Method and system for intrusion detection

US 8,490,191 B2
Filed: 06/09/2007
Issued: 07/16/2013
Est. Priority Date: 06/21/2006
Status: Active Grant

First Claim

Patent Images

1. Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, the processor executing the protected software,wherein the protected software comprises a code section containing executable code of an application program and a security section containing a security engine, the protected software further including in the code section or security section bait code that is executed only in case of an intruding program uses a monitoring component to gain unauthorized access to the protected software,wherein the protected software communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key for decrypting the protected software,wherein the license container provides at least one license and the at least one cryptographic key for use by the protected software to protect its usage and its integrity, the at least one license comprising one or more license parameters selected from a group consisting of number of licensed uses, condition of use, time period of use, and number of users for the protected software, andwherein at least a portion of the protected computer software is encrypted and the security engine uses the at least one cryptographic key to decrypt the at least one portion of the protected software for executing,the method comprising:

during execution of the protected software, searching for patterns of an intrusion into the protected software;

detecting with the security engine an intrusion by an intruding program into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access and detecting with the security engine comprises detecting execution of the bait code; and

creating a signal on detection of an attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, wherein the computer software to be protected communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key, wherein the license container provides licenses and cryptographic keys for the protected software to protect its usage and its integrity, and wherein the protected computer software is at least partly encrypted and uses the associated cryptographic keys to decrypt said protected software for executing comprises the following steps: during execution of the protected software, analyzing the behavior of the protected software and/or the execution environment of the protected software on the computer system, and searching for patterns of an intrusion or an intruding program, detecting an intrusion into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access, and creating a signal on detection of an attack.

48 Citations

View as Search Results

43 Claims

1. Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, the processor executing the protected software,wherein the protected software comprises a code section containing executable code of an application program and a security section containing a security engine, the protected software further including in the code section or security section bait code that is executed only in case of an intruding program uses a monitoring component to gain unauthorized access to the protected software,wherein the protected software communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key for decrypting the protected software,wherein the license container provides at least one license and the at least one cryptographic key for use by the protected software to protect its usage and its integrity, the at least one license comprising one or more license parameters selected from a group consisting of number of licensed uses, condition of use, time period of use, and number of users for the protected software, andwherein at least a portion of the protected computer software is encrypted and the security engine uses the at least one cryptographic key to decrypt the at least one portion of the protected software for executing,the method comprising:
- during execution of the protected software, searching for patterns of an intrusion into the protected software;
  
  detecting with the security engine an intrusion by an intruding program into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access and detecting with the security engine comprises detecting execution of the bait code; and
  
  creating a signal on detection of an attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 29, 30, 31, 32)
- - 2. Method according to claim 1, wherein searching for patterns of intrusion into protected software is comprised of analyzing the executing of special operation codes in the protected software.
  - 3. Method according to claim 1, further comprising locking the license container by executing an arbitrary command in the protected software with predefined special values.
  - 4. Method according to claim 3, characterized in that the arbitrary command is a special encryption operation to lock the license container.
  - 5. Method according to claim 3, characterized in that locking of the license container is performed by setting a counter to a predetermined value, preferably zero, or in erasing the necessary cryptographic keys in the license container.
  - 6. Method according to claim 1, wherein analyzing the behavior of the protected software comprises analyzing the execution of Application Program Interfaces (APIs) and comparing the number of header-executions to the number of trailer-executions.
  - 7. Method according to claim 1, wherein the bait code is referenced in unused parts of the Import Address Table (IAT) of the protected software.
  - 8. Method according to claim 1, characterized in that the bait code is part of the protected software that is never executed under undisturbed operation conditions.
  - 9. Method according to claim 1, wherein a protection device is attached to an interface of the computer system which includes the license container.
  - 10. Method according to claim 1, wherein the bait code locks the protection device using a specially designed API call.
  - 11. Method according to claim 9, characterized in that after detecting an attack of an intruding software, forensic data is created for memorizing an intrusion event and is stored in the protection device.
  - 12. Method according to claim 11, wherein the forensic data is stored in protected memory in the protection device.
  - 13. Method according to claim 11, wherein the forensic data is stored in encrypted form.
  - 14. Method according to claim 11, wherein the forensic data is stored in a memory region of the protection device that can be written only once.
  - 15. Method according to claim 11, wherein the forensic data is aggregated and evaluated to detect global patterns.
  - 16. Method according to claim 11, wherein the forensic data is sent to a license administrator and the cryptographic keys are contained in the license containers, the forensic data is sent for being collected by the license administrator for the purpose of eventually unlocking the protection device at a later time.
  - 17. Method according to claim 2, characterized in that measuring the timing used for the executing of the protected software includes evaluating the timing of processor exceptions.
  - 18. Method according to claim 2, wherein measuring the timing used for the executing of the protected software includes checking the overall clock consistency.
  - 19. Method according to claim 1, wherein analyzing the behavior of the protected software includes classifying execution threads as one of (a) authorized threads being created by the normal program execution and (b) unauthorized threads being created by an intruding program.
  - 20. Method according to claim 19, further comprising discovering unauthorized threads using TLS-procedures (Thread Local Storage-procedures).
  - 21. Method according to claim 19, further comprising discovering unauthorized threads by monitoring the execution of API-system-calls.
  - 22. Method according to claim 1, wherein analyzing the execution environment of the protected software on the computer system for identifying an intruding program includes examining other processes on the computer system for detecting predetermined patterns.
  - 23. Method according to claim 22, wherein window and class parameters or process and file names are inspected for detecting predetermined patterns of intruding programs.
  - 24. Method according to claim 22, wherein the process memory of other processes on the computer system is inspected in part or in whole.
  - 25. Method according to claim 3, wherein a protection device attached to an interface of the computer system comprises at least one license container characterized in that not the complete protection device is locked but only the license container assigned to the protected software, for which an intrusion has been detected, is locked.
  - 26. Method according to claim 3, wherein a protection device attached to an interface of the computer system comprises at least one license container, and the computer system is configured and arranged to communicate with a remote timestamp server;
    - andwherein locking the protection device is affected upon a communication between the computer system and the timestamp server required to continue the operation of the protection device.
  - 27. Method according to claim 11, further comprising transmitting the forensic data to a remote server of an intrusion prevention service and in unlocking the locked license container using a special command or code being sent from the remote server of an intrusion prevention service.
  - 29. Method according to claim 1 further comprising analyzing the behavior of protected software.
  - 30. Method according to claim 1, further comprising analyzing the behavior of the execution environment.
  - 31. Method according to claim 1, wherein analyzing the behavior of the protected software is comprised of analyzing the executing of special program parts or parts of the protected software code.
  - 32. Method according to claim 1, wherein analyzing the behavior of the protected software is comprised of measuring timing used for the executing of the protected software and evaluating the measured results.

28. Apparatus for providing intrusion detection for protected computer software on a computer system by using system components comprising:
- a monitor program executing on the computer system communicating with a control program executing on the computer system through messages containing audit information from the protected application program for program;
  
  said control program in communication with a protection device attached to said computer system, the protection device receiving an intrusion prevention specification from a remote intrusion protection service provider;
  
  whereinthe intrusion prevention specification specifies at least one target attribute to be recorded from a set of possible target attributes generated during a monitoring process by the monitor program; and
  
  the intrusion prevention specification also specifies at least one monitoring criterion that triggers recording of at least one target attribute during the monitoring process;
  
  the monitor program records the at least one target attribute in response to detecting the at least one monitoring criterion produces an intrusion log by recording the at least one target attribute in response to detecting the at least one monitoring criterion;
  
  the protected software comprises the original software code of an application program contained in a code section and a security engine contained in a security section, the protected software including in the code section or the security section bait code that is executed only in case of an intruding program uses a monitoring component to gain unauthorized access to the protected software;
  
  the protection device is comprised of a license container, the license container providing a license comprising one or more license parameters selected from a group consisting of number of licensed uses, condition of use, time period of use, and number of users for the protected software.

33. A non-transitory computer readable medium storing instructions for causing a computer to perform a process for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on the computer, the computer comprising a processor and at least a processor memory, the computer software to be protected being at least partly encrypted and communicating with a license container containing at least one cryptographic key and using the at least one cryptographic key for decrypting the protected software for execution, wherein the license container provides a license comprising one or more license parameters being selected from a group consisting of number of licensed uses, condition of use, time period of use, and number of users for the protected software;
- the computer software comprising the original software code of an application program contained in a code section, a security engine contained in a security section, and bait code executed only in case of an intruding program using a monitoring component to gain unauthorized access to the protected software;
  
  the process comprising;
  
  during execution of the protected software, searching for patterns of an intrusion into the protected software;
  
  detecting with the security engine an intrusion into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access; and
  
  creating a signal on detection of an attack.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 34. The computer readable medium of claim 33, wherein the protected software comprises the original software code of an application program and software selected from the following group of types of software:
    - additional code, special operation codes, a security engine and control program code.
  - 35. The computer readable medium of claim 33, further comprising locking the license container by executing an arbitrary command in the protected software with predefined special values.
  - 36. The computer readable medium of claim 33, wherein analyzing the behavior of the protected software comprises analyzing the execution of application program interfaces (APIs) and comparing the number of header-executions to the number of trailer-executions.
  - 37. The computer readable medium of claim 33, wherein a protection device is attached to an interface of the computer system which includes the license container.
  - 38. The computer readable medium of claim 33, wherein analyzing the execution environment of the protected software on the computer system for identifying an intruding program includes examining other processes on the computer system for detecting predetermined patterns.
  - 39. The computer readable medium of claim 33, further comprising analyzing the protected software.
  - 40. The computer readable medium of claim 33, further comprising analyzing the behavior of the execution environment.
  - 41. The computer readable medium of claim 33, wherein analyzing the behavior of the protected software is comprised of analyzing the executing of special program parts or parts of the protected software code.
  - 42. The computer readable medium of claim 33, wherein analyzing the behavior of the protected software is comprised of measuring the timing used for the executing of the protected software and evaluating the measured results.

43. Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, the processor executing the protected software,wherein the computer software to be protected communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key,wherein the license container provides the license and at least one cryptographic key for the protected software to protect its usage and its integrity, the license comprising one or more license parameters selected from a group consisting of number of licensed uses, condition of use, time period of use, and number of users for the protected software, andwherein the protected computer software is at least partly encrypted and uses the at least one cryptographic key to decrypt said protected software for executing,the method comprising:
- during execution of the protected software, searching for patterns of an intrusion into the protected software;
  
  detecting with a security engine an intrusion by an intruding program into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access, the protected software is comprised of bait code that is executed only when the intruding program gains unauthorized access to the protected software, and the security engine detects the intrusion by detecting execution of the bait code;
  
  creating a signal on detection of an attack; and
  
  locking the license container by executing an arbitrary command in the protected software with predefined special values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WIBU-Systems AG
Original Assignee
WIBU-Systems AG
Inventors
Kuegler, Ruediger, Wichmann, Peer, Winzenried, Oliver, Buchheit, Marcellus
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LANE, GREGORY A

Application Number

US12/306,126
Publication Number

US 20100017879A1
Time in Patent Office

2,229 Days
Field of Search

726/22, 726/23, 726/27, 713/156, 713/175, 713/189, 713/500
US Class Current

726/23
CPC Class Codes

G06F 21/123   by using dedicated hardware...

G06F 21/14   against software analysis o...

G06F 21/54   by adding security routines...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2143   Clearing memory, e.g. to pr...

Method and system for intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

43 Claims

Specification

Use Cases

Quick Links

Others

Method and system for intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

43 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others