Dynamic detection of computer worms
Abstract
Methods, apparati, and computer-readable media for detecting malicious computer code in a host computer (1). A method embodiment of the present invention comprises the steps of determining (32) whether data leaving the host computer (1) is addressed to exit a port (15) of the host computer (1) where outbound executable content normally does not appear; when the data is addressed to exit such a port (15), determining (33) whether a string (24) from a pre-established runtime database (9) of executable threads is present in said data; and when a string (24) from said runtime database (9) is present in said data, declaring (34) a suspicion of presence of malicious computer code in said data.
39 Claims
1. A method for detecting malicious computer code in a host computer, said method comprising the steps of:
determining whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;
when the data is addressed to exit a port where outbound executable content normally does not appear, determining whether a string from a pre-established runtime database of executable threads is present in said data; and
when a string from said runtime database is present in said data, declaring a suspicion of presence of malicious computer code in said data.
(Dependent claims 2 through 34 are not reproduced on this page.)

35. A computer-readable medium containing computer program instructions for detecting malicious computer code in data leaving a host computer, said computer program instructions performing the steps of:
determining whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;
when the data is addressed to exit a port where outbound executable content normally does not appear, determining whether a string from a pre-established runtime database of executable threads is present in said data; and
when a string from said runtime database is present in said data, declaring a suspicion of presence of malicious computer code in said data.

36. Apparatus for detecting malicious computer code in a host computer, said apparatus comprising:
a filter adapted to determine whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;
a runtime database containing strings from threads that have executed on said host computer; and
coupled to the filter and to the runtime database, a matching module for determining whether a string from the runtime database is present in said data.
(Dependent claims 37 through 39 are not reproduced on this page.)
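The method of claim 1 and the three-part apparatus of claim 36 (port filter, runtime database of thread strings, matching module), as an added Python example written for this page; it is not the patent's own code and the specification is not reproduced here, so the following are assumptions of the example: the set of ports treated as ones where outbound executables do not normally appear, the choice of strings by cutting each thread's code image into fixed 16-byte pieces, the decoding of base64 mail bodies before matching, and the worm image, editor image and outbound messages, all of which are constructed.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Assumed policy: destination ports on which this host does not normally emit
# executable content (mail, name resolution, file sharing). Constructed list.
NON_EXECUTABLE_PORTS = {25, 53, 110, 137, 138, 139, 445}
# Length of each string cut from a thread's code (constructed threshold; short
# runs would match ordinary traffic by chance).
STRING_LEN = 16
_B64_LINE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


@dataclass
class RuntimeDatabase:
    """The claim's runtime database: strings copied from threads that ran."""
    strings: dict = field(default_factory=dict)   # string -> thread name

    def record_thread(self, thread_name: str, code_image: bytes) -> int:
        """Cut the thread's code image into STRING_LEN pieces; return the count."""
        pieces = [code_image[i:i + STRING_LEN]
                  for i in range(0, len(code_image) - STRING_LEN + 1, STRING_LEN)]
        for piece in pieces:
            self.strings.setdefault(piece, thread_name)
        return len(pieces)


@dataclass
class OutboundPacket:
    dst_port: int
    payload: bytes


@dataclass
class Verdict:
    inspected: bool                               # passed the port filter?
    suspicious: bool                              # a database string was found?
    threads: list = field(default_factory=list)   # recorded threads that matched


def exits_non_executable_port(pkt: OutboundPacket) -> bool:
    """Filter stage: only data bound for a listed port is examined further."""
    return pkt.dst_port in NON_EXECUTABLE_PORTS


def candidate_views(payload: bytes):
    """Yield the raw payload, then every run of base64-only lines decoded.
    Attachments are base64-encoded on the wire, so a database string never
    appears verbatim in the raw bytes; decoding is this example's addition."""
    yield payload
    block = []
    for line in payload.splitlines() + [b""]:     # sentinel flushes the last run
        if line and _B64_LINE.fullmatch(line):
            block.append(line)
            continue
        if block:
            try:
                yield base64.b64decode(b"".join(block), validate=True)
            except binascii.Error:
                pass                              # looked like base64, was not
            block = []


def matching_threads(db: RuntimeDatabase, payload: bytes) -> list:
    """Matching module: recorded threads whose strings occur in any view."""
    found = {thread for view in candidate_views(payload)
             for s, thread in db.strings.items() if s in view}
    return sorted(found)


def inspect_outbound(db: RuntimeDatabase, pkt: OutboundPacket) -> Verdict:
    """The claimed method applied to one outbound message."""
    if not exits_non_executable_port(pkt):
        return Verdict(inspected=False, suspicious=False)
    threads = matching_threads(db, pkt.payload)
    return Verdict(inspected=True, suspicious=bool(threads), threads=threads)


# Constructed thread images: a fake worm (72 bytes) and a benign editor.
WORM_IMAGE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
              b"PE\x00\x00L\x01\x03\x00"
              b"scan addressbook; connect :25; attach self; send")
EDITOR_IMAGE = b"\x7fELF\x02\x01\x01\x00" + b"open file; render; save to disk"


def build_database() -> RuntimeDatabase:
    db = RuntimeDatabase()
    db.record_thread("worm.exe", WORM_IMAGE)      # 4 strings
    db.record_thread("editor", EDITOR_IMAGE)      # 2 strings
    return db


# Constructed outbound messages seen by the filter.
MAIL_WITH_WORM = OutboundPacket(25, (
    b"MAIL FROM:<alice@example.test>\r\nRCPT TO:<bob@example.test>\r\nDATA\r\n"
    b"Subject: photos\r\nContent-Type: application/octet-stream; name=\"p.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(WORM_IMAGE)              # wrapped at 76 columns, as MIME does
    + b"\r\n.\r\n"))
PLAIN_MAIL = OutboundPacket(25, b"DATA\r\nSubject: hi\r\n\r\nsee you at noon\r\n.\r\n")
SMB_WITH_WORM = OutboundPacket(445, b"\x00\x00\x00\x60\xffSMB" + WORM_IMAGE)
HTTP_WITH_WORM = OutboundPacket(80, b"POST /upload HTTP/1.1\r\n\r\n" + WORM_IMAGE)

if __name__ == "__main__":
    db = build_database()
    for name, pkt in [("mail+worm", MAIL_WITH_WORM), ("plain mail", PLAIN_MAIL),
                      ("smb+worm", SMB_WITH_WORM), ("http+worm", HTTP_WITH_WORM)]:
        print(f"{name:10s} -> {inspect_outbound(db, pkt)}")
```

Run as a script it prints one verdict per message: the mail carrying the worm's own code as a base64 attachment and the SMB write carrying it raw are flagged, the plain mail is inspected and passes, and the HTTP upload carrying the same bytes is never inspected because port 80 is not in the filter's set. That last case is the trade-off the claim makes explicit: the port filter keeps the matching cost down by scanning only traffic where an executable is abnormal, so a worm that spreads over a port where executables are normal is outside this check. Two things the page does not specify and the example fills with placeholders: how strings are chosen from a thread (fixed 16-byte slicing here; a deployment would need to exclude shared library code that appears in many threads, or every mail with a common DLL fragment would raise a suspicion), and what "present in said data" means for encoded mail bodies (the example decodes base64 runs before matching).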
Specification