Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
Abstract
An automated analysis system identifies the presence of malicious P-code or N-code programs in a manner that limits the possibility of the malicious code infecting a target computer. The target computer system initializes an analytical virtual P-code engine (AVPE). As initialized, the AVPE comprises software simulating the functionality of a P-code or intermediate language engine as well as machine language facilities simulating the P-code library routines that allow the execution of N-code programs. The AVPE executes a target program so that the target program does not interact with the target computer. The AVPE analyzes the behavior of the target program to identify occurrence of malicious code behavior and to indicate in a behavior pattern the occurrence of malicious code behavior. The AVPE is terminated at the end of the analysis process, thereby removing from the computer system the copy of the target program that was contained within the AVPE.
27 Claims
1. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
initializing an analytical virtual P-code engine (AVPE) within the computer system, the AVPE comprising software simulating functionality of a P-code interpreter and library routines exposed to the Low Level engine as APIs (Application Program Interfaces) for N-code compiled programs, where a virtual central processing unit and virtual memory perform the actual processing;
virtually executing a target program within the AVPE so that the target program interacts with a host computer system only through the AVPE;
analyzing behavior of the target program following virtual execution to identify occurrence of malicious code behavior and indicating in a behavior pattern the occurrence of malicious code behavior; and
terminating the AVPE after the analyzing process, thereby removing from the host computer system a copy of the target program that was contained within the AVPE.
Dependent claims: 2 to 15.
16. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
initializing a virtual engine within the computer system, the virtual engine comprising software simulating functionality of a central processing unit, memory and an operating system including application program interface (API) calls to the virtual operating system;
virtually executing a target program within the virtual engine so that the target program interacts with the virtual operating system and the virtual central processing unit through the virtual engine;
monitoring behavior of the target program during virtual execution to identify presence of malicious code and indicating in a behavior pattern the occurrence of malicious code behavior; and
terminating the virtual engine, leaving behind a record of the behavior pattern characteristic of the analyzed target program.
Dependent claims: 17 to 22.
23. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
initializing an analytical virtual P-code engine (AVPE) within the computer system, the AVPE simulating functionality of a P-code interpreter, the AVPE interacting with a virtual central processing unit that provides processing and virtual memory management functions;
virtually executing a target program within the AVPE so that the target program interacts with a host computer system only through the AVPE and the virtual central processing unit;
analyzing behavior of the target program generated during virtual execution to identify occurrence of malicious code behavior and indicating in a behavior pattern the occurrence of malicious code behavior; and
terminating the AVPE, thereby removing from the host computer system a copy of the target program that was contained within the AVPE.
Dependent claims: 24 to 27.
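The abstract and independent claims 1, 16 and 23 all describe the same loop: initialize a virtual engine, execute the target so that it can reach the outside world only through the engine's virtual CPU, memory and API routines, record what it did in a behavior pattern, then discard the engine together with the only copy of the target. The following is an added example written for this page, not code from the patent or its assignee: a toy stack-based P-code engine in Python. Its opcodes, the api_* library routines, the Behavior flags, the verdict thresholds and the three sample programs are all assumptions made for illustration.

```python
"""Toy analytical virtual P-code engine (AVPE), constructed for this page.

Not the patent's implementation: opcodes, virtual API routines, behaviour
flags and the sample programs below are assumptions made for the example.
"""
from enum import IntFlag

AUTORUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


class Behavior(IntFlag):
    """Bits of the behaviour pattern that survive termination of the engine."""
    NONE = 0
    ENUMERATED_EXECUTABLES = 1 << 0  # searched the virtual file system for *.exe
    READ_OWN_CODE = 1 << 1           # asked the engine for a copy of its own P-code
    WROTE_EXECUTABLE = 1 << 2        # wrote into a virtual executable file
    SELF_REPLICATED = 1 << 3         # the data written was its own P-code
    SET_AUTORUN_KEY = 1 << 4         # added a value under the virtual Run key
    EXCEEDED_BUDGET = 1 << 5         # did not halt within the instruction budget


class AVPE:
    """Virtual CPU, virtual memory and virtual OS library in one object.
    The target reaches the outside only via api_* routines, and those only
    touch the engine's own dictionaries (copies), never host state."""

    def __init__(self, code, files, budget=10_000):
        self.code = list(code)
        self.files = dict(files)          # virtual file system: name -> contents
        self.registry = {}                # virtual registry
        self.stack, self.vars = [], {}
        self.pattern = Behavior.NONE
        self.budget = budget              # hard bound on executed instructions
        self.labels = {op[1]: i for i, op in enumerate(self.code) if op[0] == "LABEL"}

    # -- library routines exposed to the P-code as API calls (assumed names) --
    def api_find_executables(self):
        self.pattern |= Behavior.ENUMERATED_EXECUTABLES
        return [n for n in self.files if n.lower().endswith(".exe")]

    def api_get_own_code(self):
        self.pattern |= Behavior.READ_OWN_CODE
        return ("PCODE", tuple(self.code))  # opaque handle, not host memory

    def api_write_file(self, name, data):
        if name.lower().endswith(".exe"):
            self.pattern |= Behavior.WROTE_EXECUTABLE
            if isinstance(data, tuple) and data[:1] == ("PCODE",):
                self.pattern |= Behavior.SELF_REPLICATED
        self.files[name] = data

    def api_set_registry(self, key, value):
        if key.lower().startswith(AUTORUN_KEY.lower()):
            self.pattern |= Behavior.SET_AUTORUN_KEY
        self.registry[key] = value

    # -- the P-code interpreter loop --------------------------------------
    def run(self):
        pc = 0
        while self.budget > 0 and pc < len(self.code):
            self.budget -= 1
            op, *args = self.code[pc]
            pc += 1
            if op == "LABEL":
                pass
            elif op == "PUSH":
                self.stack.append(args[0])
            elif op == "POP":
                self.stack.pop()
            elif op == "LOAD":
                self.stack.append(self.vars[args[0]])
            elif op == "STORE":
                self.vars[args[0]] = self.stack.pop()
            elif op == "LEN":
                self.stack.append(len(self.stack.pop()))
            elif op == "INDEX":
                i = self.stack.pop(); self.stack.append(self.stack.pop()[i])
            elif op == "ADD":
                b, a = self.stack.pop(), self.stack.pop(); self.stack.append(a + b)
            elif op == "LT":
                b, a = self.stack.pop(), self.stack.pop(); self.stack.append(a < b)
            elif op == "JMP":
                pc = self.labels[args[0]]
            elif op == "JZ":
                if not self.stack.pop():
                    pc = self.labels[args[0]]
            elif op == "CALL":  # ("CALL", api_name, nargs): pops args, pushes result
                n = args[1]
                call_args = self.stack[len(self.stack) - n:]
                del self.stack[len(self.stack) - n:]
                self.stack.append(getattr(self, "api_" + args[0])(*call_args))
            elif op == "HALT":
                return
            else:
                raise ValueError(f"unknown opcode {op!r}")
        if self.budget <= 0:
            self.pattern |= Behavior.EXCEEDED_BUDGET


def analyze(program, files):
    """Claims 1/16/23 in miniature: initialize the engine, execute the target
    inside it, keep the behaviour pattern, then discard the engine."""
    engine = AVPE(program, files)
    engine.run()
    pattern = engine.pattern  # the record that is left behind
    del engine                # the only copy of the target program goes with it
    return pattern


def verdict(pattern):
    """Assumed policy: self-replication is malicious; other writes to
    executables, persistence, or not halting are suspicious."""
    if pattern & Behavior.SELF_REPLICATED:
        return "malicious"
    if pattern & (Behavior.WROTE_EXECUTABLE | Behavior.SET_AUTORUN_KEY | Behavior.EXCEEDED_BUDGET):
        return "suspicious"
    return "clean"


# Constructed sample P-code: copies its own code into every executable it
# can find, then persists through the Run key.
VIRUS = [
    ("CALL", "find_executables", 0), ("STORE", "targets"),
    ("CALL", "get_own_code", 0), ("STORE", "body"),
    ("PUSH", 0), ("STORE", "i"),
    ("LABEL", "loop"),
    ("LOAD", "i"), ("LOAD", "targets"), ("LEN",), ("LT",), ("JZ", "done"),
    ("LOAD", "targets"), ("LOAD", "i"), ("INDEX",), ("LOAD", "body"),
    ("CALL", "write_file", 2), ("POP",),
    ("LOAD", "i"), ("PUSH", 1), ("ADD",), ("STORE", "i"), ("JMP", "loop"),
    ("LABEL", "done"),
    ("PUSH", AUTORUN_KEY + r"\Updater"), ("PUSH", r"C:\host.exe"),
    ("CALL", "set_registry", 2), ("POP",), ("HALT",),
]
# Constructed benign sample: writes a text file and exits.
BENIGN = [("PUSH", "report.txt"), ("PUSH", "ok"), ("CALL", "write_file", 2), ("POP",), ("HALT",)]
# Constructed sample that never halts: the budget, not the host, stops it.
SPINNER = [("LABEL", "top"), ("JMP", "top")]
# Constructed virtual disk handed to the engine (the engine copies it).
VIRTUAL_DISK = {"C:\\host.exe": b"MZ...", "C:\\notes.txt": b"hello"}

if __name__ == "__main__":
    for name, prog in (("VIRUS", VIRUS), ("BENIGN", BENIGN), ("SPINNER", SPINNER)):
        p = analyze(prog, VIRTUAL_DISK)
        print(f"{name:8} pattern={p!r:90} verdict={verdict(p)}")
```

Two points a practitioner would check in a real engine are modelled here on purpose. First, the engine takes copies of the host state it exposes (the virtual disk is copied in the constructor), so even a sample that writes into every executable it finds leaves VIRTUAL_DISK untouched; that is the isolation property claims 1 and 23 rely on when they say the target interacts with the host only through the AVPE. Second, execution is bounded by an instruction budget and running out of it is itself recorded as a bit in the pattern rather than silently reported as clean, because stalling past an emulator's budget before doing anything interesting is a standard evasion against exactly this kind of analysis.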