Methods and apparatus for interface adapter integrated virus protection

US 7,685,640 B2
Filed: 09/21/2004
Issued: 03/23/2010
Est. Priority Date: 09/21/2004
Status: Active Grant

First Claim

Patent Images

1. A media integrated protection adapter comprising:

an external media interface to accept media data in incoming data frames for processing;

an integrated virus protection engine that initiates a host processor opcode usage evaluation to check the media data in varying evaluation window sizes that encompass one or more of the incoming data frames for patterns of opcode usage indicative of suspect data and generate a media data descriptor having results of the opcode usage evaluation with a suspect data indicator that indicates a suspected type of virus found; and

a system interface providing coupling to a host processor and host memory for moving the media data and the media data descriptor to the host memory in a data transfer operation and informing the host processor of the data transfer operation and to check the suspect data indicator.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virus detection mechanism is described in which virus detection is provided by a network integrated protection (NIP) adapter. The NIP adapter checks incoming media data prior to it being activated by a computing device. The NIP adapter operates independently of a host processor to receive information packets from a network. This attribute of independence allows NIP anti-virus (AV) techniques to be “always on” scanning incoming messages and data transfers. By being independent of but closely coupled to the host processor, complex detection techniques, such as using check summing or pattern matching, can be efficiently implemented on the NIP adapter without involving central processor resources and time consuming mass storage accesses. The NIP adapter may be further enhanced with a unique fading memory (FM) facility to allow for a flexible and economical implementation of polymorphic virus detection.

Citations

20 Claims

1. A media integrated protection adapter comprising:
- an external media interface to accept media data in incoming data frames for processing;
  
  an integrated virus protection engine that initiates a host processor opcode usage evaluation to check the media data in varying evaluation window sizes that encompass one or more of the incoming data frames for patterns of opcode usage indicative of suspect data and generate a media data descriptor having results of the opcode usage evaluation with a suspect data indicator that indicates a suspected type of virus found; and
  
  a system interface providing coupling to a host processor and host memory for moving the media data and the media data descriptor to the host memory in a data transfer operation and informing the host processor of the data transfer operation and to check the suspect data indicator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The media integrated protection adapter of claim 1 wherein the integrated virus protection engine comprises:
    - a storage unit for storing virus parameters including virus signatures and opcodes to be used in the opcode usage evaluation supporting virus protection operations on the media integrated protection adapter;
      
      a check sum, pattern matching, and opcode frequency estimation engine operative on received media data to detect virus signatures and multiple statistical patterns of opcode usage that are recorded in the media data descriptor; and
      
      data status registers for storing the media data descriptor with the suspect data indicator.
  - 3. The media integrated protection adapter of claim 1 wherein the integrated virus protection engine comprises:
    - a storage unit for storing virus parameters including host processor opcodes supporting virus protection operations on the media interface adapter;
      
      an opcode pattern match engine operative on received media data for determining opcode statistics comparable to virus opcode statistics to estimate a concentration over time of the host processor opcodes in the media data when the media data is received; and
      
      data status registers for storing the media data descriptor with the suspect data indicator.
  - 4. The media integrated protection adapter of claim 3 wherein the concentration over time of the host processor opcodes in the media data is estimated by storing an opcode usage indication in a fading memory wherein the stored opcode usage indication fades with each occurrence of a programmed data time indication.
  - 5. The media integrated protection adapter of claim 3 further comprising:
    - an opcode pattern match engine operative on received media data for determining the patterns of opcode usage to estimate a concentration over time of the patterns of opcode usage in the media data.
  - 6. The media integrated protection adapter of claim 1 wherein the integrated virus protection engine comprises:
    - a storage unit for storing virus parameters including host processor opcodes, a data window value, a characteristic data time number, and a threshold;
      
      a match event engine operative on media data for detecting the host processor opcodes to generate a match event signal upon each detected host processor opcode;
      
      a data unit counter that generates a data time indication after counting the characteristic data time number of data units;
      
      at least one match fading memory (MFM) counter that upon receiving a match event signal is loaded with the data window value plus the MFM counter contents and the MFM counter contents are reduced upon receiving the data time indication from the data unit counter; and
      
      an output of the MFM counter is compared to the threshold generating a detection flag upon the threshold being exceeded for determining a suspect data indicator.
  - 7. The media integrated protection adapter of claim 6 wherein the MFM counter contents are reduced by a divide by 2 shift operation.
  - 8. The media integrated protection adapter of claim 1 wherein the host processor initiates additional virus detection processing on the media data that was moved to the host memory in response to a determination that the suspect data indicator indicates the media data is suspect.
  - 9. The media integrated protection adapter of claim 1 operates externally from the host processor and initially checks the media data for viruses separately from the host processor when the media data is received from the external media interface.

10. A virus protection system comprising:
- a host memory for storing software drivers, host anti-virus (AV) programs, media data, and media data descriptors;
  
  a host processor for executing software drivers and host AV programs; and
  
  a media interface adapter having an external media interface to accept media data in incoming data frames for processing, an integrated virus protection engine that initiates an opcode usage evaluation to check the media data in varying evaluation window sizes that encompass one or more of the incoming data frames for multiple statistical patterns of opcode usage indicate indicative of suspect data, and generate a media data descriptor having results of the opcode usage evaluation with a suspect data indicator that indicates a suspected type of virus found, and an internal host processor and host memory interface for moving the media data and the media data descriptor to the host memory in a data transfer operation and informing the host processor of the data transfer operation to check the suspect data indicator to determine a type of processing appropriate for the media data.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The virus protection system of claim 10 wherein the integrated virus protection engine comprises:
    - a storage unit for storing virus parameters including virus signatures and opcodes to be used in the opcode usage evaluation supporting virus protection operations on the media interface adapter;
      
      a check sum, pattern matching, and opcode frequency engine operative on received media data to detect the virus signatures and the multiple statistical patterns of opcode usage; and
      
      data status registers for storing a media data descriptor with a suspect data indicator.
  - 12. The virus protection system of claim 10 wherein the integrated virus protection engine comprises:
    - a storage unit for storing virus parameters including host processor opcodes supporting virus protection operations on the media interface adapter;
      
      a match event engine operative on received media data for detecting the host processor opcodes to generate a match event signal that is stored as a data window value for that match event in a fading memory where the stored data window value fades with each occurrence of a programmed data time indication; and
      
      data status registers for storing a media data descriptor with suspect data indicator.
  - 13. The virus protection system of claim 12 further comprising:
    - programmable registers storing a data window value, a characteristic data time number, and a threshold;
      
      a data unit counter that generates a shift signal after counting the characteristic data time number of data units;
      
      at least one match fading memory (MFM) counter that upon receiving a match event signal is loaded with the data window value plus the MFM counter contents and the MFM counter contents are shifted right one bit position upon receiving the shift signal from the data unit counter causing the data window value to fade with each occurrence of the shift signal; and
      
      the output of the MFM counter is compared to the threshold generating a detection flag upon the threshold being exceeded for determining a suspect data indicator.
  - 14. The virus protection system of claim 13 wherein the loading of the data window value plus the contents of the MFM counter is achieved by loading a data window value of at least one active binary bit without affecting the MFM counter bits of less significance than the data window value active binary bit.
  - 15. The virus protection system of claim 13 wherein the at least one MFM counter that upon receiving a plurality of match event signals within one characteristic data time is loaded with a sum of the plurality of data window values associated with each match event signal plus the MFM counter contents and the MFM counter contents are shifted right one bit position upon receiving the shift signal from the data unit counter.

16. A network integrated protection adapter comprising:
- a virus parameter storage storing selected host processor opcodes, patterns of opcode usage, and selected fading memory parameters that govern how memory of a match event fades over time; and
  
  a virus protection engine having a network interface for receiving a data stream, wherein the virus protection engine identifies host processor opcodes in the received data stream as match events and estimates a concentration of the selected host processor opcodes in the received data stream according to the selected fading memory parameters.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The network integrated protection adapter of claim 16 wherein the match events include identified patterns of opcode usage.
  - 18. The network integrated protection adapter of claim 16 further comprising:
    - a match event engine operative on the data stream for detecting the patterns of opcode usage and to generate a match event signal upon each detected pattern of opcode usage.
  - 19. The network integrated protection adapter of claim 16 wherein the selected fading memory parameters include a match event data window value, a characteristic data time number, and a threshold value.
  - 20. The network integrated protection adapter of claim 19 further comprising:
    - a match event engine operative on the data stream for detecting the host processor opcodes to generate a match event signal upon each detected host processor opcode;
      
      a data unit counter that repeatedly counts the characteristic data time number of incoming data units in the data stream and generates a data time indication when the data unit counter reaches the characteristic data time number, wherein the data unit counter rolls over after reaching the characteristic data time number;
      
      at least one match fading memory (MFM) counter that upon receiving the match event signal is loaded with the match event data window value plus the MFM counter contents and the MFM counter contents are reduced upon receiving the data time indication from the data unit counter; and
      
      an output of the MFM counter is compared to the threshold value generating a detection flag upon the threshold value being exceeded for determining a suspect data indicator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Agere Systems Incorporated (Broadcom, Inc.)
Inventors
Saibi, Fadi, Mudichintala, Anil, Azadet, Kameran
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
POLTORAK, PIOTR

Application Number

US10/945,663
Publication Number

US 20060064755A1
Time in Patent Office

2,009 Days
Field of Search

713/192, 726 22- 24
US Class Current

726/24
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/145   the attack involving the pr...

Methods and apparatus for interface adapter integrated virus protection

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for interface adapter integrated virus protection

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links