Method and apparatus for protection of electronic media

US 7,150,045 B2
Filed: 12/14/2001
Issued: 12/12/2006
Est. Priority Date: 12/14/2000
Status: Active Grant

First Claim

Patent Images

1. A method of protecting machine readable media from unauthorized storage or copying, comprising:

sending a detector to a client process, wherein the detector comprises a sequence of different types of computer system calls;

receiving, at a server, a response to the detector from the client process;

detecting, by the server, a presence of an unauthorized software behavior on the client based upon a comparison between the response and the detector according to a matching rule that is associated with the detector sent; and

updating a database of detectors for a previously unseen and unauthorized behavior of the process based in part on the response, such that the database of detectors evolves over time.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described is a system and method for providing protection of media by the detection of unauthorized client behaviors and the communication of the unauthorized client behaviors to augment the invention'"'"'s detection abilities. A variety of detectors are sent to a client process and the responses are evaluated to detect the presence of an unauthorized software behavior on the client. Unauthorized behaviors include alteration of a client process as well as simultaneously running processes that might enable unauthorized copying of protected media. Communication of unauthorized software behaviors includes sharing of memory detectors among servers on a network, and the sending of memory detectors to other clients to detect previously unseen unauthorized behaviors on the other clients.

Citations

28 Claims

1. A method of protecting machine readable media from unauthorized storage or copying, comprising:
- sending a detector to a client process, wherein the detector comprises a sequence of different types of computer system calls;
  
  receiving, at a server, a response to the detector from the client process;
  
  detecting, by the server, a presence of an unauthorized software behavior on the client based upon a comparison between the response and the detector according to a matching rule that is associated with the detector sent; and
  
  updating a database of detectors for a previously unseen and unauthorized behavior of the process based in part on the response, such that the database of detectors evolves over time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 28)
- - 2. The method as in claim 1, wherein the sent detector includes at least one of a self-detector, a memory detector, and a novel detector, and wherein:
    - the self-detector comprises a sequence of different types of system calls detectable in a normal execution of a process;
      
      the memory detector comprises a sequence of different types of system calls that is associated with a known unauthorized process alteration; and
      
      the novel detector comprises a sequence of different types of system calls that has not been previously detected in an execution of the process.
  - 3. The method as in claim 1, wherein the sent detector further comprises detecting the presence of an unauthorized substantially simultaneously executing client process.
  - 4. The method as in claim 1, wherein the sending of the detector further comprises varying a length of the sequence of computer system calls within the detector such that the meaning of the detector is obscured.
  - 5. The method as in claim 1, wherein the sending of the detector further comprises encoding numerically the detector such that the meaning of the detector is obscured.
  - 6. The method as in claim 1, wherein the matching rule includes a criterion for each field in the detector that is to be matched before a match is validated, wherein each field includes a sequence of at least one computer system calls.
  - 7. The method as in claim 1, further including sending the detector to detect previously unseen and unauthorized behavior to another client process.
  - 8. The method as in claim 1, further including:
    - exchanging sets of memory detectors between the server and another server during an update period, wherein each memory detector comprises a sequence of different types of system calls that is associated with a known unauthorized process alteration;
      
      evaluating the received set of memory detectors against each server'"'"'s self database of detectors and a set of matching rules;
      
      discarding memory detectors in the received set of memory detectors that match another detector in each server'"'"'s self database of detectors, wherein a false positive detection is minimized; and
      
      merging each new retained memory detector from the received set of memory detectors with each server'"'"'s memory database of detectors, wherein the exchange of the sets of memory detectors between each server obstructs the spread of unauthorized copying and corruption of electronic media.
  - 28. The method of claim 1, wherein associated with the detector is a life span defining a length of time that the detector is considered active on the client device, and wherein, when the life span for the detector is exceeded, the detector is inactivated.

9. A method for obstructing unauthorized copying and corruption of media between clients that communicate over a network of servers, comprising:
- exchanging a set of memory detectors between servers during an update period, wherein each memory detector comprises a sequence of different types of system calls that is associated with a known unauthorized process alteration;
  
  evaluating each received set of memory detectors against each server'"'"'s self database and a set of matching rules;
  
  discarding each detector in the received set of detectors that match another detector in each server'"'"'s self database; and
  
  merging a new retained detector from each received set of detectors with each server'"'"'s memory database, wherein the exchanging of the set of memory detectors prevents unauthorized copying and corruption of media.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method as in claim 9, wherein each detector within the set of memory detectors has a life span wherein the detector is active on a client during the life span and becomes inactive when the life span is exceeded.
  - 11. The method as in claim 9, wherein the set of detectors enable the detection of the presence of an unauthorized substantially simultaneously executing client process.
  - 12. The method as in claim 9, wherein the exchanging the set of memory detectors further includes varying a sequence length of a computer system call within each detector such that each detector is obscured.
  - 13. The method as in claim 9, wherein the exchanging the set of detectors includes encoding numerically the detector such that the meaning of the detector is obscured.
  - 14. The method as in claim 9, wherein the matching rule includes at least one criterion for each field in each detector that is to be matched before a match is validated, and wherein each field includes a sequence of at least one computer system calls.

15. A method of providing detection of machine-readable media from an unauthorized usage, the method comprising:
- sending by a server a series of behavioral questions for a process residing on a clients, wherein the series of behavioral questions comprise a series of different types of system calls and an identifier specifying media associated with the system calls;
  
  receiving at the server a response from the client;
  
  evaluating the response from the process to the series of behavioral questions;
  
  detecting an unauthorized behavior of the process based on the evaluating; and
  
  communicating the detection of the unauthorized behavior of the process among a plurality of other servers, so that the plurality of other servers are enabled to update their series of behavioral questions based in part on the detected unauthorized behavior.

16. A server to protect media from unauthorized usage, the system comprising:
- a transceivers to send and receive data over the network; and
  
  a program to perform actions when executed that include;
  
  sending a detector to a client, the detector comprising a sequence of different types of system calls, and is associated with a life span that when exceeded inactivates the use of the detector for detecting an unauthorized process;
  
  receiving a response to the detector from the client,detecting a presence of the unauthorized process on the client based on the response and a matching rule associated with the detector, andupdating a database of memory detectors for a previously undetected and unauthorized process on the client such that the database of memory detectors evolves over time.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system as in claim 16 further including employing the client to access the media.
  - 18. The system as in claim 16, wherein the sending of the detector includes adjusting the frequency of a class of detectors sent in response to changes in responses from each client, such that the class of detectors includes at least one of a self-detector, a memory detector, and a novel detector.
  - 19. The system as in claim 16, wherein the updating further includes eliminating detectors in the database that exceed the predetermined detector life span.
  - 20. The system as in claim 16, wherein the matching rule includes at least one criterion for a field in the detector to be matched before a match is validated, and wherein the field includes a sequence of at least one computer system calls.

21. A system to protect media from unauthorized usage, the system comprising:
- a server to send media to a client; and
  
  a program to perform actions when executed that include;
  
  sending a detector to the client;
  
  receiving a response to the detector from the client;
  
  detecting a presence of an unauthorized process on the client based on the response and a matching rule associated with the detector, wherein the detecting includes executing a Rabin-Karp algorithm of prime numbers and a sliding window across the response and the detector; and
  
  updating a database of memory detectors for a previously undetected and unauthorized process on the client such that the database of memory detectors evolves over time.

22. A computer readable medium having stored thereon a data structure to provide a detector pattern for use in data integrity of machine-readable media, the data structure comprising:
- a plurality of data fields associated with a matching rule to validate a match of the plurality of data fields from a response to the data structure, and wherein at least one data field in the plurality of data fields indicates a media associated with the detector pattern and each of the remaining data fields in the plurality of data fields comprises different types of computer system calls.

23. A machine readable medium that provides instructions which, when executed by at least one processor, cause said processor to perform operations comprising:
- sending a plurality of different detectors to a client process, wherein each detector within the plurality of detectors comprise a different sequence of different types of system calls;
  
  receiving a response to each of the plurality of different detectors from the client process;
  
  detecting a presence of an unauthorized behavior on the client based upon the response and a matching rule that is associated with the plurality of different detectors sent; and
  
  updating a database of memory detectors for a previously unseen and unauthorized behavior of the client process such that the memory database evolves over time, and wherein each memory detector comprises a sequence of different types of system calls that is associated with an unauthorized client process alteration.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The medium as in claim 23, wherein the detector further includes at least one of a self-detector, a memory detector, and a novel detector.
  - 25. The medium as in claim 23, wherein the detector detects the presence of an unauthorized substantially simultaneously executing client process.
  - 26. The medium as in claim 23, wherein the sending of the detector further includes varying a sequence length of computer system calls within the detector such that the meaning of the detector is obscured.
  - 27. The medium as in claim 23, wherein the sending of the detector further includes encoding numerically the detector such that the meaning of the detector is obscured.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Widevine Technologies Incorporated (Alphabet Inc.)
Inventors
Koelle, Katharina Veronika, Worzel, William P.
Primary Examiner(s)
Moazzami, Nasser
Assistant Examiner(s)
Baum, Ronald

Application Number

US10/020,524
Publication Number

US 20020164023A1
Time in Patent Office

1,824 Days
Field of Search

None
US Class Current

726/26
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06N 3/126   Evolutionary algorithms, e....

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Method and apparatus for protection of electronic media

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for protection of electronic media

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links