Method and apparatus for the automatic determination of potentially worm-like behavior of a program

US 7,487,543 B2
Filed: 07/23/2002
Issued: 02/03/2009
Est. Priority Date: 07/23/2002
Status: Active Grant

First Claim

Patent Images

1. A method for the automatic determination of potentially worm-like behavior of a program, comprising:

determining a behavioral profile of the program in an environment that does not emulate the operation of a network, where determining the behavioral profile comprises executing the program in at least one known non-network environment and further comprises;

using an automated method for examining the environment and determining what changes, if any, have occurred in the environment;

recording any determined changes as said behavioral profile;

in response to the program seeking to determine information about a file, creating the file before returning the file to the program as an inducement for the program to display worm-like behavior;

in response to the program seeking to determine information about an electronic mail program, returning the information to the program as an inducement for the program to display worm-like behavior; and

determining a dynamic link library usage of the program;

comparing the determined behavioral profile against a profile indicative of worm-like behavior; and

providing an indication of potentially worm-like behavior based on the result of the comparison.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for the automatic determination of the behavioral profile of a program suspected of having worm-like characteristics includes analyzing data processing system resources required by the program and, if the required resources are not indicative of the program having worm-like characteristics, running the program in a controlled non-network environment while monitoring and logging accesses to system resources to determine the behavior of the program in the non-network environment. A logged record of the observed behavior is analyzed to determine if the behavior is indicative of the program having worm-like characteristics. The non-network environment may simulate the appearance of a network to the program, without emulating the operation of the network.

Citations

13 Claims

1. A method for the automatic determination of potentially worm-like behavior of a program, comprising:
- determining a behavioral profile of the program in an environment that does not emulate the operation of a network, where determining the behavioral profile comprises executing the program in at least one known non-network environment and further comprises;
  
  using an automated method for examining the environment and determining what changes, if any, have occurred in the environment;
  
  recording any determined changes as said behavioral profile;
  
  in response to the program seeking to determine information about a file, creating the file before returning the file to the program as an inducement for the program to display worm-like behavior;
  
  in response to the program seeking to determine information about an electronic mail program, returning the information to the program as an inducement for the program to display worm-like behavior; and
  
  determining a dynamic link library usage of the program;
  
  comparing the determined behavioral profile against a profile indicative of worm-like behavior; and
  
  providing an indication of potentially worm-like behavior based on the result of the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as in claim 1, where the behavioral profile is further determined by determining what system resources are required by the program.
  - 3. A method as in claim 1, where the behavioral profile is further determined by determining what system resources are referred to by the program.
  - 4. A method as in claim 1, where the known non-network environment has an ability to appear to exhibit network-related capabilities.
  - 5. A method as in claim 4 where, in response to the program seeking to determine if the environment has network capabilities, providing a network address to the program as an inducement for the program to display worm-like behavior.
  - 6. A method as in claim 1, where the known non-network environment exhibits at least one of non-existent local network-related resources and local network-related objects to the program.
  - 7. A method as in claim 1 where, in response to the program seeking to determine information about a file, responding as if the file exists as an inducement for the program to display worm-like behavior.
  - 8. A method as in claim 1 where in response to the program seeking to determine information about an electronic mail address book, returning the information to the program as an inducement for the program to display worm-like behavior.
  - 9. A method as in claim 1, where determining the behavioral profile of the program further includes exercising the program in a plurality of ways.
  - 10. A method as in claim 1, where determining the behavioral profile of the program further comprises determining identity of a method imported by the program from a library.
  - 11. A method as in claim 1, where determining the behavioral profile of the program further comprises determining what resources are requested by the program.
  - 12. A method as in claim 11, where said resources comprise at least one of dynamic link libraries for network access, methods imported from dynamic link libraries that indicate a possible attempt to send electronic mail, and dynamic link libraries and methods indicating an automation of an electronic mail program.
  - 13. A method as in claim 1, where determining the behavioral profile of the program further comprises determining if system resources requested by the program match certain predetermined system resources and, if so, executing the program in a controlled environment, determining if system changes made during execution of the program match certain predetermined system changes and, if so, declaring the program to be a possible worm, and if not, determining if activities reported by a program behavior monitor match certain predetermined activities and, if so, declaring the program to be a possible worm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (FIG LLC (d/b/a Fortress Investment Group LLC))
Original Assignee
International Business Machines Corporation
Inventors
Arnold, William C., Morar, John F., Whalley, Ian N., Segal, Alla, Chess, David M., White, Steve R.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Moorthy, Aravind K

Application Number

US10/202,517
Publication Number

US 20040019832A1
Time in Patent Office

2,387 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/51 at application loading time...

Method and apparatus for the automatic determination of potentially worm-like behavior of a program

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for the automatic determination of potentially worm-like behavior of a program

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links