METHOD AND APPARATUS FOR DETECTING MALICIOUS CODE IN AN INFORMATION HANDLING SYSTEM

US 20100095379A1
Filed: 02/27/2009
Published: 04/15/2010
Est. Priority Date: 08/30/2002
Status: Active Grant

First Claim

Patent Images

1-50. -50. (canceled)

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting malicious code on an information handling system includes executing malicious code detection code (MCDC) on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the MCDC. The detection routines associate weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code as a function of the weights associated by the detection routines. Computer-readable media and an information handling system are also disclosed.

Citations

72 Claims

1-50. -50. (canceled)

51. One or more computer-readable media storing program instructions executable by an information handling system to:
- scan a plurality of programs currently running on the information handling system, wherein each of the plurality programs is scanned while running on the information handling system in a manner that permits infection of the information handling system;
  
  wherein the scan includes, for each of the plurality of programs, executing a plurality of detection routines usable to categorize that program with respect to the likelihood of that program compromising the security of the information handling system.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 52. The computer-readable media of claim 51, wherein at least one of the plurality of programs currently running on the information system is a thread.
  - 53. The computer-readable media of claim 51, wherein the program instructions are executable, upon completion of the execution of the plurality of detection routines for a given one of the plurality of programs, to categorize the given program into one of a set of categories indicative of the likelihood of that program compromising the security of the information handling system, wherein the set of categories includes a first category indicative of malicious code and a second category indicative of valid code.
  - 54. The computer-readable media of claim 53, wherein the plurality of detection routines include a first set of detection routines that determine whether the program being scanned has at least one of characteristics and behaviors typically associated with malicious code and wherein the plurality of detection routines include a second set of detection routines that determine whether the program being scanned has at least one of characteristics and behaviors typically associated with valid code.
  - 55. The computer-readable media of claim 54, wherein the program instructions are executable to calculate, for the current program being scanned:
    - a first score using weights associated with those ones of the first set of detection routines that have results indicating that the current program has at least one of characteristics and behaviors typically associated with malicious code; and
      
      a second score using weights associated with those ones of the second set of detection routines that have results indicating that the current program has at least one of characteristics and behaviors typically associated with valid code;
      
      wherein the first and second scores are usable to categorize the current program being scanned into one of the set of categories.
  - 56. The computer-readable media of claim 51, wherein the plurality of detection routines include one or more detection routines that examine a binary image of the current program being scanned for one or more signatures.
  - 57. The computer-readable media of claim 51, wherein the plurality of detection routines include one or more detection routines that access an operating system of the information handling system on which the plurality of programs are running to determine information relating to the current program being scanned, wherein the access is made via one or more APIs of the operating system.
  - 58. The computer-readable media of claim 51, wherein the plurality of detection routines include one or more detection routines that access a memory of the information handling system to determine information relating to the current program being scanned.
  - 59. The computer-readable media of claim 51, wherein the plurality of detection routines include one or more detection routines that access a network connection of the information handling system to determine information relating to the current program being scanned.
  - 60. The computer-readable media of claim 51, wherein at least one of the plurality of programs is running in a kernel mode.
  - 61. The computer-readable media of claim 51, wherein the plurality of detection routines include one or more detection routines that interface with a device driver of the information handling system to determine information relating to the current program being scanned.
  - 62. The computer-readable media of claim 51, wherein the program instructions are executable by the information handling system to determine whether the current program being scanned is a Trojan horse.
  - 63. The computer-readable media of claim 51, wherein the plurality of detection routines include one or more detection routines to determine whether the current program being scanned is logging keystrokes of a user of the information handling system.
  - 64. The computer-readable media of claim 51, wherein the plurality of detection routines include one or more detection routines to determine whether the current program being scanned is uploading/downloading files from/to the information handling system.
  - 65. The computer-readable media of claim 51, wherein the program instructions are executable to perform a scan of currently running programs on an event-driven basis.

66. A method, comprising:
- scanning a plurality of programs currently running on an information handling system, wherein each of the plurality of programs is scanned while running on the information handling system in a manner that permits infection of the information handling system, wherein the scanning includes, for each of the currently running programs, executing a plurality of detection routines usable to categorize the potential security threat presented by that program; and
  
  upon completion of execution of the plurality of detection routines for a given one of the plurality of programs, using results of the plurality of detection routings to categorize the given program into one of a set of categories, wherein the set of categories includes at least two categories indicative of malicious and valid code, respectively.
- View Dependent Claims (67, 68, 69)
- - 67. The method of claim 66, wherein the scanning includes calculating, for the current program being scanned:
    - a first score determined using weights associated with those ones of the plurality of detection routines whose results indicate that the current program has at least one of characteristics and behaviors typically associated with malicious code; and
      
      a second score determined using weights associated with those ones of the plurality of detection routines whose results indicate that the current program has at least one of characteristics and behaviors typically associated with valid code.
  - 68. The method of claim 66, further comprising performing the scanning on an event-driven basis.
  - 69. The method of claim 66, wherein the plurality of detection routines include one or more detection routines that examine a binary image of the current program being scanned for one or more signatures, and include one or more detection routines that access an operating system of the information handling system on which the plurality of programs are running to determine information relating to the current program being scanned.

70. An information handling system, comprising:
- a central processing unit (CPU);
  
  a memory storing program instructions executable by the CPU to;
  
  scan a plurality of programs currently running on the information handling system, wherein each of the plurality of programs is scanned while running on the information handling system in a manner that permits infection of the information handling system;
  
  wherein the scan includes, for each of the currently running programs, executing a plurality of detection routines usable to categorize that program with respect to the likelihood of that program compromising the security of the information handling system.
- View Dependent Claims (71, 72)
- - 71. The information handling system of claim 70, wherein the scan includes calculating, for the current program being scanned:
    - a first score calculated using weights associated with those ones of the plurality of detection routines that return results indicating that the current program has at least one of characteristics and behaviors typically associated with malicious code; and
      
      a second score calculated using weights associated with those ones of the plurality of detection routines that return results indicating that the current program has at least one of characteristics and behaviors typically associated with valid code;
      
      wherein the program instructions are further executable to use the first and second scores to categorize the current program being scanned into one of a set of categories including a first category indicative of malicious code and a second category indicative of valid code.
  - 72. The information handling system of claim 70, wherein the information handling system is configurable to perform a scan of currently running programs on an event-driven basis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Andy Payne, Mark Obrecht, Michael Tony Alagna
Original Assignee
Andy Payne, Mark Obrecht, Michael Tony Alagna
Inventors
Alagna, Michael Tony, Obrecht, Mark, Payne, Andy

Granted Patent

US 7,930,751 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

METHOD AND APPARATUS FOR DETECTING MALICIOUS CODE IN AN INFORMATION HANDLING SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

72 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR DETECTING MALICIOUS CODE IN AN INFORMATION HANDLING SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

72 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links