Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
First Claim
1. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
initializing an analytical virtual P-code engine (AVPE) within a virtual personal computer (PC) comprising software simulating functionality of a central processing unit (CPU), an operating system, input/output ports, and a memory, the AVPE comprising software simulating functionality of a P-code interpreter and library routines exposed as APIs (Application Program Interfaces) for virtual execution of N-code compiled programs;
virtually executing a target program within the AVPE so that the target program interacts with the computer system only through the virtual PC;
generating a behavior pattern for the target program which includes flags for tracking functions performed by the target program and flags for tracking functions not performed by the target program during virtual execution, the flags forming a behavior pattern field that tracks a sequence in which the functions are called by the target program, the behavior pattern representing information about all functions simulated by the target program during virtual execution;
analyzing behavior of the target program upon completion of virtual execution to identify an occurrence of malicious code behavior based upon an evaluation of the flags in the behavior pattern field; and
terminating the virtual PC after the analyzing process, thereby removing from the computer system a copy of the target program that was contained within the virtual PC.
Abstract
An automated analysis system identifies the presence of malicious P-code or N-code programs in a manner that limits the possibility of the malicious code infecting a target computer. The target computer system initializes an analytical virtual P-code engine (AVPE). As initialized, the AVPE comprises software simulating the functionality of a P-code or intermediate language engine as well as machine language facilities simulating the P-code library routines that allow the execution of N-code programs. The AVPE executes a target program so that the target program does not interact with the target computer. The AVPE analyzes the behavior of the target program to identify occurrence of malicious code behavior and to indicate in a behavior pattern the occurrence of malicious code behavior. The AVPE is terminated at the end of the analysis process, thereby removing from the computer system the copy of the target program that was contained within the AVPE.
422 Citations
27 Claims
1. Claim 1 is set out above under First Claim. Dependent claims: 2 to 15.
16. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
initializing a virtual PC within the computer system, the virtual PC, implemented by software, comprising a virtual central processing unit simulating functionality of a central processing unit, virtual memory simulating the functionality of memory and a virtual operating system simulating functionality of an operating system including application program interface (API) calls;
virtually executing a target program with the virtual PC so that the target program interacts only with an instance of the virtual operating system rather than with the operating system of the computer system, whereby the malicious code is fully executed during virtual execution of the target program if the target program is infected by the malicious code;
generating a behavior pattern for the target program which includes flags for tracking functions performed by the target program and flags for tracking functions not performed by the target program during virtual execution, the flags forming a behavior pattern field that tracks a sequence in which the functions are called by the target program, the behavior pattern representing information about all functions simulated by the target program during virtual execution; and
terminating the virtual engine upon completion of the virtual execution of the target program, leaving behind a record of the behavior pattern that is representative of operations of the target program with the computer system, including operations of the malicious code if the target program comprises the malicious code.
Dependent claims: 17 to 22.
23. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
initializing an analytical virtual P-code engine (AVPE) of a virtual PC operating within the computer system, the AVPE simulating functionality of a P-code interpreter, the virtual PC comprising a virtual central processing unit, a virtual operating system and virtual memory;
virtually executing a target program within the AVPE so that the target program interacts with the computer system only through the virtual PC;
generating a behavior pattern for the target program which includes flags for tracking functions performed by the target program and flags for tracking functions not performed by the target program during virtual execution, the flags forming a behavior pattern field that tracks a sequence in which the functions are called by the target program, the behavior pattern representing information about all functions simulated by the target program during virtual execution;
analyzing the behavior pattern of the target program generated by completion of virtual execution of the target program to identify an occurrence of malicious code behavior based upon an evaluation of the flags in the behavior pattern field; and
terminating the virtual PC, thereby removing from the host computer system a copy of the target program that was contained within the AVPE.
Dependent claims: 24 to 27.
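The claims above (and the abstract) describe one loop: a virtual PC exposes simulated library routines to a P-code interpreter, every routine the target calls sets a flag and is appended to a call sequence, the resulting behavior pattern field (performed flags, not-performed flags, order of calls) is evaluated once execution ends, and the virtual PC is then discarded together with its copy of the target. The following Python model is an added illustration of that loop, not code from the patent or its assignee; the two-opcode P-code, the routine names, the two detection rules and the sample programs are all constructed for this example and are not drawn from the patent.

```python
from dataclasses import dataclass, field

# One flag bit per simulated library routine (the "APIs" of the claims).
# Routine names are constructed for this example.
API_BITS = {"FindFile": 1 << 0, "OpenFile": 1 << 1, "WriteFile": 1 << 2,
            "NetSend": 1 << 3, "MsgBox": 1 << 4}
ALL_BITS = sum(API_BITS.values())


@dataclass
class BehaviorPattern:
    """Behavior pattern field: which routines ran, and in what order."""
    performed: int = 0
    sequence: list = field(default_factory=list)

    @property
    def not_performed(self) -> int:  # routines the target never called
        return ALL_BITS & ~self.performed

    def record(self, name: str) -> None:
        self.performed |= API_BITS[name]
        self.sequence.append(name)


class VirtualPC:
    """Simulated machine: disk and network are plain Python objects, so the
    target only ever touches virtual state, never the host."""

    def __init__(self, files: dict):
        self.files = dict(files)  # private copy of the virtual disk
        self.net_log, self.stack = [], []
        self.pattern = BehaviorPattern()

    # Simulated library routines; each operates on virtual state only.
    def api_FindFile(self, suffix):
        return [f for f in self.files if f.upper().endswith(suffix.upper())]
    def api_OpenFile(self, name):
        return name if name in self.files else None
    def api_WriteFile(self, name, data):
        if name not in self.files:
            return False
        self.files[name] += data
        return True
    def api_NetSend(self, data):
        self.net_log.append(data)
        return len(data)
    def api_MsgBox(self, text):
        return 0

    def run(self, program) -> BehaviorPattern:
        """Interpret a constructed stack P-code: ('PUSH', value) and
        ('CALL', routine, argc). Each CALL is flagged before it executes."""
        for op, *args in program:
            if op == "PUSH":
                self.stack.append(args[0])
            elif op == "CALL":
                name, argc = args
                call_args = [self.stack.pop() for _ in range(argc)][::-1]
                self.pattern.record(name)
                self.stack.append(getattr(self, "api_" + name)(*call_args))
            else:
                raise ValueError(f"unknown opcode {op!r}")
        return self.pattern


# Constructed rules: routines that must occur in this order, plus routines
# whose not-performed flag must be set.
RULES = [
    ("modifies other programs without user interaction",
     ["FindFile", "OpenFile", "WriteFile"], ["MsgBox"]),
    ("modifies files and then sends data out", ["WriteFile", "NetSend"], []),
]


def is_subsequence(needle, haystack) -> bool:
    it = iter(haystack)
    return all(any(n == h for h in it) for n in needle)


def analyze(pattern: BehaviorPattern) -> list:
    findings = []
    for description, ordered, absent in RULES:
        if (all(pattern.performed & API_BITS[n] for n in ordered)
                and all(pattern.not_performed & API_BITS[n] for n in absent)
                and is_subsequence(ordered, pattern.sequence)):
            findings.append(description)
    return findings


def scan(program, virtual_files: dict):
    """Run the target in a fresh virtual PC, keep only the pattern and
    findings, then drop the virtual PC together with the target copy."""
    vpc = VirtualPC(virtual_files)
    pattern = vpc.run(program)
    del vpc
    return pattern, analyze(pattern)


# Constructed sample targets: a file-infector-shaped program and a benign one.
INFECTOR = [("PUSH", ".EXE"), ("CALL", "FindFile", 1), ("PUSH", "HOST.EXE"),
            ("CALL", "OpenFile", 1), ("PUSH", "HOST.EXE"), ("PUSH", "<payload>"),
            ("CALL", "WriteFile", 2)]
BENIGN = [("PUSH", "hello"), ("CALL", "MsgBox", 1)]
```

Calling `scan(INFECTOR, {"HOST.EXE": "MZ"})` returns a pattern whose performed flags are FindFile, OpenFile and WriteFile, whose not-performed flags include MsgBox, and whose sequence is in that order, so the first rule fires; the benign program sets only the MsgBox flag and matches nothing. The dictionary passed in is copied, so the write to HOST.EXE lands only in the virtual disk, which disappears with the virtual PC.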
Specification