Detection of a class of viral code

US 20020066024A1
Filed: 07/14/2001
Published: 05/30/2002
Est. Priority Date: 07/14/2000
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a class of viral code, comprising:

heuristically analyzing a subject file to generate a set of flags along with statistical information;

using the set of flags with statistical information to perform at least one search for a scan string and/or a statement type in the subject file; and

triggering a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for detecting a class of viral code are provided. The apparatus comprises an heuristic analyzer and a search component. The heuristic analyzer heuristically analyzes a subject file and generates a set of flags along with statistical information. The search component uses the set of flags with statistical information to perform a search for a scan string and/or a statement type in the subject file. A positive detection alarm is triggered if the scan string and/or statement type is found at least a corresponding predetermined number of times. The heuristic analyzer may be rule-based and comprise an heuristic engine and heuristic rules. The search component also may be rule-based and comprise a search engine and viral code class rules.

Citations

19 Claims

1. A method of detecting a class of viral code, comprising:
- heuristically analyzing a subject file to generate a set of flags along with statistical information;
  
  using the set of flags with statistical information to perform at least one search for a scan string and/or a statement type in the subject file; and
  
  triggering a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the subject file includes source code in a predetermined programming language.
  - 3. The method of claim 2, wherein the predetermined programming language is a script language.
  - 4. The method of claim 1, wherein the subject file includes a file for a predetermined word processor.
  - 5. The method of claim 1, wherein at least one flag in the set of flags corresponds to a copy operation associated with one of the class of viral code.
  - 6. The method of claim 1, wherein at least one flag in the set of flags corresponds to an operation for adding data from a string to a target module.
  - 7. The method of claim 1, wherein at least one flag in the set of flags corresponds to an operation for importing another code.
  - 8. The method of claim 1, wherein at least one flag in the set of flags corresponds to an operation for disabling virus protection features in a target application.
  - 9. The method of claim 1, wherein the searched statement type corresponds to an operation for disabling functionalities in a target application.

11. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform method steps for detecting a class of viral code, the method steps comprising:
- heuristically analyzing a subject file to generate a set of flags along with statistical information;
  
  using the set of flags with statistical information to perform at least one search for a scan string and/or a statement type in the subject file; and
  
  triggering a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The apparatus of claim 14, wherein the heuristic analyzer is rule-based and comprises a heuristic engine and heuristic rules.
  - 16. The apparatus of claim 15, wherein the heuristics engine, using the heuristic rules, parses the subject file.
  - 17. The apparatus of claim 15, wherein the heuristics rules include sets of heuristic flags stored in a rules table.
  - 18. The apparatus of claim 14, wherein the search component is rule-based and comprises a search engine and viral code class rules.
  - 19. The apparatus of claim 14, wherein the search component is a neural network.

12. The method of claim 1, wherein the searched statement type corresponds to an operation for overwriting system macros.

12-1. A computer system, comprising:
- a processor; and
  
  a program storage device readable by the computer system, tangibly embodying a program of instructions executable by the processor to perform method steps for detecting a class of viral code, the method steps comprising;
  
  heuristically analyzing a subject file to generate a set of flags along with statistical information;
  
  using the set of flags with statistical information to perform at least one search for a scan string and/or a statement type in the subject file; and
  
  triggering a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.

13. A computer data signal embodied in a transmission medium which embodies instructions executable by a computer for detecting a class of viral code, comprising:
- a first segment including heuristic analyzer code to analyze a subject file to generate a set of flags along with statistical information;
  
  a second segment including scanner code using the set of flags with statistical information to perform at least one search for a scan string and/or a statement type in the subject file, and triggering a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.

14. An apparatus for detecting a class of viral code, comprising:
- an heuristic analyzer, wherein the heuristic analyzer analyzes a subject file to generate a set of flags along with statistical information;
  
  a search component, wherein the search component uses the set of flags with statistical information generated by the heuristic analyzer to perform at least one search for a scan string and/or a statement type in the subject file, and triggers a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Kwan, Tony, Schmall, Markus

Granted Patent

US 7,069,589 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/563 by source code analysis

Detection of a class of viral code

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of a class of viral code

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links