Detection of computer viruses spanning multiple data streams

US 6,006,329 A
Filed: 08/11/1997
Issued: 12/21/1999
Est. Priority Date: 08/11/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for detecting a computer virus, the method comprising:

identifying a plurality of data streams to be scanned;

scanning the plurality of data streams to detect the presence of components of the computer virus;

producing a scan result indicating which of the components of the computer virus were detected;

evaluating a Boolean expression representing the computer virus to determine whether the scan result satisfies the Boolean expression; and

in response to the Boolean expression being satisfied, determining that the computer virus exists in the plurality of data streams.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system (100) and method detect computer viruses spanning multiple data streams. A virus signature is written in the form of a Boolean expression, where the operands of the Boolean expression are signatures of components of the virus. A processor (110) identifies data streams to be scanned and scans the identified data streams for components of viruses. Using the scan results, the processor (110) then evaluates the virus signatures, and, for any Boolean expression satisfied, the processor (110) determines that the virus corresponding to the expression exists in the scanned data streams.

129 Citations

18 Claims

1. A method for detecting a computer virus, the method comprising:
- identifying a plurality of data streams to be scanned;
  
  scanning the plurality of data streams to detect the presence of components of the computer virus;
  
  producing a scan result indicating which of the components of the computer virus were detected;
  
  evaluating a Boolean expression representing the computer virus to determine whether the scan result satisfies the Boolean expression; and
  
  in response to the Boolean expression being satisfied, determining that the computer virus exists in the plurality of data streams.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - in response to the Boolean expression not being satisfied, determining that the computer virus does not exist in the plurality of data streams.
  - 3. The method of claim 1, wherein the Boolean expression includes an operand which is a signature of one of the components.
  - 4. The method of claim 1, wherein the Boolean expression includes operands selectively combined by Boolean operators, each of the operands being a signature of a different one of the components.
  - 5. The method of claim 1, wherein the Boolean expression includes at least one operand, wherein each operand is a signature of a different one of the components, and wherein, in response to there being more than one operand, the Boolean expression includes at least one Boolean operator to selectively combine the operands.
  - 6. The method of claim 5, wherein the step of evaluating a Boolean expression includes performing a Boolean operation, specified by the Boolean operator, on at least one operand.
  - 7. The method of claim 5, wherein the step of evaluating a Boolean expression comprises:
    - (a) identifying a first operand from the Boolean expression;
      
      (b) determining whether the first operand was detected during the scanning step;
      
      (c) in response to the first operand being detected during the scanning step, pushing a true indication onto an evaluation stack;
      
      (d) in response to the first operand not being detected during the scanning step, pushing a false indication onto the evaluation stack;
      
      (e) determining whether a next item in the Boolean expression is an operand, a Boolean operator or an end indication;
      
      (f) in response to the next item being an operand, repeat steps (b) through (d) using the next item instead of the first operand;
      
      (g) in response to the next item being a Boolean AND operator, performing a Boolean AND operation on the top two values of the evaluation stack;
      
      (h) in response to the next item being a Boolean OR operation, performing a Boolean OR operation on the top two values of the evaluation stack;
      
      (i) in response to the next item being a Boolean NOT operation, performing a Boolean NOT operation on the top value of the evaluation stack;
      
      (j) in response to having performed a Boolean operation in steps (g), (h) or (i), returning to step (e);
      
      (k) in response to the next item being the end indication, checking the top value of the evaluation stack;
      
      (l) in response top value being a TRUE indication, determining that the Boolean expression is satisfied; and
      
      (m) in response to the top value being a FALSE indication, determining that the Boolean expression is not satisfied.
  - 8. A computer program embodied in a tangible medium and capable of being read by a computer for performing the method of claim 1.

9. A method for detecting a computer virus, the method comprising:
- scanning a plurality of data streams to detect the presence of components of the computer virus;
  
  producing a scan result indicating which of the components of the computer virus were detected;
  
  evaluating a Boolean expression representing the computer virus to determine whether the scan result satisfies the Boolean expression, wherein the Boolean expression includes an indication of an absence of a component not present in the computer virus and wherein evaluating the Boolean expression includes determining whether the component not present in the computer virus was detected during the scanning step; and
  
  in response to the Boolean expression being satisfied, determining that the computer virus exists in the plurality of data streams.

10. A method for creating a signature of a computer virus, the method comprising:
- dividing a computer virus into at least two components;
  
  creating a signature for each of a select number of the components;
  
  selectively combining the signatures of the select components to create the signature of the computer virus;
  
  identifying a component not present in the computer virus but present in another computer virus;
  
  creating an indication of an absence of the component not present in the computer virus but present in another computer virus; and
  
  adding the indication of the absence to the virus signature.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10, wherein the signature of the computer virus is in the form of a Boolean expression and wherein the operands of the Boolean expression are the signatures of the select components.
  - 12. The method of claim 10, wherein the computer virus spans at least two data streams and wherein each component spans a different data stream.
  - 13. The method of claim 10, further comprising:
    - scanning a plurality of data streams to detect the presence of the select components;
      
      producing a scan result indicating which of the select components were detected;
      
      evaluating the virus signature to determine whether the scan results satisfy the virus signature; and
      
      determining that the computer virus exists in response to the scan results satisfying the virus signature.

14. A method for creating a signature of a computer virus, the method comprising:
- dividing the computer virus into at least two components;
  
  determining whether one of the components is unique to the computer virus with respect to other computer viruses;
  
  in response to determining that one of the components is unique to the computer virus with respect to other computer viruses, determining whether the probability is low that the unique component will exist without the computer virus existing;
  
  in response to determining that the probability is low, creating a signature for the unique component; and
  
  in response to determining that the probability is low and in response to creating a signature for the unique component, using the signature of the unique component as the signature for the computer virus.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14 wherein, in response to determining that the probability is not low, the method further comprises:
    - creating a signature for the unique component and a signature for another one of the components; and
      
      selectively combining the signature of the unique component and the signatures of the other component to create the signature of the computer virus.
  - 16. The method of claim 14 further comprising:
    - in response to determining that there is not a component unique to the computer virus with respect to other computer viruses, determining whether there is a combination of at least two of the components that is unique to the computer virus with respect to other computer viruses;
      
      in response to determining that there is a combination of at least two of the components that is unique to the computer virus with respect to other computer viruses, determining whether the probability is low that the combination will exist without the computer virus existing;
      
      in response to determining that the probability is low, creating a signature for each of the components in the combination; and
      
      in response to creating a signature for each of the components in the combination, combining the signatures to create the signature of the computer virus.
  - 17. The method of claim 16, wherein, in response to determining that the probability is not low, the method further comprises:
    - expanding the combination by adding other ones of the components to the combination until the probability is low that the combination exists without the computer virus existing;
      
      creating a signature for each of the components of the of the expanded combination; and
      
      selectively combining the signatures of each of the components of the expanded combination to create a signature for the computer virus.
  - 18. The method according to claim 16 wherein the components of the computer virus form a set of components and wherein the method further comprises:
    - in response to there not being a combination of at least two of the components that is unique to the computer virus with respect to other computer viruses, creating a signature for the computer virus that represents a combination of signatures of each of the components of the computer virus and that indicates a component which is not part of the computer virus, the component that is not part of the computer virus being part of another computer virus that has a set of components which is a superset of the set of components in the computer virus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Chi, Darren
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Shaw, Brian H.

Application Number

US08/909,203
Time in Patent Office

862 Days
Field of Search

713/200, 714/38
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

Detection of computer viruses spanning multiple data streams

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

129 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of computer viruses spanning multiple data streams

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links