NULLIFICATION OF MALICIOUS CODE BY DATA FILE TRANSFORMATION

US 20080313735A1
Filed: 10/31/2007
Published: 12/18/2008
Est. Priority Date: 10/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method of nullifying malicious code potentially contained within a data file received by a computing platform, the method comprising:

selecting, at random, a transformation to be applied to the received data file from at least two available transformations, each transformation being such as to alter the bit pattern of a file to which it is applied while still enabling manifestation of at least some of the file'"'"'s semantic content to a user, andapplying the selected transformation to the received data file to generate a transformed file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To nullify any malicious code potentially contained within a data file. a transformation engine randomly selects a transformation from a number of available file transformations each arranged to alter the bit pattern of a file to which it is applied while still enabling manifestation of at least some of the file'"'"'s semantic content to a user. The selected transformation is then applied to the data file to produce a transformed file. Preferably, the transformation engine runs in a dedicated virtual machine of a computing platform.

Citations

22 Claims

1. A method of nullifying malicious code potentially contained within a data file received by a computing platform, the method comprising:
- selecting, at random, a transformation to be applied to the received data file from at least two available transformations, each transformation being such as to alter the bit pattern of a file to which it is applied while still enabling manifestation of at least some of the file'"'"'s semantic content to a user, andapplying the selected transformation to the received data file to generate a transformed file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method according to claim 1, wherein application of the selected transformation takes place within a client computer at which the transformed file is to be manifested to a user.
  - 3. A method according to claim 2, wherein the client computer provides multiple virtual machines, a first said virtual machine applying the selected transformation to the received file and passing the transformed file to a second said virtual machine for manifestation to the user.
  - 4. A method according to claim 3, wherein the received file is received from the file system of a storage device, this file being retrieved from the storage device by the first virtual machine in response to a request received from a filesystem driver of the second virtual machine.
  - 5. A method according to claim 1, wherein application of the selected transformation takes place within a computer remote from a client computer at which the transformed file is to be manifested to a user, the method further comprising sending the transformed file to the client computer.
  - 6. A method according to claim 1, wherein at least one further transformation, additional to said at least two available transformations and comprising a combination of elements of said at least two available transformations, is also available for random selection.
  - 7. A method according to claim 1, further comprising:
    - receiving data from a user regarding a use to which he/she is intending to put the received file, andusing the data provided by the user to form a candidate set of multiple transformations from the available transformations on the basis of which transformations will produce transformed files capable of manifesting semantic content relevant the intended said use, the random selection being effected from the candidate set.
  - 8. A method according to claim 1, further comprising selecting a length in bits (N bits), of a minimum length of malicious code against which a transformation is to be effective and transforming the received data file by disrupting its bit pattern with a frequency of 1/(N−
    - 1) bits or greater.
  - 9. A method according to claim 1, further comprising initial operations of:
    - detecting occurrence of an event indicative of receipt of said data file by the computing platform; and
      
      determining whether, in accordance with a predetermined policy, the received file requires transformation.
  - 10. A method according to claim 1, wherein multiple transformations are selected and applied to the received file to generate a final transformed file.

11. A transformation engine for nullifying malicious code potentially contained within a data file, the transformation engine comprising:
- a library of available transformations each arranged to alter the bit pattern of a file to which it is applied while still enabling manifestation of at least some of the file'"'"'s semantic content to a user;
  
  a selection arrangement for selecting, at random, a transformation to be applied to the data file from said available transformations; and
  
  an arrangement for applying the selected transformation to the data file to generate a transformed file.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 12. A transformation engine according to claim 11, arranged to create at least one further transformation, additional to said available transformations, by combining of elements of the available transformations, said at least one further transformation being also available for random selection.
  - 13. A transformation engine according to claim 11, wherein the selection arrangement is arranged to receive input from a user regarding a use to which he/she is intending to put the received file, and to use the user-input data to form a candidate set of multiple transformations from the available transformations on the basis of which transformations will produce transformed files capable of manifesting semantic content relevant the intended said use, the random selection being effected from the candidate set.
  - 14. A transformation engine according to claim 11, wherein each said available transformation is operative to disrupt the bit pattern of the data file with a frequency of 1/(N−
    - 1) bits or greater where N is a predetermined minimum length, in bits, of malicious code against which the transformation is to be effective.
  - 15. A transformation engine according to claim 11, further comprising a policy-application arrangement for determining whether, in accordance with a predetermined policy, the data file requires transformation.
  - 16. A computing platform including a transformation engine according to claim 11, the computing platform being a client computer at which the transformed file is to be manifested to a user.
  - 17. A computing platform according to claim 16, wherein the client computer is arranged to provide multiple virtual machines, a first said virtual machine serving to apply the selected transformation to the data file and to pass the transformed file to a 30 second said virtual machine for manifestation to the user.
  - 18. A computing platform according to claim 17, including a storage device for storing said data file, the first virtual machine being arranged to retrieve the data file from the storage device in response to a request received from the second virtual machine.
  - 19. A computing platform comprising:
    - a transformation engine according to claim 11, the computing platform being a computer remote from a client computer at which the transformed file is to be manifested to a user,a communication arrangement for sending the transformed file to the client computer.
  - 20. A computing platform having a transformation engine according to claim 11, wherein the platform is adapted to provide multiple distinct virtual machines, the said transformation engine being arranged to run in one said virtual machine.
  - 21. A computing platform according to claim 20, wherein creation of the transformation-engine virtual machine is performed in accordance with a VM policy that specifies the basis upon which the transformation-engine virtual machine is utilised for transformations.
  - 22. A computing platform according to claim 21, wherein the VM policy includes, as alternatives, that transformation-engine virtual machine is utilised:
    - (a) for a predetermined number of file transformations;
      
      (b) for all file transformations occurring within a predetermined interval of time;
      
      (c) for certain classes of file transformation;
      
      (d) only for a single file transformation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Harrison, Keith Alexander, Smith, Richard

Granted Patent

US 8,051,482 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

H04L 63/1441   Countermeasures against mal...

NULLIFICATION OF MALICIOUS CODE BY DATA FILE TRANSFORMATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

NULLIFICATION OF MALICIOUS CODE BY DATA FILE TRANSFORMATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links