Method and system for real-time tamper evidence gathering for software

US 7,594,271 B2
Filed: 09/22/2003
Issued: 09/22/2009
Est. Priority Date: 09/20/2002
Status: Active Grant

First Claim

Patent Images

1. A method for verifying integrity of a computing process, comprising:

determining a trait associated with the computing process;

determining a pattern statistic associated with the trait based in part on an execution of the computing process in a normal condition, wherein determining the pattern statistic further comprises;

determining consecutive data associated with the trait;

employing a graphical representation to convert the consecutive data to a radius-vector;

if the radius-vector is mature, retaining an endpoint coordinate associated with the radius-vector;

determining a frequency pattern associated with the trait; and

employing the graphical representation in part to convert the frequency pattern to an average directional vector;

determining a prototype statistic associated with the trait based in part on another execution of the computing process in another condition;

comparing the pattern statistic to the prototype statistic; and

if the comparison indicates abnormal behavior the computing process, performing a predetermined action.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are directed to differentiating between normal characteristics and abnormal characteristics within a software process, such that tampering of the software process may be identified programmatically. The identification of behavior that may be defined as normal may vary. Such behavior may include a sequence of selected system level calls that may access resources considered relevant, and the like. Data on the selected behavior is gathered, and when a sufficient amount of abnormal behavior has been detected, a signal may be provided such that an action may be performed. Samples of the gathered data are assigned a unique value. Statistical information is determined from the collected behavior, including trend data. Such trend data is compared to trends identified as normal for the software process, and a determination is made whether the sampled behavior is non-normal.

Citations

17 Claims

1. A method for verifying integrity of a computing process, comprising:
- determining a trait associated with the computing process;
  
  determining a pattern statistic associated with the trait based in part on an execution of the computing process in a normal condition, wherein determining the pattern statistic further comprises;
  
  determining consecutive data associated with the trait;
  
  employing a graphical representation to convert the consecutive data to a radius-vector;
  
  if the radius-vector is mature, retaining an endpoint coordinate associated with the radius-vector;
  
  determining a frequency pattern associated with the trait; and
  
  employing the graphical representation in part to convert the frequency pattern to an average directional vector;
  
  determining a prototype statistic associated with the trait based in part on another execution of the computing process in another condition;
  
  comparing the pattern statistic to the prototype statistic; and
  
  if the comparison indicates abnormal behavior the computing process, performing a predetermined action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein performing the predetermined action further comprises performing at least one of sending an alert message, and disabling the computing process.
  - 3. The method of claim 1, wherein the trait further comprises at least one system level call.
  - 4. The method of claim 1, wherein determining the pattern statistic and the prototype statistic further comprises:
    - determining a trend associated with the trait during execution of the computing process in the normal condition; and
      
      determining another trend associated with the trait during the other execution of the computing process in the other condition.
  - 5. The method of claim 1, wherein comparing the pattern statistic to the prototype statistic further comprises comparing the frequency pattern and a consequence associated with the pattern statistic to another frequency pattern and another consequence associated with the prototype statistic.
  - 6. The method of claim 1, wherein the mature radius-vector further comprises satisfying a condition wherein an absolute difference between a first sequence error and a second sequence error is less than or equal to a predetermined value.
  - 7. The method of claim 1, wherein employing the graphical representation further comprises employing a chaos game representation (CGR) plot.
  - 8. The method of claim 1, wherein comparing the pattern statistic to the prototype statistic further comprises comparing a vector norm and angle to another vector norm and another angle.
  - 9. The method of claim 1, wherein comparing the pattern statistic to the prototype statistic further comprises:
    - determining a pattern vector associated with the pattern statistic, wherein the pattern vector includes a direction and length;
      
      determining a prototype vector associated with the prototype statistic, wherein the prototype vector includes another direction and another length;
      
      determining a total difference between the pattern vector and the prototype vector; and
      
      if the total difference is outside a predetermined confidence level, indicating that the prototype statistic is associated with abnormal behavior.

10. An apparatus encoded with computer-executable components for determining tamper evidence of a client process, comprising:
- a transceiver arranged to receive and forward data;
  
  a processor, coupled to the transceiver, having instructions arranged to perform actions, including;
  
  determining a trait associated with the client process;
  
  receiving a first set of data associated with the trait based in part on execution of the client process in a normal condition;
  
  receiving a second set of data associated with the trait based in part on another execution of the client process in another condition;
  
  determining a pattern statistic associated with the first set of data, wherein determining the pattern statistic further comprises;
  
  determining consecutive data associated with the trait;
  
  employing a graphical representation to convert the consecutive data to a radius-vector;
  
  if the radius-vector is mature, retaining an endpoint coordinate associated with the radius-vector;
  
  determining a frequency pattern associated with the trait; and
  
  employing the graphical representation to convert the frequency pattern to an average directional vector;
  
  determining a prototype statistic associated with the second set of data;
  
  comparing the pattern statistic to the prototype statistic; and
  
  if the comparison indicates abnormal behavior of the client process, performing a predetermined action.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The apparatus of claim 10, wherein the computer-executable components reside in at least one of a server, and a client.
  - 12. The apparatus of claim 10, wherein performing the predetermined action further comprises performing at least one of sending an alert message, and disabling the client process.
  - 13. The apparatus of claim 10, wherein the trait further comprises at least one system level call.
  - 14. The apparatus of claim 10, wherein determining the pattern statistic and the prototype statistic further comprises:
    - determining a trend associated with the trait during execution of the client process in the normal condition; and
      
      determining another trend associated with the trait during the other execution of the client process in the other condition.
  - 15. The apparatus of claim 10, wherein the mature radius-vector further comprises satisfying a condition wherein an absolute difference between a first sequence error and a second sequence error is less than or equal to a predetermined value.
  - 16. The apparatus of claim 10, wherein employing the graphical representation further comprises a chaos game representation (CGR) plot.
  - 17. The apparatus of claim 10, wherein comparing the pattern statistic to the prototype statistic further comprises:
    - determining a pattern vector associated with the pattern statistic;
      
      determining a prototype vector associated with the prototype statistic;
      
      determining a total difference between the pattern vector and the prototype vector; and
      
      if the total difference is outside a predetermined confidence level, indicating that the prototype statistic is associated with abnormal behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Widevine Technologies Incorporated (Alphabet Inc.)
Inventors
Rohr, Vince M., Zhuk, Oscar V.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
HO, VIRGINIA T

Application Number

US10/668,046
Publication Number

US 20040153873A1
Time in Patent Office

2,192 Days
Field of Search

726 22- 24, 713/187, 717/127, 714/47
US Class Current

726/24
CPC Class Codes

G06F 21/121 Restricting unauthorised ex...

G06F 21/552 involving long-term monitor...

Method and system for real-time tamper evidence gathering for software

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for real-time tamper evidence gathering for software

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links