Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine

US 7,370,360 B2
Filed: 05/13/2002
Issued: 05/06/2008
Est. Priority Date: 05/13/2002
Status: Active Grant

First Claim

Patent Images

1. A method for identifying presence of malicious code in program code within a computer system, the method comprising:

initializing an analytical virtual P-code engine (AVPE) within a virtual personal computer (PC) comprising software simulating functionality of a central processing unit (CPU), an operating system, input/output ports, and a memory, the AVPE comprising software simulating functionality of a P-code interpreter and library routines exposed as API'"'"'s (Application Program Interfaces) for virtual execution of N-code compiled programs;

virtually executing a target program within the AVPE so that the target program interacts with the computer system only through the virtual PC;

generating a behavior pattern for the target program which includes flags for tracking functions performed by the target program and flags for tracking functions not performed by the target program during virtual execution, the flags forming a behavior pattern field that tracks a sequence in which the functions are called by the target program, the behavior pattern representing information about all functions simulated by the target program during virtual execution;

analyzing behavior of the target program upon completion of virtual execution to identify an occurrence of malicious code behavior based upon an evaluation of the flags in the behavior pattern field; and

terminating the virtual PC after the analyzing process, thereby removing from the computer system a copy of the target program that was contained within the virtual PC.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated analysis system identifies the presence of malicious P-code or N-code programs in a manner that limits the possibility of the malicious code infecting a target computer. The target computer system initializes an analytical virtual P-code engine (AVPE). As initialized, the AVPE comprises software simulating the functionality of a P-code or intermediate language engine as well as machine language facilities simulating the P-code library routines that allow the execution of N-code programs. The AVPE executes a target program so that the target program does not interact with the target computer. The AVPE analyzes the behavior of the target program to identify occurrence of malicious code behavior and to indicate in a behavior pattern the occurrence of malicious code behavior. The AVPE is terminated at the end of the analysis process, thereby removing from the computer system the copy of the target program that was contained within the AVPE.

422 Citations

27 Claims

1. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
- initializing an analytical virtual P-code engine (AVPE) within a virtual personal computer (PC) comprising software simulating functionality of a central processing unit (CPU), an operating system, input/output ports, and a memory, the AVPE comprising software simulating functionality of a P-code interpreter and library routines exposed as API'"'"'s (Application Program Interfaces) for virtual execution of N-code compiled programs;
  
  virtually executing a target program within the AVPE so that the target program interacts with the computer system only through the virtual PC;
  
  generating a behavior pattern for the target program which includes flags for tracking functions performed by the target program and flags for tracking functions not performed by the target program during virtual execution, the flags forming a behavior pattern field that tracks a sequence in which the functions are called by the target program, the behavior pattern representing information about all functions simulated by the target program during virtual execution;
  
  analyzing behavior of the target program upon completion of virtual execution to identify an occurrence of malicious code behavior based upon an evaluation of the flags in the behavior pattern field; and
  
  terminating the virtual PC after the analyzing process, thereby removing from the computer system a copy of the target program that was contained within the virtual PC.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein terminating the virtual PC includes deallocating of all resources of a virtual memory implemented by the software simulating functionality of the memory.
  - 3. The method of claim 1, further comprising deallocating all resources of a virtual memory containing data or program statements created by virtual execution of the target program, the virtual memory implemented by the software simulating functionality of the memory.
  - 4. The method of claim 1, wherein the library routines for N-code compiled programs are exposed to the AVPE through one of the API'"'"'s.
  - 5. The method of claim 1, wherein the P-code comprises virtual machine code and a run-time engine simulates the operations performed by each P-code.
  - 6. The method of claim 1, wherein the virtual PC simulates functionality of data areas for the, operating system, and API'"'"'s for the operating system.
  - 7. The method of claim 6, wherein the virtual PC further comprises software for simulating the functionality of BIOS firmware and language emulators.
  - 8. The method of claim 6, wherein virtual execution of the target program causes the target program to interact with the operating system application program interface simulated by the AVPE.
  - 9. The method of claim 1, wherein the target program is newly introduced to the computer system and not executed prior to virtually executing the target program.
  - 10. The method of claim 1, wherein after a first instance of a first program is analyzed by the AVPE and a first behavior pattern is generated and stored in a database within the computer system, the method further comprising:
    - determining that the first program is modified;
      
      analyzing the modified first program by executing the modified first program in the AVPE to provide a second behavior pattern; and
      
      comparing the first behavior pattern to the second behavior pattern to determine whether the second behavior pattern is altered from the first behavior pattern in a manner indicative of presence of the malicious code in the modified first program.
  - 11. The method of claim 10, wherein a new behavior pattern is generated each time the first program is modified.
  - 12. The method of claim 10, wherein introduction of malicious code during modification of the first program is detected by comparing the first behavior pattern to the second behavior pattern and identifying altered bits indicating an addition of an infection procedure to the modified first program.
  - 13. The method of claim 10, wherein the first behavior pattern is identified as a match to the second behavior pattern when the modified first program is a new version of the first program.
  - 14. The method of claim 1, wherein the behavior pattern identifies functions executed in the virtual execution of the target program, the method further comprising tracking an order in which the functions are virtually executed by the target program within the AVPE to provide a complete record of all functions simulated by the target program, as if the target program was executed on the computer system.
  - 15. The method of claim 1, wherein a virtual central processing unit, implemented by software simulating the functionality of the CPUs is distinct from the AVPE.

16. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
- initializing a virtual PC within the computer system, the virtual PC, implemented by software, comprising a virtual central processing unit simulating functionality of a central processing unit, virtual memory simulating the functionality of memory and a virtual operating system simulating functionality of an operating system including application program interface (API) calls;
  
  virtually executing a target program with the virtual PC so that the target program interacts only with an instance of the virtual operating system rather than with the operating system of the computer system, whereby the malicious code is fully executed during virtual execution of the target program if the target program is infected by the malicious code;
  
  generating a behavior pattern for the target program which includes flags for tracking functions performed by the target program and flags for tracking functions not performed by the target program during virtual execution, the flags forming a behavior pattern field that tracks a sequence in which the functions are called by the target program, the behavior pattern representing information about all functions simulated by the target program during virtual execution; and
  
  terminating the virtual engine upon completion of the virtual execution of the target program, leaving behind a record of the behavior pattern that is representative of operations of the target program with the computer system, including operations of the malicious code if the target program comprises the malicious code.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein the record is matched to a plurality of predefined behavior patterns, each representative of a single malicious code function.
  - 18. The method of claim 16, wherein after a first instance of a first program is virtually executed by the virtual PC and a first behavior pattern is generated and stored in a database coupled to the computer system, the method further comprising:
    - determining that the first program is modified;
      
      executing the modified first program with the virtual PC to provide a second behavior pattern; and
      
      comparing the first behavior pattern to the second behavior pattern to determine whether the second behavior pattern is altered from the firm behavior pattern in a manner indicative of presence of the malicious code in the modified first program.
  - 19. The method of claim 18, wherein a new behavior pattern is generated each time the first program is modified.
  - 20. The method of claim 18, wherein introduction of the malicious code by modification of the first program is detected by comparing the first behavior pattern to the second behavior pattern and identifying altered bits indicating an addition of an infection procedure to the modified first program.
  - 21. The method of claim 18, wherein the first behavior pattern is identified as a match to the second behavior pattern when the modified first program is a new version of the first program.
  - 22. The method of claim 18, wherein the behavior pattern identifies all functions executed during the virtual execution of the target program and records an order of simulation of the functions.

23. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
- initializing an analytical virtual P-code engine (AVPE) of a virtual PC operating within the computer system, the AVPE simulating functionality of a P-code interpreter, the virtual PC comprising a virtual central processing unit, a virtual operating system and virtual memory;
  
  virtually executing a target program within the AVPE so that the target program interacts with the computer system only through the virtual PC;
  
  generating a behavior pattern for the target program which includes flags for tracking functions performed by the target program and flags for tracking functions not performed by the target program during virtual execution, the flags forming a behavior pattern field that tracks a sequence in which the functions are called by the target program, the behavior pattern representing information about all functions simulated by the target program during virtual execution;
  
  analyzing the behavior pattern of the target program generated by completion of virtual execution of the target program to identify an occurrence of malicious code behavior based upon an evaluation of the flags in the behavior pattern field; and
  
  terminating the virtual PC, thereby removing from the host computer system a copy of the target program that was contained within the AVPE.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The method of claim 23, wherein terminating the virtual PC includes deallocating of all virtual memory resources.
  - 25. The method of claim 23, further comprising deallocating all virtual memory resources containing data or program statements created by the target program.
  - 26. The method of claim 23, further comprising the step of exposing for the AVPE to low level engines and language interpreters of the virtual PC through an application program interface for the virtual execution of N-code compiled programs.
  - 27. The method of claim 25, wherein P-code comprises virtual machine code and a run-time engine simulates the operations performed by each P-code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
International Business Machines Corporation
Inventors
van der Made, Peter A. J.
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
SHAN, APRIL YING

Application Number

US10/145,592
Publication Number

US 20030212902A1
Time in Patent Office

2,185 Days
Field of Search

726 3- 4, 726 13- 15, 726 22- 27, 726/30, 726/18, 726/34, 711/6, 711/100, 709/1, 709/100, 709223-225, 709/16, 709/18, 713 1- 3, 713/187, 713/188, 382/181, 382/197, 717/135, 717/134, 710/16, 710/18, 714/37, 714/38
US Class Current

726/24
CPC Class Codes

G06F 21/563 by source code analysis

Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

422 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

422 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links