Discrimination of malicious changes to digital information using multiple signatures

US 5,572,590 A
Filed: 04/12/1994
Issued: 11/05/1996
Est. Priority Date: 04/12/1994
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method for determining whether changes to a set of digital information are innocent or malicious, comprising the steps of:

using a reference separation algorithm, separating the set of digital information into a plurality of reference subsets of digital information, the step of separating the set of digital information into reference subsets being done at a reference time;

using a reference selection algorithm, selecting a plurality of the reference subsets;

using a reference information algorithm associated with each respective selected reference subset, deriving characteristic reference subset information from the respective selected reference subset;

storing the derived characteristic reference subset information;

using a test separation algorithm, separating the set of digital information into a plurality of test subsets of digital information, the step of separating the set of digital information into test subsets being done at a test time, the test time being later than the reference time;

using a test selection algorithm, selecting a plurality of the test subsets, each selected test subset corresponding to a selected reference subset;

using a test information algorithm associated with each respective selected test subset, deriving characteristic test subset information from the respective selected test subset;

comparing the derived characteristic test subset information to the derived characteristic reference subset information to produce a set of differences; and

analyzing the set of differences in accordance with a set of rules to determine whether the set of digital information at test time is changed from the set of digital information at reference time and if changed to determine whether the change is considered malicious or innocent, each of said rules specifying a particular combination of the selected test subsets, and specifying a state for the characteristic information of each selected test subset of each said particular combination relative to the characteristic information of each corresponding selected reference subset, and specifying for each said particular combination having its selected test subsets in said specified stake either a malicious conclusion or an innocent conclusion.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present system and method uses information about digital information (objects) to determine whether or not changes to the objects were caused by a normal system operation or by a malicious program. The invention uses a reference separation algorithm to separate, at a reference time, one or more digital objects into a plurality of reference subsets of information that describe the object contents. A plurality of these reference subsets are then selected by a selection algorithm and information associated with each selected reference subset is stored. At some later time, called the test time, a test separation algorithm is used to separate the digital signatures of the object into a plurality of test subsets of information that describe the object contents at test time. A plurality of these test subsets are then selected by the test selection algorithm. A test information algorithm that is associated with each selected test subset then develops test subset information about the respective a test subset. The test subset information and the reference subset information is then compared to develop a set of differences. Rules are applied to the set of differences to determine whether the digital information at test time was changed (maliciously) from the digital information at reference time.

175 Citations

14 Claims

1. A computer implemented method for determining whether changes to a set of digital information are innocent or malicious, comprising the steps of:
- using a reference separation algorithm, separating the set of digital information into a plurality of reference subsets of digital information, the step of separating the set of digital information into reference subsets being done at a reference time;
  
  using a reference selection algorithm, selecting a plurality of the reference subsets;
  
  using a reference information algorithm associated with each respective selected reference subset, deriving characteristic reference subset information from the respective selected reference subset;
  
  storing the derived characteristic reference subset information;
  
  using a test separation algorithm, separating the set of digital information into a plurality of test subsets of digital information, the step of separating the set of digital information into test subsets being done at a test time, the test time being later than the reference time;
  
  using a test selection algorithm, selecting a plurality of the test subsets, each selected test subset corresponding to a selected reference subset;
  
  using a test information algorithm associated with each respective selected test subset, deriving characteristic test subset information from the respective selected test subset;
  
  comparing the derived characteristic test subset information to the derived characteristic reference subset information to produce a set of differences; and
  
  analyzing the set of differences in accordance with a set of rules to determine whether the set of digital information at test time is changed from the set of digital information at reference time and if changed to determine whether the change is considered malicious or innocent, each of said rules specifying a particular combination of the selected test subsets, and specifying a state for the characteristic information of each selected test subset of each said particular combination relative to the characteristic information of each corresponding selected reference subset, and specifying for each said particular combination having its selected test subsets in said specified stake either a malicious conclusion or an innocent conclusion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method, as in claim 1, where the information generated by the reference information algorithm and the test information algorithm includes information about the structure of the reference and test subsets.
  - 3. A method, as in claim 1, where the information generated by the reference information algorithm and the test information algorithm includes other system-maintained information about the reference and test subsets.
  - 4. A method, as in claim 2, where the reference information algorithm and the test information algorithm are the same for each respective reference and test subset.
  - 5. A method, as in claim 1, where the information generated by the reference information algorithm and the test information algorithm comprises signature information about the reference and test subsets.
  - 6. A method, as in claim 5, where the reference information algorithm and the test information algorithm are the same for each respective reference and test subset.
  - 7. A method, as in claim 1, where the reference and test subsets include the entire set of digital information.
  - 8. A method, as in claim 1, where the rules establish that the change is malicious if the set of differences indicates that the entry point to the set of digital information has been moved, but that most of the information has remained the same.
  - 9. A method, as claim 1, where the rules establish that a simple patch has occurred and the change is not malicious if the set of differences indicates that the size of the set of information has remained the same and the entrypoint information has not changed but that one area of the set of information has changed.
  - 10. A method, as in claim 1, where the digital information is a structured object and the separation algorithms separate the object into reference and test subsets comprising fixed-sized blocks.
  - 11. A method, as in claim 1, where the digital information is a file with multiple resource forks and the separation algorithms separate the forks into separate subsets.
  - 12. A method, as in claim 1, where the test separation algorithm uses information from the stored reference subset information to determine how to separate the digital data at test time.

13. A computer implemented system for determining whether changes to a set of digital information are innocent or malicious, comprising:
- a computer having a data storage element and a platform for executing one or more application programs; and
  
  an application program comprising means for implementing the steps of;
  
  using a reference separation algorithm, separating the set of digital information into a plurality of reference subsets of digital information, the step of separating the set of digital information into reference subsets being done at a reference time;
  
  using a reference selection algorithm, selecting a plurality of the reference subsets;
  
  using a reference information algorithm associated with each respective selected reference subset, deriving characteristic reference subset information from the respective selected reference subset;
  
  storing the derived characteristic reference subset information;
  
  using a test separation algorithm, separating the set of digital information into a plurality Of test subsets of digital information, the step of separating the set of digital information into test subsets being done at a test time, the test time being later than the reference time;
  
  using a test selection algorithm, selecting a plurality of the test subsets, each selected test subset corresponding to a selected reference subset;
  
  using a test information algorithm associated with each respective selected test subset, deriving characteristic test subset information from the respective selected test subset;
  
  comparing the derived characteristic test subset information to the derived characteristic reference subset information to produce a set of differences; and
  
  analyzing the set of differences in accordance with a set of rules to determine whether the set of digital information at test time is changed from the set of digital information at reference time and if changed to determine whether the change is considered malicious or innocent, each of said rules specifying a particular combination of the selected test subsets, and specifying a state for the characteristic information of each selected test subset of each said particular combination relative to the characteristic information of each corresponding selected reference subset, and specifying for each said particular combination having its selected test subsets in said specified state either a malicious conclusion or an innocent conclusion.
- View Dependent Claims (14)
- - 14. A system, as in claim 13, further comprising:
    - a link connecting the system to one or more other computers, whereby the application program determines whether or not digital information sent to the computer system over the link has been changed maliciously.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation, Misonix Incorporated (Smith & Nephew PLC)
Original Assignee
International Business Machines Corporation
Inventors
Chess, David M.
Primary Examiner(s)
Tarcza, Thomas H.
Assistant Examiner(s)
SAYADIAN, HRAYR

Application Number

US08/226,610
Time in Patent Office

938 Days
Field of Search

380/4, 380/3, 380/5, 380/23, 380/24, 380/25, 395/186, 371/40.1, 371/51.1
US Class Current

726/22
CPC Class Codes

G06F 21/565   by checking file integrity

G06F 21/64   Protecting data integrity, ...

G06F 2211/007   Encryption, En-/decode, En-...

G11B 20/00086   Circuits for prevention of ...

Discrimination of malicious changes to digital information using multiple signatures

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

175 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Discrimination of malicious changes to digital information using multiple signatures

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links