Computer immune system and method for detecting unwanted code in a computer system
Abstract
An automated analysis system detects malicious code within a computer system by generating and subsequently analyzing a behavior pattern for each computer program introduced to the computer system. Generation of the behavior pattern is accomplished by a virtual machine invoked within the computer system. An initial analysis may be performed on the behavior pattern to identify infected programs on initial presentation of the program to the computer system. The analysis system also stores behavior patterns and sequences with their corresponding analysis results in a database. Newly infected programs can be detected by analyzing a newly generated behavior pattern for the program with reference to a stored behavior pattern to identify presence of an infection or payload pattern.
37 Claims
1-17. (canceled)
18. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
virtually executing a target program within a virtual PC of a physical computer so that the target program interacts with a virtual operating system of the virtual PC;
analyzing behavior of the target program upon completion of virtual execution to identify an occurrence of malicious code behavior based upon an evaluation by the virtual PC of a behavior pattern; and
generating the behavior pattern for the target program by tracking functions performed by the target program with flags in a behavior pattern field and by tracking a sequence in which the functions are called by the target program with the behavior pattern field.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 32
27. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
virtually executing a target program within a virtual machine so that the target program interacts with a virtual operating system of the virtual machine;
generating a behavior pattern for the target program by tracking functions performed by the target program with flags in a behavior pattern field and by tracking a sequence in which the functions are called by the target program with the behavior pattern field to track functions simulated by the target program during virtual execution; and
storing a record of the behavior pattern that represents operations of the target program with the computer system.
Dependent claims: 28, 29, 30, 31
33. A computer implemented method for identifying the presence of malicious code in program code, comprising:
generating a behavior pattern, wherein generating a behavior pattern further comprises:
completing virtual execution of a target program within a virtual PC;
tracking functions performed and not performed by the target program with flags in a behavior pattern field;
tracking a sequence in which the functions are called by the target program; and
upon completion of virtual execution, operating the virtual PC to compare the behavior pattern generated by virtual execution of the target program to a behavior pattern representative of operations by the malicious code to identify an occurrence of malicious code behavior.
Dependent claims: 34, 35, 36, 37
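As an added illustration of the mechanism the claims describe (example code written for this page, not taken from the patent or any product built on it), the following Python keeps a behavior pattern as a flag field recording which monitored functions were performed, plus the sequence in which they were called, and compares it against stored reference patterns. The monitored function names and the reference patterns are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import IntFlag, auto


class Fn(IntFlag):
    """Monitored functions (assumed set); each member is one flag bit in the behavior pattern field."""
    OPEN_FILE = auto()
    WRITE_FILE = auto()
    FIND_EXECUTABLE = auto()
    MODIFY_BOOT_SECTOR = auto()


@dataclass
class BehaviorPattern:
    flags: Fn = Fn(0)                              # bit set = function performed, clear = not performed
    sequence: list = field(default_factory=list)   # order in which the functions were called

    def record(self, fn: Fn) -> None:
        """Called by the (simulated) virtual OS each time the target invokes a monitored function."""
        self.flags |= fn
        self.sequence.append(fn)


def run_trace(calls):
    """Stand-in for virtual execution: replay an observed call trace into a fresh behavior pattern."""
    pattern = BehaviorPattern()
    for fn in calls:
        pattern.record(fn)
    return pattern


def is_subsequence(needle, haystack):
    """True if every element of needle appears in haystack in the same relative order."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


# Constructed reference patterns standing in for the stored-pattern database (not from the patent).
KNOWN_MALICIOUS = {
    "file-infector": run_trace([Fn.FIND_EXECUTABLE, Fn.OPEN_FILE, Fn.WRITE_FILE]),
    "boot-sector": run_trace([Fn.MODIFY_BOOT_SECTOR]),
}


def matches(observed, reference):
    """Every function flagged in the reference was performed, and in the reference's call order."""
    flags_ok = (observed.flags & reference.flags) == reference.flags
    return flags_ok and is_subsequence(reference.sequence, observed.sequence)


def classify(observed):
    """Names of stored malicious patterns whose behavior the observed pattern contains."""
    return [name for name, ref in KNOWN_MALICIOUS.items() if matches(observed, ref)]
```

A trace that performs the same functions in a different order does not match, which is the point of tracking the call sequence alongside the flags.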
Specification