Method and apparatus for the automatic determination of potentially worm-like behavior of a program

US 20040019832A1
Filed: 07/23/2002
Published: 01/29/2004
Est. Priority Date: 07/23/2002
Status: Active Grant

First Claim

Patent Images

1. A method for the automatic determination of potentially worm-like behavior of a program, comprising:

determining a behavioral profile of the program in an environment that does not emulate the operation of a network;

comparing the determined behavioral profile against a profile indicative of worm-like behavior; and

providing an indication of potentially worm-like behavior based on the result of the comparison.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for the automatic determination of the behavioral profile of a program suspected of having worm-like characteristics includes analyzing data processing system resources required by the program and, if the required resources are not indicative of the program having worm-like characteristics, running the program in a controlled non-network environment while monitoring and logging accesses to system resources to determine the behavior of the program in the non-network environment. A logged record of the observed behavior is analyzed to determine if the behavior is indicative of the program having worm-like characteristics. The non-network environment may simulate the appearance of a network to the program, without emulating the operation of the network.

325 Citations

45 Claims

1. A method for the automatic determination of potentially worm-like behavior of a program, comprising:
- determining a behavioral profile of the program in an environment that does not emulate the operation of a network;
  
  comparing the determined behavioral profile against a profile indicative of worm-like behavior; and
  
  providing an indication of potentially worm-like behavior based on the result of the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method as in claim 1, where the behavioral profile is determined by determining what system resources are required by the program.
  - 3. A method as in claim 1, where the behavioral profile is determined by determining what system resources are referred to by the program.
  - 4. A method as in claim 1, where the determination of the behavioral profile comprises:
    - executing the program in at least one known non-network environment, using an automated method for examining the environment and determining what changes, if any, have occurred in the environment; and
      
      recording any determined changes as said behavioral profile.
  - 5. A method as in claim 4, where the known non-network environment has an ability to appear to exhibit network-related capabilities.
  - 6. A method as in claim 5 where, in response to the program seeking to determine if the environment has network capabilities, providing a network address to the program as an inducement for the program to display worm-like behavior.
  - 7. A method as in claim 4, where the known non-network environment exhibits at least one of non-existent local network-related resources and local network-related objects to the program.
  - 8. A method as in claim 4 where, in response to the program seeking to determine information about a file, responding as if the file exists as an inducement for the program to display worm-like behavior.
  - 9. A method as in claim 4 where, in response to the program seeking to determine information about a file, creating the file before returning the file to the program as an inducement for the program to display worm-like behavior.
  - 10. A method as in claim 4 where, in response to the program seeking to determine information about an electronic mail program, returning the information to the program as an inducement for the program to display worm-like behavior.
  - 11. A method as in claim 4 where, in response to the program seeking to determine information about an electronic mail address book, returning the information to the program as an inducement for the program to display worm-like behavior.
  - 12. A method as in claim 1, where determining the behavioral profile of the program includes exercising the program in a plurality of ways.
  - 13. A method as in claim 1, where determining the behavioral profile of the program comprises determining a dynamic link library usage of the program.
  - 14. A method as in claim 1, where determining the behavioral profile of the program comprises determining the identities of methods imported by the program from a library.
  - 15. A method as in claim 1, where determining the behavioral profile of the program comprises determining what resources are requested by the program.
  - 16. A method as in claim 15, where said resources comprise at least one of dynamic link libraries for network access, methods imported from dynamic link libraries that indicate a possible attempt to send electronic mail, and dynamic link libraries and methods indicating an automation of an electronic mail program.
  - 17. A method as in claim 1, where determining the behavioral profile of the program comprises determining if system resources requested by the program match certain predetermined system resources and, if so, executing the program in a controlled environment, determining if system changes made during execution of the program match certain predetermined system changes and, if so, declaring the program to be a possible worm, and if not, determining if activities reported by a program behavior monitor match certain predetermined activities and, if so, declaring the program to be a possible worm.

18. A method for the automatic determination of the behavioral profile of a program suspected of having worm-like characteristics, comprising analyzing data processing system resources required by the program and, if the required resources are not indicative of the program having worm-like characteristics, running the program in a controlled non-network environment while monitoring and logging accesses to system resources to determine the behavior of the program in the non-network environment.
- View Dependent Claims (19)
- - 19. A method as in claim 18, where the non-network environment simulates the appearance of a network to the program, without emulating the operation of the network.

20. A computer program embodied on a computer readable medium for implementing a method for the automatic determination of the behavioral profile of a sample program suspected of having worm-like characteristics, where the execution of the computer program causes a computer to analyze computer system resources required by the sample program and, if the required resources are not indicative of the sample program having worm-like characteristics, further execution of the computer program causes the computer to run the program in a controlled non-network environment while monitoring and logging accesses to system resources to determine the behavior of the program in the non-network environment.
- View Dependent Claims (21)
- - 21. A computer program as in claim 20, where said further execution of the computer program causes the computer to simulate the appearance of a network to the sample program, without emulating the operation of the network.

22. A data processing system comprising at least one computer for executing a stored program for making an automatic determination of potentially worm-like behavior of a program, comprising:
- means for determining a behavioral profile of the program in an environment that does not emulate the operation of a network;
  
  means for comparing the determined behavioral profile against a stored profile indicative of worm-like behavior; and
  
  means for providing an indication of potentially worm-like behavior based on the result of the comparison.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 23. A data processing system as in claim 22, where said determining means determines said behavioral profile by determining what system resources are required by the program.
  - 24. A data processing system as in claim 22, where said determining means determines said behavioral profile by determining what system resources are referred to by the program.
  - 25. A data processing system as in claim 22, where said determining means comprises:
    - means for executing the program in at least one known non-network environment, means for examining the environment and determining what changes, if any, have occurred in the environment; and
      
      means for recording any determined changes as said behavioral profile.
  - 26. A data processing system as in claim 25, where the known non-network environment has an ability to appear to exhibit network-related capabilities.
  - 27. A data processing system as in claim 26 where, in response to the program seeking to determine if the environment has network capabilities, said executing means provides a network address to the program as an inducement for the program to display worm-like behavior.
  - 28. A data processing system as in claim 25, where the known non-network environment exhibits local resources or objects to the program that do not exist.
  - 29. A data processing system as in claim 28 where, in response to the program seeking to determine information about a file, said executing means responds as if the file exists as an inducement for the program to display worm-like behavior.
  - 30. A data processing system as in claim 28 where, in response to the program seeking to determine information about a file, said executing means creates the file before returning the file to the program as an inducement for the program to display worm-like behavior.
  - 31. A data processing system as in claim 28 where, in response to the program seeking to determine information about an electronic mail program, said executing means returns the information to the program as an inducement for the program to display worm-like behavior.
  - 32. A data processing system as in claim 28 where, in response to the program seeking to determine information about an electronic mail address book, said executing means returns the information to the program as an inducement for the program to display worm-like behavior.
  - 33. A data processing system as in claim 22, where said determining means exercises the program in a plurality of ways.
  - 34. A data processing system as in claim 22, where said determining means determines a dynamic link library usage of the program.
  - 35. A data processing system as in claim 22, where said determining means determines the identities of methods imported by the program from a library.
  - 36. A data processing system as in claim 22, where said determining means determines what resources are requested by the program.
  - 37. A data processing system as in claim 36, where said resources comprise at least one of dynamic link libraries for network access, methods imported from dynamic link libraries that indicate a possible attempt to send electronic mail, and dynamic link libraries and methods indicating an automation of an electronic mail program.
  - 38. A data processing system as in claim 22, where said determining means determines if system resources requested by the program match certain predetermined system resources and, if so, executing means executes the program in a controlled environment, determines if system changes made during execution of the program match certain predetermined system changes and, if so, declares the program to be a possible worm, and if not, determines if activities reported by a program behavior monitor match certain predetermined activities and, if so, declares the program to be a possible worm.

39. A computer program embodied on a computer readable medium for implementing a method for the automatic determination of potentially worm-like behavior of a program, where the execution of the computer program causes a computer to determine a behavioral profile of the program in an environment that does not emulate the operation of a network;
- to compare the determined behavioral profile against a profile indicative of worm-like behavior; and
  
  to provide an indication of potentially worm-like behavior based on the result of the comparison.
- View Dependent Claims (40, 41, 42, 43, 44, 45)
- - 40. A computer program as in claim 39, where the behavioral profile is determined by determining at least one of what system resources are required by the program and what system resources are referred to by the program.
  - 41. A computer program as in claim 39, where the determination of the behavioral profile comprises executing the program in at least one known non-network environment;
    - using an automated method for examining the environment and determining what changes, if any, have occurred in the environment; and
      
      recording any determined changes as said behavioral profile.
  - 42. A computer program as in claim 41, where the known non-network environment is made to exhibit network-related capabilities.
  - 43. A computer program as in claim 39, where determining the behavioral profile of the program comprises determining what resources are requested by the program.
  - 44. A computer program as in claim 43, where said resources comprise at least one of dynamic link libraries for network access, methods imported from dynamic link libraries that indicate a possible attempt to send electronic mail, and dynamic link libraries and methods indicating an automation of an electronic mail program.
  - 45. A computer program as in claim 39, where determining the behavioral profile of the program comprises determining if system resources requested by the program match certain predetermined system resources and, if so, executing the program in a controlled environment, determining if system changes made during execution of the program match certain predetermined system changes and, if so, declaring the program to be a possible worm, and if not, determining if activities reported by a program behavior monitor match certain predetermined activities and, if so, declaring the program to be a possible worm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (SoftBank Group Corp.)
Original Assignee
International Business Machines Corporation
Inventors
Whalley, Ian N., Morar, John F., Arnold, William C., Segal, Alla, Chess, David M., White, Steve R.

Granted Patent

US 7,487,543 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/38
CPC Class Codes

G06F 21/51 at application loading time...

Method and apparatus for the automatic determination of potentially worm-like behavior of a program

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

325 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for the automatic determination of potentially worm-like behavior of a program

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

325 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links