Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine

US 20030212902A1
Filed: 05/13/2002
Published: 11/13/2003
Est. Priority Date: 05/13/2002
Status: Active Grant

First Claim

Patent Images

1. A method for identifying presence of malicious code in program code within a computer system, the method comprising:

initializing an analytical virtual P-code engine (AVPE) within the computer system, the AVPE comprising software simulating functionality of a P-code interpreter and library routines exposed to the Low Level engine as API'"'"'s (application Program Interfaces) for N-code compiled programs, where a virtual central processing unit and virtual memory perform the actual processing;

virtually executing a target program within the AVPE so that the target program interacts with a host computer system only through the AVPE;

analyzing behavior of the target program following virtual execution to identify occurrence of malicious code behavior and indicating in a behavior pattern the occurrence of malicious code behavior; and

terminating the AVPE after the analyzing process, thereby removing from the host computer system a copy of the target program that was contained within the AVPE.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated analysis system identifies the presence of malicious P-code or N-code programs in a manner that limits the possibility of the malicious code infecting a target computer. The target computer system initializes an analytical virtual P-code engine (AVPE). As initialized, the AVPE comprises software simulating the functionality of a P-code or intermediate language engine as well as machine language facilities simulating the P-code library routines that allow the execution of N-code programs. The AVPE executes a target program so that the target program does not interact with the target computer. The AVPE analyzes the behavior of the target program to identify occurrence of malicious code behavior and to indicate in a behavior pattern the occurrence of malicious code behavior. The AVPE is terminated at the end of the analysis process, thereby removing from the computer system the copy of the target program that was contained within the AVPE.

584 Citations

27 Claims

1. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
- initializing an analytical virtual P-code engine (AVPE) within the computer system, the AVPE comprising software simulating functionality of a P-code interpreter and library routines exposed to the Low Level engine as API'"'"'s (application Program Interfaces) for N-code compiled programs, where a virtual central processing unit and virtual memory perform the actual processing;
  
  virtually executing a target program within the AVPE so that the target program interacts with a host computer system only through the AVPE;
  
  analyzing behavior of the target program following virtual execution to identify occurrence of malicious code behavior and indicating in a behavior pattern the occurrence of malicious code behavior; and
  
  terminating the AVPE after the analyzing process, thereby removing from the host computer system a copy of the target program that was contained within the AVPE.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein terminating the AVPE includes deallocating of all virtual memory resources.
  - 3. The method of claim 1, further comprising deallocating all virtual memory resources containing data or program statements created by the target program.
  - 4. The method of claim 1, wherein the library routines for N-code compiled programs are exposed to the AVPE through an application program interface.
  - 5. The method of claim 1, wherein P-code is virtual machine code and a run-time engine simulates the operations performed by each P-code.
  - 6. The method of claim 1, wherein the virtual engine simulates functionality of input/output ports, operating system data areas, and an operating system application program interface.
  - 7. The method of claim 6, wherein the virtual engine further includes a virtual Visual Basic engine.
  - 8. The method of claim 6, wherein virtual execution of the target program causes the target program to interact with the simulated operating system application program interface.
  - 9. The method of claim 1, wherein the target program is newly introduced to the computer system and not executed prior to virtually executing the target program.
  - 10. The method of claim 1, wherein after a first instance of a first program is analyzed by the AVPE and a first behavior pattern is generated and stored in a database within the computer system, the method further comprising:
    - determining that the first program is modified;
      
      analyzing the modified first program by executing the modified first program in the AVPE to provide a second behavior pattern; and
      
      comparing the first behavior pattern to the second behavior pattern.
  - 11. The method of claim 10, wherein a new behavior pattern is generated each time the first program is modified.
  - 12. The method of claim 10, wherein introduction of malignant code during modification of the first program is detected by comparing the first behavior pattern to the second behavior pattern.
  - 13. The method of claim 10, wherein the first behavior pattern is substantially similar to the second behavior pattern when the modified first program is a new version of the first program.
  - 14. The method of claim 1, wherein the behavior pattern identifies functions executed in the virtual execution of the target program, the method further comprising tracking an order in which the functions are virtually executed by the target program within the AVPE.
  - 15. The method of claim 1, wherein the virtual central processing unit is distinct from the AVPE.

16. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
- initializing a virtual engine within the computer system, the virtual engine comprising software simulating functionality of a central processing unit, memory and an operating system including application program interface (API) calls to the virtual operating system;
  
  virtually executing a target program within the virtual engine so that the target program interacts with the virtual operating system and the virtual central processing unit through the virtual engine;
  
  monitoring behavior of the target program during virtual execution to identify presence of malicious code and indicating in a behavior pattern the occurrence of malicious code behavior; and
  
  terminating the virtual engine, leaving behind a record of the behavior pattern characteristic of the analyzed target program.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein the record is in a behavior pattern database in the computer system.
  - 18. The method of claim 16, wherein after a first instance of a first program is analyzed by the virtual engine and a first behavior pattern is generated and stored in a database within the computer system, the method further comprising:
    - determining that the first program is modified;
      
      analyzing the modified first program by executing the modified first program in the virtual engine to provide a second behavior pattern; and
      
      comparing the first behavior pattern to the second behavior pattern.
  - 19. The method of claim 18, wherein a new behavior pattern is generated each time the first program is modified.
  - 20. The method of claim 18, wherein introduction of malignant code during modification of the first program is detected by comparing the first behavior pattern to the second behavior pattern.
  - 21. The method of claim 18, wherein the first behavior pattern is substantially similar to the second behavior pattern when the modified first program is a new version of the first program.
  - 22. The method of claim 18, wherein the behavior pattern identifies functions executed in the virtual execution of the target program, the method further comprising tracking an order in which the functions are virtually executed by the target program within the virtual engine.

23. A method for identifying presence of malicious code in program code within a computer system, the method comprising:
- initializing an analytical virtual P-code engine (AVPE) within the computer system, the AVPE simulating functionality of a P-code interpreter, the AVPE interacting with a virtual central processing unit that provides processing and virtual memory management functions;
  
  virtually executing a target program within the AVPE so that the target program interacts with a host computer system only through the AVPE and the virtual central processing unit;
  
  analyzing behavior of the target program generated during virtual execution to identify occurrence of malicious code behavior and indicating in a behavior pattern the occurrence of malicious code behavior; and
  
  terminating the AVPE, thereby removing from the host computer system a copy of the target program that was contained within the AVPE.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The method of claim 23, wherein terminating the AVPE includes deallocating of all virtual memory resources.
  - 25. The method of claim 23, further comprising deallocating all virtual memory resources containing data or program statements created by the target program.
  - 26. The method of claim 23, wherein the library routines for N-code compiled programs are exposed to the AVPE through an application program interface.
  - 27. The method of claim 25, wherein P-code is virtual machine code and a run-time engine simulates the operations performed by each P-code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
International Business Machines Corporation
Inventors
van der Made, Peter A.J.

Granted Patent

US 7,370,360 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/563 by source code analysis

Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

584 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

584 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links