Method and system for intrusion detection
First Claim
1. Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, the processor executing the protected software,wherein the protected software comprises a code section containing executable code of an application program and a security section containing a security engine, the protected software further including in the code section or security section bait code that is executed only in case of an intruding program uses a monitoring component to gain unauthorized access to the protected software,wherein the protected software communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key for decrypting the protected software,wherein the license container provides at least one license and the at least one cryptographic key for use by the protected software to protect its usage and its integrity, the at least one license comprising one or more license parameters selected from a group consisting of number of licensed uses, condition of use, time period of use, and number of users for the protected software, andwherein at least a portion of the protected computer software is encrypted and the security engine uses the at least one cryptographic key to decrypt the at least one portion of the protected software for executing,the method comprising:
- during execution of the protected software, searching for patterns of an intrusion into the protected software;
detecting with the security engine an intrusion by an intruding program into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access and detecting with the security engine comprises detecting execution of the bait code; and
creating a signal on detection of an attack.
1 Assignment
0 Petitions
Accused Products
Abstract
Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, wherein the computer software to be protected communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key, wherein the license container provides licenses and cryptographic keys for the protected software to protect its usage and its integrity, and wherein the protected computer software is at least partly encrypted and uses the associated cryptographic keys to decrypt said protected software for executing comprises the following steps: during execution of the protected software, analyzing the behavior of the protected software and/or the execution environment of the protected software on the computer system, and searching for patterns of an intrusion or an intruding program, detecting an intrusion into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access, and creating a signal on detection of an attack.
48 Citations
43 Claims
-
1. Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, the processor executing the protected software,
wherein the protected software comprises a code section containing executable code of an application program and a security section containing a security engine, the protected software further including in the code section or security section bait code that is executed only in case of an intruding program uses a monitoring component to gain unauthorized access to the protected software, wherein the protected software communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key for decrypting the protected software, wherein the license container provides at least one license and the at least one cryptographic key for use by the protected software to protect its usage and its integrity, the at least one license comprising one or more license parameters selected from a group consisting of number of licensed uses, condition of use, time period of use, and number of users for the protected software, and wherein at least a portion of the protected computer software is encrypted and the security engine uses the at least one cryptographic key to decrypt the at least one portion of the protected software for executing, the method comprising: -
during execution of the protected software, searching for patterns of an intrusion into the protected software; detecting with the security engine an intrusion by an intruding program into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access and detecting with the security engine comprises detecting execution of the bait code; and creating a signal on detection of an attack. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 29, 30, 31, 32)
-
-
28. Apparatus for providing intrusion detection for protected computer software on a computer system by using system components comprising:
a monitor program executing on the computer system communicating with a control program executing on the computer system through messages containing audit information from the protected application program for program; said control program in communication with a protection device attached to said computer system, the protection device receiving an intrusion prevention specification from a remote intrusion protection service provider; wherein the intrusion prevention specification specifies at least one target attribute to be recorded from a set of possible target attributes generated during a monitoring process by the monitor program; and the intrusion prevention specification also specifies at least one monitoring criterion that triggers recording of at least one target attribute during the monitoring process; the monitor program records the at least one target attribute in response to detecting the at least one monitoring criterion produces an intrusion log by recording the at least one target attribute in response to detecting the at least one monitoring criterion; the protected software comprises the original software code of an application program contained in a code section and a security engine contained in a security section, the protected software including in the code section or the security section bait code that is executed only in case of an intruding program uses a monitoring component to gain unauthorized access to the protected software; the protection device is comprised of a license container, the license container providing a license comprising one or more license parameters selected from a group consisting of number of licensed uses, condition of use, time period of use, and number of users for the protected software.
-
33. A non-transitory computer readable medium storing instructions for causing a computer to perform a process for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on the computer, the computer comprising a processor and at least a processor memory, the computer software to be protected being at least partly encrypted and communicating with a license container containing at least one cryptographic key and using the at least one cryptographic key for decrypting the protected software for execution, wherein the license container provides a license comprising one or more license parameters being selected from a group consisting of number of licensed uses, condition of use, time period of use, and number of users for the protected software;
- the computer software comprising the original software code of an application program contained in a code section, a security engine contained in a security section, and bait code executed only in case of an intruding program using a monitoring component to gain unauthorized access to the protected software;
the process comprising;during execution of the protected software, searching for patterns of an intrusion into the protected software; detecting with the security engine an intrusion into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access; and creating a signal on detection of an attack. - View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42)
- the computer software comprising the original software code of an application program contained in a code section, a security engine contained in a security section, and bait code executed only in case of an intruding program using a monitoring component to gain unauthorized access to the protected software;
-
43. Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, the processor executing the protected software,
wherein the computer software to be protected communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key, wherein the license container provides the license and at least one cryptographic key for the protected software to protect its usage and its integrity, the license comprising one or more license parameters selected from a group consisting of number of licensed uses, condition of use, time period of use, and number of users for the protected software, and wherein the protected computer software is at least partly encrypted and uses the at least one cryptographic key to decrypt said protected software for executing, the method comprising: -
during execution of the protected software, searching for patterns of an intrusion into the protected software; detecting with a security engine an intrusion by an intruding program into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access, the protected software is comprised of bait code that is executed only when the intruding program gains unauthorized access to the protected software, and the security engine detects the intrusion by detecting execution of the bait code; creating a signal on detection of an attack; and locking the license container by executing an arbitrary command in the protected software with predefined special values.
-
Specification