Method and system for real-time tamper evidence gathering for software
Abstract
A method and system are directed to differentiating between normal characteristics and abnormal characteristics within a software process, such that tampering of the software process may be identified programmatically. The identification of behavior that may be defined as normal may vary. Such behavior may include a sequence of selected system level calls that may access resources considered relevant, and the like. Data on the selected behavior is gathered, and when a sufficient amount of abnormal behavior has been detected, a signal may be provided such that an action may be performed. Samples of the gathered data are assigned a unique value. Statistical information is determined from the collected behavior, including trend data. Such trend data is compared to trends identified as normal for the software process, and a determination is made whether the sampled behavior is non-normal.
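The following Python example is an added illustration of the approach the abstract describes; it is not code from the patent. It treats each sliding window of system calls as the uniquely valued sample, builds a frequency profile from normal runs, and signals when an observed run contains a sufficient share of unseen windows. The window length, the mismatch-rate statistic, the threshold and the sample traces are all assumptions, since the abstract fixes none of them.

```python
from collections import Counter

WINDOW = 3        # assumption: length of the sliding window over the call trace
THRESHOLD = 0.25  # assumption: mismatch rate at which the action is triggered


def windows(trace, n=WINDOW):
    """Return every run of n consecutive calls; each tuple is one sample's value."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(normal_traces):
    """Count how often each window occurs across runs known to be normal."""
    profile = Counter()
    for trace in normal_traces:
        profile.update(windows(trace))
    return profile


def mismatch_rate(profile, trace):
    """Fraction of windows in the observed trace that never occur in the profile."""
    seen = windows(trace)
    if not seen:
        return 0.0  # trace shorter than the window: nothing to judge
    return sum(1 for w in seen if w not in profile) / len(seen)


def is_tampered(profile, trace, threshold=THRESHOLD):
    """True when enough abnormal windows were observed to warrant an action."""
    return mismatch_rate(profile, trace) >= threshold


# Constructed sample traces (not taken from the patent).
NORMAL_RUNS = [
    ["open", "read", "read", "close", "open", "read", "close"],
    ["open", "read", "close", "open", "read", "read", "close"],
]
CLEAN_RUN = ["open", "read", "read", "close", "open", "read", "close"]
PATCHED_RUN = ["open", "read", "mprotect", "write", "read", "close", "open"]

if __name__ == "__main__":
    profile = build_profile(NORMAL_RUNS)
    for name, run in (("clean", CLEAN_RUN), ("patched", PATCHED_RUN)):
        print(name, round(mismatch_rate(profile, run), 2), is_tampered(profile, run))
```

A short window keeps the profile small but raises the chance that a legitimate, rarely exercised code path is reported as abnormal, so the threshold has to be tuned against traces that cover the process's normal variation.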
22 Claims
1. A method for verifying integrity of a computing process, comprising:
- determining a trait associated with the computing process;
- determining a pattern statistic associated with the trait based in part on an execution of the computing process in a normal condition;
- determining a prototype statistic associated with the trait based in part on another execution of the computing process in another condition;
- comparing the pattern statistic to the prototype statistic; and
- if the comparison indicates abnormal behavior of the computing process, performing a predetermined action.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. An apparatus encoded with computer-executable components for determining tamper evidence of a client process, comprising:
- a transceiver arranged to receive and forward data;
- an interface, coupled to the transceiver, and arranged to perform actions, including;
  - determining a trait associated with the client process;
  - receiving a first set of data associated with the trait based in part on execution of the client process in a normal condition;
  - receiving a second set of data associated with the trait based in part on another execution of the client process in another condition;
  - determining a pattern statistic associated with the first set of data;
  - determining a prototype statistic associated with the second set of data;
  - comparing the pattern statistic to the prototype statistic; and
  - if the comparison indicates abnormal behavior of the client process, performing a predetermined action.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19

20. A system for determining tamper evidence of a computing process, comprising:
- a client that includes the computing process, and is configured to communicate trait data associated with an execution of the computing process; and
- a server, coupled to the client, and arranged to perform actions, including;
  - receiving a first set of data associated with the trait based in part on execution of the computing process in a normal condition;
  - receiving a second set of data associated with the trait based in part on another execution of the computing process in another condition;
  - determining a pattern statistic associated with the first set of data;
  - determining a prototype statistic associated with the second set of data;
  - comparing the pattern statistic to the prototype statistic; and
  - if the comparison indicates abnormal behavior of the computing process, performing a predetermined action.
Dependent claims: 21

22. An apparatus for verifying integrity of a computing process, comprising:
- a means for determining a trait associated with the computing process;
- a means for determining a pattern statistic associated with the trait based in part on execution of the computing process in a normal condition;
- a means for determining a prototype statistic associated with the trait based in part on another execution of the computing process in another condition;
- a means for comparing the pattern statistic to the prototype statistic, and if the comparison indicates abnormal behavior, a means for performing a predetermined action.

Specification