Andromeda strain hacker analysis system and method

US 20050257263A1
Filed: 05/13/2004
Published: 11/17/2005
Est. Priority Date: 05/13/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method, in a data processing system, for identifying a point of immunity to a computer based attack, comprising:

generating a first call trace of a first process, in an infectable computer system, that processes a data packet suspected of being associated with a computer based attack;

generating a second call trace of a second process, comparable to the first process, in an immune computer system, that processes the data packet suspected of being associated with a computer based attack;

comparing the first call trace to the second call trace; and

determining a point of immunity based on results of the comparison of the first call trace to the second call trace.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for determining a point of immunity of a computing system to a computer virus are provided. A trace of the calls of a process, that processes a data packet which is suspected of having a computer virus, in both an infected computing system and an immune computing system are obtained. Differences in the call traces are used to pinpoint a point in the series of calls at which the processing by the two processes diverge. The process corresponding to this point of divergence is then determined and version information of the version of the corresponding process on the infected computing system and the immune computing system are determined. Differences in the version information are identified and immunization recommendations are made based on the identified differences in the version information.

Citations

20 Claims

1. A method, in a data processing system, for identifying a point of immunity to a computer based attack, comprising:
- generating a first call trace of a first process, in an infectable computer system, that processes a data packet suspected of being associated with a computer based attack;
  
  generating a second call trace of a second process, comparable to the first process, in an immune computer system, that processes the data packet suspected of being associated with a computer based attack;
  
  comparing the first call trace to the second call trace; and
  
  determining a point of immunity based on results of the comparison of the first call trace to the second call trace.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the first process and the second process are a same process but in different computer systems.
  - 3. The method of claim 1, wherein determining a point of immunity based on the results of the comparison includes:
    - identifying a process associated with a difference between the first call trace and the second call trace to thereby generate an identified process;
      
      retrieving first process information about the identified process from the infectable computer system;
      
      retrieving second process information about the identified process from the immune computer system; and
      
      identifying differences between the first process information and the second process information.
  - 4. The method of claim 3, wherein the first process information and the second process information include version information for the identified process.
  - 5. The method of claim 3, wherein the first process information and second process information include a compile time for the identified process.
  - 6. The method of claim 3, wherein the first process information and second process information include detailed version information about processes called by the identified process.
  - 7. The method of claim 6, wherein the detailed version information about the processes called by the identified process is obtained using a “
    - what”
      
      command.
  - 8. The method of claim 1, wherein the first call trace and the second call trace are obtained using a kernel debugger on the infectable computer system and the immune computer system, respectively.
  - 9. The method of claim 1, further comprising:
    - generating an output to a workstation identifying the point of immunity.
  - 10. The method of claim 9, wherein the output includes a recommendation for replicating the point of immunity in other computer systems.

11. A computer program product in a computer readable medium for identifying a point of immunity to a computer based attack, comprising:
- first instructions for generating a first call trace of a first process, in an infectable computer system, that processes a data packet suspected of being associated with a computer based attack;
  
  second instructions for generating a second call trace of a second process, comparable to the first process, in an immune computer system, that processes the data packet suspected of being associated with a computer based attack;
  
  third instructions for comparing the first call trace to the second call trace; and
  
  fourth instructions for determining a point of immunity based on results of the comparison of the first call trace to the second call trace.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer program product of claim 11, wherein the first process and the second process are a same process but in different computer systems.
  - 13. The computer program product of claim 11, wherein the fourth instructions for determining a point of immunity based on the results of the comparison include:
    - instructions for identifying a process associated with a difference between the first call trace and the second call trace to thereby generate an identified process;
      
      instructions for retrieving first process information about the identified process from the infectable computer system;
      
      instructions for retrieving second process information about the identified process from the immune computer system; and
      
      instructions for identifying differences between the first process information and the second process information.
  - 14. The computer program product of claim 13, wherein the first process information and the second process information include version information for the identified process.
  - 15. The computer program product of claim 13, wherein the first process information and second process information include a compile time for the identified process.
  - 16. The computer program product of claim 13, wherein the first process information and second process information include detailed version information about processes called by the identified process.
  - 17. The computer program product of claim 16, wherein the detailed version information about the processes called by the identified process is obtained using a “
    - what”
      
      command.
  - 18. The computer program product of claim 11, wherein the first call trace and the second call trace are obtained using a kernel debugger on the infectable computer system and the immune computer system, respectively.
  - 19. The computer program product of claim 11, further comprising:
    - fifth instructions for generating an output to a workstation identifying the point of immunity.

20. A system for identifying a point of immunity to a computer based attack, comprising:
- means for generating a first call trace of a first process, in an infectable computer system, that processes a data packet suspected of being associated with a computer based attack;
  
  means for generating a second call trace of a second process, comparable to the fist process, in an immune computer system, that processes the data packet suspected of being associated with a computer based attack;
  
  means for comparing the first call trace to the second call trace; and
  
  means for determining a point of immunity based on results of the comparison of the first call trace to the second call trace.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Keohane, Susann Marie, McBrearty, Gerald Francis, Shieh, Johnny Meng-Han, Murillo, Jessica Kelley, Mullen, Shawn Patrick

Application Number

US10/845,538
Publication Number

US 20050257263A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/56 Computer malware detection ...

H04L 63/145 the attack involving the pr...

Andromeda strain hacker analysis system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Andromeda strain hacker analysis system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links