Method and system for virus detection using pattern matching techniques

US 20060161984A1
Filed: 01/14/2005
Published: 07/20/2006
Est. Priority Date: 01/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for virus detection, comprising:

segmenting a data stream into data frames;

generating a data frame image for each data frame;

comparing a first data frame image to a virus image;

generating a first pattern match value associated with the first data frame image based on the comparison; and

determining whether the generated first pattern match value exceeds a threshold to detect a virus associated with the virus image.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing virus detection. A virus detection system provides for the use of pattern matching techniques on data at a binary level for virus detection. Whenever an incoming data stream is received, the data stream is segmented into time-based data frames. The time-based data frames are processed to generate associated data frame images utilizing signal processing identification and filter techniques. One or more data frame images are compared to a stored virus image utilizing pattern analysis techniques. A pattern match value associated with each data frame image is generated based on the comparison and a determination is made as to whether or not the pattern match value exceeds a pattern match value threshold. When the pattern match value exceeds the pattern match value threshold, a pattern associated with the virus image is removed from the time-based frames to produce a filtered data stream.

118 Citations

20 Claims

1. A method for virus detection, comprising:
- segmenting a data stream into data frames;
  
  generating a data frame image for each data frame;
  
  comparing a first data frame image to a virus image;
  
  generating a first pattern match value associated with the first data frame image based on the comparison; and
  
  determining whether the generated first pattern match value exceeds a threshold to detect a virus associated with the virus image.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 further comprising removing a pattern associated with the virus image from the data frame used to generate the first data frame image when the pattern match value exceeds the threshold.
  - 3. The method of claim 1 wherein generating a data frame image for each data frame comprises performing a Fourier transform on at least one data frame.
  - 4. The method of claim 3, wherein the Fourier transform is a fast Fourier transform.
  - 5. The method of claim 1, wherein comparing a first data frame image to a stored virus image comprises performing a comparison of a plurality of pixels of the first data frame image to a plurality of pixels of the virus image.
  - 6. The method of claim 1, further comprising:
    - comparing a plurality of data frame images to the virus image; and
      
      generating a second pattern match value associated with the data frame images based on the comparison.
  - 7. The method of claim 1, wherein each virus image comprises a transform of a computer virus.
  - 8. The method of claim 1, further comprising comparing a modified data frame image with the virus image.
  - 9. A computer-readable medium having computer-executable instructions for performing the method of claim 1.
  - 10. The method of claim 1, further comprising:
    - requesting a virus detection system update; and
      
      receiving the virus detection system update.

11. A virus detection system, comprising:
- a communication interface;
  
  at least one processor; and
  
  at least one computer readable memory device for providing buffer memory, virus image pattern memory, and random access memory readable by the processor, the computer readable memory device having processor-executable instructions configured to cause the processor to segment a received data stream into data frames, generate a data frame image for each data frame, compare a data frame image to a virus image, generate a first pattern match value associated with the first data frame image based on the comparison, and determine whether the generated first pattern match value exceeds a threshold to detect a virus associated with the virus image.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11 wherein the virus detection system comprises an ASIC.
  - 13. The system of claim 12 wherein the ASIC communicates with an external computing system and a communication device.
  - 14. The system of claim 11 wherein the virus detection system comprises an ASIC integrated within a CPU motherboard.
  - 15. The system of claim 11 wherein the virus detection system comprises a CPU.
  - 16. The system of claim 11 wherein the computer readable memory device having processor-executable instructions comprises a series of computer executable steps configured to cause the processor to remove a pattern associated with the virus image from the data frame associated with the data frame image if the pattern match value exceeds the threshold.
  - 17. The system of claim 11, wherein the computer readable memory device having processor-executable instructions comprises a series of computer executable steps configured to cause the processor to perform a Fourier transform on at least one data frame.
  - 18. The system of claim 17 wherein the Fourier transform comprises a fast Fourier transform.
  - 19. The system of claim 11, wherein the computer readable memory device having processor-executable instructions comprises a series of computer executable steps configured to cause the processor to compare the first data frame image with the pixels of the virus image using a pattern matching technique.

20. A system for providing virus detection, comprising:
- means for segmenting a data stream into time-based data frames;
  
  means for processing the time-based data frames to generate associated data frame images;
  
  means for comparing a first data frame image to a stored virus image;
  
  means for generating a first pattern match value associated with the first data frame image based on the comparison;
  
  means for determining whether the generated pattern match value exceeds a threshold to detect a virus associated with the stored virus image; and
  
  means for removing a pattern associated with the stored virus image from the time-based frame associated with the first data frame image to produce a filtered data stream when the pattern match value exceeds the threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Westerinen, William J., Phillips, Thomas G., Schoppa, Christopher A.

Granted Patent

US 7,546,471 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/564   by virus signature recognition

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Method and system for virus detection using pattern matching techniques

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for virus detection using pattern matching techniques

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links