Method and system for real-time tamper evidence gathering for software
First Claim
1. A method for verifying integrity of a computing process, comprising:
- determining a trait associated with the computing process;
- determining a pattern statistic associated with the trait based in part on an execution of the computing process in a normal condition, wherein determining the pattern statistic further comprises:
  - determining consecutive data associated with the trait;
  - employing a graphical representation to convert the consecutive data to a radius-vector;
  - if the radius-vector is mature, retaining an endpoint coordinate associated with the radius-vector;
  - determining a frequency pattern associated with the trait; and
  - employing the graphical representation in part to convert the frequency pattern to an average directional vector;
- determining a prototype statistic associated with the trait based in part on another execution of the computing process in another condition;
- comparing the pattern statistic to the prototype statistic; and
- if the comparison indicates abnormal behavior of the computing process, performing a predetermined action.
Abstract
A method and system are directed to differentiating between normal characteristics and abnormal characteristics within a software process, such that tampering of the software process may be identified programmatically. The identification of behavior that may be defined as normal may vary. Such behavior may include a sequence of selected system level calls that may access resources considered relevant, and the like. Data on the selected behavior is gathered, and when a sufficient amount of abnormal behavior has been detected, a signal may be provided such that an action may be performed. Samples of the gathered data are assigned a unique value. Statistical information is determined from the collected behavior, including trend data. Such trend data is compared to trends identified as normal for the software process, and a determination is made whether the sampled behavior is non-normal.
17 Claims
10. An apparatus encoded with computer-executable components for determining tamper evidence of a client process, comprising:
- a transceiver arranged to receive and forward data;
- a processor, coupled to the transceiver, having instructions arranged to perform actions, including:
  - determining a trait associated with the client process;
  - receiving a first set of data associated with the trait based in part on execution of the client process in a normal condition;
  - receiving a second set of data associated with the trait based in part on another execution of the client process in another condition;
  - determining a pattern statistic associated with the first set of data, wherein determining the pattern statistic further comprises:
    - determining consecutive data associated with the trait;
    - employing a graphical representation to convert the consecutive data to a radius-vector;
    - if the radius-vector is mature, retaining an endpoint coordinate associated with the radius-vector;
    - determining a frequency pattern associated with the trait; and
    - employing the graphical representation to convert the frequency pattern to an average directional vector;
  - determining a prototype statistic associated with the second set of data;
  - comparing the pattern statistic to the prototype statistic; and
  - if the comparison indicates abnormal behavior of the client process, performing a predetermined action.
Specification