Method and apparatus for protection of electronic media
First Claim
1. A method of protecting machine readable media from unauthorized storage or copying, comprising:
- sending a detector to a client process, wherein the detector comprises a sequence of different types of computer system calls;
receiving, at a server, a response to the detector from the client process;
detecting, by the server, a presence of an unauthorized software behavior on the client based upon a comparison between the response and the detector according to a matching rule that is associated with the detector sent; and
updating a database of detectors for a previously unseen and unauthorized behavior of the process based in part on the response, such that the database of detectors evolves over time.
5 Assignments
0 Petitions
Accused Products
Abstract
Described is a system and method for providing protection of media by the detection of unauthorized client behaviors and the communication of the unauthorized client behaviors to augment the invention'"'"'s detection abilities. A variety of detectors are sent to a client process and the responses are evaluated to detect the presence of an unauthorized software behavior on the client. Unauthorized behaviors include alteration of a client process as well as simultaneously running processes that might enable unauthorized copying of protected media. Communication of unauthorized software behaviors includes sharing of memory detectors among servers on a network, and the sending of memory detectors to other clients to detect previously unseen unauthorized behaviors on the other clients.
-
Citations
28 Claims
-
1. A method of protecting machine readable media from unauthorized storage or copying, comprising:
-
sending a detector to a client process, wherein the detector comprises a sequence of different types of computer system calls; receiving, at a server, a response to the detector from the client process; detecting, by the server, a presence of an unauthorized software behavior on the client based upon a comparison between the response and the detector according to a matching rule that is associated with the detector sent; and updating a database of detectors for a previously unseen and unauthorized behavior of the process based in part on the response, such that the database of detectors evolves over time. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 28)
-
-
9. A method for obstructing unauthorized copying and corruption of media between clients that communicate over a network of servers, comprising:
-
exchanging a set of memory detectors between servers during an update period, wherein each memory detector comprises a sequence of different types of system calls that is associated with a known unauthorized process alteration; evaluating each received set of memory detectors against each server'"'"'s self database and a set of matching rules; discarding each detector in the received set of detectors that match another detector in each server'"'"'s self database; and merging a new retained detector from each received set of detectors with each server'"'"'s memory database, wherein the exchanging of the set of memory detectors prevents unauthorized copying and corruption of media. - View Dependent Claims (10, 11, 12, 13, 14)
-
-
15. A method of providing detection of machine-readable media from an unauthorized usage, the method comprising:
-
sending by a server a series of behavioral questions for a process residing on a clients, wherein the series of behavioral questions comprise a series of different types of system calls and an identifier specifying media associated with the system calls; receiving at the server a response from the client; evaluating the response from the process to the series of behavioral questions; detecting an unauthorized behavior of the process based on the evaluating; and communicating the detection of the unauthorized behavior of the process among a plurality of other servers, so that the plurality of other servers are enabled to update their series of behavioral questions based in part on the detected unauthorized behavior.
-
-
16. A server to protect media from unauthorized usage, the system comprising:
-
a transceivers to send and receive data over the network; and a program to perform actions when executed that include; sending a detector to a client, the detector comprising a sequence of different types of system calls, and is associated with a life span that when exceeded inactivates the use of the detector for detecting an unauthorized process; receiving a response to the detector from the client, detecting a presence of the unauthorized process on the client based on the response and a matching rule associated with the detector, and updating a database of memory detectors for a previously undetected and unauthorized process on the client such that the database of memory detectors evolves over time. - View Dependent Claims (17, 18, 19, 20)
-
-
21. A system to protect media from unauthorized usage, the system comprising:
-
a server to send media to a client; and a program to perform actions when executed that include; sending a detector to the client; receiving a response to the detector from the client; detecting a presence of an unauthorized process on the client based on the response and a matching rule associated with the detector, wherein the detecting includes executing a Rabin-Karp algorithm of prime numbers and a sliding window across the response and the detector; and updating a database of memory detectors for a previously undetected and unauthorized process on the client such that the database of memory detectors evolves over time.
-
-
22. A computer readable medium having stored thereon a data structure to provide a detector pattern for use in data integrity of machine-readable media, the data structure comprising:
a plurality of data fields associated with a matching rule to validate a match of the plurality of data fields from a response to the data structure, and wherein at least one data field in the plurality of data fields indicates a media associated with the detector pattern and each of the remaining data fields in the plurality of data fields comprises different types of computer system calls.
-
23. A machine readable medium that provides instructions which, when executed by at least one processor, cause said processor to perform operations comprising:
-
sending a plurality of different detectors to a client process, wherein each detector within the plurality of detectors comprise a different sequence of different types of system calls; receiving a response to each of the plurality of different detectors from the client process; detecting a presence of an unauthorized behavior on the client based upon the response and a matching rule that is associated with the plurality of different detectors sent; and updating a database of memory detectors for a previously unseen and unauthorized behavior of the client process such that the memory database evolves over time, and wherein each memory detector comprises a sequence of different types of system calls that is associated with an unauthorized client process alteration. - View Dependent Claims (24, 25, 26, 27)
-
Specification