Functional patching/hooking detection and prevention
First Claim
1. A method for preventing malicious attacks on software using a patching method, comprising the steps of:
a) providing a database of legitimate and known patches, which database contains characteristic code paths of said legitimate patches;
b) detecting whether a first inspected patch is malicious by inspecting one or more characteristic code paths of said first inspected patch and matching said one or more characteristic code paths of said first inspected patch against said database of legitimate and known patches;
c) if a mismatch is found, determining whether said first inspected patch is a malicious patch and performing an activity needed to prevent said malicious patch from performing undesired activities by correcting or removing said malicious patch;
d) obtaining information from said database regarding where to search for a next inspected patch; and
e) repeating steps a) to d) until no match is found in said database.
Abstract
A method for preventing malicious attacks on software, using the patching method, includes providing a database of legitimate and known patches, the database containing characteristic code paths of said legitimate patches. The method also includes detecting whether a patch is malicious by inspecting one or more characteristic paths of the patch and matching one or more code paths against the database of legitimate and known patches. An activity needed to prevent the malicious patch from performing undesired activities is then performed.
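The loop of claim 1, steps a) to e), as an added Python example that is not code from the patent. It assumes a patch is an x86 `jmp rel32`, that a characteristic code path is a SHA-256 over the first eight bytes at the jump target, and that the database stores the offset of each known patch's trampoline slot; the memory image, the `edr_hook` entry and the `clean` bytes are constructed.

```python
import hashlib
import struct

JMP = 0xE9  # assumption: a patch is an x86 `jmp rel32` written over a code site

def jmp(src, dst):
    """Encode a jmp rel32 placed at `src` that lands on `dst`."""
    return bytes([JMP]) + struct.pack("<i", dst - (src + 5))

def jmp_target(mem, site):
    """Destination of a jmp rel32 at `site`, or None if the site is unpatched."""
    if site + 5 > len(mem) or mem[site] != JMP:
        return None
    return site + 5 + struct.unpack_from("<i", mem, site + 1)[0]

def code_path(mem, addr, n=8):
    """Assumed characteristic: SHA-256 over the first n bytes the patch executes."""
    return hashlib.sha256(bytes(mem[addr:addr + n])).hexdigest()

def inspect_chain(mem, entry, db, clean):
    """Follow patches from `entry`; restore the first site whose patch is unknown."""
    report, site, seen = [], entry, set()
    while site not in seen and (target := jmp_target(mem, site)) is not None:
        seen.add(site)                           # guard against cyclic chains
        known = db.get(code_path(mem, target)) if 0 <= target < len(mem) else None
        if known is None:                        # step c: mismatch, correct it
            fixed = clean.get(site)
            if fixed:
                mem[site:site + 5] = fixed
            report.append((site, "removed" if fixed else "unknown, not restored"))
            break
        report.append((site, known["name"]))     # step b: matched a known patch
        site = target + known["next_offset"]     # step d: next place to inspect
    return report

def build_sample():
    """Constructed memory: entry -> known hook -> unknown hook in its trampoline."""
    mem = bytearray(0x60)
    mem[0x00:0x05] = jmp(0x00, 0x20)
    mem[0x20:0x28] = b"EDRHOOK1"                 # stands in for known patch code
    mem[0x28:0x2D] = jmp(0x28, 0x40)             # tampered trampoline slot
    mem[0x40:0x48] = b"UNKNOWN!"                 # not in the database
    db = {hashlib.sha256(b"EDRHOOK1").hexdigest(): {"name": "edr_hook", "next_offset": 8}}
    clean = {0x28: bytes.fromhex("558bec83ec")}  # bytes expected at that site
    return mem, db, clean

if __name__ == "__main__":
    mem, db, clean = build_sample()
    print(inspect_chain(mem, 0x00, db, clean))   # known hook, then removal
    print(inspect_chain(mem, 0x00, db, clean))   # second pass: only the known hook
```

The second pass stops at the restored trampoline slot because no jump is present there, which is the "no match" exit of step e).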
10 Claims
Specification