Method and system for detecting rogue software

US 20040039921A1
Filed: 07/28/2003
Published: 02/26/2004
Est. Priority Date: 10/17/2000
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting rogu software including the steps of:

(a) creating a first database containing pre-calculated fingerprints for each file relating to typical operating systems and application software, wherein the pre-calculated fingerprints are calculated using one or more cryptographic formulae;

(b) using the one or more cryptographic formulae to calculate fingerprints of files on a computer system which is to be scanned for rogue software;

(c) comparing the fingerprints calculated for the files on the computer system with the fingerprints which are contained in the first database of pre-calculated fingerprints;

(d) identifying files on the computer system which may contain rogue software by identifying files the calculated fingerprints of which do not correspond to the pre-calculated fingerprints which are stored in the first database.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting rogue software includes the step of creating a first database containing pre-calculated fingerprints for each file relating to typical operating systems and application software, wherein the pre-calculated fingerprints are calculated using one or more cryptographic formulae. The one or more cryptographic formulae are then used to calculate fingerprints of files on a computer system which is to be scanned for rogue software. The fingerprints calculated for the files on the computer system are compared with the fingerprints which are contained in the first database of pre-calculated fingerprints. Files on the computer system which may contain rogue software are identified by identifying files the calculated fingerprints of which do not correspond to the pre-calculated fingerprints which are stored in the first database.

170 Citations

26 Claims

1. A method of detecting rogu software including the steps of:
- (a) creating a first database containing pre-calculated fingerprints for each file relating to typical operating systems and application software, wherein the pre-calculated fingerprints are calculated using one or more cryptographic formulae;
  
  (b) using the one or more cryptographic formulae to calculate fingerprints of files on a computer system which is to be scanned for rogue software;
  
  (c) comparing the fingerprints calculated for the files on the computer system with the fingerprints which are contained in the first database of pre-calculated fingerprints;
  
  (d) identifying files on the computer system which may contain rogue software by identifying files the calculated fingerprints of which do not correspond to the pre-calculated fingerprints which are stored in the first database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method according to claim 1 including the further step of generating a list of questionable files on the computer system for which the calculated fingerprints do not correspond to pre-calculated fingerprints stored in the first database.
  - 3. A method according to claim 1, wherein the cryptographic formulae used in the pre-calculation of fingerprints which are stored in the first database and in the calculation of fingerprints for files on the computer system, use one or more hash functions to generate hash values for each file.
  - 4. A method according to claim 1, wherein cryptographic formulae used in the pre-calculation of fingerprints which are stored in the first database and in the calculation of fingerprints for files on the computer system, use one or more asymmetric cryptographic functions to generate digital signatures for each file.
  - 5. A method according to claim 2 wherein questionable files are considered by a system administrator and may be marked by the system administrator as acceptable.
  - 6. A method according to claim 5 wherein the fingerprints for questionable files which are accepted by the system administrator are stored in a second database.
  - 7. A method according to claim 6 which includes the step of calculating the probability that a questionable file has been corrupted by rogue software, by comparing its fingerprint with fingerprints for similar files that have previously been accepted by the system administrator and stored in the second database.
  - 8. A method according to claim 7 wherein the system provides statistical information regarding. (a) the number of fingerprints in the second database which represent files with the same characteristics as the questionable file;
    - (b) the number of fingerprints in the second database which are identical to the fingerprint of the questionable file;
      
      (c) the number of fingerprints in the second database which are different to the fingerprint of the questionable file.
  - 9. A method according to claim 5 wherein files that are not acceptable are replaced or reinstalled.
  - 10. A method according to claim 6 wherein the step of calculating fingerprints for files on the computer system and the step of comparing fingerprints on the computer system with corresponding pre-calculated fingerprints stored on the first database are both implemented by the computer system and wherein verification of questionable files takes place before fingerprints from the computer system are added to the second database.
  - 11. A method according to claim 10 wherein the computer system is physically remote from the first database and communication between the computer system and the first database takes place over a network such as the Internet.
  - 12. A method according to any one of claims 6 to 8 wherein the step of calculating fingerprints for the files on the computer system is implemented by the computer system and the step of comparing the fingerprints which represent files on the client system with corresponding pre-calculated fingerprints stored in the database is implemented by a server, and wherein verification of questionable files takes place between the computer system and the server before the corresponding fingerprints are transferred from the computer system to the second database.
  - 13. A method according to claim 12 wherein the computer system is physically remote from the server and communication between them takes place over a communications network such as the Internet.

14. A system for detecting rogue software including:
- (a) a first database containing pre-calculated fingerprints for each file relating to typical operating systems and application software, the fingerprints having been calculated using one or more cryptographic formulae;
  
  (b) a software component which uses one or more cryptographic formulae to calculate fingerprints for files on a computer system; and
  
  (c) a software component which compares the calculated fingerprints for the files on the computer system with corresponding pre-calculated fingerprints stored in the first database, such that files on the computer system which may contain rogue software are identified by identifying files the calculated fingerprints of which do not correspond to the pre-calculated fingerprints which are stored in the first database.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. A system according to claim 14 including a software component which generates a list of questionable files for which the calculated fingerprints do not correspond to the pre-calculated fingerprints which are stored in the first database.
  - 16. A system according to claim 14 or 15 wherein the software components are installed on the computer system.
  - 17. A system according to claim 14 wherein the pre-calculation of fingerprints which are stored in the first database and calculation of fingerprints for files on the computer system use one or more hash functions to generate hash values for each file.
  - 18. A system according to claim 14 wherein the pre-calculation of fingerprints which are stored in the database and calculation of fingerprints for files on the computer system use one or more asymmetric cryptographic functions to generate digital signatures for each file.
  - 19. A system according to claim 15 further including a second database in which fingerprints of questionable files which are found to be acceptable by a system administrator are stored.
  - 20. A system according to claim 15 wherein the system calculates the probability that a questionable file is a file that has been corrupted by rogue software, by comparing its fingerprint with fingerprints for similar files that have been verified and stored in the second database.
  - 21. A system according to claim 20 wherein the system produces statistical information regarding:
    - (a) the number of fingerprints in the second database which represent files with the same characteristics as the questionable file;
      
      (b) the number of fingerprints in the second database which are identical to the fingerprint of the questionable file;
      
      (c) the number of fingerprints in the second database which are different to the fingerprint of the questionable file.
  - 22. A system according to claim 19 wherein files that are not acceptable are replaced or reinstalled.
  - 23. A system according to any one of claims 14 to 22 wherein the step of calculating fingerprints of files on the computer system and the step of comparing the fingerprints on the computer system with corresponding pre-calculated fingerprints stored on the database are both implemented by the computer system and wherein verification of questionable files takes place before fingerprints from the computer system are added to the second database.
  - 24. A system according to claim 23 wherein the computer system is physically remote from the first database and communication between the computer system and the first database takes place over a network such as the Internet.
  - 25. A system according to any one of claims 14 to 20 wherein the step of calculating fingerprints for the files on the computer system is implemented by the computer system and the step of comparing the fingerprints which represent files on the computer system with corresponding pre-calculated fingerprints stored in the first database is implemented by a server and wherein verification of questionable files takes place between the computer system and the server before the corresponding fingerprints are transferred between them.
  - 26. A system according to claim 25 wherein the computer system is physically remote from the server and communication between them takes place over a communication network suck as the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shyne-Song Chuang
Original Assignee
Shyne-Song Chuang
Inventors
Chuang, Shyne-Song

Application Number

US10/399,540
Publication Number

US 20040039921A1
Time in Patent Office

Days
Field of Search
US Class Current

713/187
CPC Class Codes

G06F 21/51 at application loading time...

G06F 21/565 by checking file integrity

Method and system for detecting rogue software

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

170 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting rogue software

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

170 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links