Detection and identification methods for software
First Claim
Patent Images
1. A method for creating a superfingerprint for identifying a protected software comprising:
- creating a superfingerprint for said protected software by;
executing said protected software at least once;
in each execution, using a supervising program, selecting specified portions of the executing image of at least one of said executing software and of results of executing said protected software;
in each execution, using a supervising program, performing computations on said selected portions to obtain a collection of fingerprints; and
combining, using the supervising program, said collections of fingerprints found in each execution into the superfingerprint of said protected software according to a combining rule;
at a later time, detecting execution of an unidentified software; and
using the superfingerprint of the protected software to identify the executing unidentified software, where the executing unidentified software is identified as the protected software using the superfingerprint even if the executing unidentified software and the protected software are not exactly the same by;
selecting by a supervising program specified portions of the executing image of at least one of said executing unidentified software and of the results of executing said executing unidentified first software on each execution;
performing by said supervising program specified computations on said selected portions to obtain a collection of fingerprints from the executing unidentified software;
comparing said collection of fingerprints from the executing unidentified software to a previously computed superfingerprint of the protected software to determine whether there is an approximate match; and
declaring said the executing unidentified software to be the same as said the protected software if an approximate match is found.
5 Assignments
0 Petitions
Accused Products
Abstract
Software is identified while in main memory by examining small portions of its executable image or by examining the results of its execution. These portions, or an encoding of them, are then compared with previously stored identifying information about at least one Software through an approximate matching process.
75 Citations
50 Claims
-
1. A method for creating a superfingerprint for identifying a protected software comprising:
-
creating a superfingerprint for said protected software by; executing said protected software at least once; in each execution, using a supervising program, selecting specified portions of the executing image of at least one of said executing software and of results of executing said protected software; in each execution, using a supervising program, performing computations on said selected portions to obtain a collection of fingerprints; and combining, using the supervising program, said collections of fingerprints found in each execution into the superfingerprint of said protected software according to a combining rule; at a later time, detecting execution of an unidentified software; and
using the superfingerprint of the protected software to identify the executing unidentified software, where the executing unidentified software is identified as the protected software using the superfingerprint even if the executing unidentified software and the protected software are not exactly the same by;selecting by a supervising program specified portions of the executing image of at least one of said executing unidentified software and of the results of executing said executing unidentified first software on each execution; performing by said supervising program specified computations on said selected portions to obtain a collection of fingerprints from the executing unidentified software; comparing said collection of fingerprints from the executing unidentified software to a previously computed superfingerprint of the protected software to determine whether there is an approximate match; and declaring said the executing unidentified software to be the same as said the protected software if an approximate match is found. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
-
-
26. A method for identifying a first protected software comprising the steps of:
-
storing previously created superfingerprints for at least one protected software; detecting execution of an unidentified software; and using the superfingerprints of the protected software to identify the executing unidentified software, where the executing unidentified software is identified as the protected software using the superfingerprint even if the executing unidentified software and the protected software are not exactly the same by; selecting by a supervising program specified portions of the executing image of at least one of said executing unidentified software and of the results of executing said executing unidentified software on each execution; performing by said supervising program specified computations on said selected portions to obtain a collection of fingerprints from the executing unidentified software; comparing said collection of fingerprints from the executing unidentified software to said previously computed superfingerprint of the protected software to determine whether there is an approximate match; and declaring said the executing unidentified software to be the same as said the protected software if an approximate match is found. - View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
-
-
49. A method for identifying a protected software group of a first protected software comprising the steps of:
-
storing previously created superfingerprints for at least one protected software group; detecting execution of an unidentified software; and using one of the superfingerprints of the protected software to identify the executing unidentified software, where the executing unidentified software is identified as the protected software using the superfingerprint even if the executing unidentified software and the protected software are not exactly the same by; selecting specified portions of the executing image of said executing unidentified software and of the results of executing said executing unidentified software on each execution; performing specified computations on said selected portions to obtain a collection of fingerprints from the executing unidentified software; comparing said collection of fingerprints to said previously computed superfingerprint of at least one second protected software group to determine whether there is an approximate match; and declaring said executing unidentified software to be a member of said second protected software group if an approximate match is found.
-
-
50. A method for identifying a protected software that is a member of a group of protected software comprising the steps of:
-
storing previously created superfingerprints for at least one protected software group and for members of that group; detecting execution of an unidentified software; and using one of the superfingerprints of the protected software to identify the executing unidentified software, where the executing unidentified software is identified as the protected software using the superfingerprint even if the executing unidentified software and the protected software are not exactly the same by; selecting specified portions of the executing image of said executing unidentified software and of the results of executing said executing unidentified software on each execution; performing computations on said selected portions to obtain a collection of fingerprints from the executing unidentified software; comparing said collection of fingerprints from the executing unidentified software to said previously computed superfingerprint of at least one protected software group and the superfingerprints of the members of said protected software group to determine whether there is an approximate match with said group and at least one of said superfingerprints of said members of said group; and declaring said executing unidentified software to be the same as a particular member of said second protected software group if an approximate match is found.
-
Specification