Method, System, and Computer Program Product for Malware Detection, Analysis, and Response

US 20110047618A1
Filed: 10/18/2007
Published: 02/24/2011
Est. Priority Date: 10/18/2006
Status: Abandoned Application

First Claim

Patent Images

1. A computerized method for detecting malware by observing behavior of a computer system in actual program execution from outside of a host operating system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer program product for detecting malware from outside the host operating system using a disk, virtual machine, or combination of the two. The method, system, and computer program product detects malware at the disk level while computer files in the host operating system are in actual program execution by identifying characteristic malware properties and behaviors associated with the disk requests made. The malware properties and behaviors are identified by using rules that can reliably detect file-infecting viruses. The method, system, and computer program product also uses the disk processor to provide accelerated scanning of virus signatures, which substantially decreases overhead incurred on the host operating system by existing malware detection techniques. In the event that malware is detected, the method, system, and computer program product can respond by limiting the negative effects caused by the malware and help the system recover to its normal state.

119 Citations

63 Claims

1. A computerized method for detecting malware by observing behavior of a computer system in actual program execution from outside of a host operating system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein said observing of the behavior comprises:
    - intercepting requests that are destined for computer disk; and
      
      inferring corresponding file system actions.
  - 3. The method of claim 2, wherein said intercepting disk requests comprises viewing the read and write operations sent from the host to the disk.
  - 4. The method of claim 3, wherein said inferring file system actions comprises analyzing said intercepted disk requests to identify malware behaviors.
  - 5. The method if claim 4, wherein said analyzing comprises applying predetermined screening rules.
  - 6. The method of claim 5, wherein said application of predetermined screening rules comprises at least one of the following:
    - rules for detecting infections of Windows executable files based on the known structure of executable files and the steps needed to successfully infect an executable file, rules for detecting suspicious modifications to core system files and other critical files, and rules recognizing behavior of known malicious programs based on their disk access patterns, or any combination thereof.
  - 7. The method of claim 1, further comprising responding to said malware detection.
  - 8. The method of claim 7, wherein said response comprises the halting of the intercepted disk request.
  - 9. The method of claim 8, wherein said halting comprises disallowing writes that are determined to be malicious.
  - 10. The method of claim 7, wherein said response comprises providing notification to host operating system, remote system, or a user, producing a log file, changing behavior of the disk, sending messages over the network, or any combination thereof.
  - 11. The malware detection system of claim 1 wherein the computerized method is implemented on the said computer disk.
  - 12. The method of claim 11 wherein said implementation is executed by a processor on said computer disk.
  - 13. The malware detection system of claim 1 wherein the computerized method is implemented on a virtual machine outside of the operating system.
  - 14. The malware detection system of claim 1 wherein the computerized method is implemented on both a virtual machine outside of the operating system and on the said computer disk.
  - 15. The method of claim 1, wherein said malware comprises at least one of the following:
    - Computer viruses, worms, Trojan horses, spyware, dishonest adware, and other malicious and unwanted software, or combinations thereof.
  - 16. The method of claim 1, wherein said computer disk comprises any digital storage system such as a hard disk, USB disk, network disk, disk array controller, or storage appliance.

17. A computerized detection system for detecting malware, wherein said computerized detection system observes behavior of a host computer system in actual program execution from outside of a host operating system of the host computer system.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The computerized detection system of claim 17, wherein said observing of the behavior comprises:
    - intercepting requests that are destined for computer disk; and
      
      inferring corresponding file system actions.
  - 19. The computerized detection system of claim 18, wherein said intercepting disk requests comprises viewing the read and write operations sent from the host to the disk.
  - 20. The computerized detection system of claim 19, wherein said inferring file system actions comprises analyzing said intercepted disk requests to identify malware behaviors.
  - 21. The computerized detection system of claim 20, wherein said analyzing comprises:
    - applying predetermined screening rules.
  - 22. The computerized detection system of claim 21, wherein said application of predetermined screening rules comprises at least one of the following:
    - rules for detecting infections of Windows executable files based on the known structure of executable files and the steps needed to successfully infect an executable file, rules for detecting suspicious modifications to core system files and other critical files, and rules recognizing behavior of known malicious programs based on their disk access patterns, or any combination thereof.
  - 23. The computerized detection system of claim 17, further comprising responding to said malware detection.
  - 24. The computerized detection system of claim 23, wherein said response comprises:
    - the halting of the intercepted disk request.
  - 25. The computerized detection system of claim 24, wherein said halting comprises disallowing writes that are determined to be malicious.
  - 26. The computerized detection system of claim 23, wherein said response comprises providing notification to host operating system, remote system, or a user, producing a log file, changing behavior of the disk, sending messages over the network, or any combination thereof.
  - 27. The computerized detection system of claim 17, wherein said computerized system comprises a computer disk.
  - 28. The computerized detection system of claim 27, wherein said computerized system comprises a processor on a computer disk.
  - 29. The computerized detection system of claim 17 wherein the computerized detection system comprises a virtual machine outside of the operating system.
  - 30. The computerized detection system of claim 17 wherein the computerized detection system comprises both a virtual machine outside of the host operating system and a computer disk.
  - 31. The computerized detection system of claim 17, wherein said malware comprises at least one of the following:
    - Computer viruses, worms, Trojan horses, spyware, dishonest adware, and other malicious and unwanted software, or combinations thereof.
  - 32. The computerized detection system of claim 17, wherein said computer disk comprises any digital storage system such as a hard disk, USB disk, network disk, disk array controller, or storage appliance.

33. A computer program product comprising a computer useable medium having a computer program logic for enabling one processor to detect malware, said computer program logic comprising:
- observing behavior of a computer system in actual program execution from outside of a host operating system.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 34. The computer program product of claim 33, wherein said observing of the behavior comprises:
    - intercepting requests that are destined for computer disk; and
      
      inferring corresponding file system actions.
  - 35. The computer program product of claim 34, wherein said intercepting disk requests comprises viewing the read and write operations sent from the host to the disk.
  - 36. The computer program product of claim 35, wherein said inferring file system actions comprises analyzing said intercepted disk requests to identify malware behaviors.
  - 37. The computer program product code if claim 36, wherein said analyzing comprises applying predetermined screening rules.
  - 38. The computer program product of claim 37, wherein said application of predetermined screening rules comprises at least one of the following:
    - rules for detecting infections of Windows executable files based on the known structure of executable files and the steps needed to successfully infect an executable file, rules for detecting suspicious modifications to core system files and other critical files, and rules recognizing behavior of known malicious programs based on their disk access patterns, or any combination thereof.
  - 39. The computer program product of claim 33, further comprising responding to said malware detection.
  - 40. The computer program product of claim 39, wherein said response comprises the halting of the intercepted disk request.
  - 41. The computer program product of claim 40, wherein said halting comprises disallowing writes that are determined to be malicious.
  - 42. The computer program product of claim 39, wherein said response comprises providing notification to host operating system, remote system, or a user, producing a log file, changing behavior of the disk, sending messages over the network, or any combination thereof.
  - 43. The computer program product of claim 33 wherein the computer program product code utilizes the said computer disk.
  - 44. The computer program product of claim 43 wherein said utilization involves execution by a processor on said computer disk.
  - 45. The computer program product of claim 33 wherein the computer program product code utilizes a virtual machine outside of the operating system.
  - 46. The computer program product of claim 33 wherein the computer program product code is utilized on both a virtual machine outside of the operating system and on the said computer disk.
  - 47. The computer program product of claim 33, wherein said malware comprises at least one of the following:
    - computer viruses, worms, trojan horses, spyware, dishonest adware, and other malicious and unwanted software, or combinations thereof.
  - 48. The computer program product of claim 33, wherein said computer disk comprises any digital storage system such as a hard disk, USB disk, network disk, disk array controller, or storage appliance.

49. A computerized method for detecting malware by using a computer disk to accelerate malware signature scanning from outside of a host operating system.
- View Dependent Claims (50, 51, 52, 53)
- - 50. The method of claim 49, wherein accelerated scanning procedures are implemented on the computer disk to filter said intercepted disk requests.
  - 51. The method of claim 50, wherein said filtering comprises any type of algorithm that can be used in malware detection.
  - 52. The method of claim 51, wherein said algorithm comprises an RE-tree application.
  - 53. The method of claim 52, wherein said RE-trees comprise hierarchical tree-based data structures that provide efficient indexing for regular expressions.

54. A computerized detection system for detecting malware, wherein said computerized detection system using a computer disk to accelerate malware signature scanning from outside of a host operating system of the host computer system.
- View Dependent Claims (55, 56, 57, 58)
- - 55. The computerized detection system of claim 54, wherein accelerated scanning procedures are implemented on the computer disk to filter said intercepted disk requests.
  - 56. The computerized detection system of claim 55, wherein said filtering comprises any type of algorithm that can be used in malware detection.
  - 57. The computerized detection system of claim 56, wherein said algorithm comprises an RE-tree application.
  - 58. The computerized detection system of claim 57, wherein said RE-trees comprise hierarchical tree-based data structures that provide efficient indexing for regular expressions.

59. A computer program product Comprising a computer useable medium having a computer program logic for enabling one processor to detect malware, said computer program logic comprises:
- using a computer disk to accelerate malware signature scanning from outside of a host operating system.
- View Dependent Claims (60, 61, 62, 63)
- - 60. The computer program product of claim 59, wherein accelerated scanning procedures are implemented on the computer disk to filter said intercepted disk requests.
  - 61. The computer program product of claim 60, wherein said filtering comprises any type of algorithm that can be used in malware detection.
  - 62. The computer program product code of claim 61, wherein said algorithm comprises an RE-tree application.
  - 63. The computer program product of claim 62, wherein said RE-trees comprise hierarchical tree-based data structures that provide efficient indexing for regular expressions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Virginia Patent Foundation (University of Virginia)
Original Assignee
University of Virginia Patent Foundation (University of Virginia)
Inventors
Felt, Adrienne P., Gurumurthi, Sudhanva, Paul, Nathanael R., Evans, David E.

Application Number

US12/445,889
Publication Number

US 20110047618A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Method, System, and Computer Program Product for Malware Detection, Analysis, and Response

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

119 Citations

63 Claims

Specification

Solutions

Use Cases

Quick Links

Method, System, and Computer Program Product for Malware Detection, Analysis, and Response

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

63 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links