WO2007037640A1 - Method for detecting modification of internal time in computer system - Google Patents

Method for detecting modification of internal time in computer system Download PDF

Info

Publication number
WO2007037640A1
WO2007037640A1 PCT/KR2006/003902 KR2006003902W WO2007037640A1 WO 2007037640 A1 WO2007037640 A1 WO 2007037640A1 KR 2006003902 W KR2006003902 W KR 2006003902W WO 2007037640 A1 WO2007037640 A1 WO 2007037640A1
Authority
WO
WIPO (PCT)
Prior art keywords
time
computer system
timer
standard
internal
Prior art date
Application number
PCT/KR2006/003902
Other languages
French (fr)
Inventor
Ho Woong Lee
Hee An Park
Hang Hoon Ko
Soon Keun Kim
Deok Young Jung
Original Assignee
Ahn Lab, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from KR1020050090603A external-priority patent/KR100653545B1/en
Application filed by Ahn Lab, Inc. filed Critical Ahn Lab, Inc.
Publication of WO2007037640A1 publication Critical patent/WO2007037640A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/04Generating or distributing clock signals or signals derived directly therefrom
    • G06F1/14Time supervision arrangements, e.g. real time clock

Definitions

  • the present invention relates to a method for detecting modification of internal time in a computer system. More particularly, the present invention relates to the method for detecting modification of internal time in a computer system by detecting that the information about internal time in computer system is modified by an external program which modifies time.
  • speed hacking or speed hack programs Programs that make either faster or slower the programs working in a computer system by modifying the time related information, are generally called speed hacking or speed hack programs.
  • the speed hack programs are classified into two groups; one is a method which returns abnormal values when API (Application Programming Interface) is called by hooking time related API, and the other is a method which manipulates the period of the timer used as the time related information in an actual system by manipulating PIT (Programmable Interrupt Timer).
  • API Application Programming Interface
  • This kind of speed hack program is mainly used in the client system which interfaces with the online game server. More particularly, the speed hack program is used to beat other users who are playing game simultaneously by making the time of the game client go faster or slower. Further, the speed hack programs cause the game client to transmit lots of data for a short period of time and thereby gives heavy loads to the game server. As a result, the number of the users of online game decreases and therefore a problem arises that game businesses are directly done harm in sales. The online game business companies perceive the use of the speed hack programs by the following methods.
  • a first method for detecting modification of internal time in computer system is a method for sensing the speed hack programs by hooking API.
  • the method is to diagnose whether or not the speed hack programs are used by examining the use of hooking, for example checking if the addresses of IAT (Import Address Table) for API are modified or if jump code is inserted in the very first part of each real API code.
  • IAT International Port Address Table
  • a second method for detecting modification of internal time in computer system is a most generally used way for detecting all the speed hack programs by the method comprising the steps of collecting speed hack program samples as much as possible and thereby diagnosing by using the patterns of the program on the basis of the collection of the samples as in the way similar to the method of virus check.
  • a third method for detecting modification of internal time in computer system is a method for diagnosing the use of speed hack programs by comparing the packet amount which is transmitted from the game server for a certain period of time.
  • the method may not perceive the speed hack program due to misperception except the time when the speed hack program changes time a lot and therefore the amount of packet which comes to the server is much different from the packet amount in a normal condition.
  • An objective of the present invention is to provide a method of detecting a modification of internal time in computer system by the speed hack programs.
  • Another objective of the present invention is to provide the method of detecting the modification of internal time in the computer system solely based on changes in time, and thereby a modification of internal time is not detected although a program hooks time related API in a normal way.
  • a further objective of the present invention is to provide the method of detecting modification of internal time in computer system wherein it does not take long when diagnosing all the areas where jump code may be inserted.
  • Still a further objective of the present invention is to provide the method for detecting modification of internal time in computer system wherein a small change in time may be detected by using accurate TSC (Time Stamp Counter) information and further wherein modification of internal time by any speed hack program may be detected by examining changes in real time regardless of the operational routines of the speed hack program.
  • TSC Time Stamp Counter
  • a method for detecting modification of internal time in computer system comprises the following steps of: [19] detecting a standard time through the chip providing time information at the kernel level of computer system;
  • a recording medium readable by computer having a program to embody a method according to the present invention comprises the following steps of: [24] setting a timer having first period at the kernel level of the computer system; storing variation data in TSC (Time Stamp Counter) if the timer is called every the first period and thereafter calling signal of the timer is detected; [25] deciding whether it passed a certain time with RCT (Real Time Clock) if the timer is called and setting a standard time by calculating a mean value of the variations for a certain period of time;
  • TSC Time Stamp Counter
  • the recording medium readable by computer having a program to embody a method according to the present invention comprises the following steps of: [32] setting RTC (Real Time Clock) as a standard time at kernel level of the computer system; [33] detecting an inner time of a program at user level of the computer system from PIT
  • Fig. 1 is general inner block diagram of computer system according to one embodiment of the present invention.
  • Fig. 2 is flow chart for illustrating a method of calculating standard time according to one embodiment of the present invention.
  • Fig. 3 is flow chart for illustrating a method for detecting modification of internal time in computer system according to one embodiment of the present invention.
  • Fig. 4 is flow chart for illustrating a method for detecting modification of internal time in computer system based on a calculated standard time according to one embodiment of the present invention.
  • Best embodiment of the present invention will be described in detail with reference to appended drawings in the following. [42]
  • FIG. 1 is general inner block diagram of computer system according to one embodiment of the present invention.
  • computer system is categorized into User Level 100 and
  • Kernel Level 200 Whether or not internal time of computer system is modified is decided by the method comprising following steps of: time modification detecting module 140 retrieving standard time calculated at device driver 220, drawing out the inner time by calling for the time related API of the operating program 120 driving at user level, and comparing the standard time and the internal time.
  • time modification detecting module 140 retrieves standard time calculated at device driver 220, drawing out the inner time by calling for the time related API of the operating program 120 driving at user level, and comparing the standard time and the internal time.
  • TSC Time Stamp Counter
  • RTC Real Time Counter
  • BIOS Basic Input Output
  • Fig. 2 is flow chart for illustrating how standard time is calculated according to one embodiment of the present invention.
  • TSC Time Stamp Counter
  • RCT Real Time Clock
  • the mean value of the variation of the TSC per 1 sec. is set up as standard time to be used by storing the data of variation of TSC per 10 ms and storing the mean value of the data of variation of the TSC per 1 sec (S240,
  • FIG. 3 is flow chart for illustrating a method for detecting modification of internal time in computer system according to one embodiment of the present invention.
  • a timer of a second period not affecting the performance of operating program is set for diagnosing periodically the time modification by the speed hack program
  • the second period is 200 ms, and whether or not internal time in computer system is modified is sensed by the timer every 200 ms.
  • time modification detecting module 140 detects internal time from the time related API (Application
  • a variation in time is calculated by using the time related API, and thereafter TSC variation according to the variation in time is calculated (S320).
  • TSC variation according to the variation in time is calculated (S320).
  • One example of the time related API in the online game is GetTickCount(), timeGetTime(), QueryPerformanceCounter(), or the like. Where the speed hack program is concerned, the speed hack program hooks the API of the one example, and thereby it is possible to use API.
  • the time modification detecting module 140 retrieves the TSC variation data according to the standard time illustrated with reference to the flow chart in Fig. 2 and thereafter the TSC variation data is compared with the other TSC variation data calculated at the prior step S320 for deciding whether internal time in computer system is modified by the activities of the speed hack program (S330).
  • the time modification detecting module 140 calculates the difference between the
  • TSC variation calculated at the prior step S320 and the other TSC variation set up on the basis of the standard time stores the difference in the Detect Window wherein the differences between the two have been stored during late a few seconds.
  • the oldest data is replaced with new data in the Detect Window as a simple disposition space where current TSC variations in late a few sections are stored.
  • a few of TSC variations are stored in the Direct Window, and thereafter it has to be decided whether the number of the stored TSC variations in the Detect Window is in the critical range (S340).
  • a multiple of 5 and more preferably 5 or 10 is set up for N value if the second period is 200 ms. Accordingly, if the N is 5 or 10 diagnosis period becomes 1 sec. or 2 sec.
  • the present invention minimizes the rate of mistaken diagnosis caused by temporary problems in computer system by adopting the concept of Detect Window which does not diagnose right after TSC variation is out of the scope of the critical range once but detects an occasion that the TSC variations are out of the scope of the critical range consecutive times.
  • a computer system has a CPU of 1 GHz, and that a timer used in a time modification detecting module has a period of 200 ms, and further that a time related API used in game is GetTickCount().
  • TSC variations are placed in the critical range.
  • the critical range is defined to be 10% (more or less than 1.1 times)
  • the method of detecting modification of time remains the same even when time is modified twice slower.
  • a method for detecting modification of internal time when time is modified twice faster by changing PIT Programmable Interrupt Timer
  • PIT Programmable Interrupt Timer
  • a method for detecting the speed hack program being active by changing PIT period is used for examining whether or not the speed hack program is used by comparing the variation in standard time and the other variation in real time based on the time information that is not affected by PIT, for example the RTC (Real Time
  • Fig. 4 is flow chart for illustrating a method for detecting modification of internal time in computer system according to one embodiment of the present invention based on the calculated standard time.
  • RTC Real Time Clock
  • S400 kernel level 200 in computer system
  • a minimum unit of the standard time of the RTC is 1 sec.

Abstract

A method for detecting modification of internal time in computer system according to the present invention comprises the following steps of: detecting standard time through the chip which provides time information at kernel level of computer system; detecting internal time of a program at user level of the computer system; comparing the detected standard time and the internal time; and deciding whether time of the computer system is modified on the basis of the result of the comparison.

Description

Description
METHOD FOR DETECTING MODIFICATION OF INTERNAL
TIME IN COMPUTER SYSTEM
Technical Field
[1] The present invention relates to a method for detecting modification of internal time in a computer system. More particularly, the present invention relates to the method for detecting modification of internal time in a computer system by detecting that the information about internal time in computer system is modified by an external program which modifies time.
[2]
Background Art
[3] Programs that make either faster or slower the programs working in a computer system by modifying the time related information, are generally called speed hacking or speed hack programs. The speed hack programs are classified into two groups; one is a method which returns abnormal values when API (Application Programming Interface) is called by hooking time related API, and the other is a method which manipulates the period of the timer used as the time related information in an actual system by manipulating PIT (Programmable Interrupt Timer).
[4] This kind of speed hack program is mainly used in the client system which interfaces with the online game server. More particularly, the speed hack program is used to beat other users who are playing game simultaneously by making the time of the game client go faster or slower. Further, the speed hack programs cause the game client to transmit lots of data for a short period of time and thereby gives heavy loads to the game server. As a result, the number of the users of online game decreases and therefore a problem arises that game businesses are directly done harm in sales. The online game business companies perceive the use of the speed hack programs by the following methods.
[5] A first method for detecting modification of internal time in computer system is a method for sensing the speed hack programs by hooking API. The method is to diagnose whether or not the speed hack programs are used by examining the use of hooking, for example checking if the addresses of IAT (Import Address Table) for API are modified or if jump code is inserted in the very first part of each real API code.
[6] A second method for detecting modification of internal time in computer system is a most generally used way for detecting all the speed hack programs by the method comprising the steps of collecting speed hack program samples as much as possible and thereby diagnosing by using the patterns of the program on the basis of the collection of the samples as in the way similar to the method of virus check. A third method for detecting modification of internal time in computer system is a method for diagnosing the use of speed hack programs by comparing the packet amount which is transmitted from the game server for a certain period of time.
[7] However, as for the first method for diagnosing whether or not the speed hack programs are used by examining the use of hooking, there are difficulties in diagnosing due to the fact that the area where real jump code can be inserted may be diversified such as in User Level API, Native API, and SDT (Service Descriptor Table) in the structure of Windows OS (Operating System). Further, there is another problem in which the other programs that hook API in a normal way with a specific and good purpose may be confused with the speed hack programs and perceived as a speed hack program, for the reason that this method simply examines the use of hooking unlike a method to be used when time is really modified by the real speed hack programs.
[8] Further, where the second method for detecting the speed hack programs by collecting speed hack program samples as many as possible and thereby diagnose computer system on the basis of the collection of the samples is concerned, the method cannot be a fundamental solution due to the difficulties in collecting samples since hacking tools as opposed to virus sample are used in a covert way.
[9] Lastly, where the third method of comparing the packet amount that comes from the game server for a certain period time is concerned, the method may not perceive the speed hack program due to misperception except the time when the speed hack program changes time a lot and therefore the amount of packet which comes to the server is much different from the packet amount in a normal condition.
[10] Accordingly, the present inventors have researched to overcome the conventional problems thereby have developed a method for detecting modification of internal time in computer system wherein if an internal time is modified the speed hack programs may be sensed only with variation in time and therefore the above mentioned problems can be solved.
[H]
Disclosure of Invention Technical Problem
[12] An objective of the present invention is to provide a method of detecting a modification of internal time in computer system by the speed hack programs.
[ 13] Another objective of the present invention is to provide the method of detecting the modification of internal time in the computer system solely based on changes in time, and thereby a modification of internal time is not detected although a program hooks time related API in a normal way. [14] A further objective of the present invention is to provide the method of detecting modification of internal time in computer system wherein it does not take long when diagnosing all the areas where jump code may be inserted.
[15] Still a further objective of the present invention is to provide the method for detecting modification of internal time in computer system wherein a small change in time may be detected by using accurate TSC (Time Stamp Counter) information and further wherein modification of internal time by any speed hack program may be detected by examining changes in real time regardless of the operational routines of the speed hack program.
[16] The above and other objects, features, and advantages of the present invention will become more apparent from the following description in which a preferred embodiment of the invention is shown by way of illustrative example.
[17]
Technical Solution
[18] A method for detecting modification of internal time in computer system according to the present invention comprises the following steps of: [19] detecting a standard time through the chip providing time information at the kernel level of computer system;
[20] detecting internal time of a program at user level of the computer system;
[21] comparing the detected standard time and the internal time; and
[22] deciding whether the time of the computer system is modified on the basis of the result of the comparison. [23] Further, a recording medium readable by computer having a program to embody a method according to the present invention comprises the following steps of: [24] setting a timer having first period at the kernel level of the computer system; storing variation data in TSC (Time Stamp Counter) if the timer is called every the first period and thereafter calling signal of the timer is detected; [25] deciding whether it passed a certain time with RCT (Real Time Clock) if the timer is called and setting a standard time by calculating a mean value of the variations for a certain period of time;
[26] setting a timer having a second period at the user level of the computer system;
[27] detecting a inner time from a time related API (Application Programming Interface) used in a program at the computer system by using the timer; [28] calculating variation in time from the inner time detected from the time related API and calculating TSC according to the variation in time; [29] comparing TSC according to the standard time and TSC according to the variation in time; and [30] deciding whether or not time of the computer system is modified on the basis of the result of comparison. [31] Still further, the recording medium readable by computer having a program to embody a method according to the present invention comprises the following steps of: [32] setting RTC (Real Time Clock) as a standard time at kernel level of the computer system; [33] detecting an inner time of a program at user level of the computer system from PIT
(Programmable Interrupt Timer);
[34] comparing the detected standard time and the inner time; and
[35] deciding whether or not time of the computer system is modified on the basis of the result of the comparison. [36]
Brief Description of the Drawings [37] Fig. 1 is general inner block diagram of computer system according to one embodiment of the present invention. [38] Fig. 2 is flow chart for illustrating a method of calculating standard time according to one embodiment of the present invention. [39] Fig. 3 is flow chart for illustrating a method for detecting modification of internal time in computer system according to one embodiment of the present invention. [40] Fig. 4 is flow chart for illustrating a method for detecting modification of internal time in computer system based on a calculated standard time according to one embodiment of the present invention. [41] Best embodiment of the present invention will be described in detail with reference to appended drawings in the following. [42]
Best Mode for Carrying Out the Invention [43] Fig. 1 is general inner block diagram of computer system according to one embodiment of the present invention. [44] With reference to Fig. 1, computer system is categorized into User Level 100 and
Kernel Level 200. Whether or not internal time of computer system is modified is decided by the method comprising following steps of: time modification detecting module 140 retrieving standard time calculated at device driver 220, drawing out the inner time by calling for the time related API of the operating program 120 driving at user level, and comparing the standard time and the internal time. [45] The present invention uses system information called TSC (Time Stamp Counter) for calculating the standard time. The TSC is a counter of 64 bits in size which is reset
0 (null) when the system boots and increase in number by one every clock cycle of processor. For example, the value of TSC increases by 150,000,000 in the CPU of 1.5
GHz in speed. [46] RTC (Real Time Counter) 240 is another chip used for calculating the standard time. The RTC as a clock run by battery stores its value in memory at kernel level 200, and thereafter a basic system for input and output, that is, BIOS (Basic Input Output
System) reads the stored time. [47] Fig. 2 is flow chart for illustrating how standard time is calculated according to one embodiment of the present invention. [48] With regard to calculating standard time, TSC (Time Stamp Counter) is converted to be used as standard time by calculating mean value of the variations in TSC per 1 sec. of RCT (Real Time Clock) at device driver in kernel level. Firstly at this moment, a timer having first period has to be set at kernel level 200 (S200). [49] The timer is called every the first period, and thereafter it is examined whether it takes 1 sec. of RTC whenever the timer is called (S210, S220, S230). [50] For example, the timer is called 100 times for that it takes 1 sec. in RTC if the first period is 10 ms, and at the same time the mean value of the variation of the TSC per 1 sec. is set up as standard time to be used by storing the data of variation of TSC per 10 ms and storing the mean value of the data of variation of the TSC per 1 sec (S240,
S260). [51] At this time, if a mean value as standard time has already been stored at a memory in the computer system, a new mean value between the existed mean value and new mean value is calculated and set up as a new TSC data, that is, a new standard time
(S250, S270). [52] Fig. 3 is flow chart for illustrating a method for detecting modification of internal time in computer system according to one embodiment of the present invention. [53] A timer of a second period not affecting the performance of operating program is set for diagnosing periodically the time modification by the speed hack program
(S300). [54] For example, the second period is 200 ms, and whether or not internal time in computer system is modified is sensed by the timer every 200 ms. [55] In other words, if the timer is called every the second period, time modification detecting module 140 detects internal time from the time related API (Application
Programming Interface) used in the operating program (S 310). [56] At this time, a variation in time is calculated by using the time related API, and thereafter TSC variation according to the variation in time is calculated (S320). [57] One example of the time related API in the online game is GetTickCount(), timeGetTime(), QueryPerformanceCounter(), or the like. Where the speed hack program is concerned, the speed hack program hooks the API of the one example, and thereby it is possible to use API.
[58] Subsequent to the step S320, the time modification detecting module 140 retrieves the TSC variation data according to the standard time illustrated with reference to the flow chart in Fig. 2 and thereafter the TSC variation data is compared with the other TSC variation data calculated at the prior step S320 for deciding whether internal time in computer system is modified by the activities of the speed hack program (S330).
[59] The time modification detecting module 140 calculates the difference between the
TSC variation calculated at the prior step S320 and the other TSC variation set up on the basis of the standard time, and thereafter stores the difference in the Detect Window wherein the differences between the two have been stored during late a few seconds. Whenever the timer of the second period is called out, the oldest data is replaced with new data in the Detect Window as a simple disposition space where current TSC variations in late a few sections are stored. A few of TSC variations are stored in the Direct Window, and thereafter it has to be decided whether the number of the stored TSC variations in the Detect Window is in the critical range (S340).
[60] Although the TSC variation is out of the scope of the critical range according to the decision S340 it is not decided that there was a modification of time, so long as the TSC variations are placed in the critical range N consecutive times (S350, S355).
[61] For example, a multiple of 5 and more preferably 5 or 10 is set up for N value if the second period is 200 ms. Accordingly, if the N is 5 or 10 diagnosis period becomes 1 sec. or 2 sec.
[62] The present invention minimizes the rate of mistaken diagnosis caused by temporary problems in computer system by adopting the concept of Detect Window which does not diagnose right after TSC variation is out of the scope of the critical range once but detects an occasion that the TSC variations are out of the scope of the critical range consecutive times.
[63] A method for detecting modification of time in computer system in a case when a standard time of computer system is calculated by TSC is described in the examples 1 and 2 in the following.
[64] Assume here that a computer system has a CPU of 1 GHz, and that a timer used in a time modification detecting module has a period of 200 ms, and further that a time related API used in game is GetTickCount().
[65]
Mode for the Invention
[66] Example 1
[67] A method for detecting modification of time according to the present invention when time is modified twice faster by hooking a time related API is described in the Example 1. [68] First of all, assume standard time as TSC variation data per 1 sec. of RTC is
100,000,000 since CPU of IGHz was used in example 1. [69] The timer is called every 200 ms, and thereafter the time modification detecting module 140 calls GetTickCount() as a time related API. [70] Time variation calculated based on the GetTickCount() called is 0.4, and TSC calculated according to the time variation 0.4 is 40,000,000. [71] Nevertheless, the TSC variation data according to the standard time is 20,000,000, and therefore the difference between the two is 20,000,000, that is, 100%. This value is stored in Detect Window, but if more than a certain number is not yet stored in the
Detect Window, the result of the performance through the above described diagnosis after 200 ms is stored in the Detect Window. [72] Subsequent to that a certain number of TSC difference are stored in the Detect
Window after a certain period of time passes, it has to be examined whether or not the
TSC variations are placed in the critical range. [73] If the critical range is defined to be 10% (more or less than 1.1 times), it is decided that time was modified given that the TSC variation stored in the Detect Window is more than 10%. The method of detecting modification of time remains the same even when time is modified twice slower. [74]
[75] Example 2
[76] A method for detecting modification of internal time when time is modified twice faster by changing PIT (Programmable Interrupt Timer) is described in the example 2. [77] A method for detecting the speed hack program being active by changing PIT period is used for examining whether or not the speed hack program is used by comparing the variation in standard time and the other variation in real time based on the time information that is not affected by PIT, for example the RTC (Real Time
Clock) managed at BIOS. [78] Based on a result of the comparison, it is possible to take cognizance of the fact that the speed hack program was used in the PIT and the fact that the time of PIT was modified twice faster. [79] Further, it is assumed that standard time, as TSC variation data per 1 sec. of RTC, is
100,0000,000 since CPU of 1 GHz is used in example 2. [80] If the speed hack program which modifies time by changing the period of the PIT is used, the real period comes to be 100 ms since the timer of the period of 200 ms set up at User Level gets faster. [81] If time of the 200 ms comes, the time modification detecting module 140 in the computer system calls GetTickCountQ, that is, a time related API and calculate variation in time which happens to be 0.2. Accordingly, variation data of the TSC per the variation in time becomes 20,000,000. [82] However, variation in real time is 100 ms and variation data of the TSC per 100 ms becomes 10,000,000; the difference between the two becomes 10,000,000, that is, 100
%. [83] When a certain number of the difference of the TSC are stored in the Detect
Window as a certain amount of time passes, the differences of the TSC have to be checked whether they fall within the scope of the critical range. [84] If the critical range is defined to be 10 % (more or less than 1.1 times), it is diagnosed that time was modified given that all the data stored in the Detect Window is more than 10%. A method for detecting modification of time remains the same even when time is changed to be twice slower on the contrary. [85] Fig. 4 is flow chart for illustrating a method for detecting modification of internal time in computer system according to one embodiment of the present invention based on the calculated standard time. [86] RTC (Real Time Clock) is set up as a standard time at the kernel level 200 in computer system (S400). A minimum unit of the standard time of the RTC is 1 sec. [87] Whether internal time is modified is decided through an operating program 120 run at user level 100 in computer system wherein the internal time of the operating program is detected from PIT (Programmable Interrupt Timer) (S410). [88] In comparison between the standard time and the internal time, if the time difference is more than 2 seconds, internal counter increases (S420, S430, S440). [89] If the accumulated value of the internal counter is more than a certain value it is decided that time was modified and thereafter the modification of time is reported to the time modification detecting module 140 of the operating program 120. [90] The present invention detects the modification of time by any methods for minimum required short period of time no matter variation in size, and therefore the present invention is applicable to all the programs including online game which is damaged by the modification of time. [91] The above-described method according to the present invention is programmed and stored in a data recording medium readable by computer, for example CD-ROM,
RAM, ROM, floppy disc, hard disc, optic disc, or the like. [92] [93] The present invention can be easily carried out by an ordinary skilled person in the art. Many modifications and changes may be deemed to be with the scope of the present invention as defined in the following claims. [94]

Claims

Claims
[1] A method for detecting modification of internal time in computer system comprising: detecting a standard time through a chip providing time information at the kernel level of a computer system; detecting an internal time of a program at the user level of the computer system; comparing the detected standard time with the internal time; and determining whether the time of the computer system is modified on the basis of the result of the comparison. [2] The method as defined in claim 1, wherein the step of detecting the standard time comprises: setting a timer having a first period at the kernel level of the computer system; storing one of the variation data in a TSC (Time Stamp Counter) if the timer is called every the first period and thereafter a calling signal of the timer is detected; and determining whether it took a certain time from a RCT (Real Time Clock) if the timer is called, and setting a standard time by calculating a mean value of the variations for a certain period of time. [3] The method as defined in claim 2, further comprising the step of resetting a standard time by calculating a mean value of the two standard times if a standard time has already existed. [4] The method as defined in claim 2 or 3, wherein the step of detecting the internal time comprises the steps of: setting a timer having a second period at the user level of the computer system; and detecting an internal time from a time related API (Application Programming
Interface) used in a program at the computer system by using the timer. [5] The method as defined in claim 4, wherein the step of comparing the standard time with the internal time comprises the following steps of: calculating a variation in the internal times detected from the time related API; calculating a TSC according to the variation; and comparing the TSC according to the standard time and the other TSC according to the variation. [6] The method as defined in claim 5, wherein the step of determining whether time of the computer system is modified comprises determining that time is modified if a difference between the two times is more than a certain time span. [7] The method as defined in claim 1, wherein the chip which provides the time in- formation is a RTC (Real Time Clock) and wherein a standard time is detected from the RTC. [8] The method as defined in claim 7, wherein the internal time is detected from a
PIT (Programmable Interrupt Timer). [9] The method as defined in claim 8, wherein a counter shall be increased if a difference between the standard time and the internal time detected from the PIT is found out to be more than a certain time span as a result of the comparison between the standard time and the internal time, and wherein it is determined that time is modified if accumulated value of the counter is more than a certain value. [10] A recording medium readable by computer having a program to embody a method comprising the steps of: setting a timer having a first period at the kernel level of the computer system; storing a variation data in a TSC (Time Stamp Counter) if the timer is called every the first period and thereafter a calling signal of the timer is detected; determining whether it took a certain time from a RCT (Real Time Clock) if the timer is called, and setting a standard time by calculating a mean value of the variations for a certain period of time; setting a timer having a second period at the user level of the computer system; detecting a internal time from a time related API (Application Programming
Interface) used in a program at the computer system by using the timer; calculating a variation in the internal time detected from the time related API and calculating a TSC according to the variation in the internal time; comparing the TSC according to the standard time and the TSC according to the variation in the internal time; and determining whether or not time of the computer system is modified on the basis of the result of the comparison. [11] The recording medium as defined in claim 10, further comprising the step of resetting a standard time by calculating a mean value of two standard times if a standard time has already existed. [12] A recording medium readable by computer having a program to embody a method comprising the steps of: setting a RTC (Real Time Clock) as a standard time at the kernel level of a computer system; detecting an internal time of a program at the user level of the computer system from a PIT (Programmable Interrupt Timer); comparing the detected standard time and the internal time; and determining whether or not time of the computer system is modified on the basis of the result of the comparison. [13] The recording medium readable by computer having a program to embody the method as defined in Claim 12, wherein a counter shall be increased if a difference between the standard time and the internal time detected from the PIT is found out to be more than a certain time span as a result of the comparison between the standard time and the internal time, and wherein it is determined that time is modified if the accumulated value of the counter is more than a certain value.
PCT/KR2006/003902 2005-09-28 2006-09-28 Method for detecting modification of internal time in computer system WO2007037640A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2005-0090603 2005-09-28
KR1020050090603A KR100653545B1 (en) 2004-11-29 2005-09-28 Method of sensing time modification of internal time by a computer program

Publications (1)

Publication Number Publication Date
WO2007037640A1 true WO2007037640A1 (en) 2007-04-05

Family

ID=37900008

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2006/003902 WO2007037640A1 (en) 2005-09-28 2006-09-28 Method for detecting modification of internal time in computer system

Country Status (1)

Country Link
WO (1) WO2007037640A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2241953A1 (en) * 2009-04-17 2010-10-20 Siemens Aktiengesellschaft Method and device for realising an error-proof time function
JP2012524325A (en) * 2009-04-17 2012-10-11 エヌエイチエヌ ビジネス プラットフォーム コーポレーション Method and apparatus for providing computer security service using hook, and computer-readable recording medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020023103A1 (en) * 1998-04-21 2002-02-21 Rejean Gagne System and method for accessing and manipulating time-based data using meta-clip objects
US20020064096A1 (en) * 2000-08-03 2002-05-30 Yoshitaka Ukita Reproduction apparatus and reproduction method
KR100457405B1 (en) * 2003-12-08 2004-11-16 주식회사 잉카인터넷 Method of detecting whether speed hack is in use

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020023103A1 (en) * 1998-04-21 2002-02-21 Rejean Gagne System and method for accessing and manipulating time-based data using meta-clip objects
US20020064096A1 (en) * 2000-08-03 2002-05-30 Yoshitaka Ukita Reproduction apparatus and reproduction method
KR100457405B1 (en) * 2003-12-08 2004-11-16 주식회사 잉카인터넷 Method of detecting whether speed hack is in use

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2241953A1 (en) * 2009-04-17 2010-10-20 Siemens Aktiengesellschaft Method and device for realising an error-proof time function
JP2012524325A (en) * 2009-04-17 2012-10-11 エヌエイチエヌ ビジネス プラットフォーム コーポレーション Method and apparatus for providing computer security service using hook, and computer-readable recording medium
US8615674B2 (en) 2009-04-17 2013-12-24 Siemens Aktiegesellschaft Method and apparatus for the realization of a failsafe time function

Similar Documents

Publication Publication Date Title
US8151141B1 (en) Resolution of computer operations problems using fault trend analysis
EP2590081B1 (en) Method, computer program, and information processing apparatus for analyzing performance of computer system
US8850172B2 (en) Analyzing performance of computing devices in usage scenarios
US20080016412A1 (en) Performance metric collection and automated analysis
US20090241095A1 (en) Call Stack Sampling for Threads Having Latencies Exceeding a Threshold
US20090178036A1 (en) Method and Apparatus for Call Stack Sampling Using a Virtual Machine
JP5119994B2 (en) Performance monitoring program, performance monitoring method, performance monitoring device
US20100017583A1 (en) Call Stack Sampling for a Multi-Processor System
JP2010267128A (en) Analysis system, analysis device, detection method, analysis method and program
CN114328102B (en) Equipment state monitoring method, equipment state monitoring device, equipment and computer readable storage medium
JP2013533553A (en) System test method
US20210182039A1 (en) Apparatus and method for source code optimisation
JP2010257150A (en) Device and method for detection of fraudulence processing, and program
JP2003263342A (en) Monitoring device and monitoring method and program for information processor
US20180337817A1 (en) Performance evaluation of applications that access external resources
US8214693B2 (en) Damaged software system detection
WO2007037640A1 (en) Method for detecting modification of internal time in computer system
US11422916B2 (en) Usage amount monitoring method and monitoring unit of electronic control unit for vehicle
JP2020524344A (en) Adaptive application performance analysis
CN114327963A (en) Anomaly detection method and device
US11244235B2 (en) Data analysis device and analysis method
CN109992511B (en) Device and method for obtaining code test coverage rate
CN111124791A (en) System testing method and device
CN115168159A (en) Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
KR100653545B1 (en) Method of sensing time modification of internal time by a computer program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06798985

Country of ref document: EP

Kind code of ref document: A1