Method and System for Intrusion Detection

US 20100017879A1
Filed: 06/09/2007
Published: 01/21/2010
Est. Priority Date: 06/21/2006
Status: Active Grant

First Claim

Patent Images

1. Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, the processor executing the protected software,wherein the computer software to be protected communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key,wherein the license container provides licenses and cryptographic keys for the protected software to protect its usage and its integrity, andwherein the protected computer software is at least partly encrypted and uses the associated cryptographic keys to decrypt said protected software for executingcomprising:

during execution of the protected software, searching for patterns of an intrusion into the protected softwaredetecting an intrusion into the protected software during the execution of the protected software wherein the intruding program uses a monitoring component for gaining unauthorized access; and

creating a signal on detection of an attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, wherein the computer software to be protected communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key, wherein the license container provides licenses and cryptographic keys for the protected software to protect its usage and its integrity, and wherein the protected computer software is at least partly encrypted and uses the associated cryptographic keys to decrypt said protected software for executing comprises the following steps: during execution of the protected software, analyzing the behavior of the protected software and/or the execution environment of the protected software on the computer system, and searching for patterns of an intrusion or an intruding program, detecting an intrusion into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access, and creating a signal on detection of an attack.

128 Citations

44 Claims

1. Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, the processor executing the protected software,wherein the computer software to be protected communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key,wherein the license container provides licenses and cryptographic keys for the protected software to protect its usage and its integrity, andwherein the protected computer software is at least partly encrypted and uses the associated cryptographic keys to decrypt said protected software for executingcomprising:
- during execution of the protected software, searching for patterns of an intrusion into the protected softwaredetecting an intrusion into the protected software during the execution of the protected software wherein the intruding program uses a monitoring component for gaining unauthorized access; and
  
  creating a signal on detection of an attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 31, 32, 33, 34)
- - 2. Method according to claim 1, wherein the protected software comprises the original software code of an application program and software selected from the following group:
    - additional code special operation codes, a security engine and control program code.
  - 3. Method according to claim 2, wherein searching for patterns of intrusion into protected software is comprised of analyzing the executing of special operation codes in the protected software.
  - 4. Method according to claim 1, further comprising locking the license container by executing an arbitrary command in the protected software with predefined special values.
  - 5. Method according to claim 4, characterized in that the arbitrary command is a special encryption operation to lock the license container.
  - 6. Method according to claim 4, characterized in that locking of the license container is performed by setting a counter to a predetermined value, preferably zero, or in erasing the necessary cryptographic keys in the license container.
  - 7. Method according to claim 1, wherein analyzing the behavior of the protected software comprises analyzing the execution of Application Program Interfaces (APIs) and comparing the number of header-executions to the number of trailer-executions.
  - 8. Method according to claim 2, wherein the additional code in the protected software is a bait code being executed only in case of a disturbed mode caused by an intruding monitoring program and characterized by detecting the execution of the bait code.
  - 9. Method according to claim 8, wherein the bait code is referenced in unused parts of the Import Address Table (IAT) of the protected software.
  - 10. Method according to claim 8, characterized in that the bait code is part of the protected software that is never executed under undisturbed operation conditions.
  - 11. Method according to claim 1, wherein a protection device is attached to an interface of the computer system which includes the license container.
  - 12. Method according to claim 8, wherein the bait code locks the protection device using a specially designed API call.
  - 13. Method according to claim 11, characterized in that after detecting an attack of an intruding software, forensic data is created for memorizing an intrusion event and is stored in the protection device.
  - 14. Method according to claim 13, wherein the forensic data is stored in protected memory in the protection device.
  - 15. Method according to claim 13, wherein the forensic data is stored in encrypted form.
  - 16. Method according to claim 13, wherein the forensic data is stored in a memory region of the protection device that can be written only once.
  - 17. Method according to claim 13, wherein the forensic data is aggregated and evaluated to detect global patterns.
  - 18. Method according to claim 13, wherein the forensic data is sent to a license administrator and the cryptographic keys are contained in the license containers, the forensic data is sent for being collected by the license administrator for the purpose of eventually unlocking the protection device at a later time.
  - 19. Method according to claim 3, characterized in that measuring the timing used for the executing of the protected software includes evaluating the timing of processor exceptions.
  - 20. Method according to claim 3, wherein measuring the timing used for the executing of the protected software includes checking the overall clock consistency.
  - 21. Method according to claim 2, wherein analyzing the behavior of the protected software includes classifying execution threads as one of (a) authorized threads being created by the normal program execution and (b) unauthorized threads being created by an intruding program.
  - 22. Method according to claim 21, further comprising discovering unauthorized threads using TLS-procedures (Thread Local Storage-procedures).
  - 23. Method according to claim 21, further comprising discovering unauthorized threads by monitoring the execution of API-system-calls.
  - 24. Method according to claim 1, wherein analyzing the execution environment of the protected software on the computer system for identifying an intruding program includes examining other processes on the computer system for detecting predetermined patterns.
  - 25. Method according to claim 24, wherein window and class parameters or process and file names are inspected for detecting predetermined patterns of intruding programs.
  - 26. Method according to claim 24, wherein the process memory of other processes on the computer system is inspected in part or in whole.
  - 27. Method according to claim 4, wherein a protection device attached to an interface of the computer system comprises at least one license container characterized in that not the complete protection device is locked but only the license container assigned to the protected software, for which an intrusion has been detected, is locked.
  - 28. Method according to claim 4, wherein a protection device attached to an interface of the computer system comprises at least one license container, and the computer system is configured and arranged to communicate with a remote timestamp server;
    - andwherein locking the protection device is affected upon a communication between the computer system and the timestamp server required to continue the operation of the protection device.
  - 29. Method according to claim 13, further comprising transmitting the forensic data to a remote server of an intrusion prevention service and in unlocking the locked license container using a special command or code being sent from the remote server of an intrusion prevention service.
  - 31. Method according to claim 1 further comprising analyzing the behavior of protected software.
  - 32. Method according to claim 1, further comprising analyzing the behavior of the execution environment.
  - 33. Method according to claim 2, wherein analyzing the behavior of the protected software is comprised of analyzing the executing of special program parts or parts of the protected software code.
  - 34. Method according to claim 2, wherein analyzing the behavior of the protected software is comprised of measuring timing used for the executing of the protected software and evaluating the measured results.

30. Apparatus for providing intrusion detection for protected computer software on a computer system by using system components comprisingmeans for a monitor program executing on the computer system communicating with a control program executing on the computer system through messages containing audit information from the protected application program for programsaid control program in communication with a protection device attached to said computer system the protection device receiving an intrusion prevention specification from a remote intrusion protection service providerwhereinthe intrusion prevention specification specifies at least one target attribute to be recorded from a set of possible target attributes generated during a monitoring process by the monitor program;
- andthe intrusion prevention specification also specifies at least one monitoring criterion that triggers recording of at least one target attribute during the monitoring process;
  
  the monitor program record the at least one target attribute in response to detecting the at least one monitoring criterion produce an intrusion log by recording the at least one target attribute in response to detecting the at least one monitoring criterion.

35. A computer readable medium storing instructions for causing a computer to perform a process for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, the computer software to be protected being at least partly encrypted and communicating with a license container containing at least one cryptographic key and using the at least one cryptographic key for decrypting the protected software for execution;
- the process comprising;
  
  during execution of the protected software, searching for patterns of an intrusion into the protected software;
  
  detecting an intrusion into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access; and
  
  creating a signal on detection of an attack.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 36. The computer readable medium of claim 35, wherein the protected software comprises the original software code of an application program and software selected from the following group of types of software:
    - additional code, special operation codes, a security engine and control program code.
  - 37. The computer readable medium of claim 35, further comprising locking the license container by executing an arbitrary command in the protected software with predefined special values.
  - 38. The computer readable medium of claim 35, wherein analyzing the behavior of the protected software comprises analyzing the execution of application program interfaces (APIs) and comparing the number of header-executions to the number of trailer-executions.
  - 39. The computer readable medium of claim 35, wherein a protection device is attached to an interface of the computer system which includes the license container.
  - 40. The computer readable medium of claim 35, wherein analyzing the execution environment of the protected software on the computer system for identifying an intruding program includes examining other processes on the computer system for detecting predetermined patterns.
  - 41. The computer readable medium of claim 35, further comprising analyzing the protected software.
  - 42. The computer readable medium of claim 35, further comprising analyzing the behavior of the execution environment.
  - 43. The computer readable medium of claim 35, wherein analyzing the behavior of the protected software is comprised of analyzing the executing of special program parts or parts of the protected software code.
  - 44. The computer readable medium of claim 35, wherein analyzing the behavior of the protected software is comprised of measuring the timing used for the executing of the protected software and evaluating the measured results.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WIBU-Systems AG
Original Assignee
WIBU-Systems AG
Inventors
Kuegler, Ruediger, Buchheit, Marcellus, Winzenried, Oliver, Wichmann, Peer

Granted Patent

US 8,490,191 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/123   by using dedicated hardware...

G06F 21/14   against software analysis o...

G06F 21/54   by adding security routines...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2143   Clearing memory, e.g. to pr...

Method and System for Intrusion Detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

128 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Intrusion Detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links