WO2007076850A2 - Method and device for protecting a constantly changing data configuration - Google Patents
Method and device for protecting a constantly changing data configuration
- Publication number
- WO2007076850A2 (PCT/DE2007/000006)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- data configuration
- data pattern
- pattern
- configuration
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
Definitions
- the invention relates to a method and a device for protecting a constantly changing data configuration stored in a machine-readable memory, in particular an operating system, from undesired changes.
- data configuration is understood here as a configuration of any type of machine-readable data, which is continuously accessed, for example, during operation of a computer and which is continuously changed.
- the data configuration can be the operating system of a computer, including its parameters that change continuously during operation.
- protection programs in the form of so-called firewalls and anti-virus programs are known, which are intended to prevent the intrusion of harmful software into a computer system or to remove any malicious software that has entered.
- the known protection programs must be continuously updated by updating a virus database, as they regularly search for data strings that have already been recognized as part of malicious software. As a rule, they can detect neither completely new viruses nor systemic errors, since new viruses must first be recognized as viruses and the virus database must be supplemented accordingly.
- the object of the invention is to provide a method and an apparatus for protecting a constantly changing data configuration stored in a machine-readable memory, such as in particular an operating system, from unwanted changes, which are not dependent on constantly updated virus information, detect not only harmful software but also system-inherent malfunctions, operate self-sufficiently, and can initiate appropriate protective measures to protect the data configuration.
- the invention is based on the surprising finding that malicious software as well as system-inherent misbehavior lead to changes in the values of certain parameters characterizing a state of the data configuration and that, when these values are taken together as a particular data pattern, such changes can be detected by comparing this data pattern with at least one predetermined data pattern, so that an appropriate protection operation can be performed.
- the invention thus advantageously permits the application of known and reliable pattern recognition methods and algorithms, for example from image processing, and can easily be made self-learning, such that a computer system becomes more stable through continued use and becomes more resistant even to completely new types of malicious software not listed in the databases of corresponding anti-virus programs. Further details and advantages of the invention will become apparent from the following, purely exemplary and non-limiting description of preferred embodiments.
- first, values of certain parameters characterizing a state of the data configuration are acquired (step a)).
- since modern operating systems include a plurality of parameters that form an N-dimensional parameter space, where N is a large number, vectors of various dimensions for a pattern classification can easily be filtered out of this parameter space. A current data pattern is then generated from the values acquired in step a) (step b)).
- the pattern classification can be viewed as a "dimensional reduction system" because it maps the very high-dimensional "operating system status space" to a limited-sized "action space".
- the term "action space" reflects the fact that the operating system will perform various actions depending on which classes the detected status was mapped to.
- the data pattern generated in step b) is then compared with at least one predetermined data pattern (step c)) and, based on the comparison, assigned to one of at least two different categories, at least one of which corresponds to at least one normal state of the data configuration and at least one other of which corresponds to at least one abnormal state of the data configuration (step d)).
- the predetermined data pattern(s) with which the current data pattern is compared can be learned from a normally behaving system by performing steps a) and b) at a time prior to the generation of the current data pattern.
- the method and corresponding apparatus may also be predicated by the operating system manufacturer.
- Customization can then be done automatically within the premises of the user.
- the operating system manufacturer can offer a service that enhances the value of its system, through which new data patterns can be downloaded.
- feedback messages may be provided such that e.g. a PC on which the method according to the invention is executed, when recognizing problems reports this to the operating system manufacturer or a database operator via a web service interface.
- the values detected in step a) can be values of at least one of the following parameters: utilization of a central processor unit, number of read/write accesses to a memory unit, in particular a RAM, ROM or CACHE memory, data of a register of an operating system, user data of the data configuration, status variables of a memory controller, status variables of a data connection, status variables of an operating system controller or scheduler and, e.g., values of the temporal variance of the parameters.
- the parameters used for pattern learning are selected from the system parameters, e.g. from the operating system registration, the process information, the memory usage, the user status variables, the dynamic operating status variables, etc. This information can be in tables.
- the protection operation may advantageously comprise at least one of the following operations: repairing the data configuration, issuing a warning message, disabling write and / or read access to the data configuration, switching a
- the protective operation may comprise issuing a warning message and requesting user input regarding the further course of action, wherein the requested user input may in particular include the reassignment of the current data pattern to a category. This gives the user the option of deciding whether or not to allow an unusual change to the data configuration, such as when installing a new program on a PC.
- the data pattern thus assigned to another category can advantageously be automatically added to a database with predetermined data patterns, which makes it possible, on renewed
- the comparison of the data pattern with at least one predetermined data pattern is preferably carried out using at least one pattern recognition algorithm such as, in particular, a self-organizing topological map and learning vector quantization, as well as other methods known in particular from image processing, which are very mature and operate reliably.
- unlike most known anti-virus programs, the inventive method also allows a fuzzy classification: it does not know only yes/no divisions, but can decide, based on the degree of similarity to a known data pattern, whether a protective operation should be executed, whether the user should at least be asked about the further procedure, or whether a data pattern is to be classified as non-hazardous.
- the user can specify or change the degree of similarity himself, for example in the form of a percentage, so that, for example, a system protecting highly sensitive data will issue a warning message sooner than a PC used purely as a gaming or multimedia computer, on which new software is often installed.
- the method may also be implemented to provide more than two different categories, corresponding to at least one normal state of the data configuration that requires no protection operation and to different states of the data configuration that require different protection operations. This then advantageously makes it possible to automatically execute a protection operation optimally adapted to the respective state. For example, if a data configuration critical to system stability is detected, the system can automatically switch to a so-called safe mode of operation. When a virus is detected, certain data areas can be locked against read/write accesses and virus removal operations can be performed.
- the method may be executed continuously or, for example, at predefined times. When used on a PC, such times may be, for example: switching on the computer using the data configuration, the occurrence of predetermined boundary conditions such as increased in particular
- the method is carried out in a self-learning manner, i.e. it learns automatically through continuous use, e.g. which data patterns are to be assigned to which category and/or which of the parameters characterizing a state of the data configuration has priority in recognizing abnormal states and/or which protective operation is executed upon detection of a particular abnormal state.
- an apparatus for protecting a constantly changing data configuration stored in a machine-readable memory, such as an operating system, from unwanted changes comprises means for acquiring values of certain parameters characterizing a state of the data configuration, means for generating a current data pattern from the acquired values, means for storing at least one predetermined data pattern, means for comparing the generated data pattern with at least one stored predetermined data pattern, means for assigning the generated data pattern, based on the comparison, to one of at least two different categories, of which at least one corresponds to at least one normal state of the data configuration and at least one other corresponds to at least one abnormal state of the data configuration, and means for performing at least one protection operation when the generated data pattern was assigned to a category corresponding to an abnormal state.
- the means for comparing the generated data pattern with at least one stored predetermined data pattern may comprise means for executing at least one pattern recognition algorithm such as, in particular, a self-organizing topological map and learning vector quantization.
- the means for performing the protection operation may preferably perform at least one of the following operations: repairing the data configuration, issuing a warning message, disabling write and / or read access to the data configuration, switching an operating system to a safe mode, executing an antivirus program.
- means are provided for outputting a visual and / or audible warning message and requesting a user input regarding the further procedure, which are activated automatically when the generated data pattern is assigned to a category corresponding to an abnormal state.
- the means for detecting the values may preferably be designed such that they can detect values of at least one of the following parameters: utilization of a central processor unit, number of read/write accesses to a memory unit, in particular a RAM, ROM or CACHE memory, data of a register of an operating system, user-specific data of the data configuration, status variables of a memory controller, status variables of a data connection, status variables of an operating system controller or scheduler.
- the device may advantageously be a computer, in particular a personal computer or a server, and further advantageously coupled via data line means with an external memory for predetermined data configurations.
- it may be self-learning and automatically learn by continuous use which data patterns are to be assigned to which category and/or which of the parameters characterizing a state of the data configuration has priority in recognizing abnormal states and/or which protection operation is to be performed upon detection of a particular abnormal state.
- the invention advantageously allows the use of known cluster and pattern recognition algorithms that operate very fast, include self-learning algorithms and can make very fast pattern recognition decisions, such as self-organizing map neural networks and learning vector quantization.
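The following sketch is an added example, not code from the patent or its applicant: it walks steps c) and d) with a user-adjustable similarity threshold, a three-way outcome (normal, abnormal, ask the user), user reassignment of a pattern, and a simplified LVQ1 update standing in for the learning vector quantization the text names. The three parameters, their scaling, the prototype values, the thresholds and the action names are all constructed assumptions.

```python
import math

# Constructed prototypes (assumption): each vector is (CPU utilisation,
# memory read/write rate, scheduler queue length), pre-scaled to 0..1.
PROTOTYPES = [
    ((0.20, 0.30, 0.10), "normal"),
    ((0.35, 0.45, 0.20), "normal"),
    ((0.95, 0.90, 0.85), "abnormal"),
]

# Hypothetical mapping from category to protection operation.
ACTIONS = {"normal": "none",
           "abnormal": "block_write_access",
           "ask_user": "warn_and_prompt"}

def similarity(a, b):
    """Degree of similarity in [0, 1]; 1.0 means identical patterns."""
    return 1.0 - math.dist(a, b) / math.sqrt(len(a))

def nearest(pattern, prototypes):
    """Index of the stored pattern most similar to the current one."""
    return max(range(len(prototypes)),
               key=lambda i: similarity(pattern, prototypes[i][0]))

def classify(pattern, prototypes, threshold=0.85):
    """Steps c) and d): compare, then assign a category.

    If no stored pattern is similar enough, the decision is handed to
    the user instead of forcing a yes/no answer (fuzzy classification).
    """
    vec, category = prototypes[nearest(pattern, prototypes)]
    score = similarity(pattern, vec)
    if score < threshold:
        return "ask_user", score
    return category, score

def reassign(prototypes, pattern, category):
    """User input: store the current pattern under the chosen category."""
    prototypes.append((tuple(pattern), category))

def lvq1_update(prototypes, pattern, true_category, rate=0.2):
    """Simplified LVQ1 step: pull the nearest prototype toward the pattern
    if its category is correct, push it away otherwise."""
    i = nearest(pattern, prototypes)
    vec, category = prototypes[i]
    sign = 1.0 if category == true_category else -1.0
    moved = tuple(v + sign * rate * (x - v) for v, x in zip(vec, pattern))
    prototypes[i] = (moved, category)

if __name__ == "__main__":
    known = list(PROTOTYPES)
    install = (0.60, 0.70, 0.50)   # constructed: unusual but benign load
    for threshold in (0.85, 0.70):  # strict host vs. lenient multimedia PC
        category, score = classify(install, known, threshold)
        print(threshold, category, round(score, 3), ACTIONS[category])
    reassign(known, install, "normal")
    print(classify(install, known))
```

The same constructed pattern triggers a user prompt at the strict threshold and passes as normal at the lenient one, which is the trade-off the adjustable degree of similarity exposes.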
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE112007000482T DE112007000482A5 (en) | 2005-12-31 | 2007-01-02 | Method and device for protecting a constantly changing data configuration |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102005063212.2 | 2005-12-31 | ||
DE102005063212 | 2005-12-31 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2007076850A2 (en) | 2007-07-12 |
WO2007076850A3 (en) | 2007-11-22 |
Family
ID=38228571
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/DE2007/000006 WO2007076850A2 (en) | 2005-12-31 | 2007-01-02 | Method and device for protecting a constantly changing data configuration |
Country Status (2)
Country | Link |
---|---|
DE (1) | DE112007000482A5 (en) |
WO (1) | WO2007076850A2 (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5684875A (en) * | 1994-10-21 | 1997-11-04 | Ellenberger; Hans | Method and apparatus for detecting a computer virus on a computer |
WO1999031577A2 (en) * | 1997-12-18 | 1999-06-24 | Support.Com, Inc. | Automatic configuration generation |
GB2350704A (en) * | 1999-06-02 | 2000-12-06 | Nicholas Peter Carter | Security system |
US6477667B1 (en) * | 1999-10-07 | 2002-11-05 | Critical Devices, Inc. | Method and system for remote device monitoring |
US20040059920A1 (en) * | 2002-09-19 | 2004-03-25 | International Business Machines Corporation | Security health checking tool |
US20050132231A1 (en) * | 2003-12-11 | 2005-06-16 | Williamson Matthew M. | Administration of computing entities in a network |
-
2007
- 2007-01-02 DE DE112007000482T patent/DE112007000482A5/en not_active Withdrawn
- 2007-01-02 WO PCT/DE2007/000006 patent/WO2007076850A2/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2007076850A3 (en) | 2007-11-22 |
DE112007000482A5 (en) | 2008-11-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE112019001121B4 (en) | METHOD IMPLEMENTED ON A COMPUTER TO IDENTIFY MALWARE AND THE SYSTEM THEREOF | |
DE102017106016A1 (en) | System and method for detecting instruction sequences of interest | |
DE102018220711A1 (en) | Measuring the vulnerability of AI modules to attempts at deception | |
EP2362321A1 (en) | Method and system for detecting malware | |
WO2019052798A1 (en) | Method and device for detecting an attack on a serial communications system | |
EP0749613A1 (en) | Knowledge-based fuzzy selection for recognition system having several recognition units | |
DE112020007204T5 (en) | Device for creating a communication permission list, method for creating a communication permission list and program | |
WO2007076850A2 (en) | Method and device for protecting a constantly changing data configuration | |
WO2016169646A1 (en) | System and method for monitoring the integrity of a component delivered by a server system to a client system | |
EP3671576A1 (en) | Method and device for determining segments in received time series data of a system component | |
EP2210241A1 (en) | Data processing device and method for operating a data processing device | |
DE102019127622B4 (en) | Defense generator, method for preventing an attack on an AI unit and computer-readable storage medium | |
DE102021201833A1 (en) | Device for processing at least one input data set using a neural network and method | |
WO2020233991A1 (en) | Method for operating a deep neural network | |
EP3647943B1 (en) | Method for determining at least one characteristic of at least a change | |
WO2021122337A1 (en) | Method and apparatus for recognising removal of a sensor data domain from a reference data domain | |
DE102020209078A1 (en) | Automated process monitoring | |
EP2990941A1 (en) | Computer-implemented method for generating a control device program codes and related report management environment | |
EP4329243A1 (en) | Computer implemented method for automated securing of a computer system | |
DE102005034047A1 (en) | Data transmission method and data transmission system | |
DE102020006267A1 (en) | Method for generating a behavior model for a motor vehicle fleet by means of an electronic computing device external to the vehicle, and an electronic computing device external to the vehicle | |
EP4332807A1 (en) | Method for monitoring a control program of at least one functional unit of a machine system, computer program product, computer-readable storage medium and electronic computing device | |
EP4075220A1 (en) | Device and method for identifying changes in a machine arrangement | |
DE102020212988A1 (en) | Safe booting of a computer system | |
DE102020210874A1 (en) | Apparatus, system and method for preventing malicious attacks by program code on a vehicle |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| REF | Corresponds to | Ref document number: 112007000482; Country of ref document: DE; Date of ref document: 20081127; Kind code of ref document: P |
| WWE | Wipo information: entry into national phase | Ref document number: DE |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07717684; Country of ref document: EP; Kind code of ref document: A2 |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 07717684; Country of ref document: EP; Kind code of ref document: A2 |