An OS that emulates the system to be protected provides a friendly, familiar environment for the virus. The virus is encouraged to act in this virtual world created for it. The results of the virus' disruptive behavior can be detected and consequently the virus can be flagged and eliminated, or stored and further analyzed. This scheme is based on the assumptions that almost all viruses are executable in nature, that no user would try to purposely communicate a destructive virus to another, and that it is possible to identify executable instructions in an environment where the instructions cannot possibly operate.
Shown in Figures 1 and 2 are functional block diagrams of the virus trapping device 10. The Central Processing Unit (CPU) 12 can be any computing device (i.e. Intel, Motorola, Paramid, National Semiconductor or Texas Instruments microprocessor, multiple chip set CPUs, board level CPUs, etc.). The Transputer is particularly well suited because almost all PCs in use today employ CPUs other than the Transputer. A guide to the application and programming of the Transputer can be found in The Transputer Handbook, by Mark Hopkins, copyright 1989 INMOS Ltd. and The Transputer Databook by Mark Hopkins, 3rd Edition, copyright 1992 INMOS Ltd. Italy. As a typical circuit design, EPROM 14 holds the operating software for the CPU 12. RAM 16 provides a temporary storage facility for the CPU 12 to execute the virus detection software. Link adapters 20 provide physical connections to interface the virus trapping device 10 to the outside world. The trap device 10 is not limited to two link adapters; any number could be implemented to handle a multitude of input data streams. The device 10 reads an incoming data stream from one or more outside sources. Examples of a communication link 24 are a Local Area Network (LAN) (i.e. Novell), a Wide Area Network (WAN) (i.e. networked LANs), the telephone network (i.e. modems), a radio frequency (RF) type cellular network or some type of data storage device (i.e. floppy diskette, hard disk, tape, CD-ROM, magneto-optical, etc.). The communication link 24 provides an incoming data stream for the device 10 to operate on. Diskettes are commonly used to transfer data and programs from one computer to another, thus making them a common entry point into the system for viruses. An input/output (I/O) interface 18 provides a means for the virus trapping device 10 to communicate with the computer system being protected 28.
The application of the virus trapping device 10 in a typical operating environment is shown in Figure 3. The file server 42 is the computer system to be protected. The virus trapping device 10 is placed in the data stream that connects the file server 42 to other workstations 38. The hubs 40 serve to connect the workstations 38 into a LAN and the modems 36 serve to connect remote workstations 38 to the file server 42. In this scenario, all traffic to and from the file server 42 is monitored for viruses by the trap 10.
Another application of the trapping device 10 is shown in Figure 4. In this scenario, data traffic passing through the telecommunications network 34 is protected from viruses. A user might have a mainframe file server 30 at a remote site connected to the telephone network 34. Nodes 32 located in the telephone company's central offices perform access and cross connect functions for customers' data traffic. To prevent the spread of a virus through the network, the trapping device 10 is placed in front of each node 32. Data traffic between workstations 38 connected to the telephone network 34 via modems 36 and the mainframe file server 30 is constantly checked for viruses because the traffic must pass through the virus trapping device 10.
Operation of the virus trapping device 10 is as follows. The trapping device 10 monitors the data stream that enters from the outside world, such as from the communication link 24. All data is treated as data, whether it is actually data (i.e. data files) or instructions (i.e. executables), as it passes over the link 24. At this point the actual instructions have not been executed but rather they are in the process of being transmitted for execution. While in this state of transmission, emulation means 48, controlled by the CPU 12, provide a friendly environment for a potential virus. The data is put into the emulation chamber 48 where the virus is fooled into acting as if it were really present on the host system. It is desired that any disruptive behavior the virus is capable of displaying take place in emulation chamber 48, such as replicating, attacking another program or destroying data. In this virtual world the virus has complete access to its environment. It is at this point that analysis and detection means 50, controlled by the CPU 12, catches the virus in the act of self replication and prevents it from infecting the host system. The virus cannot escape the emulation box 48 because the box exists in a foreign operating environment with no access to critical files, keyboard, screen, etc. Access to the real world is completely blocked.
Upon startup of the trapping device 10, the emulation software is read from EPROM 14 and executed. When a user turns on his workstation 38, a connection is established between the workstation 38 and the file server 30 (or 42). A session is created in the RAM 16 of the CPU 12. In like fashion, a session is created for each user.
As the user at a workstation 38 runs commands and moves files about, data is ultimately written to and read from the file server 30. The trapping device 10 splits the data into two paths. One path connects directly to the protected computer system 28 without modification. Data over the other path is written into the emulation box or virtual world created for each user. The write is performed in this box just as it would have been performed on the file server 30, protected computer 28 or workstation 38. Changes in date and time are simulated to trigger time sensitive viruses, fooling them as to the actual date and time. If the environment changes, it is checked to determine whether simply data was written or whether executable code was written.
Once the executable is inside the emulation box, a Cyclic Redundancy Check (CRC) is made of the Interrupt Request (IRQ) table. Also, CRCs are generated on all files that are placed in the emulation box. The CRC is an error detection and correction code widely used in the computer and communications fields. Other aspects of the environment, such as available memory, are saved too. All information saved is stored outside of the emulation box where it cannot be altered by a virus. The executable is forced to run. If absolutely nothing happens, a self replicating virus does not exist. If anything within the environment changes (i.e. size of files, sudden attempts to write to other executables in the emulation box, etc.) it is determined that a virus does exist and is attempting to replicate itself.
The first step is to determine whether the IRQ table was modified. The second step is to determine if another program was written to. Many programs attach themselves to IRQs (i.e. network shell programs, mouse drivers, some print drivers, communication and fax drivers). However, none of these programs will try to write code to other executables. No legitimate program will attempt direct changes to the File Allocation Table (FAT) or other internal OS disk area. They typically pass their changes (or writes) through standard, well behaved DOS interrupts (INTs) (i.e. INT 21). Or, for example, in the case of file repair programs (i.e. Norton Utilities) which do at times write directly to the FAT, they will also not grab IRQs. It is the combination of grabbing one or more IRQs and attempting changes to either the FAT or executables that allows virus activity to be detected.
In the environment of the IBM PC, for example, IRQs are prioritized and have different dedicated purposes. IRQ 0 is the system clock, IRQ 1 is the keyboard, etc. Almost no program needs to grab IRQ 0, having the highest priority; however, a virus must. A virus must grab the highest priority IRQ because if it had a lower IRQ, then a conventional anti-virus program could get in at a higher priority and make the virus more vulnerable to detection. Many viruses grab several IRQs, allowing a virus to be detected by its 'signature'. In addition, most programs except viruses return to DOS about 95% or more of the memory they used for execution upon exiting or receiving an unload instruction.
Therefore the following activities, monitored in the virtual environment created in the emulation box, can be used to detect viruses: attachment to IRQs, which IRQs have been attached, whether multiple IRQs have been attached, changes to the FAT, changes to executables, changes to the directory, changes to memory and any Terminate and Stay Resident (TSR) activity after the unload command has been issued and the program should have unloaded. In addition a further series of checks can then be initiated: check the "hard drive" and look for additional sectors or blocks being marked "bad" which were good before, or vice versa. Has the program attached itself to the internal clock and is it incrementing its own internal clock? Have any of the error-checking algorithm results changed?
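The snapshot-and-compare procedure of the preceding paragraphs (CRC of the IRQ table and of every file before the forced run, comparison afterwards, the rule that an IRQ grab combined with a FAT or executable change signals a virus, the 95% memory rule and the bad-sector check), as an added worked example in Python. It is not code from the patent or from any product; the Chamber object standing in for the emulated DOS machine, the CRC-16/ARC variant used as the 2-byte signature, the sample files and the two sample programs are all constructed, and treating the further checks (bad-sector map, retained memory) as sufficient on their own is this example's assumption.

```python
"""Snapshot-and-diff virus detection over a simulated emulation chamber.
Added example, not the patent's own code; all names and sample data are constructed."""
from dataclasses import dataclass

def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (poly 0x8005, reflected 0xA001, init 0): one concrete form of the
    2-byte "signature" the description mentions.  Check value: b"123456789" -> 0xBB3D."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc & 0xFFFF

@dataclass
class Chamber:
    """Constructed stand-in for the emulated DOS machine (assumption)."""
    files: dict          # file name -> contents
    irq_table: list      # 16 vectors; 0 stands for the default BIOS handler
    fat: bytearray       # raw File Allocation Table bytes
    bad_sectors: set     # sectors the emulated disk currently marks "bad"
    free_memory: int     # bytes DOS has available

@dataclass
class Snapshot:
    """Reference values, kept outside the chamber so the program cannot alter them."""
    irq_crc: int
    hooked_irqs: frozenset
    files: dict          # name -> (size, crc16)
    fat_crc: int
    bad_sectors: frozenset
    free_memory: int

def take_snapshot(ch: Chamber) -> Snapshot:
    irq_bytes = b"".join(v.to_bytes(4, "little") for v in ch.irq_table)
    return Snapshot(crc16_arc(irq_bytes),
                    frozenset(i for i, v in enumerate(ch.irq_table) if v),
                    {n: (len(d), crc16_arc(d)) for n, d in ch.files.items()},
                    crc16_arc(bytes(ch.fat)), frozenset(ch.bad_sectors), ch.free_memory)

def analyze(before: Snapshot, after: Snapshot, subject: str, used: int):
    """Apply the description's rules to two snapshots; returns (is_virus, findings).
    `subject` is the executable under test, so its own entry is not counted as a
    write to another executable; `used` is how much memory the program took."""
    new_hooks = after.hooked_irqs - before.hooked_irqs
    touched = sorted(n for n in set(before.files) | set(after.files)
                     if n != subject and n.lower().endswith((".exe", ".com"))
                     and before.files.get(n) != after.files.get(n))  # size or CRC differs
    fat_changed = before.fat_crc != after.fat_crc
    sectors_changed = before.bad_sectors != after.bad_sectors
    retained = before.free_memory - after.free_memory
    tsr = used > 0 and retained > 0.05 * used   # kept over 5% of its memory resident
    checks = [
        (new_hooks or before.irq_crc != after.irq_crc,
         f"IRQ table modified, new hooks: {sorted(new_hooks)}"),
        (0 in new_hooks, "grabbed IRQ 0 (system clock, highest priority)"),
        (len(new_hooks) > 1, "grabbed multiple IRQs"),
        (touched, f"wrote to other executables: {touched}"),
        (fat_changed, "direct change to the FAT"),
        (sectors_changed, "bad-sector map changed"),
        (tsr, f"{retained} bytes still resident after unload (TSR)"),
    ]
    findings = [msg for cond, msg in checks if cond]
    # Core rule from the description: an IRQ grab combined with a FAT or executable
    # change.  Treating the further checks as sufficient on their own is an assumption.
    is_virus = (bool(new_hooks) and (fat_changed or bool(touched))) or sectors_changed or tsr
    return is_virus, findings

def make_chamber() -> Chamber:
    """Constructed sample disk, IRQ table and memory map."""
    return Chamber(files={"SUBJECT.EXE": b"MZ" + bytes(30), "EDIT.EXE": b"MZ" + b"\x01" * 30,
                          "NOTES.TXT": b"hello"},
                   irq_table=[0] * 16, fat=bytearray(b"\xf8\xff\xff\x00\x00\x00\x00\x00"),
                   bad_sectors=set(), free_memory=640 * 1024)

def benign_mouse_driver(ch: Chamber) -> int:
    """Constructed well-behaved program: hooks IRQ 12 only, hands back its memory, returns bytes used."""
    ch.free_memory -= 4096
    ch.irq_table[12] = 0x12345678
    ch.free_memory += 4096
    return 4096

def constructed_replicator(ch: Chamber) -> int:
    """Constructed stand-in for a self-replicator; it edits only this model."""
    ch.free_memory -= 8192
    ch.irq_table[0] = 0x08000100            # takes the clock interrupt
    ch.irq_table[9] = 0x08000140            # and the keyboard
    ch.files["EDIT.EXE"] += b"\x90" * 64    # appends to another executable
    ch.fat[3] ^= 0xFF                       # writes the FAT directly, bypassing INT 21
    ch.free_memory += 512                   # gives back only a sliver on unload
    return 8192

def run_in_chamber(program, subject: str = "SUBJECT.EXE"):
    """Snapshot, force the run, snapshot again, judge."""
    ch = make_chamber()
    before = take_snapshot(ch)
    used = program(ch)
    return analyze(before, take_snapshot(ch), subject, used)
```

Calling `run_in_chamber(benign_mouse_driver)` reports only the new IRQ 12 hook and a clean verdict, because hooking an interrupt alone is what mouse, network and fax drivers do; `run_in_chamber(constructed_replicator)` trips the core rule (IRQ 0 and 9 grabbed together with a FAT write and a change to EDIT.EXE) and the memory rule, since 7680 of its 8192 bytes stay resident after the unload. Recording sizes alongside CRCs also covers the "size of files" check without a second pass.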
Upon detection of a virus by the analysis and detection means 50, response/alarm means 52 can execute any number of user definable optional commands such as messaging or beeping a system administrator, notifying the sender and receiver of the file or program, deleting the file, writing to a specially prepared floppy drive, calling a pager with a virus message or shutting down a network segment. A logic flow diagram showing the operating steps the trap device 10 performs is shown in Figures 6A to 6C.
A high level logic diagram of the software is shown in Figure 5. The input data stream is generated by communication links 24. Link adapters 20 convert the data input stream from a hardware and software protocol specific to the particular communication link (i.e. X.25, Novell IPX/SPX, Microsoft NetBEUI, etc.) to a common protocol understandable by the CPU 12. After protocol conversion, the data packets are assembled into a data stream having a common data format the CPU 12 is able to understand. The data is then processed and analyzed for the presence of virus activity. Following processing, data packets are re-assembled and converted to their original hardware and software protocol by the I/O Interface 18 before being output to the protected computer system 28.
The trap device 10 passes data directly through to the host system in addition to simultaneously processing it. This is to reduce the processing delays associated with sending large data files to the host system and having the trap device 10 process this data before the host receives it. The entire contents of a large file, except for the final write command or the file close command, is transmitted to the host. If no virus is detected, the write or close command is issued. If a virus is detected, the write or close is never issued and the response/alarm means 52 takes appropriate action.
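The pass-through arrangement described above, as an added example that is not part of the patent: bulk data is forwarded to the host as it arrives, and only each session's final write or close command is held back until the verdict on that session's data is in, so an infected transfer is never committed while the host still sees no extra delay on the bulk of the file. The PassThroughTrap class, its per-user session bookkeeping (one session per user, as in the description) and the constructed verdict function, which merely stands in for the emulation chamber's analysis, are all assumptions of this example; the two response callbacks are constructed stand-ins for the user definable commands of the response/alarm means.

```python
"""Pass-through with the commit held back until the verdict (added example, not the patent's code)."""
from collections import defaultdict

class PassThroughTrap:
    """Forwards data packets to the host immediately, but holds each session's final
    write/close until `verdict` (a stand-in for the emulation chamber) has judged
    the accumulated data.  `actions` are the user-definable responses run on detection."""

    def __init__(self, verdict, actions):
        self.verdict = verdict
        self.actions = actions
        self.bodies = defaultdict(bytearray)   # per-session copy fed to the chamber
        self.to_host = []                      # what the protected system receives
        self.alarms = []                       # what the response/alarm means did

    def feed(self, session: str, kind: str, payload: bytes = b""):
        """Returns None for forwarded data, True for a released commit, False for a held one."""
        if kind == "data":
            self.bodies[session].extend(payload)
            self.to_host.append((session, "data", bytes(payload)))  # straight through
            return None
        if kind in ("write", "close"):
            body = bytes(self.bodies.pop(session, b""))
            if self.verdict(body):
                self.alarms.extend(action(session, kind) for action in self.actions)
                return False        # the commit never reaches the host
            self.to_host.append((session, kind, payload))
            return True
        raise ValueError(f"unknown packet kind {kind!r}")

# Constructed responses, standing in for the description's list (message the administrator, ...).
def message_admin(session, kind):
    return f"admin notified: virus in session {session} at {kind}"

def note_source(session, kind):
    return f"recorded source: {session}"

def constructed_verdict(body: bytes) -> bool:
    """Stand-in for the chamber's analysis: flags a constructed marker, nothing more."""
    return b"REPLICATE" in body

def demo():
    """Two interleaved user sessions; returns the trap and the two commit results."""
    trap = PassThroughTrap(constructed_verdict, [message_admin, note_source])
    trap.feed("userA", "data", b"MZ clean program body")
    trap.feed("userB", "data", b"MZ ")
    trap.feed("userB", "data", b"REPLICATE")
    a_ok = trap.feed("userA", "close")
    b_ok = trap.feed("userB", "close")
    return trap, a_ok, b_ok
```

In `demo()` the host receives every data packet from both sessions without delay, the clean session's close is released, and the flagged session's close is withheld while both response callbacks run; the file body the host already holds is never committed, which is the fail-closed property the description relies on.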
It is clear that the above description of the preferred embodiment in no way limits the scope of the present invention which is defined by the following claims.
Claims (6)
1. A computer virus trapping device comprising:
link adapter means connected to a source of data input for converting external protocols into a data format understood by said trapping device;
emulation means connected to said link adapter means for accepting said data stream from said link adapter means; said emulation means providing an environment isolated from a protected computer system that simulates the architecture of said protected computer system whereby a computer virus is coaxed into performing its intended activity; and detection means for monitoring said emulation means and determining when said computer virus either has performed or is performing its said intended activity.
2. The device of claim 1, whereby said emulation means comprises processing means suitably programmed to create a virtual world for said computer virus that simulates said protected computer system.
3. The device of claim 2, whereby said processing means comprises a microcomputer circuit, temporary and permanent data storage and an I/O interface.
4. A computer virus trapping device comprising:
link adapter means connected to a source of data input for converting external protocols into a data format understood by said trapping device;
emulation means connected to said link adapter means for accepting said data stream from said link adapter means; said emulation means providing an environment isolated from a protected computer system that simulates the architecture of said protected computer system whereby a computer virus is coaxed into performing its intended activity;
detection means for monitoring said emulation means and determining when said computer virus either has performed or is performing its said intended activity; and response means responsive to said detection means to take action according to preset user instructions upon said detection means determining said computer virus exists.
5. A computer virus trapping device comprising:
link adapter means connected to a source of data input for bidirectionally converting external protocols into a converted data format understood by said trapping device;
emulation means connected to said link adapter means for accepting said data stream from said link adapter means; said emulation means providing an environment isolated from a protected computer system and simulating the architecture of said protected computer system so as to coax a computer virus into performing its intended activity;
detection means for monitoring said emulation means and determining when said computer virus either has performed or is performing its said intended activity;
response means responsive to said detection means to take action according to preset user instructions upon said detection means determining said computer virus exists; and I/O buffer means for reassembling said converted data back into said external data stream protocol and delivering said data stream to said protected computer system.
6. The device of claim 5, whereby said emulation means comprises microprocessor means programmed to simulate the environment of said protected computer system.
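The claims above describe a pipeline of four cooperating parts: a link adapter that converts the external protocol into an internal format, an emulation stage that runs the incoming data in an isolated simulated system, a detector that watches that stage for the virus's intended activity, and a response stage that acts on preset user instructions (with claim 5 adding an I/O buffer that reassembles clean data for the protected system). The following Python model is an added example written for this page, not code from the patent or its assignee. The line-oriented frame format, the tiny instruction set of the simulated machine, the file names, the two detection rules and the policy names are all constructed for illustration; a real trap would emulate the protected system's actual architecture.

```python
"""Toy model of the claimed virus-trap pipeline (added example, not the
patent's own code).  The external frame format, the instruction set of
the simulated machine, the file names and the detection rules are all
constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Record = Tuple[str, List[str]]

# Link adapter means: converts the external protocol (here a constructed
# line-oriented framing 'NAME|INSTR;INSTR;...') into internal records.
def link_adapter(stream: str) -> List[Record]:
    records: List[Record] = []
    for frame in stream.splitlines():
        if not frame.strip():
            continue
        name, _, body = frame.partition("|")
        program = [ins.strip() for ins in body.split(";") if ins.strip()]
        records.append((name.strip(), program))
    return records

# Emulation means: an isolated simulated system that the sample may
# modify at will; nothing here touches the real host.
@dataclass
class SimulatedSystem:
    files: Dict[str, str] = field(default_factory=lambda: {
        "BOOT": "bootcode", "COMMAND.COM": "shell", "README.TXT": "hi"})
    trace: List[str] = field(default_factory=list)

    def run(self, program: List[str], budget: int = 64) -> None:
        """Interpret the constructed instruction set, recording each action."""
        for ins in program[:budget]:          # budget bounds runaway samples
            op, _, arg = ins.partition(" ")
            if op == "READ":
                self.trace.append(f"read {arg}")
            elif op == "WRITE":
                target, _, data = arg.partition(" ")
                self.files[target] = data
                self.trace.append(f"write {target}")
            elif op == "COPY_SELF":
                # the sample attaches a copy of itself to another file
                self.files[arg] = self.files.get(arg, "") + "<self>"
                self.trace.append(f"copy_self {arg}")
            else:
                self.trace.append(f"illegal {op}")

# Detection means: monitors the emulator's trace for the 'intended
# activity' of a virus rather than for a byte signature.
EXECUTABLE_SUFFIXES = (".COM", ".EXE")

def detect(trace: List[str]) -> List[str]:
    reasons: List[str] = []
    for action in trace:
        kind, _, target = action.partition(" ")
        if kind == "write" and target == "BOOT":
            reasons.append("overwrote boot sector")
        if kind == "copy_self" and target.upper().endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"replicated into {target}")
    return reasons

# Response means: acts per preset user instructions once detection fires.
def respond(reasons: List[str], policy: str) -> str:
    if not reasons:
        return "deliver"
    if policy not in ("block", "alert"):
        raise ValueError("policy must be 'block' or 'alert'")
    return policy

# The trap as a whole; the I/O buffer reassembles records that were not
# blocked back into the external framing for the protected system.
def trap(stream: str, policy: str = "block"):
    verdicts: Dict[str, Tuple[List[str], str]] = {}
    outgoing: List[str] = []
    for name, program in link_adapter(stream):
        system = SimulatedSystem()      # fresh simulated world per sample
        system.run(program)
        reasons = detect(system.trace)
        action = respond(reasons, policy)
        verdicts[name] = (reasons, action)
        if action != "block":
            outgoing.append(f"{name}|{';'.join(program)}")
    return verdicts, "\n".join(outgoing)

# Constructed sample traffic: one benign program, one that replicates and
# one that tampers with the boot record.
SAMPLE_STREAM = """\
notes.exe|READ README.TXT;WRITE README.TXT bye
spreader.exe|READ COMMAND.COM;COPY_SELF COMMAND.COM;COPY_SELF README.TXT
dropper.exe|WRITE BOOT junk
"""

if __name__ == "__main__":
    verdicts, delivered = trap(SAMPLE_STREAM, policy="block")
    for name, (reasons, action) in verdicts.items():
        print(f"{name}: {action} {reasons}")
    print("delivered:\n" + delivered)
```

Each record gets a fresh `SimulatedSystem`, which is the point of claim 1's "environment isolated from a protected computer system": the sample can overwrite the simulated boot record or copy itself into the simulated `COMMAND.COM` without any effect outside the emulator, and the detector judges behaviour observed in the trace instead of matching bytes. The `budget` argument is the caveat a practitioner would add: an emulator with no instruction limit can be stalled by a sample that loops forever, so the trap bounds how much work it spends per record.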
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US25262294A | 1994-06-01 | 1994-06-01 | |
US08/252,622 | 1994-06-01 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2191205A1 true CA2191205A1 (en) | 1995-12-07 |
Family
ID=22956818
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002191205A Abandoned CA2191205A1 (en) | 1994-06-01 | 1995-05-30 | Computer virus trap |
Country Status (7)
Country | Link |
---|---|
US (1) | US5842002A (en) |
EP (1) | EP0769170B1 (en) |
JP (1) | JPH10501354A (en) |
AT (1) | ATE183592T1 (en) |
CA (1) | CA2191205A1 (en) |
DE (1) | DE69511556D1 (en) |
WO (1) | WO1995033237A1 (en) |
Families Citing this family (315)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6067410A (en) * | 1996-02-09 | 2000-05-23 | Symantec Corporation | Emulation repair system |
JP3763903B2 (en) * | 1996-10-29 | 2006-04-05 | 株式会社日立製作所 | Information processing device |
US8079086B1 (en) | 1997-11-06 | 2011-12-13 | Finjan, Inc. | Malicious mobile code runtime monitoring system and methods |
US7058822B2 (en) | 2000-03-30 | 2006-06-06 | Finjan Software, Ltd. | Malicious mobile code runtime monitoring system and methods |
US9219755B2 (en) | 1996-11-08 | 2015-12-22 | Finjan, Inc. | Malicious mobile code runtime monitoring system and methods |
US6802028B1 (en) * | 1996-11-11 | 2004-10-05 | Powerquest Corporation | Computer virus detection and removal |
DE19734585C2 (en) * | 1997-08-09 | 2002-11-07 | Brunsch Hans | Method and device for monitoring information flows in computer systems |
US5978917A (en) * | 1997-08-14 | 1999-11-02 | Symantec Corporation | Detection and elimination of macro viruses |
US6357008B1 (en) * | 1997-09-23 | 2002-03-12 | Symantec Corporation | Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases |
US6081894A (en) * | 1997-10-22 | 2000-06-27 | Rvt Technologies, Inc. | Method and apparatus for isolating an encrypted computer system upon detection of viruses and similar data |
US6108799A (en) * | 1997-11-21 | 2000-08-22 | International Business Machines Corporation | Automated sample creation of polymorphic and non-polymorphic marcro viruses |
US5987610A (en) * | 1998-02-12 | 1999-11-16 | Ameritech Corporation | Computer virus screening methods and systems |
AUPP514198A0 (en) * | 1998-08-07 | 1998-09-03 | Compucat Research Pty Limited | Data transfer |
US20010039624A1 (en) * | 1998-11-24 | 2001-11-08 | Kellum Charles W. | Processes systems and networks for secured information exchange using computer hardware |
WO2003012614A1 (en) * | 1998-11-24 | 2003-02-13 | Cyberdfnz, Inc. | A multi-system architecture using general purpose active-backplane and expansion-bus compatible single board computers and their peripherals for secure exchange of information and advanced computing |
US20020040439A1 (en) * | 1998-11-24 | 2002-04-04 | Kellum Charles W. | Processes systems and networks for secure exchange of information and quality of service maintenance using computer hardware |
WO2000034867A1 (en) | 1998-12-09 | 2000-06-15 | Network Ice Corporation | A method and apparatus for providing network and computer system security |
MXPA01007044A (en) * | 1998-12-11 | 2002-09-18 | Rvt Technologies Inc | Method and apparatus for isolating a computer system upon detection of viruses and similar data. |
US7117532B1 (en) | 1999-07-14 | 2006-10-03 | Symantec Corporation | System and method for generating fictitious content for a computer |
US6981155B1 (en) | 1999-07-14 | 2005-12-27 | Symantec Corporation | System and method for computer security |
AU5935400A (en) | 1999-07-14 | 2001-01-30 | Recourse Technologies, Inc. | System and method for protecting a computer network against denial of service attacks |
US7346929B1 (en) | 1999-07-29 | 2008-03-18 | International Business Machines Corporation | Method and apparatus for auditing network security |
US7203962B1 (en) | 1999-08-30 | 2007-04-10 | Symantec Corporation | System and method for using timestamps to detect attacks |
US7406603B1 (en) * | 1999-08-31 | 2008-07-29 | Intertrust Technologies Corp. | Data protection systems and methods |
US6976258B1 (en) | 1999-11-30 | 2005-12-13 | Ensim Corporation | Providing quality of service guarantees to virtual hosts |
US6851057B1 (en) * | 1999-11-30 | 2005-02-01 | Symantec Corporation | Data driven detection of viruses |
US8006243B2 (en) | 1999-12-07 | 2011-08-23 | International Business Machines Corporation | Method and apparatus for remote installation of network drivers and software |
US6954858B1 (en) | 1999-12-22 | 2005-10-11 | Kimberly Joyce Welborn | Computer virus avoidance system and mechanism |
US6701440B1 (en) * | 2000-01-06 | 2004-03-02 | Networks Associates Technology, Inc. | Method and system for protecting a computer using a remote e-mail scanning device |
US7293087B2 (en) | 2000-01-21 | 2007-11-06 | Scriptlogic Corporation | Event-based application for performing configuration changes in a networked environment |
US6529985B1 (en) | 2000-02-04 | 2003-03-04 | Ensim Corporation | Selective interception of system calls |
US6711607B1 (en) | 2000-02-04 | 2004-03-23 | Ensim Corporation | Dynamic scheduling of task streams in a multiple-resource system to ensure task stream quality of service |
US6560613B1 (en) | 2000-02-08 | 2003-05-06 | Ensim Corporation | Disambiguating file descriptors |
US6754716B1 (en) | 2000-02-11 | 2004-06-22 | Ensim Corporation | Restricting communication between network devices on a common network |
US7343421B1 (en) | 2000-02-14 | 2008-03-11 | Digital Asset Enterprises Llc | Restricting communication of selected processes to a set of specific network addresses |
GB2359908B (en) * | 2000-03-04 | 2004-09-15 | Motorola Inc | Communication system architecture and method of controlling data download to subscriber equipment |
US6948003B1 (en) | 2000-03-15 | 2005-09-20 | Ensim Corporation | Enabling a service provider to provide intranet services |
US6775780B1 (en) * | 2000-03-16 | 2004-08-10 | Networks Associates Technology, Inc. | Detecting malicious software by analyzing patterns of system calls generated during emulation |
US7574740B1 (en) | 2000-04-28 | 2009-08-11 | International Business Machines Corporation | Method and system for intrusion detection in a computer network |
AU2001257400A1 (en) | 2000-04-28 | 2001-11-12 | Internet Security Systems, Inc. | System and method for managing security events on a network |
US6985937B1 (en) | 2000-05-11 | 2006-01-10 | Ensim Corporation | Dynamically modifying the resources of a virtual server |
US6907421B1 (en) | 2000-05-16 | 2005-06-14 | Ensim Corporation | Regulating file access rates according to file type |
US6973577B1 (en) * | 2000-05-26 | 2005-12-06 | Mcafee, Inc. | System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state |
US20020035696A1 (en) * | 2000-06-09 | 2002-03-21 | Will Thacker | System and method for protecting a networked computer from viruses |
US6901519B1 (en) | 2000-06-22 | 2005-05-31 | Infobahn, Inc. | E-mail virus protection system and method |
US7913078B1 (en) | 2000-06-22 | 2011-03-22 | Walter Mason Stewart | Computer network virus protection system and method |
US7162649B1 (en) | 2000-06-30 | 2007-01-09 | Internet Security Systems, Inc. | Method and apparatus for network assessment and authentication |
US7143024B1 (en) | 2000-07-07 | 2006-11-28 | Ensim Corporation | Associating identifiers with virtual processes |
US7093239B1 (en) * | 2000-07-14 | 2006-08-15 | Internet Security Systems, Inc. | Computer immune system and method for detecting unwanted code in a computer system |
US8341743B2 (en) * | 2000-07-14 | 2012-12-25 | Ca, Inc. | Detection of viral code using emulation of operating system functions |
US7350235B2 (en) * | 2000-07-14 | 2008-03-25 | Computer Associates Think, Inc. | Detection of decryption to identify encrypted virus |
US6909691B1 (en) | 2000-08-07 | 2005-06-21 | Ensim Corporation | Fairly partitioning resources while limiting the maximum fair share |
US6981279B1 (en) * | 2000-08-17 | 2005-12-27 | International Business Machines Corporation | Method and apparatus for replicating and analyzing worm programs |
GB2368233B (en) * | 2000-08-31 | 2002-10-16 | F Secure Oyj | Maintaining virus detection software |
US6732211B1 (en) | 2000-09-18 | 2004-05-04 | Ensim Corporation | Intercepting I/O multiplexing operations involving cross-domain file descriptor sets |
US7178166B1 (en) | 2000-09-19 | 2007-02-13 | Internet Security Systems, Inc. | Vulnerability assessment and authentication of a computer by a local scanner |
US9027121B2 (en) * | 2000-10-10 | 2015-05-05 | International Business Machines Corporation | Method and system for creating a record for one or more computer security incidents |
US7086090B1 (en) * | 2000-10-20 | 2006-08-01 | International Business Machines Corporation | Method and system for protecting pervasive devices and servers from exchanging viruses |
US7146305B2 (en) * | 2000-10-24 | 2006-12-05 | Vcis, Inc. | Analytical virtual machine |
US6996845B1 (en) | 2000-11-28 | 2006-02-07 | S.P.I. Dynamics Incorporated | Internet security analysis system and process |
US7130466B2 (en) | 2000-12-21 | 2006-10-31 | Cobion Ag | System and method for compiling images from a database and comparing the compiled images with known images |
US7219354B1 (en) | 2000-12-22 | 2007-05-15 | Ensim Corporation | Virtualizing super-user privileges for multiple virtual processes |
AU2002243763A1 (en) | 2001-01-31 | 2002-08-12 | Internet Security Systems, Inc. | Method and system for configuring and scheduling security audits of a computer network |
US7010698B2 (en) * | 2001-02-14 | 2006-03-07 | Invicta Networks, Inc. | Systems and methods for creating a code inspection system |
US7797251B2 (en) * | 2001-02-14 | 2010-09-14 | 5th Fleet, L.L.C. | System and method providing secure credit or debit transactions across unsecure networks |
US6618736B1 (en) | 2001-03-09 | 2003-09-09 | Ensim Corporation | Template-based creation and archival of file systems |
CN1147795C (en) * | 2001-04-29 | 2004-04-28 | 北京瑞星科技股份有限公司 | Method, system and medium for detecting and clearing known and anknown computer virus |
US6931552B2 (en) * | 2001-05-02 | 2005-08-16 | James B. Pritchard | Apparatus and method for protecting a computer system against computer viruses and unauthorized access |
US7392541B2 (en) * | 2001-05-17 | 2008-06-24 | Vir2Us, Inc. | Computer system architecture and method providing operating-system independent virus-, hacker-, and cyber-terror-immune processing environments |
US7237264B1 (en) | 2001-06-04 | 2007-06-26 | Internet Security Systems, Inc. | System and method for preventing network misuse |
US20020188649A1 (en) * | 2001-06-12 | 2002-12-12 | Ron Karim | Mechanism for safely executing an untrusted program |
US7657419B2 (en) | 2001-06-19 | 2010-02-02 | International Business Machines Corporation | Analytical virtual machine |
US7000250B1 (en) * | 2001-07-26 | 2006-02-14 | Mcafee, Inc. | Virtual opened share mode system with virus protection |
US7356736B2 (en) * | 2001-09-25 | 2008-04-08 | Norman Asa | Simulated computer system for monitoring of software performance |
US20030093689A1 (en) * | 2001-11-15 | 2003-05-15 | Aladdin Knowledge Systems Ltd. | Security router |
US20030101381A1 (en) * | 2001-11-29 | 2003-05-29 | Nikolay Mateev | System and method for virus checking software |
JP3914757B2 (en) | 2001-11-30 | 2007-05-16 | デュアキシズ株式会社 | Apparatus, method and system for virus inspection |
US20030115479A1 (en) * | 2001-12-14 | 2003-06-19 | Jonathan Edwards | Method and system for detecting computer malwares by scan of process memory after process initialization |
WO2003058451A1 (en) | 2002-01-04 | 2003-07-17 | Internet Security Systems, Inc. | System and method for the managed security control of processes on a computer system |
US7269851B2 (en) * | 2002-01-07 | 2007-09-11 | Mcafee, Inc. | Managing malware protection upon a computer network |
US9652613B1 (en) * | 2002-01-17 | 2017-05-16 | Trustwave Holdings, Inc. | Virus detection by executing electronic message code in a virtual machine |
US7607171B1 (en) * | 2002-01-17 | 2009-10-20 | Avinti, Inc. | Virus detection by executing e-mail code in a virtual machine |
FR2835132B1 (en) * | 2002-01-24 | 2004-05-14 | Ercom Engineering Reseaux Comm | METHOD, SYSTEM AND DEVICE FOR SECURING ACCESS TO A SERVER |
CA2480867A1 (en) * | 2002-04-13 | 2003-10-30 | Computer Associates Think, Inc. | System and method for detecting malicious code |
DE10218429A1 (en) * | 2002-04-25 | 2003-11-06 | Strothmann Rolf | Computer virus detection system, comprises a security arrangement consisting of a computer, protective software and quarantine means arranged between an external network and a local network or computer |
US7155741B2 (en) * | 2002-05-06 | 2006-12-26 | Symantec Corporation | Alteration of module load locations |
US7370360B2 (en) | 2002-05-13 | 2008-05-06 | International Business Machines Corporation | Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine |
US7487543B2 (en) * | 2002-07-23 | 2009-02-03 | International Business Machines Corporation | Method and apparatus for the automatic determination of potentially worm-like behavior of a program |
US20040064722A1 (en) * | 2002-10-01 | 2004-04-01 | Dinesh Neelay | System and method for propagating patches to address vulnerabilities in computers |
US7188369B2 (en) * | 2002-10-03 | 2007-03-06 | Trend Micro, Inc. | System and method having an antivirus virtual scanning processor with plug-in functionalities |
US7412723B2 (en) * | 2002-12-31 | 2008-08-12 | International Business Machines Corporation | Method and system for morphing honeypot with computer security incident correlation |
US7383578B2 (en) * | 2002-12-31 | 2008-06-03 | International Business Machines Corporation | Method and system for morphing honeypot |
US7013483B2 (en) * | 2003-01-03 | 2006-03-14 | Aladdin Knowledge Systems Ltd. | Method for emulating an executable code in order to detect maliciousness |
US7913303B1 (en) | 2003-01-21 | 2011-03-22 | International Business Machines Corporation | Method and system for dynamically protecting a computer system from attack |
JP3835421B2 (en) * | 2003-03-28 | 2006-10-18 | コニカミノルタビジネステクノロジーズ株式会社 | Control program and control device |
US8838950B2 (en) * | 2003-06-23 | 2014-09-16 | International Business Machines Corporation | Security architecture for system on chip |
WO2005032042A1 (en) | 2003-09-24 | 2005-04-07 | Infoexpress, Inc. | Systems and methods of controlling network access |
US7657938B2 (en) | 2003-10-28 | 2010-02-02 | International Business Machines Corporation | Method and system for protecting computer networks by altering unwanted network data traffic |
US7587765B2 (en) * | 2003-12-23 | 2009-09-08 | International Business Machines Corporation | Automatic virus fix |
US7950059B2 (en) * | 2003-12-30 | 2011-05-24 | Check-Point Software Technologies Ltd. | Universal worm catcher |
US7730530B2 (en) * | 2004-01-30 | 2010-06-01 | Microsoft Corporation | System and method for gathering exhibited behaviors on a .NET executable module in a secure manner |
US7913305B2 (en) * | 2004-01-30 | 2011-03-22 | Microsoft Corporation | System and method for detecting malware in an executable code module according to the code module's exhibited behavior |
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8539582B1 (en) | 2004-04-01 | 2013-09-17 | Fireeye, Inc. | Malware containment and security analysis on connection |
US9027135B1 (en) | 2004-04-01 | 2015-05-05 | Fireeye, Inc. | Prospective client identification using malware attack detection |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US9106694B2 (en) | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US8898788B1 (en) | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
US7587537B1 (en) | 2007-11-30 | 2009-09-08 | Altera Corporation | Serializer-deserializer circuits formed from input-output circuit registers |
US8793787B2 (en) * | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US8549638B2 (en) * | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US8375444B2 (en) | 2006-04-20 | 2013-02-12 | Fireeye, Inc. | Dynamic signature creation and enforcement |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US7757287B2 (en) * | 2004-04-19 | 2010-07-13 | Computer Associates Think, Inc. | Systems and methods for computer security |
US8407792B2 (en) * | 2004-05-19 | 2013-03-26 | Ca, Inc. | Systems and methods for computer security |
EP1766494B1 (en) | 2004-05-19 | 2018-01-03 | CA, Inc. | Method and system for isolating suspicious objects |
US7761919B2 (en) * | 2004-05-20 | 2010-07-20 | Computer Associates Think, Inc. | Intrusion detection with automatic signature generation |
US8042180B2 (en) * | 2004-05-21 | 2011-10-18 | Computer Associates Think, Inc. | Intrusion detection based on amount of network traffic |
US7908653B2 (en) * | 2004-06-29 | 2011-03-15 | Intel Corporation | Method of improving computer security through sandboxing |
US20060112430A1 (en) * | 2004-11-19 | 2006-05-25 | Deisenroth Jerrold M | Method and apparatus for immunizing data in computer systems from corruption |
US8131804B2 (en) * | 2004-11-19 | 2012-03-06 | J Michael Greata | Method and apparatus for immunizing data in computer systems from corruption |
US20060137013A1 (en) * | 2004-12-06 | 2006-06-22 | Simon Lok | Quarantine filesystem |
KR100599084B1 (en) * | 2005-02-24 | 2006-07-12 | 삼성전자주식회사 | Method for protecting virus on mobile communication network |
WO2006106527A1 (en) * | 2005-04-04 | 2006-10-12 | Trinity Future-In Private Limited | An electro-mechanical system for filtering data |
US20060259971A1 (en) * | 2005-05-10 | 2006-11-16 | Tzu-Jian Yang | Method for detecting viruses in macros of a data stream |
WO2007022454A2 (en) | 2005-08-18 | 2007-02-22 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media protecting a digital data processing device from attack |
US7590733B2 (en) * | 2005-09-14 | 2009-09-15 | Infoexpress, Inc. | Dynamic address assignment for access control on DHCP networks |
US7739740B1 (en) | 2005-09-22 | 2010-06-15 | Symantec Corporation | Detecting polymorphic threats |
US7845005B2 (en) * | 2006-02-07 | 2010-11-30 | International Business Machines Corporation | Method for preventing malicious software installation on an internet-connected computer |
US20090133124A1 (en) * | 2006-02-15 | 2009-05-21 | Jie Bai | A method for detecting the operation behavior of the program and a method for detecting and clearing the virus program |
US20070192500A1 (en) * | 2006-02-16 | 2007-08-16 | Infoexpress, Inc. | Network access control including dynamic policy enforcement point |
US20070192858A1 (en) * | 2006-02-16 | 2007-08-16 | Infoexpress, Inc. | Peer based network access control |
WO2007107766A1 (en) * | 2006-03-22 | 2007-09-27 | British Telecommunications Public Limited Company | Method and apparatus for automated testing software |
US8640235B2 (en) * | 2006-03-31 | 2014-01-28 | Symantec Corporation | Determination of malicious entities |
US8316439B2 (en) * | 2006-05-19 | 2012-11-20 | Iyuko Services L.L.C. | Anti-virus and firewall system |
EP1876728B1 (en) | 2006-07-07 | 2014-01-01 | E-Blink | Synchronisation method for two electronic devices over a wireless connection, in particular over a mobile telephone network, as well as a system to implement said procedure |
US20080016572A1 (en) * | 2006-07-12 | 2008-01-17 | Microsoft Corporation | Malicious software detection via memory analysis |
KR100833958B1 (en) | 2006-07-28 | 2008-05-30 | 고려대학교 산학협력단 | Recording medium storing program for detecting malignant code, and method therefor |
US20080101223A1 (en) * | 2006-10-30 | 2008-05-01 | Gustavo De Los Reyes | Method and apparatus for providing network based end-device protection |
US20080115215A1 (en) * | 2006-10-31 | 2008-05-15 | Jeffrey Scott Bardsley | Methods, systems, and computer program products for automatically identifying and validating the source of a malware infection of a computer system |
US8407160B2 (en) * | 2006-11-15 | 2013-03-26 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and/or generating sanitized anomaly detection models |
US20080229416A1 (en) * | 2007-01-09 | 2008-09-18 | G. K. Webb Services Llc | Computer Network Virus Protection System and Method |
US8856782B2 (en) | 2007-03-01 | 2014-10-07 | George Mason Research Foundation, Inc. | On-demand disposable virtual work system |
US20080271025A1 (en) * | 2007-04-24 | 2008-10-30 | Stacksafe, Inc. | System and method for creating an assurance system in a production environment |
US20080270104A1 (en) * | 2007-04-24 | 2008-10-30 | Stratton Robert J | System and Method for Creating an Assurance System in a Mixed Environment |
US8402529B1 (en) | 2007-05-30 | 2013-03-19 | M86 Security, Inc. | Preventing propagation of malicious software during execution in a virtual machine |
US8160847B2 (en) * | 2007-07-07 | 2012-04-17 | Neal Solomon | Hybrid multi-layer artificial immune system |
CN101359356B (en) * | 2007-08-03 | 2010-08-25 | 联想(北京)有限公司 | Method and system for deleting or isolating computer virus |
KR100945247B1 (en) * | 2007-10-04 | 2010-03-03 | 한국전자통신연구원 | The method and apparatus for analyzing exploit code in non-executable file using virtual environment |
US8276200B2 (en) * | 2008-01-09 | 2012-09-25 | International Business Machines Corporation | Systems and methods for securely processing sensitive streams in a mixed infrastructure |
EP2157525B1 (en) * | 2008-08-21 | 2018-01-10 | Unify GmbH & Co. KG | Method for recognising malware |
US9098698B2 (en) | 2008-09-12 | 2015-08-04 | George Mason Research Foundation, Inc. | Methods and apparatus for application isolation |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8850571B2 (en) | 2008-11-03 | 2014-09-30 | Fireeye, Inc. | Systems and methods for detecting malicious network content |
US8839422B2 (en) | 2009-06-30 | 2014-09-16 | George Mason Research Foundation, Inc. | Virtual browsing environment |
US8832829B2 (en) | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
FR2956934B1 (en) | 2010-02-26 | 2012-09-28 | Blink E | METHOD AND DEVICE FOR TRANSMITTING / RECEIVING ELECTROMAGNETIC SIGNALS RECEIVED / EMITTED ON ONE OR MORE FIRST FREQUENCY BANDS. |
KR101122650B1 (en) * | 2010-04-28 | 2012-03-09 | 한국전자통신연구원 | Apparatus, system and method for detecting malicious code injected with fraud into normal process |
JP5739182B2 (en) | 2011-02-04 | 2015-06-24 | インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation | Control system, method and program |
JP5731223B2 (en) | 2011-02-14 | 2015-06-10 | インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation | Abnormality detection device, monitoring control system, abnormality detection method, program, and recording medium |
JP5689333B2 (en) * | 2011-02-15 | 2015-03-25 | インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation | Abnormality detection system, abnormality detection device, abnormality detection method, program, and recording medium |
CN102298681B (en) * | 2011-06-22 | 2013-07-31 | 西北大学 | Software identification method based on data stream sliced sheet |
RU2014112261A (en) | 2011-09-15 | 2015-10-20 | Зе Трастис Оф Коламбия Юниверсити Ин Зе Сити Оф Нью-Йорк | SYSTEMS, METHODS AND INFORMATION CARRIERS FOR DETECTION OF USEFUL LOADS OF RETURN-ORIENTED PROGRAMMING |
WO2013082437A1 (en) | 2011-12-02 | 2013-06-06 | Invincia, Inc. | Methods and apparatus for control and detection of malicious content using a sandbox environment |
US9519782B2 (en) | 2012-02-24 | 2016-12-13 | Fireeye, Inc. | Detecting malicious network content |
FR2990315B1 (en) | 2012-05-04 | 2014-06-13 | Blink E | METHOD FOR TRANSMITTING INFORMATION BETWEEN A TRANSMITTING UNIT AND A RECEIVING UNIT |
CN103679015A (en) * | 2012-09-04 | 2014-03-26 | 江苏中科慧创信息安全技术有限公司 | Attacking control method for protecting kernel system |
KR101244731B1 (en) * | 2012-09-11 | 2013-03-18 | 주식회사 안랩 | Apparatus and method for detecting malicious shell code by using debug event |
US8850581B2 (en) | 2012-11-07 | 2014-09-30 | Microsoft Corporation | Identification of malware detection signature candidate code |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US9195829B1 (en) | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9009822B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for multi-phase analysis of mobile applications |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9824209B1 (en) | 2013-02-23 | 2017-11-21 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications that is usable to harden in the field code |
US9159035B1 (en) | 2013-02-23 | 2015-10-13 | Fireeye, Inc. | Framework for computer application analysis of sensitive information tracking |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9104867B1 (en) | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9565202B1 (en) | 2013-03-13 | 2017-02-07 | Fireeye, Inc. | System and method for detecting exfiltration content |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9430646B1 (en) | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9251343B1 (en) | 2013-03-15 | 2016-02-02 | Fireeye, Inc. | Detecting bootkits resident on compromised computers |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US9413781B2 (en) | 2013-03-15 | 2016-08-09 | Fireeye, Inc. | System and method employing structured intelligence to verify and contain threats at endpoints |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9635039B1 (en) | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US9536091B2 (en) | 2013-06-24 | 2017-01-03 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9888016B1 (en) | 2013-06-28 | 2018-02-06 | Fireeye, Inc. | System and method for detecting phishing using password prediction |
US9171160B2 (en) | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US10192052B1 (en) | 2013-09-30 | 2019-01-29 | Fireeye, Inc. | System, apparatus and method for classifying a file as malicious using static scanning |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US10089461B1 (en) | 2013-09-30 | 2018-10-02 | Fireeye, Inc. | Page replacement code injection |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US9189627B1 (en) | 2013-11-21 | 2015-11-17 | Fireeye, Inc. | System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9292686B2 (en) | 2014-01-16 | 2016-03-22 | Fireeye, Inc. | Micro-virtualization architecture for threat-aware microvisor deployment in a node of a network environment |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9241010B1 (en) | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US10002252B2 (en) | 2014-07-01 | 2018-06-19 | Fireeye, Inc. | Verification of trusted threat-aware microvisor |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US9860208B1 (en) | 2014-09-30 | 2018-01-02 | Palo Alto Networks, Inc. | Bridging a virtual clone of a target device in a honey network to a suspicious device in an enterprise network |
US9495188B1 (en) | 2014-09-30 | 2016-11-15 | Palo Alto Networks, Inc. | Synchronizing a honey network configuration to reflect a target network environment |
US10044675B1 (en) | 2014-09-30 | 2018-08-07 | Palo Alto Networks, Inc. | Integrating a honey network with a target network to counter IP and peer-checking evasion techniques |
US9716727B1 (en) | 2014-09-30 | 2017-07-25 | Palo Alto Networks, Inc. | Generating a honey network configuration to emulate a target network environment |
US9882929B1 (en) | 2014-09-30 | 2018-01-30 | Palo Alto Networks, Inc. | Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US9934376B1 (en) | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US9654485B1 (en) | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US9742796B1 (en) | 2015-09-18 | 2017-08-22 | Palo Alto Networks, Inc. | Automatic repair of corrupt files for a detonation engine |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10108446B1 (en) | 2015-12-11 | 2018-10-23 | Fireeye, Inc. | Late load technique for deploying a virtualization layer underneath a running operating system |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10621338B1 (en) | 2015-12-30 | 2020-04-14 | Fireeye, Inc. | Method to detect forgery and exploits using last branch recording registers |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10902119B1 (en) | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10554507B1 (en) | 2017-03-30 | 2020-02-04 | Fireeye, Inc. | Multi-level control for enhanced resource and object evaluation management of malware detection system |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US10824367B2 (en) | 2017-10-19 | 2020-11-03 | Seagate Technology Llc | Adaptive intrusion detection based on monitored data transfer commands |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
US11265346B2 (en) | 2019-12-19 | 2022-03-01 | Palo Alto Networks, Inc. | Large scale high-interactive honeypot farm |
US11271907B2 (en) | 2019-12-19 | 2022-03-08 | Palo Alto Networks, Inc. | Smart proxy for a large scale high-interaction honeypot farm |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5144660A (en) * | 1988-08-31 | 1992-09-01 | Rose Anthony M | Securing a computer against undesired write operations to or read operations from a mass storage device |
US5121345A (en) * | 1988-11-03 | 1992-06-09 | Lentz Stephen A | System and method for protecting integrity of computer data and software |
US5274815A (en) * | 1991-11-01 | 1993-12-28 | Motorola, Inc. | Dynamic instruction modifying controller and operation method |
DK170490B1 (en) * | 1992-04-28 | 1995-09-18 | Multi Inform As | Data Processing Plant |
US5278901A (en) * | 1992-04-30 | 1994-01-11 | International Business Machines Corporation | Pattern-oriented intrusion-detection system and method |
US5359659A (en) * | 1992-06-19 | 1994-10-25 | Doren Rosenthal | Method for securing software against corruption by computer viruses |
US5379414A (en) * | 1992-07-10 | 1995-01-03 | Adams; Phillip M. | Systems and methods for FDC error detection and prevention |
US5440723A (en) * | 1993-01-19 | 1995-08-08 | International Business Machines Corporation | Automatic immune system for computers and computer networks |
US5398196A (en) * | 1993-07-29 | 1995-03-14 | Chambers; David A. | Method and apparatus for detection of computer viruses |
1995
- 1995-05-30 JP JP8501048A patent/JPH10501354A/en active Pending
- 1995-05-30 AT AT95922114T patent/ATE183592T1/en not_active IP Right Cessation
- 1995-05-30 CA CA002191205A patent/CA2191205A1/en not_active Abandoned
- 1995-05-30 WO PCT/US1995/006659 patent/WO1995033237A1/en active IP Right Grant
- 1995-05-30 EP EP95922114A patent/EP0769170B1/en not_active Expired - Lifetime
- 1995-05-30 DE DE69511556T patent/DE69511556D1/en not_active Expired - Lifetime
1997
- 1997-05-30 US US08/865,786 patent/US5842002A/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
WO1995033237A1 (en) | 1995-12-07 |
EP0769170B1 (en) | 1999-08-18 |
EP0769170A4 (en) | 1997-07-30 |
DE69511556D1 (en) | 1999-09-23 |
US5842002A (en) | 1998-11-24 |
EP0769170A1 (en) | 1997-04-23 |
JPH10501354A (en) | 1998-02-03 |
ATE183592T1 (en) | 1999-09-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2191205A1 (en) | Computer virus trap | |
EP0636977B1 (en) | Method and apparatus for detection of computer viruses | |
US7010698B2 (en) | Systems and methods for creating a code inspection system | |
Embleton et al. | SMM rootkits: a new breed of OS independent malware | |
US7908653B2 (en) | Method of improving computer security through sandboxing | |
Kolbitsch et al. | Effective and efficient malware detection at the end host. | |
JP4741782B2 (en) | Computer immune system and method for detecting undesirable codes in a computer system | |
US7900258B2 (en) | Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine | |
US7665139B1 (en) | Method and apparatus to detect and prevent malicious changes to tokens | |
US20030115479A1 (en) | Method and system for detecting computer malwares by scan of process memory after process initialization | |
US20120060220A1 (en) | Systems and methods for computer security employing virtual computer systems | |
WO1994006096A2 (en) | Restricting and auditing the operation of a computer via a trusted path mechanism | |
JP2008152776A (en) | Method for processing secure data on computer with safety operating system | |
Quynh et al. | A novel approach for a file-system integrity monitor tool of Xen virtual machine | |
Sun et al. | A praise for defensive programming: Leveraging uncertainty for effective malware mitigation | |
Landwehr et al. | A taxonomy of computer program security flaws, with examples | |
Ortolani et al. | KLIMAX: Profiling memory write patterns to detect keystroke-harvesting malware | |
Neugschwandtner et al. | dAnubis – Dynamic Device Driver Analysis Based on Virtual Machine Introspection |
Caillat et al. | Prison: Tracking process interactions to contain malware | |
Cohen | Current best practices against computer viruses with examples from the DOS operating system | |
Costa et al. | Stopping internet epidemics | |
Nelson | Combating viruses on microcomputers and LANs | |
Kim et al. | Behavior-Based Tracer to Monitor Malicious Features of Unknown Executable File | |
Singh et al. | Malware Detection and Removal Techniques | |
Xu | Study of buffer overflow attacks and microarchitectural defenses |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
FZDE | Discontinued |