Histogram-based virus detection
Abstract
A virus detection system (VDS) (400) uses a histogram to detect the presence of a computer virus in a computer file. The VDS (400) has a P-code data file (410) for holding P-code, a virus definition file (VDF) (412) for holding signatures of known viruses, and an engine (414) for controlling the VDS. The engine (414) contains a P-code interpreter (418) for interpreting the P-code, a scanning module (424) for scanning regions of the file (100) for the virus signatures in the VDF (412), and an emulating module (426) for emulating instructions in the file. The emulating module (426) contains a histogram generation module (HGM) (436) for generating a histogram of characteristics of instructions emulated by the emulating module (426) and a histogram definition file (HDF) (438) for specifying the characteristics to be included in the generated histogram. The emulating module (426) uses the generated histogram (500) to determine how many of the instructions of the computer file (100) to emulate. The emulating module (426) emulates (712) instructions and the HGM (436) generates a histogram of the instructions until active instructions are no longer detected. When active instructions are not detected (714), a P-code module is executed (722) to analyze the histogram (500) and determine whether the file (100) contains a virus. The P-code can also decide to extend (728) emulation. The HGM (436) is also used to detect (822) the presence of dummy loops during virus decryption.
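As an added illustration (not the patent's own code, nor any vendor's engine), the following Python sketch models the flow the abstract describes together with the steps of claims 8 and 14: an emulator runs a constructed toy instruction set, a histogram generation module counts each emulated instruction under the buckets of a histogram definition (the HDF role), loop instructions are tracked so that after a few iterations the histogram delta of the loop body exposes a dummy loop, emulation is extended past its initial budget only once a decryption instruction has been seen, and the finished record is compared with a known-virus occurrence record (the VDF role). The instruction set, bucket names, thresholds, cosine-similarity comparison and both sample programs are assumptions made for this example.

```python
from collections import Counter
from math import sqrt

# Histogram definition (HDF role): characteristics to count; toy ISA, not x86.
HDF = {"xor": "decrypt", "mov": "move", "inc": "arith", "loop": "loop",
       "nop": "nop", "int": "syscall"}
# Known virus occurrence records (VDF role); constructed values.
KNOWN_VIRUS_RECORDS = {"toy.xorcryptor": {"decrypt": 8, "loop": 8, "move": 2,
                                          "arith": 8, "syscall": 1, "memwrite": 8}}
MATCH_THRESHOLD = 0.90   # cosine similarity needed to report a match
INITIAL_BUDGET = 10      # instructions emulated before deciding whether to extend
EXTENSION = 50           # extra budget granted once decryption has been observed
DUMMY_CHECK_HITS = 3     # analyse a loop once it has been emulated this often

class Emulator:          # emulation module plus histogram generation module
    def __init__(self, program, mem: bytearray):
        self.program, self.mem = program, mem
        self.regs = {"ax": 0, "cx": 0, "si": 0}
        self.pc, self.steps, self.halted = 0, 0, False
        self.histogram = Counter()      # the generated record
        self.loop_hits = Counter()      # emulations per loop instruction
        self.loop_start = {}            # histogram snapshot at first loop hit
        self.dummy_loops = []
        self.saw_decrypt = self.extended = False

    def step(self):
        op, *args = self.program[self.pc]
        at, self.pc = self.pc, self.pc + 1
        self.histogram[HDF[op]] += 1
        self.steps += 1
        if op == "mov" and args[0] != "[si]":     # mov reg, imm
            self.regs[args[0]] = args[1]
        elif op in ("mov", "xor"):                # mov [si], imm  /  xor [si], key
            si = self.regs["si"]
            self.mem[si] = args[1] if op == "mov" else self.mem[si] ^ args[1]
            self.histogram["memwrite"] += 1
            self.saw_decrypt |= op == "xor"       # xor on memory = decryption
        elif op == "inc":
            self.regs[args[0]] += 1
        elif op == "loop":                        # dec cx; jump to target if cx != 0
            self.regs["cx"] -= 1
            if self.regs["cx"] != 0:
                self.pc = args[0]
            self._track_loop(at)
        elif op == "int":                         # exit call: end of active code
            self.halted = True

    def _track_loop(self, at):
        """Claim 8: after DUMMY_CHECK_HITS emulations of one loop instruction,
        inspect what the loop body contributed to the histogram."""
        self.loop_hits[at] += 1
        if self.loop_hits[at] == 1:
            self.loop_start[at] = Counter(self.histogram)
        elif self.loop_hits[at] == DUMMY_CHECK_HITS:
            body = self.histogram - self.loop_start[at]
            if body["decrypt"] == 0 and body["memwrite"] == 0:
                self.dummy_loops.append(at)       # body never touches memory

    def run(self):
        budget = INITIAL_BUDGET
        while not self.halted and self.pc < len(self.program):
            if self.steps >= budget:              # claim 14: extend only after decryption
                if not self.saw_decrypt or self.extended:
                    break
                budget, self.extended = budget + EXTENSION, True
            self.step()

def cosine(a, b):
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in set(a) | set(b))
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def scan(program, mem: bytearray) -> dict:
    """Evaluation module: emulate, then compare the record with known records."""
    emu = Emulator(program, mem)
    emu.run()
    name, sim = max(((n, cosine(emu.histogram, r)) for n, r in KNOWN_VIRUS_RECORDS.items()),
                    key=lambda t: t[1])
    return {"match": name if sim >= MATCH_THRESHOLD else None,
            "similarity": round(sim, 3), "histogram": dict(emu.histogram),
            "dummy_loops": emu.dummy_loops, "extended": emu.extended, "steps": emu.steps}

# Constructed infected sample: XOR decryptor loop, dummy loop, exit call.
KEY = 0x5A
INFECTED = [("mov", "cx", 8), ("mov", "si", 0),
            ("xor", "[si]", KEY), ("inc", "si"), ("loop", 2),           # decryptor, pc 2-4
            ("mov", "cx", 4), ("nop",), ("inc", "ax"), ("loop", 6),    # dummy loop, pc 6-8
            ("int", 0x21)]
INFECTED_MEM = bytearray(b ^ KEY for b in b"VIRUS!!!") + bytearray(8)
# Constructed benign sample: plain stores, no decryption, short loop.
BENIGN = [("mov", "cx", 2), ("mov", "si", 0),
          ("mov", "[si]", 7), ("inc", "si"), ("loop", 2), ("int", 0x21)]
BENIGN_MEM = bytearray(16)

if __name__ == "__main__":
    print(scan(INFECTED, bytearray(INFECTED_MEM)))
    print(scan(BENIGN, bytearray(BENIGN_MEM)))
```

Running it prints one result dictionary per sample: the infected sample exceeds the match threshold, reports the loop at pc 8 as a dummy loop, needed the emulation extension, and leaves the decrypted payload in memory; the benign sample stays below the threshold with no dummy loop and no extension. The comparison metric and the dummy-loop rule (a loop body that writes no memory) are this example's choices; the patent leaves that analysis to the P-code module.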
28 Claims
1. A virus detection system for detecting whether a computer file is infected by a computer virus, the system comprising:
an emulation module for emulating instructions in the computer file;
a record generation module coupled to the emulation module for identifying emulated instructions matching specified characteristics and generating a record counting occurrences of the emulated instructions matching the specified characteristics; and
an evaluation module coupled to the record generation module for comparing the generated record with known virus instruction occurrence records to detect the presence of the computer virus.
(Dependent claims 2 to 7 are not reproduced on this page.)
8. A method for detecting the presence of a dummy loop in a computer file infected by a computer virus, the method comprising the steps of:
emulating instructions in the computer file;
generating a histogram of the characteristics of the emulated instructions;
tracking emulations of loop instructions in the emulated instructions; and
responsive to a tracked loop instruction being emulated a number of times, analyzing the histogram to determine whether the loop is a dummy loop.
(Dependent claims 9 to 13 are not reproduced on this page.)
14. A method for detecting the presence of a computer virus in a computer file, the method comprising the steps of:
emulating instructions in the computer file;
generating a record counting occurrences of emulated instructions matching specified characteristics;
determining whether a decryption instruction was emulated;
responsive to a positive determination that a decryption instruction was emulated, extending the emulation of instructions in the computer file; and
analyzing the record counting the occurrences of the emulated instructions matching the specified characteristics to determine whether the computer file contains the computer virus.
(Dependent claims 15 to 17 are not reproduced on this page.)
18. A computer program product comprising:
a computer usable medium having computer readable code embodied therein for detecting whether a computer file is infected by a computer virus, the computer program product comprising:
an emulation module for emulating instructions in the computer file;
a record generation module coupled to the emulation module for identifying emulated instructions matching specified characteristics and generating a record counting occurrences of the emulated instructions matching the specified characteristics; and
an evaluation module coupled to the record generation module for comparing the generated record with known virus instruction occurrence records to detect the presence of the computer virus.
(Dependent claims 19 to 24 are not reproduced on this page.)
25. A method for detecting whether a computer file is infected by a computer virus, the method comprising the steps of:
emulating instructions of the computer virus;
identifying emulated instructions matching specified characteristics;
generating a record counting occurrences of the emulated instructions matching the specified characteristics; and
comparing the generated record with known virus instruction occurrence records to detect the presence of the computer virus.
(Dependent claims 26 to 28 are not reproduced on this page.)
Specification