Heuristic detection of polymorphic computer viruses based on redundancy in viral code
First Claim
1. A computer program product for controlling a computer to detect an executable computer program containing a computer virus, said computer program product comprising:
- analysis logic for analyzing program instructions forming said executable computer program to identify suspect program instructions being at least one of:
(i) a program instruction generating a result value not used by another portion of said executable computer program; and
(ii) a program instruction dependent upon an uninitialised variable; and
- detecting logic for detecting said executable computer program as containing a computer virus if a number of suspect program instructions identified for said executable computer program exceeds a threshold level, wherein said analysis logic includes a dependence table indicating dependency between state variables within said computer and loaded variable values, and for each program instruction said analysis logic makes a determination as to which state variables are read and written by that program instruction and for each loaded variable value within said dependence table if any state variable read by that program instruction is marked as dependent upon said loaded variable value, then all state variables written by that program instruction are marked as dependent upon said loaded variable value with previous dependencies being cleared, and said analysis logic parses said executable computer program for suspect program instructions by following execution flow and upon occurrence of a branch first following a first branch path having saved pending analysis results and subsequently returning to follow a second branch path having restored said pending analysis results;
wherein a state variable is marked as initialised upon occurrence of one of:
(i) a write to said state variable of a determined initialised value; and
(ii) use of said state variable as a memory address value by a program instruction;
wherein a branch path stops being followed when one of the following occurs:
(i) there are no further suitable program instructions for execution within that branch path; and
(ii) said branch path rejoins a previously parsed execution path;
wherein said analysis logic includes an initialisation table indicating which state variables have been initialised;
wherein said dependence table includes a column for each register within a processor, an external write, and a write to a flag value; and
a plurality of rows with each row corresponding to a value loaded into said computer that influences a state of said computer;
wherein said initialisation table includes a column for each register within said processor indicating whether each register is initialised.
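To make the claimed analysis concrete, the following is an added example, not code from the patent or its assignee: it implements the initialisation table, the dependence table (one row per loaded value, columns for registers, the external write and the flags) and the save/restore branch walk over a constructed toy instruction set. Treating a loaded value as a redundant result when it never reaches an external write or a flag is this example's reading of criterion (i); the instruction forms, register names and the PADDED sample are all assumptions made for the illustration.

```python
# Toy register machine, constructed for this example. Instructions: ("mov", dst, imm),
# ("load", dst, addr_reg), ("add", dst, a, b), ("store", addr_reg, src) (an external write),
# ("jnz", cond, target). A path ends when it runs off the end of the program.
REGS = ("r0", "r1", "r2", "r3")

def reads_writes_addrs(ins):
    # state variables read, written, and used as a memory address by one instruction
    op = ins[0]
    if op == "mov":   return [], [ins[1]], []
    if op == "load":  return [ins[2]], [ins[1]], [ins[2]]
    if op == "add":   return [ins[2], ins[3]], [ins[1]], []
    if op == "store": return [ins[1], ins[2]], ["ext_write"], [ins[1]]
    return [ins[1]], ["flags"], []                    # jnz

def analyse(prog, threshold=2):
    visited, uninit_use, influential = set(), set(), set()
    def follow(pc, init, dep):
        # init: initialisation table; dep: dependence table, row = pc of a load, value = columns
        while pc < len(prog) and pc not in visited:   # stop: no instruction, or path rejoined
            visited.add(pc)
            reads, writes, addrs = reads_writes_addrs(prog[pc])
            init.update(addrs)                        # used as a memory address => initialised
            if any(r not in init for r in reads):
                uninit_use.add(pc)                    # (ii) depends on an uninitialised variable
                init.difference_update(writes)        # so its result is not a determined value
            else:
                init.update(w for w in writes if w in REGS)
            for row, cols in dep.items():             # propagate each loaded value's dependencies
                if any(r in cols for r in reads):
                    cols.update(writes)
                    if "ext_write" in writes or "flags" in writes:
                        influential.add(row)          # loaded value reached something observable
                else:
                    cols.difference_update(writes)    # previous dependencies cleared
            if prog[pc][0] == "load":
                dep[pc] = {prog[pc][1]}               # new row for this loaded value
            if prog[pc][0] == "jnz":                  # taken branch first, on saved copies of the tables,
                follow(prog[pc][2], set(init), {k: set(v) for k, v in dep.items()})
            pc += 1                                   # then the fall-through with the originals restored

    follow(0, set(), {})
    suspects = uninit_use | (                         # (i) loaded values that never influenced
        {pc for pc in visited if prog[pc][0] == "load"} - influential)  # an external write or flag
    return suspects, len(suspects) > threshold        # (suspect pcs, exceeds threshold?)

# Constructed sample: a short routine padded with three redundant instructions.
PADDED = [("add", "r3", "r3", "r2"), ("mov", "r0", 0x40),   # 0: r2, r3 never initialised -> (ii)
          ("load", "r1", "r0"), ("mov", "r1", 7),           # 2, 3: loaded value overwritten unused -> (i)
          ("jnz", "r3", 6), ("add", "r1", "r1", "r0"),      # 4: branches on uninitialised r3 -> (ii); 5: fall-through
          ("store", "r0", "r1")]                            # 6: both paths rejoin here, then the path ends
```

Running `analyse(PADDED)` flags instructions 0, 2 and 4, which exceeds the threshold of two; the same routine without the padding yields no suspects.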
Abstract
Computer programs are analysed for the occurrence of redundant program instructions or of program instructions using uninitialised variables. If the number of such instructions exceeds a threshold level, then the computer program is treated as containing a computer virus. This technique is useful in identifying new and polymorphic viruses.
21 Claims
1. A computer program product for controlling a computer to detect an executable computer program containing a computer virus (independent claim; full text given above under First Claim).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method of detecting an executable computer program containing a computer virus, said method comprising the steps of:
- analysing program instructions forming said executable computer program to identify suspect program instructions being at least one of:
(i) a program instruction generating a result value not used by another portion of said executable computer program; and
(ii) a program instruction dependent upon an uninitialised variable;
- detecting said executable computer program as containing a computer virus if a number of suspect program instructions identified for said executable computer program exceeds a threshold level;
- maintaining a dependence table indicating dependency between state variables within said computer and loaded variable values, wherein for each program instruction a determination is made as to which state variables are read and written by that program instruction and, for each loaded variable value within said dependence table, if any state variable read by that program instruction is marked as dependent upon said loaded variable value, then all state variables written by that program instruction are marked as dependent upon said loaded variable value with previous dependencies being cleared; and
- parsing said executable computer program for suspect program instructions by following execution flow and upon occurrence of a branch first following a first branch path having saved pending analysis results and subsequently returning to follow a second branch path having restored said pending analysis results;
wherein a state variable is marked as initialised upon occurrence of one of:
(i) a write to said state variable of a determined initialised value; and
(ii) use of said state variable as a memory address value by a program instruction;
wherein a branch path stops being followed when one of the following occurs:
(i) there are no further suitable program instructions for execution within that branch path; and
(ii) said branch path rejoins a previously parsed execution path;
wherein an initialisation table is included for indicating which state variables have been initialised;
wherein said dependence table includes a column for each register within a processor, an external write, and a write to a flag value; and
a plurality of rows with each row corresponding to a value loaded into said computer that influences a state of said computer;
wherein said initialisation table includes a column for each register within said processor indicating whether each register is initialised.
Dependent claims: 11, 12, 13, 14, 15.
16. Apparatus for detecting an executable computer program containing a computer virus, said apparatus comprising:
- an analyser for analysing program instructions forming said executable computer program to identify suspect program instructions being at least one of:
(i) a program instruction generating a result value not used by another portion of said executable computer program; and
(ii) a program instruction dependent upon an uninitialised variable; and
- a detector operable to detect said executable computer program as containing a computer virus if a number of suspect program instructions identified for said executable computer program exceeds a threshold level, wherein said analyser includes a dependence table indicating dependency between state variables within said computer and loaded variable values, wherein for each program instruction said analyser makes a determination as to which state variables are read and written by that program instruction and for each loaded variable value within said dependence table if any state variable read by that program instruction is marked as dependent upon said loaded variable value, then all state variables written by that program instruction are marked as dependent upon said loaded variable value with previous dependencies being cleared, and said analyser parses said executable computer program for suspect program instructions by following execution flow and upon occurrence of a branch first following a first branch path having saved pending analysis results and subsequently returning to follow a second branch path having restored said pending analysis results;
wherein a state variable is marked as initialised upon occurrence of one of:
(i) a write to said state variable of a determined initialised value; and
(ii) use of said state variable as a memory address value by a program instruction;
wherein a branch path stops being followed when one of the following occurs:
(i) there are no further suitable program instructions for execution within that branch path; and
(ii) said branch path rejoins a previously parsed execution path;
wherein an initialisation table is included for indicating which state variables have been initialised;
wherein said dependence table includes a column for each register within a processor, an external write, and a write to a flag value; and
a plurality of rows with each row corresponding to a value loaded into said computer that influences a state of said computer;
wherein said initialisation table includes a column for each register within said processor indicating whether each register is initialised.
Dependent claims: 17, 18, 19, 20, 21.