Detection of computer viruses spanning multiple data streams
First Claim
1. A method for detecting a computer virus, the method comprising:
- identifying a plurality of data streams to be scanned;
- scanning the plurality of data streams to detect the presence of components of the computer virus;
- producing a scan result indicating which of the components of the computer virus were detected;
- evaluating a Boolean expression representing the computer virus to determine whether the scan result satisfies the Boolean expression; and
- in response to the Boolean expression being satisfied, determining that the computer virus exists in the plurality of data streams.
2 Assignments
0 Petitions
Abstract
A computer system (100) and method detect computer viruses spanning multiple data streams. A virus signature is written in the form of a Boolean expression, where the operands of the Boolean expression are signatures of components of the virus. A processor (110) identifies data streams to be scanned and scans the identified data streams for components of viruses. Using the scan results, the processor (110) then evaluates the virus signatures, and, for any Boolean expression satisfied, the processor (110) determines that the virus corresponding to the expression exists in the scanned data streams.
129 Citations
18 Claims
1. Independent claim; its text is set out in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method for detecting a computer virus, the method comprising:
- scanning a plurality of data streams to detect the presence of components of the computer virus;
- producing a scan result indicating which of the components of the computer virus were detected;
- evaluating a Boolean expression representing the computer virus to determine whether the scan result satisfies the Boolean expression, wherein the Boolean expression includes an indication of an absence of a component not present in the computer virus and wherein evaluating the Boolean expression includes determining whether the component not present in the computer virus was detected during the scanning step; and
- in response to the Boolean expression being satisfied, determining that the computer virus exists in the plurality of data streams.

10. A method for creating a signature of a computer virus, the method comprising:
- dividing a computer virus into at least two components;
- creating a signature for each of a select number of the components;
- selectively combining the signatures of the select components to create the signature of the computer virus;
- identifying a component not present in the computer virus but present in another computer virus;
- creating an indication of an absence of the component not present in the computer virus but present in another computer virus; and
- adding the indication of the absence to the virus signature.
Dependent claims: 11, 12, 13.

14. A method for creating a signature of a computer virus, the method comprising:
- dividing the computer virus into at least two components;
- determining whether one of the components is unique to the computer virus with respect to other computer viruses;
- in response to determining that one of the components is unique to the computer virus with respect to other computer viruses, determining whether the probability is low that the unique component will exist without the computer virus existing;
- in response to determining that the probability is low, creating a signature for the unique component; and
- in response to determining that the probability is low and in response to creating a signature for the unique component, using the signature of the unique component as the signature for the computer virus.
Dependent claims: 15, 16, 17, 18.
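As an added illustration of the scheme in the abstract and in claims 1, 9 and 10 (example code, not from the patent or its assignee), the following Python scans several streams once for all component signatures and then evaluates each virus signature as a Boolean expression over component names, including a negated operand for a component that belongs to a related virus. The stream contents, byte patterns and virus names are constructed for this example.

```python
import re

# Constructed sample: two data streams (e.g. two members of one archive), each
# holding a different component of the same virus. All patterns are invented.
STREAMS = {"part1.bin": b"\x90\x90 LOADER-STUB-AAAA \x90", "part2.bin": b"cfg=1; PAYLOAD-BBBB"}
COMPONENTS = {"A": b"LOADER-STUB-AAAA", "B": b"PAYLOAD-BBBB", "C": b"DROPPER-CCCC"}
# Virus signatures as Boolean expressions over component names (claims 1, 9, 10):
# VirusX requires A and B and the absence of C, a component of the related VirusY.
VIRUS_SIGNATURES = {"VirusX": "A and B and not C", "VirusY": "A and C"}

def scan_streams(streams, components):
    """Scan every stream; return the names of all components detected anywhere."""
    return {name for data in streams.values()
            for name, pat in components.items() if pat in data}

def evaluate(expr, detected):
    """Evaluate a signature (and/or/not, parentheses) against the scan result."""
    tokens = re.findall(r"\(|\)|\w+", expr)       # e.g. ['A', 'and', 'not', 'C']
    take = lambda: tokens.pop(0) if tokens else None
    def parse_or():                                # expr := term ("or" term)*
        value = parse_and()
        while tokens[:1] == ["or"]:
            take()
            value |= parse_and()                   # '|' so the RHS is always parsed
        return value
    def parse_and():                               # term := factor ("and" factor)*
        value = parse_not()
        while tokens[:1] == ["and"]:
            take()
            value &= parse_not()
        return value
    def parse_not():                               # factor := "not" factor | "(" expr ")" | NAME
        tok = take()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return value
        if tok in (None, "and", "or", ")"):
            raise ValueError("unexpected %r in %r" % (tok, expr))
        return tok in detected                     # operand: was this component seen?
    result = parse_or()
    if tokens:
        raise ValueError("trailing input in %r" % expr)
    return result

def detect(streams, components, virus_signatures):  # viruses whose expression holds
    found = scan_streams(streams, components)
    return sorted(v for v, e in virus_signatures.items() if evaluate(e, found))
```

With the sample streams, `detect(STREAMS, COMPONENTS, VIRUS_SIGNATURES)` reports only VirusX, because its loader and payload were found in different streams and the VirusY-only component is absent.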
Specification