Fuzzy scanning system and method

US 7,284,273 B1
Filed: 05/29/2003
Issued: 10/16/2007
Est. Priority Date: 05/29/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

randomly selecting at least one string of a virus definition file used by a scanner to locate known viruses, said virus definition file comprising;

a set of strings of said known viruses, said set of strings comprising said at least one string; and

a set of properties associated with said set of strings of said known viruses, said properties defining known virus variants of said known viruses, said properties comprising a number of mismatches and skips allowed in said strings;

randomly mutating properties of said at least one string to create a mutated virus definition file; and

determining whether malicious code is detected using said mutated virus definition file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes randomly mutating a virus definition file on a first host computer system to create a first mutated virus definition file, and randomly mutating the virus definition file on a second host computer system to create a second mutated virus definition file, the second mutated virus definition file being different than the first mutated virus definition file. Because of the differences between the first and second mutated virus definition files, a new unknown virus variant undetected on the first host computer system is detected and collected on the second host computer system thus preventing the unknown virus variant from becoming widespread.

27 Citations

View as Search Results

27 Claims

1. A method comprising:
- randomly selecting at least one string of a virus definition file used by a scanner to locate known viruses, said virus definition file comprising;
  
  a set of strings of said known viruses, said set of strings comprising said at least one string; and
  
  a set of properties associated with said set of strings of said known viruses, said properties defining known virus variants of said known viruses, said properties comprising a number of mismatches and skips allowed in said strings;
  
  randomly mutating properties of said at least one string to create a mutated virus definition file; and
  
  determining whether malicious code is detected using said mutated virus definition file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein, upon a determination that malicious code is detected during said determining, said method further comprising determining whether said malicious code is detectable using said virus definition file.
  - 3. The method of claim 2 wherein, upon a determination that said malicious code is not detectable using said virus definition file, said method further comprising submitting a sample of said malicious code to a virus collection center.
  - 4. The method of claim 2 wherein, upon a determination that said malicious code is not detectable using said virus definition file, said method further comprising providing a notification that unknown malicious code is detected.
  - 5. The method of claim 4 further comprising taking protective action to prevent damage to a host computer system comprising said malicious code.
  - 6. The method of claim 2 wherein, upon a determination that said malicious code is detectable using said virus definition file, said method further comprising taking protective action to prevent damage to a host computer system comprising said malicious code.
  - 7. The method of claim 1 wherein said set of properties of said virus definition file comprises a set of flags associated with said set of strings comprising at least one flag associated with said at least one string.
  - 8. The method of claim 7 wherein said mutated virus definition file comprises said set of strings and a set of associated mutated flags comprising at least one mutated flag associated with said at least one string.
  - 9. The method of claim 8 wherein said at least one mutated flag of said mutated virus definition file comprises a greater number of mismatches than said at least one flag of said virus definition file.
  - 10. The method of claim 8 wherein said at least one mutated flag of said mutated virus definition file comprises a greater number of skips than said at least one flag of said virus definition file.
  - 11. The method of claim 1 wherein said randomly mutating properties of said at least one string to create a mutated virus definition file comprises:
    - mutating a flag associated with said at least one string; and
      
      determining whether said mutating carries an acceptable false positive risk.
  - 12. The method of claim 11 wherein said mutating comprises adding at least one mismatch to said flag.
  - 13. The method of claim 12 wherein said adding at least one mismatch comprises incrementing a mismatch value of said flag.
  - 14. The method of claim 11 wherein said mutating comprises adding at least one skip to said flag.
  - 15. The method of claim 14 wherein said adding at least one skip comprises incrementing a skip value of said flag.
  - 16. The method of claim 11 wherein, upon a determination that said mutating does not carry an acceptable false positive risk during said determining whether said mutating carries an acceptable false positive risk, said method further comprising leaving said flag unmutated.

17. A method comprising:
- randomly mutating a virus definition file on a first host computer system to create a first mutated virus definition file, said virus definition file used by a scanner on said first host computer system to locate known viruses, said virus definition file comprising;
  
  a set of strings of said known viruses; and
  
  a set of properties associated with said set of strings of said known viruses, said properties defining known virus variants of said known viruses, said properties comprising a number of mismatches and skips allowed in said strings;
  
  randomly mutating said virus definition file on a second host computer system to create a second mutated virus definition file, said second mutated virus definition file being different than said first mutated virus definition file; and
  
  wherein said scanner on said first host computer system using said first mutated virus definition file and a scanner on said second host computer system using said second mutated virus definition file are used to detect malicious code.
- View Dependent Claims (18)
- - 18. The method of claim 17 wherein said scanner on said first host computer system using said first mutated virus definition file does not detected unknown malicious code and said scanner on said second host computer system using said second mutated virus definition file does detected said unknown malicious code.

19. A computer system comprising:
- a means for randomly selecting at least one string of a virus definition file used by a scanner to locate known viruses, said virus definition file comprising;
  
  a set of strings of said known viruses, said set of strings comprising said at least one string; and
  
  a set of properties associated with said set of strings of said known viruses, said properties defining known virus variants of said known viruses, said properties comprising a number of mismatches and skips allowed in said strings;
  
  a means for randomly mutating properties of said at least one string to create a mutated virus definition file; and
  
  a means for determining whether malicious code is detected using said mutated virus definition file.

20. A method comprising:
- randomly selecting strings of a virus definition file used by a scanner to locate known viruses, said strings comprising a first string, said virus definition file comprising;
  
  a set of strings of said known viruses, said set of strings comprising said first string; and
  
  a set of properties associated with said set of strings of said known viruses, said properties defining known virus variants of said known viruses, said properties comprising a number of mismatches and skips allowed in said strings; and
  
  randomly mutating properties of said strings to create a mutated virus definition file, said randomly mutating comprising;
  
  selecting said first string;
  
  mutating properties of said first string; and
  
  determining whether said first string is a last string of said strings; and
  
  determining whether malicious code is detected using said mutated virus definition file.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20 wherein, upon a determination that said first string is not said last string, said randomly mutating further comprising selecting a next string of said strings.
  - 22. The method of claim 20 wherein said randomly mutating further comprises determining whether said mutating carries an acceptable false positive risk.
  - 23. The method of claim 22 wherein, upon a determination that said mutating does not carry an acceptable false positive risk during said determining whether said mutating carries an acceptable false positive risk, said method further comprising leaving said properties of said first string unmutated.

24. A computer-program product comprising a computer readable medium containing computer code comprising:
- a fuzzy scanning application for randomly selecting at least one string of a virus definition file used by a scanner to locate known viruses, said virus definition file comprising;
  
  a set of strings of said known viruses, said set of strings comprising said at least one string; and
  
  a set of properties associated with said set of strings of said known viruses, said properties defining known virus variants of said known viruses, said properties comprising a number of mismatches and skips allowed in said strings;
  
  said fuzzy scanning application further for randomly mutating properties of said at least one string to create a mutated virus definition file; and
  
  said fuzzy scanning application further for determining whether malicious code is detected using said mutated virus definition file.
- View Dependent Claims (25, 26, 27)
- - 25. The computer-program product of claim 24 wherein, upon a determination that malicious code is detected during said determining, said fuzzy scanning application is further for determining whether said malicious code is detectable using said virus definition file.
  - 26. The computer-program product of claim 24 wherein, upon a determination that said malicious code is not detectable using said virus definition file, said fuzzy scanning application is further for submitting a sample of said malicious code to a virus collection center.
  - 27. The computer-program product of claim 24 wherein, upon a determination that said malicious code is not detectable using said virus definition file, said fuzzy scanning application is further for providing a notification that unknown malicious code is detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter
Primary Examiner(s)
Barrón, Jr.; Giberto
Assistant Examiner(s)
TRAN, ELLEN C

Application Number

US10/448,567
Time in Patent Office

1,601 Days
Field of Search

726/22, 726/23, 726/24
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

Fuzzy scanning system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Fuzzy scanning system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others