Histogram-based virus detection

US 6,971,019 B1
Filed: 03/14/2000
Issued: 11/29/2005
Est. Priority Date: 03/14/2000
Status: Expired due to Term

First Claim

Patent Images

1. A virus detection system for detecting whether a computer file is infected by a computer virus, the system comprising:

an emulation module for emulating instructions in the computer file;

a record generation module coupled to the emulation module for identifying emulated instructions matching specified characteristics and generating a record counting occurrences of the emulated instructions matching the specified characteristics; and

an evaluation module coupled to the record generation module for comparing the generated record with known virus instruction occurrence records to detect the presence of the computer virus.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virus detection system (VDS) (400) uses a histogram to detect the presence of a computer virus in a computer file. The VDS (400) has a P-code data (410) for holding P-code, a virus definition file (VDF) (412) for holding signature of known viruses, and an engine (414) for controlling the VDS. The engine (414) contains a P-code interpreter (418) for interpreting the P-code, a scanning module (424) for scanning regions of the file (100) for the virus signatures in the VDF (412), and an emulating module (426) for emulating instructions in the file. The emulating module (426) contains a histogram generation module (HGM) (436) for generating a histogram of characteristics of instructions emulated by the emulating module (426) and a histogram definition module (HDF) (438) for specifying the characteristics to be included in the generated histogram. The emulating module (426) uses the generated histogram (500) to determine how many of the instructions of the computer file (100) to emulate. The emulating module (426) emulates (712) instructions and the HGM (436) generates a histogram of the instructions until active instructions are note detected. When active instructions are not detected (714), a P-code module is executed (722) to analyze the histogram (500) and determine whether a the file (100) contains a virus. The P-code can also decide to extend (728) emulation. The HGM (436) is also used to detect (822) the presence of dummy loops during virus decryption.

Citations

28 Claims

1. A virus detection system for detecting whether a computer file is infected by a computer virus, the system comprising:
- an emulation module for emulating instructions in the computer file;
  
  a record generation module coupled to the emulation module for identifying emulated instructions matching specified characteristics and generating a record counting occurrences of the emulated instructions matching the specified characteristics; and
  
  an evaluation module coupled to the record generation module for comparing the generated record with known virus instruction occurrence records to detect the presence of the computer virus.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The virus detection system of claim 1, wherein the emulation module comprises:
    - a module for detecting a decryption instruction, wherein a number of instructions emulated by the emulating module is determined responsive to the detection of the decryption instruction.
  - 3. The virus detection system of claim 1, wherein a number of instructions emulated by the emulation module is dynamically determined responsive to the comparison performed by the evaluation module.
  - 4. The virus detection system of claim 1, further comprising:
    - a data module coupled to the record generation module for specifying characteristics to be tracked by the record.
  - 5. The virus detection system of claim 4, wherein the characteristics comprise at least one characteristics selected from the group consisting of:
    - instruction opcodes;
      
      instructions matching a specified bit pattern;
      
      instructions matching a regular expression;
      
      instructions calling an operating system function;
      
      occurrence of groupings of certain instructions; and
      
      values of emulated registers.
  - 6. The virus detection system of claim 1, wherein the record generation module generates a loop record counting occurrences of the instructions matching the specified characteristics inside a loop emulated by the emulation module.
  - 7. The virus detection system of claim 6, wherein the evaluation module evaluates the loop record to determine whether the loop is a dummy loop.

8. A method for detecting the presence of a dummy loop in a computer file infected by a computer virus, the method comprising the steps of:
- emulating instructions in the computer file;
  
  generating a histogram of the characteristics of the emulated instructions;
  
  tracking emulations of loop instructions in the emulated instructions; and
  
  responsive to a tracked loop instruction being emulated a number of times, analyzing the histogram to determine whether the loop is a dummy loop.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, further comprising the step of:
    - responsive to emulating an active instruction, clearing the tracked loop instructions.
  - 10. The method of claim 8, wherein an active instruction is emulated responsive to emulating two pairs of fetch and writ instructions directed to related memory locations.
  - 11. The method of claim 8, wherein the analyzing step comprises the substep of:
    - comparing the histogram with instruction use characteristics of known viruses to detect the presence of a dummy loop in a known virus.
  - 12. The method of claim 8, wherein the analyzing step comprises the substep of:
    - comparing the histogram with known dummy loop characteristics to detect the presence of a dummy loop in an unknown virus.
  - 13. The method of claim 8, wherein the step of generating a histogram of the characteristics of the emulated instructions generates a separate histogram for each emulated loop.

14. A method for detecting the presence of a computer virus in a computer file, the method comprising the steps of:
- emulating instructions in the computer file;
  
  generating a record counting occurrences of emulated instructions matching specified characteristics;
  
  determining whether a decryption instruction was emulated;
  
  responsive to a positive determination that a decryption instruction was emulated, extending the emulation of instructions in the computer file; and
  
  analyzing the record counting the occurrences of the emulated instructions matching the specified characteristics to determine whether the computer file contains the computer virus.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, further comprising the step of:
    - determining whether to extend the emulation of instructions in the computer file responsive to the analysis of the record.
  - 16. The method of claim 14, wherein the characteristics tracked by the record comprise at least one characteristic selected from the group consisting of:
    - instruction opcodes;
      
      instructions calling an operating system function;
      
      instructions matching a specified bit pattern;
      
      instructions matching a regular expression;
      
      occurrences of groupings of certain instructions; and
      
      values of emulated registers.
  - 17. The method of claim 14, wherein the analyzing step comprises the substep of:
    - comparing the generated record with known virus instruction occurrence records.

18. A computer program product comprising:
- a computer usable medium having computer readable code embodied therein for detecting whether a computer file is infected by a computer virus, the computer program product comprising;
  
  an emulation module for emulating instructions in the computer file;
  
  a record generation module coupled to the emulation module for identifying emulated instructions matching specified characteristics and generating a record counting occurrences of the emulated instructions matching the specified characteristics; and
  
  an evaluation module coupled to the record generation module for comparing the generated record with known virus instruction occurrence records to detect the presence of the computer virus.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The computer program product of claim 18, wherein the emulation module comprises:
    - a module for detecting a decryption instruction wherein a number of instructions emulated by the emulating module is determined responsive to the detection of the decryption instruction.
  - 20. The computer program product of claim 18, wherein a number of instructions emulated by the emulation module is dynamically determined responsive to the comparison performed by the evaluation module.
  - 21. The computer program product of claim 18, further comprising:
    - a data module coupled to the record generation module for specifying characteristics to be tracked by the record.
  - 22. The computer program product of claim 21, wherein the characteristics comprise at least one characteristics selected from the group consisting of:
    - instruction opcodes;
      
      instruction matching a specified bit pattern;
      
      instructions matching a regular expression;
      
      instructions calling operating system functions;
      
      occurrences of groupings of certain instructions; and
      
      values of emulated registers.
  - 23. The computer program product of claim 18, wherein the record generation module generates a loop record counting occurrences of the instructions matching the specified characteristics inside a loop emulated by the emulation module.
  - 24. The computer program product of claim 23, wherein the evaluation module evaluates the loop record to determine whether the loop is a dummy loop.

25. A method for detecting whether a computer file is infected by a computer virus, the method comprising the steps of;
- emulating instructions of the computer virus;
  
  identifying emulated instructions matching specified characteristics;
  
  generating a record counting occurrences of the emulated instructions matching the specified characteristics; and
  
  comparing the generated record with known virus instruction occurrence records to detect the presence of the computer virus.
- View Dependent Claims (26, 27, 28)
- - 26. The method of claim 25, further comprising:
    - detecting a decryption instruction; and
      
      determining a number of instructions to be emulated responsive to the detection of the decryption instruction.
  - 27. The method of claim 25, further comprising:
    - specifying characteristics to be tracked by the record.
  - 28. The method of claim 27, wherein the characteristics comprise at least one characteristics selected from the group consisting of:
    - instruction opcodes;
      
      instruction matching a specified bit pattern;
      
      instructions matching a regular expression;
      
      instructions calling an operating system function;
      
      occurrences of groupings of certain instructions; and
      
      values of emulated registers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S.
Primary Examiner(s)
Barrón, Gilberto
Assistant Examiner(s)
Gurshman, Grigory

Application Number

US09/524,856
Time in Patent Office

2,086 Days
Field of Search

713/188, 713/187
US Class Current

713/188
CPC Class Codes

G06F 21/564 by virus signature recognition

G06F 21/566 Dynamic detection, i.e. det...

Histogram-based virus detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Histogram-based virus detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links