Computer immune system and method for detecting unwanted code in a computer system
Abstract
An automated analysis system detects malicious code within a computer system by generating and subsequently analyzing a behavior pattern for each computer program introduced to the computer system. Generation of the behavior pattern is accomplished by a virtual machine invoked within the computer system. An initial analysis may be performed on the behavior pattern to identify infected programs on initial presentation of the program to the computer system. The analysis system also stores behavior patterns and sequences with their corresponding analysis results in a database. Newly infected programs can be detected by analyzing a newly generated behavior pattern for the program with reference to a stored behavior pattern to identify presence of an infection or payload pattern.
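As an added illustration of the behavior-pattern approach the abstract describes (not code from the patent or its assignee): a constructed virtual PC records the simulated OS API functions a program invokes as flags together with their call order, the post-execution analysis matches that sequence against stored payload patterns, and the stored pattern for the same program is used to spot functions that appear only after infection. The API names, payload patterns and sample programs are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class VirtualPC:
    # Stand-in for the claims' virtual PC: records which simulated OS API
    # functions the target invokes (the "flags") and the order it invokes them in.
    flags: set = field(default_factory=set)
    sequence: list = field(default_factory=list)

    def api_call(self, name):
        self.flags.add(name)          # a flag is raised for the function...
        self.sequence.append(name)    # ...and the call order is preserved

    def run(self, program):
        # A "program" here is a constructed list of the API calls it would make.
        for name in program:
            self.api_call(name)

# Constructed payload patterns: ordered API sequences treated as infection signs.
PAYLOAD_PATTERNS = {
    "file-infector": ["FindFirstFile", "OpenFile", "WriteFile", "SetFileAttributes"],
    "resident-hook": ["GetInterruptVector", "SetInterruptVector"],
}

def contains_in_order(sequence, pattern):
    # True if every step of `pattern` occurs in `sequence` in the same order
    # (not necessarily adjacent); the same calls in reversed order do not match.
    remaining = iter(sequence)
    return all(any(call == step for call in remaining) for step in pattern)

def analyze(vpc):
    # Decision taken after the virtual run completes, on flags plus sequence.
    hits = [n for n, steps in PAYLOAD_PATTERNS.items()
            if contains_in_order(vpc.sequence, steps)]
    return bool(hits), hits

def scan(program):
    vpc = VirtualPC()
    vpc.run(program)
    return analyze(vpc)

def newly_infected(database, program_name, vpc):
    # Store each behavior pattern; on a later presentation of the same program,
    # report the API functions that were absent from the stored pattern.
    stored = database.get(program_name)
    database[program_name] = (set(vpc.flags), list(vpc.sequence))
    return [] if stored is None else sorted(vpc.flags - stored[0])

# Constructed sample programs: the same editor before and after infection.
BENIGN_EDITOR = ["OpenFile", "ReadFile", "WriteFile", "CloseHandle"]
INFECTED_EDITOR = ["OpenFile", "ReadFile", "FindFirstFile", "OpenFile",
                   "WriteFile", "SetFileAttributes", "CloseHandle"]
```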
20 Claims
1. A method for determining that a computer program, targeted for execution in a real computer with a first operating system, is malicious, the method comprising the steps of:
- a virtual PC of the real computer virtually executing the target program, the virtual PC having a second, virtual operating system that controls execution of the target program in the virtual PC, the virtual operating system simulating functionality of operating system data areas and an operating system application program interface for the virtually executing target program, virtual execution of the target program within the virtual PC generating flags representing respective functions performed by the target program;
- the virtual PC tracking the flags to determine the functions performed by the target program and a sequence in which the functions are called by the target program during the virtual execution; and
- upon completion of the virtual execution of the target program, the virtual PC determining that the target program is malicious based on the tracked functions performed by the target program and the sequence in which the functions are called by the target program.
Dependent claims: 2, 3, 4, 5, 6, 13, 14, 17, 18, 19, 20.

7. A computer program product for determining that a computer program, targeted for execution in a real computer with a first operating system, is malicious, the computer program product comprising:
- a computer readable storage media;
- first program instructions to virtually execute the target program within a virtual PC of the real computer, the virtual PC having a second, virtual operating system that controls execution of the target program in the virtual PC, the virtual operating system simulating functionality of operating system data areas and an operating system application program interface for the virtually executing target program, virtual execution of the target program within the virtual PC generating flags representing respective functions performed by the target program;
- second program instructions to track the flags within the virtual PC to determine the functions performed by the target program and a sequence in which the functions are called by the target program during the virtual execution; and
- third program instructions to determine by the virtual PC, upon completion of the virtual execution of the target program, that the target program is malicious based on the tracked functions performed by the target program and the sequence in which the functions are called by the target program,
wherein the first, second, and third program instructions are stored on the computer readable storage media.
Dependent claims: 8, 9, 15.

10. A computer system for determining that a computer program, targeted for execution in the computer system, is malicious, the computer system comprising:
- a CPU, a computer readable memory, a computer readable storage media, and a first operating system;
- first program instructions to virtually execute the target program within a virtual PC of the computer system, the virtual PC having a second, virtual operating system that controls execution of the target program in the virtual PC, the virtual operating system simulating functionality of operating system data areas and an operating system application program interface for the virtually executing target program, virtual execution of the target program within the virtual PC generating flags representing respective functions performed by the target program;
- second program instructions to track the flags within the virtual PC to determine the functions performed by the target program and a sequence in which the functions are called by the target program during the virtual execution;
- third program instructions to determine by the virtual PC, upon completion of the virtual execution of the target program, that the target program is malicious based on the tracked functions performed by the target program and the sequence in which the functions are called by the target program; and
wherein the first, second, and third program instructions are stored on the computer readable storage media for execution by the CPU via the computer readable memory.
Dependent claims: 11, 12, 16.