System, method and program product for detecting malicious software
Abstract
System, method and program product for detecting malicious software within or attacking a computer system. In response to a system call, a hook routine is executed at a location of the system call to (a) determine a data flow or process requested by the call, (b) determine another data flow or process for data related to that of the call, (c) automatically generate a consolidated information flow diagram showing the data flow or process of the call and the other data flow or process. After steps (a-c), a routine is called to perform the data flow or process requested by the call. A user monitors the information flow diagram and compares the data flow or process of steps (a) and (b) with a data flow or process expected by said user. If there are differences, the user may investigate the matter or shut down the computer to prevent damage.
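As an added illustration (not code from the patent or its assignee), the following Python model shows the hook-then-forward sequence the abstract describes: a hooked call (a) derives the data flow it requests, (b) collects earlier flows involving the same process, (c) renders a consolidated information-flow diagram in Graphviz DOT syntax, and only then (d) forwards to the real routine. The `FlowMonitor`, `FakeOS` and `install_hooks` names, the sample process and file path, and the `deviations` check against an operator's expected model are all assumptions constructed for this example.

```python
# Added example (not code from the patent or its assignee): a toy model of the
# hook-then-forward approach described in the abstract. FlowMonitor, FakeOS,
# install_hooks, the sample process name and paths are constructed assumptions.
from collections import namedtuple

Edge = namedtuple("Edge", "src dst op")


class FlowMonitor:
    """Accumulates data-flow edges seen at hooked calls and renders them as DOT text."""

    def __init__(self):
        self.edges = []

    def record(self, edge):
        self.edges.append(edge)

    def related(self, node):
        """Step (b): earlier flows touching the same process or data object."""
        return [e for e in self.edges if node in (e.src, e.dst)]

    @staticmethod
    def to_dot(edges):
        """Step (c): a consolidated information-flow diagram in Graphviz DOT syntax."""
        body = [f'  "{e.src}" -> "{e.dst}" [label="{e.op}"];' for e in edges]
        return "\n".join(["digraph flow {"] + body + ["}"])

    def deviations(self, expected):
        """Edges the monitor saw that the operator's expected flow model does not allow."""
        return [e for e in self.edges if e not in expected]


class FakeOS:
    """Stand-in for the kernel's real service routines (the targets of step (d))."""

    def __init__(self):
        self.files = {}
        self.sent = []

    def real_read(self, proc, path):
        return self.files.get(path, b"")

    def real_write(self, proc, path, data):
        self.files[path] = data

    def real_send(self, proc, peer, data):
        self.sent.append((peer, data))


def install_hooks(os_, monitor, diagrams):
    """Return a dispatch table whose entries run steps (a)-(c) before forwarding (d)."""
    real = {"read": os_.real_read, "write": os_.real_write, "send": os_.real_send}

    def make_hook(name, routine):
        def hook(proc, target, *args):
            # (a) the flow this call requests: reads move data into the process,
            #     writes and sends move data out of it
            edge = Edge(target, proc, name) if name == "read" else Edge(proc, target, name)
            # (b) other flows involving the same process, recorded by earlier hooks
            related = monitor.related(proc)
            # (c) consolidated diagram covering (a) and (b), emitted for the operator
            monitor.record(edge)
            diagrams.append(FlowMonitor.to_dot(related + [edge]))
            # (d) only now perform the requested operation
            return routine(proc, target, *args)
        return hook

    return {name: make_hook(name, routine) for name, routine in real.items()}


def run_scenario():
    """Constructed scenario: a process reads a file and then sends the data out."""
    os_ = FakeOS()
    os_.files["/srv/app/customer.db"] = b"constructed sample contents"
    monitor, diagrams = FlowMonitor(), []
    syscall = install_hooks(os_, monitor, diagrams)
    proc = "pid-4242 (report.exe)"
    data = syscall["read"](proc, "/srv/app/customer.db")
    syscall["send"](proc, "198.51.100.9:8443", data)
    return os_, monitor, diagrams


if __name__ == "__main__":
    os_, monitor, diagrams = run_scenario()
    print(diagrams[-1])
    # The operator's expected model allows the file read but no network egress,
    # so the send edge shows up as a deviation worth investigating.
    expected = {Edge("/srv/app/customer.db", "pid-4242 (report.exe)", "read")}
    print("deviations:", monitor.deviations(expected))
```

The point the model makes is that the diagram emitted at the `send` hook carries the earlier `read` edge as well, so the file-to-process-to-network chain is visible in one view, whereas each call inspected on its own would look unremarkable.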
14 Claims
1. A method for detecting malicious software within or attacking a computer system, said method comprising the steps of:
in response to a system call, executing a hook routine at a location of said system call to (a) determine a data flow or process requested by said call, (b) determine another data flow or process for data related to that of said call, (c) automatically generate a consolidated information flow diagram showing said data flow or process of said call and said other data flow or process, and after steps (a-c), (d) call a routine to perform said data flow or process requested by said call.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detecting malicious software in a computer system, said system comprising:
means, responsive to a system call, for executing a hook routine at a location of said system call to (a) determine a data flow or process requested by said call, (b) determine another data flow or process for data related to that of said call, (c) automatically generate a consolidated information flow diagram showing said data flow or process of said call and said other data flow or process, and after steps (a-c), (d) call a routine to perform said data flow or process requested by said call; and
means for displaying said information flow diagram.
Dependent claims: 9, 10, 11, 12, 13.
14. A computer program product for detecting malicious software in a computer system, said computer program product comprising:
a computer readable medium;
program instructions, responsive to a system call, for executing a hook routine at a location of said system call to (a) determine a data flow or process requested by said call, (b) determine another data flow or process for data related to that of said call, (c) automatically generate a consolidated information flow diagram showing said data flow or process of said call and said other data flow or process, and after steps (a-c), (d) call a routine to perform said data flow or process requested by said call; and
wherein said program instructions are recorded on said medium.