Discrimination of malicious changes to digital information using multiple signatures
First Claim
1. A computer implemented method for determining whether changes to a set of digital information are innocent or malicious, comprising the steps of:
using a reference separation algorithm, separating the set of digital information into a plurality of reference subsets of digital information, the step of separating the set of digital information into reference subsets being done at a reference time;
using a reference selection algorithm, selecting a plurality of the reference subsets;
using a reference information algorithm associated with each respective selected reference subset, deriving characteristic reference subset information from the respective selected reference subset;
storing the derived characteristic reference subset information;
using a test separation algorithm, separating the set of digital information into a plurality of test subsets of digital information, the step of separating the set of digital information into test subsets being done at a test time, the test time being later than the reference time;
using a test selection algorithm, selecting a plurality of the test subsets, each selected test subset corresponding to a selected reference subset;
using a test information algorithm associated with each respective selected test subset, deriving characteristic test subset information from the respective selected test subset;
comparing the derived characteristic test subset information to the derived characteristic reference subset information to produce a set of differences; and
analyzing the set of differences in accordance with a set of rules to determine whether the set of digital information at test time is changed from the set of digital information at reference time and, if changed, to determine whether the change is considered malicious or innocent, each of said rules specifying a particular combination of the selected test subsets, and specifying a state for the characteristic information of each selected test subset of each said particular combination relative to the characteristic information of each corresponding selected reference subset, and specifying for each said particular combination having its selected test subsets in said specified state either a malicious conclusion or an innocent conclusion.
Abstract
The present system and method uses information about digital information (objects) to determine whether changes to the objects were caused by normal system operation or by a malicious program. A reference separation algorithm separates, at a reference time, one or more digital objects into a plurality of reference subsets of information that describe the object contents. A selection algorithm selects a plurality of these reference subsets, and the characteristic information derived from each selected reference subset is stored. At some later time, called the test time, a test separation algorithm separates the object into a plurality of test subsets of information that describe the object contents at test time. A test selection algorithm selects a plurality of these test subsets, and a test information algorithm associated with each selected test subset derives test subset information from that subset. The test subset information is compared with the stored reference subset information to produce a set of differences. Rules are applied to the set of differences to determine whether the digital information at test time has changed from the digital information at reference time and, if so, whether the change is malicious or innocent.
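The following is an added worked example, written for this page and not taken from the patent or any product embodying it. It implements the sequence the claim and abstract describe: one separation algorithm splits an object into named subsets, a selection list picks which subsets count, a per-subset information algorithm derives characteristic information (a digest, raw bytes, or a length), the test-time information is compared with the stored reference information to produce a set of changed/unchanged states, and an ordered rule table maps combinations of those states to a conclusion. The container layout (`EXMP` magic, version, code length, code, data), the choice of subsets, the digest and length algorithms, the rule table and the sample objects are all assumptions made for the example; the patent prescribes none of them.

```python
import hashlib
from dataclasses import dataclass

CHANGED, UNCHANGED = "changed", "unchanged"
MAGIC = b"EXMP"  # constructed container format for this example, not a real one


def build(version: int, code: bytes, data: bytes) -> bytes:
    """Construct a sample object: magic, 4-byte version, 4-byte code length,
    code region, data region. Used only to fabricate inputs for the demo."""
    return MAGIC + version.to_bytes(4, "big") + len(code).to_bytes(4, "big") + code + data


def separate(blob: bytes) -> dict[str, bytes]:
    """Separation algorithm: split one object into named subsets. The same
    routine serves as the reference and the test separation algorithm here."""
    if len(blob) < 12 or blob[:4] != MAGIC:
        raise ValueError("not a recognised container")
    code_len = int.from_bytes(blob[8:12], "big")
    if 12 + code_len > len(blob):
        raise ValueError("code region runs past end of object")
    return {
        "header": blob[:8],
        "code": blob[12:12 + code_len],
        "data": blob[12 + code_len:],
        "whole": blob,
    }


# Selection algorithm: a fixed list of the subsets to characterise.
SELECTED = ("header", "code", "data", "whole")

# One information algorithm per selected subset: raw bytes for the tiny
# header, SHA-256 for the bulk regions, only the length for the whole object.
INFO_ALGORITHMS = {
    "header": lambda b: b.hex(),
    "code": lambda b: hashlib.sha256(b).hexdigest(),
    "data": lambda b: hashlib.sha256(b).hexdigest(),
    "whole": lambda b: len(b),
}


def derive(blob: bytes) -> dict[str, object]:
    """Characteristic information for every selected subset of one object."""
    subsets = separate(blob)
    return {name: INFO_ALGORITHMS[name](subsets[name]) for name in SELECTED}


def compare(reference: dict[str, object], test: dict[str, object]) -> dict[str, str]:
    """Set of differences: one changed/unchanged state per selected subset."""
    return {name: UNCHANGED if reference[name] == test[name] else CHANGED
            for name in SELECTED}


@dataclass
class Rule:
    states: dict[str, str]  # subset name -> required state; omitted = don't care
    conclusion: str


# Illustrative rule table (an assumption, not the patent's rules), tried in
# order; the first rule whose states all hold supplies the conclusion.
RULES = [
    Rule({name: UNCHANGED for name in SELECTED}, "unchanged"),
    # Only the data region differs: a configuration edit, treated as innocent.
    Rule({"header": UNCHANGED, "code": UNCHANGED, "data": CHANGED}, "innocent"),
    # Code changed together with the version header: a normal update.
    Rule({"header": CHANGED, "code": CHANGED}, "innocent"),
    # Code changed while the version header did not: a silent code patch,
    # whether in place (length kept) or appended (length grows).
    Rule({"header": UNCHANGED, "code": CHANGED}, "malicious"),
]


def classify(differences: dict[str, str], rules=RULES) -> str:
    for rule in rules:
        if all(differences[name] == state for name, state in rule.states.items()):
            return rule.conclusion
    return "suspicious"  # no rule matched: escalate rather than guess


def assess(reference_info: dict[str, object], test_blob: bytes, rules=RULES):
    """Test-time pass: derive, compare against the stored reference, apply rules."""
    differences = compare(reference_info, derive(test_blob))
    return differences, classify(differences, rules)


if __name__ == "__main__":
    code = b"\x55\x48\x89\xe5\xc3"                 # constructed sample code bytes
    reference = derive(build(1, code, b"cfg=1"))   # stored at reference time
    for label, blob in [
        ("in-place code patch", build(1, b"\x55\x48\x89\xe5\xcc", b"cfg=1")),
        ("versioned update", build(2, code + b"\x90", b"cfg=1")),
        ("config edit", build(1, code, b"cfg=2")),
        ("appended code", build(1, code + b"\xeb\xfe", b"cfg=1")),
    ]:
        print(label, assess(reference, blob))
```

The point the multi-subset design buys over a single whole-file hash is visible in the first sample: a same-length patch to the code region leaves the `whole` length unchanged, so a rule that only watched size would miss it, while the combination "code changed, header unchanged" is what the rule table treats as malicious. The fallback conclusion for an unmatched combination is deliberately "suspicious" rather than a guess either way.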
14 Claims
1. As set out under First Claim above. Claims 2 to 12 depend from claim 1.
13. A computer implemented system for determining whether changes to a set of digital information are innocent or malicious, comprising:
a computer having a data storage element and a platform for executing one or more application programs; and
an application program comprising means for implementing the steps of:
using a reference separation algorithm, separating the set of digital information into a plurality of reference subsets of digital information, the step of separating the set of digital information into reference subsets being done at a reference time;
using a reference selection algorithm, selecting a plurality of the reference subsets;
using a reference information algorithm associated with each respective selected reference subset, deriving characteristic reference subset information from the respective selected reference subset;
storing the derived characteristic reference subset information;
using a test separation algorithm, separating the set of digital information into a plurality of test subsets of digital information, the step of separating the set of digital information into test subsets being done at a test time, the test time being later than the reference time;
using a test selection algorithm, selecting a plurality of the test subsets, each selected test subset corresponding to a selected reference subset;
using a test information algorithm associated with each respective selected test subset, deriving characteristic test subset information from the respective selected test subset;
comparing the derived characteristic test subset information to the derived characteristic reference subset information to produce a set of differences; and
analyzing the set of differences in accordance with a set of rules to determine whether the set of digital information at test time is changed from the set of digital information at reference time and, if changed, to determine whether the change is considered malicious or innocent, each of said rules specifying a particular combination of the selected test subsets, and specifying a state for the characteristic information of each selected test subset of each said particular combination relative to the characteristic information of each corresponding selected reference subset, and specifying for each said particular combination having its selected test subsets in said specified state either a malicious conclusion or an innocent conclusion.
Claim 14 depends from claim 13.
Specification