SYSTEM FOR AUTOMATIC DETECTION OF SPYWARE

US 20100071063A1
Filed: 11/28/2007
Published: 03/18/2010
Est. Priority Date: 11/29/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting spyware on a computer comprising the steps of(a) in a computer having a known clean state, identifying a set of standard output packets generated by the computer in response to a given set of user inputs;

(b) in a computer having an unknown state, monitoring output packets in response to the given set of user inputs to identify differences between the standard output packets and those output packets; and

(c) based on the differences, assess likelihood that the computer having an unknown state is infected with spyware.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automatic system for spyware detection and signature generation compares packets of output from a computer in response to standard user inputs, to packets of a standard output set derived from a known clean machine. Differences between these two packet sets are analyzed with respect to whether they relate to unknown web servers and whether they incorporate user-derived information. This analysis is used to provide an automatic detection of and signature generation for spyware infecting the machine.

37 Citations

View as Search Results

24 Claims

1. A method of detecting spyware on a computer comprising the steps of(a) in a computer having a known clean state, identifying a set of standard output packets generated by the computer in response to a given set of user inputs;
- (b) in a computer having an unknown state, monitoring output packets in response to the given set of user inputs to identify differences between the standard output packets and those output packets; and
  
  (c) based on the differences, assess likelihood that the computer having an unknown state is infected with spyware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein step (c) determines whether the differences in output packets include output packets having an unknown server addresses.
  - 3. The method of claim 1 wherein step (c) determines whether the differences in output packets include output packets that have data correlated with the given set of user inputs.
  - 4. The method of claim 3 wherein step (c) determines whether the differences in output packets include output packets that have data correlated with the given set of user inputs;
    - and;
      
      including the step of assessing a threat level based on whether the differences in outputpackets include both one or none of an unknown server address and data correlated with the given set of user inputs.
  - 5. The method of claim 1 wherein the user inputs are automatically generated by a program running on the computer.
  - 6. The method of claim 1 wherein the given set of user inputs is selected from a set of common server addresses.
  - 7. The method of claim 1 wherein the given set is obtained by analyzing executable programs on the computer for URL values.
  - 8. The method of claim 1 wherein the computer having a known clean state and the computer having an unknown state are the same computer hardware at different times with different loaded programs.
  - 9. The method of claim 1 wherein the computer having a known clean state and the computer having an unknown state are the same computer hardware simultaneously running different instances of a program.
  - 10. The method of claim 9 wherein the different instances of a program include two instances of a browser where one instance provides no packet outputs and will not accept plug in programs.
  - 11. The method of claim 1 wherein the computer having a known clean state and the computer having an unknown state are different computer hardware initialized with the same software before step (b).
  - 12. The method of claim 1 further including the step of extracting a signature from the differences and providing it to a monitoring program.
  - 13. The method of claim 12 wherein the signature is a longest common subsequence of the differences.
  - 14. The method of claim 1 further including the step of performing steps (b) and (c) periodically according to time.
  - 15. The method of claim 1 further including the step of performing steps (b) and (c) upon a loading of new programs into the computer of unknown state.
  - 16. At least one computer executing a stored program to perform the method of claim 1.

17. A method automatically generating signatures of spyware comprising the steps of:
- (a) in a computer having a known clean state, identifying a set of standard output packets generated by the computer in response to a given set of user inputs;
  
  (b) in a computer having an unknown state, monitoring output packets in response to thegiven set of user inputs to identify differences between the standard output packets those output packets; and
  
  (c) extracting a signature based on the differences for use in a network monitor.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The method of claim 17 wherein step (c) extracts signatures depending on whether the differences in output packets include output packets having an unknown server address.
  - 19. The method of claim 17 wherein step (c) extracts signatures depending on whether the differences in output packets include output packets that have data correlated with the given set of user inputs.
  - 20. The method of claim 19 wherein step (c) determines whether the differences in output packets include output packets that have data correlated with the given set of user inputs;
    - andwherein step (c) extracts signatures depending on when whether the differences in outputpackets include output packets that have data correlated with the given set of user inputs and whether output packets include output packets having an unknown server address.
  - 21. The method of claim 17 wherein the user inputs are automatically generated by a program running on the computer.
  - 22. The method of claim 17 wherein the given set of user inputs is selected from a set of common server addresses.
  - 23. The method of claim 17 wherein the signature is a longest common subsequence of the differences.
  - 24. At least one computer executing a stored program to perform the method of claim 17.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wisconsin Alumni Research Foundation (University of Wisconsin System)
Original Assignee
Wisconsin Alumni Research Foundation (University of Wisconsin System)
Inventors
Ganapathy, Vinod, Wang, Hao, Jha, Somesh

Application Number

US12/515,843
Publication Number

US 20100071063A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0236   Filtering by address, proto...

H04L 63/145   the attack involving the pr...

SYSTEM FOR AUTOMATIC DETECTION OF SPYWARE

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM FOR AUTOMATIC DETECTION OF SPYWARE

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links