Computer immune system and method for detecting unwanted code in a computer system

US 7,854,004 B2
Filed: 03/30/2005
Issued: 12/14/2010
Est. Priority Date: 07/14/2000
Status: Active Grant

First Claim

Patent Images

1. A method for determining that a computer program, targeted for execution in a real computer with a first operating system, is malicious, the method comprising the steps of:

a virtual PC of the real computer virtually executing the target program, the virtual PC having a second, virtual operating system that controls execution of the target program in the virtual PC, the virtual operating system simulating functionality of operating system data areas and an operating system application program interface for the virtually executing target program, virtual execution of the target program within the virtual PC generating flags representing respective functions performed by the target program;

the virtual PC tracking the flags to determine the functions performed by the target program and a sequence in which the functions are called by the target program during the virtual execution; and

upon completion of the virtual execution of the target program, the virtual PC determining that the target program is malicious based on the tracked functions performed by the target program and the sequence in which the functions are called by the target program.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated analysis system detects malicious code within a computer system by generating and subsequently analyzing a behavior pattern for each computer program introduced to the computer system. Generation of the behavior pattern is accomplished by a virtual machine invoked within the computer system. An initial analysis may be performed on the behavior pattern to identify infected programs on initial presentation of the program to the computer system. The analysis system also stores behavior patterns and sequences with their corresponding analysis results in a database. Newly infected programs can be detected by analyzing a newly generated behavior pattern for the program with reference to a stored behavior pattern to identify presence of an infection or payload pattern.

Citations

20 Claims

1. A method for determining that a computer program, targeted for execution in a real computer with a first operating system, is malicious, the method comprising the steps of:
- a virtual PC of the real computer virtually executing the target program, the virtual PC having a second, virtual operating system that controls execution of the target program in the virtual PC, the virtual operating system simulating functionality of operating system data areas and an operating system application program interface for the virtually executing target program, virtual execution of the target program within the virtual PC generating flags representing respective functions performed by the target program;
  
  the virtual PC tracking the flags to determine the functions performed by the target program and a sequence in which the functions are called by the target program during the virtual execution; and
  
  upon completion of the virtual execution of the target program, the virtual PC determining that the target program is malicious based on the tracked functions performed by the target program and the sequence in which the functions are called by the target program.
- View Dependent Claims (2, 3, 4, 5, 6, 13, 14, 17, 18, 19, 20)
- - 2. The method of claim 1, further comprising the step of the real computer creating the virtual PC, and wherein creating the virtual PC further comprises:
    - the real computer creating a virtual central processing unit;
      
      the real computer creating a virtual memory;
      
      the real computer creating the virtual operating system, and the real computer creating a program loader.
  - 3. The method of claim 1, further comprising the steps of:
    - the real computer extracting an entry point code from the target program; and
      
      the real computer loading the extracted entry point code into the virtual PC at a correct simulated offset.
  - 4. The method of claim 1, wherein virtually executing a target program within a virtual PC of a real computer further comprises the virtual PC virtually executing a target program that comprises at least one of a DOS, CP/M, COM, EXE, Windows executable, OS/2 executable, 32-bit executable, OLE compound, binary image, and a driver file.
  - 5. The method of claim 1, wherein the virtual PC simulates functionality of input/output ports.
  - 6. The method of claim 1, wherein the virtual operating system simulates an application program interface call of the first operating system by returning a correct value to the call without completing actual performance of the call.
  - 13. The method of claim 1, wherein the step of determining that the target program is malicious further comprises the virtual PC comparing the generated flags to a stored pattern representative of operations by malicious code.
  - 14. The method of claim 1, wherein the target program is virtually executed each time the target program is modified and flags generated during a virtual execution of the modified target program are compared to flags generated during a virtual execution of the target program prior to modification to determine that the modified target program is malicious.
  - 17. The method of claim 1, wherein the step of determining whether the target program is malicious further comprises the virtual PC analyzing the tracked functions to determine if the tracked functions comprise destructive content.
  - 18. The method of claim 1, wherein the step of determining whether the target program is malicious further comprises the virtual PC determining whether the generated flags comprise an indication that a user has not had an opportunity to interact with a process of the target program.
  - 19. The method of claim 1, wherein the step of determining whether the target program is malicious further comprises the virtual PC determining whether the generated flags comprise an indication of a detection avoidance routine.
  - 20. The method of claim 1, further comprising the step of the virtual PC calling one or more interrupts that the target program has modified within the virtual PC and the virtual PC generating interrupt flags for each of the called interrupts,wherein the step of determining whether the target program is malicious further comprises the virtual PC determining whether the generated interrupt flags indicate malicious code in the target program.

7. A computer program product for determining that a computer program, targeted for execution in a real computer with a first operating system is malicious, the computer program product comprising:
- a computer readable storage media;
  
  first program instructions to virtually execute the target program within a virtual PC of the real computer, the virtual PC having a second, virtual operating system that controls execution of the target program in the virtual PC, the virtual operating system simulating functionality of operating system data areas and an operating system application program interface for the virtually executing target program, virtual execution of the target program within the virtual PC generating flags representing respective functions performed by the target program;
  
  second program instructions to track the flags within the virtual PC to determine the functions performed by the target program and a sequence in which the functions are called by the target program during the virtual execution; and
  
  third program instructions to determine by the virtual PC, upon completion of the virtual execution of the target program, that the target program is malicious based on the tracked functions performed by the target program and the sequence in which the functions are called by the target program,wherein the first, second, and third program instructions are stored on the computer readable storage media.
- View Dependent Claims (8, 9, 15)
- - 8. The computer program product of claim 7, wherein the third program instructions to determine that the target program is malicious further comprises fourth program instructions to compare the generated flags to a stored pattern representative of operations by malicious code.
  - 9. The computer program product of claim 7, wherein the target program is virtually executed each time the target program is modified and flags generated during a virtual execution of the modified target program are compared to flags generated during a virtual execution of the target program prior to modification to determine that the modified target program is malicious.
  - 15. The computer program product of claim 7, wherein the virtual operating system simulates an application program interface call to the first operating system by returning a correct value to the call and without completing actual performance of the call.

10. A computer system for determining that a computer program, targeted for execution in the computer system, is malicious, the computer system comprising:
- a CPU, a computer readable memory, a computer readable storage media, and a first operating system;
  
  first program instructions to virtually execute the target program within a virtual PC of the computer system, the virtual PC having a second, virtual operating system that controls execution of the target program in the virtual PC, the virtual operating system simulating functionality of operating system data areas and an operating system application program interface for the virtually executing target program, virtual execution of the target program within the virtual PC generating flags representing respective functions performed by the target program;
  
  second program instructions to track the flags within the virtual PC to determine the functions performed by the target program and a sequence in which the functions are called by the target program during the virtual execution;
  
  third program instructions to determine by the virtual PC, upon completion of the virtual execution of the target program, that the target program is malicious based on the tracked functions performed by the target program and the sequence in which the functions are called by the target program; and
  
  wherein the first, second, and third program instructions are stored on the computer readable storage media for execution by the CPU via the computer readable memory.
- View Dependent Claims (11, 12, 16)
- - 11. The computer system of claim 10, wherein the third program instructions to determine that the target program is malicious further comprises fourth program instructions to compare the generated flags to a stored pattern representative of operations by malicious code.
  - 12. The computer system of claim 10, wherein the target program is virtually executed each time the target program is modified and flags generated during a virtual execution of the modified target program are compared to flags generated during a virtual execution of the target program prior to modification to determine that the modified target program is malicious.
  - 16. The computer system of claim 10, further comprising fourth program instructions to simulate an application program interface call to the first operating system of the computing system by returning a correct value to the call without completing actual performance of the call.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
International Business Machines Corporation
Inventors
van der Made, Peter A. J.
Primary Examiner(s)
Dada; Beemnet W

Application Number

US11/094,489
Publication Number

US 20050268338A1
Time in Patent Office

2,085 Days
Field of Search

726 22- 25, 713/164, 713/165, 713/187, 713/188, 717/134, 717/135
US Class Current

726/23
CPC Class Codes

G06F 21/562 Static detection

Computer immune system and method for detecting unwanted code in a computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer immune system and method for detecting unwanted code in a computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links