Detection of a class of viral code

US 7,069,589 B2
Filed: 07/14/2001
Issued: 06/27/2006
Est. Priority Date: 07/14/2000
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a class of viral code, comprising:

heuristically analyzing a subject file to detect at least one class of viral code, the heuristic analysis based at least in part on one or more rules;

identifying at least one new characteristic of a viral code;

generating at least one new rule, the at least one new rule based at least in part on the at least one new characteristic;

generating a set of flags based at least in part on the heuristic analysis;

using the set of flags to perform at least one search for a scan string and/or a statement type in the subject file; and

triggering a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for detecting a class of viral code are provided. The apparatus comprises an heuristic analyzer and a search component. The heuristic analyzer heuristically analyzes a subject file and generates a set of flags along with statistical information. The search component uses the set of flags with statistical information to perform a search for a scan string and/or a statement type in the subject file. A positive detection alarm is triggered if the scan string and/or statement type is found at least a corresponding predetermined number of times. The heuristic analyzer may be rule-based and comprise an heuristic engine and heuristic rules. The search component also may be rule-based and comprise a search engine and viral code class rules.

Citations

20 Claims

1. A method of detecting a class of viral code, comprising:
- heuristically analyzing a subject file to detect at least one class of viral code, the heuristic analysis based at least in part on one or more rules;
  
  identifying at least one new characteristic of a viral code;
  
  generating at least one new rule, the at least one new rule based at least in part on the at least one new characteristic;
  
  generating a set of flags based at least in part on the heuristic analysis;
  
  using the set of flags to perform at least one search for a scan string and/or a statement type in the subject file; and
  
  triggering a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 20)
- - 2. The method of claim 1, wherein the subject file includes source code in a predetermined programming language.
  - 3. The method of claim 2, wherein the predetermined programming language is a script language.
  - 4. The method of claim 1, wherein the subject file includes a file for a predetermined word processor.
  - 5. The method of claim 1, wherein at least one flag in the set of flags corresponds to a copy operation associated with a viral code of the at least one class of viral code.
  - 6. The method of claim 1, wherein at least one flag in the set of flags corresponds to an operation for adding data from a string to a target module.
  - 7. The method of claim 1, wherein at least one flag in the set of flags corresponds to an operation for importing another code.
  - 8. The method of claim 1, wherein at least one flag in the set of flags corresponds to an operation for disabling virus protection features in a target application.
  - 9. The method of claim 1, wherein the searched statement type corresponds to an operation for disabling functionalities in a target application.
  - 10. The method of claim 1, wherein the searched statement type corresponds to an operation for overwriting system macros.
  - 20. The method of claim 1, wherein the at least one search is performed using a neural network.

11. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform method steps for detecting a class of viral code, the method steps comprising:
- heuristically analyzing a subject file to detect at least one class of viral code, the heuristic analysis based at least in part on one or more rules;
  
  identifying at least one new characteristic of a viral code;
  
  generating at least one new rule, the at least one new rule based at least in part on the at least one new characteristic;
  
  generating a set of flags based at least in part on the heuristic analysis;
  
  using the set of flags to perform at least one search for a scan string and/or a statement type in the subject file; and
  
  triggering a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.

12. A computer system, comprising:
- a processor; and
  
  a program storage device readable by the computer system, tangibly embodying a program of instructions executable by the processor to perform method steps for detecting a class of viral code, the method steps comprising;
  
  heuristically analyzing a subject file to detect at least one class of viral code, the heuristic analysis based at least in part on one or more rules;
  
  identifying at least one new characteristic of a viral code;
  
  generating at least one new rule, the at least one new rule based at least in part on the at least one new characteristic;
  
  generating a set of flags based at least in part on the heuristic analysis;
  
  using the set of flags to perform at least one search for a scan string and/or a statement type in the subject file; and
  
  triggering a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.

13. Instructions embodied in a computer readable medium and executable by a computer for detecting a class of viral code, the instructions comprising:
- a first segment including heuristic analyzer code to;
  
  heuristically analyze a subject file to detect at least one class of viral code, the heuristic analysis based at least in part on one or more rules;
  
  identify at least one new characteristic of a viral code;
  
  generate at least one new rule, the at least one new rule based at least in part on the at least one new characteristic;
  
  generate a set of flags based at least in part on the heuristic analysis; and
  
  a second segment including scanner code using the set of flags to perform at least one search for a scan string and/or a statement type in the subject file, and triggering a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.

14. An apparatus for detecting a class of viral code, comprising:
- an heuristic analyzer comprising;
  
  an heuristic engine operable to;
  
  heuristically analyze a subject file to detect at least one class of viral code, the heuristic analysis based at least in part on one or more rules;
  
  identify at least one new characteristic of a viral code; and
  
  generate a set of flags based at least in part on the heuristic analysis; and
  
  a learning module operable to generate at least one new rule, the at least one new rule based at least in part on the at least one new characteristic; and
  
  a search component, wherein the search component uses the set of flags generated by the heuristic analyzer to perform at least one search for a scan string and/or a statement type in the subject file, and triggers a positive detection alarm if each of the at least one search is found at least a corresponding predetermined number of times.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The apparatus of claim 14, wherein the heuristic analyzer further comprises a memory module operable to store the one or more rules.
  - 16. The apparatus of claim 15, wherein the heuristic engine is further operable to parse the subject file using the one or more rules.
  - 17. The apparatus of claim 15, wherein the one or more rules include sets of heuristic flags stored in a rules table.
  - 18. The apparatus of claim 14, wherein the search component is rule-based and comprises a search engine and viral code class rules.
  - 19. The apparatus of claim 14, wherein the search component is a neural network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Kwan, Tony, Schmall, Markus
Primary Examiner(s)
Smithers, Matthew
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US09/905,342
Publication Number

US 20020066024A1
Time in Patent Office

1,809 Days
Field of Search

713/200, 713/201, 713/187, 713/188, 713/193, 713/194, 726/24
US Class Current

726/24
CPC Class Codes

G06F 21/563 by source code analysis

Detection of a class of viral code

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of a class of viral code

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links