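IPC classification information
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC 7th edition):
Application number: UP-0668046 (2003-09-22)
Registration number: US-7594271 (2009-10-20)
Inventors / Address:
- Zhuk, Oscar V.
- Rohr, Vince M.
Applicant / Address:
- Widevine Technologies, Inc.
Agent / Address:
Citation information: Times cited: 26; Cited patents: 87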
Abstract
A method and system are directed to differentiating between normal characteristics and abnormal characteristics within a software process, such that tampering of the software process may be identified programmatically. The identification of behavior that may be defined as normal may vary. Such behavior may include a sequence of selected system level calls that may access resources considered relevant, and the like. Data on the selected behavior is gathered, and when a sufficient amount of abnormal behavior has been detected, a signal may be provided such that an action may be performed. Samples of the gathered data are assigned a unique value. Statistical information is determined from the collected behavior, including trend data. Such trend data is compared to trends identified as normal for the software process, and a determination is made whether the sampled behavior is non-normal.
Representative claims
We claim:

1. A method for verifying integrity of a computing process, comprising: determining a trait associated with the computing process; determining a pattern statistic associated with the trait based in part on an execution of the computing process in a normal condition, wherein determining the pattern statistic further comprises: determining consecutive data associated with the trait; employing a graphical representation to convert the consecutive data to a radius-vector; if the radius-vector is mature, retaining an endpoint coordinate associated with the radius-vector; determining a frequency pattern associated with the trait; and employing the graphical representation in part to convert the frequency pattern to an average directional vector; determining a prototype statistic associated with the trait based in part on another execution of the computing process in another condition; comparing the pattern statistic to the prototype statistic; and if the comparison indicates abnormal behavior the computing process, performing a predetermined action.

2. The method of claim 1, wherein performing the predetermined action further comprises performing at least one of sending an alert message, and disabling the computing process.

3. The method of claim 1, wherein the trait further comprises at least one system level call.

4. The method of claim 1, wherein determining the pattern statistic and the prototype statistic further comprises: determining a trend associated with the trait during execution of the computing process in the normal condition; and determining another trend associated with the trait during the other execution of the computing process in the other condition.

5. The method of claim 1, wherein comparing the pattern statistic to the prototype statistic further comprises comparing the frequency pattern and a consequence associated with the pattern statistic to another frequency pattern and another consequence associated with the prototype statistic.

6. The method of claim 1, wherein the mature radius-vector further comprises satisfying a condition wherein an absolute difference between a first sequence error and a second sequence error is less than or equal to a predetermined value.

7. The method of claim 1, wherein employing the graphical representation further comprises employing a chaos game representation (CGR) plot.

8. The method of claim 1, wherein comparing the pattern statistic to the prototype statistic further comprises comparing a vector norm and angle to another vector norm and another angle.

9. The method of claim 1, wherein comparing the pattern statistic to the prototype statistic further comprises: determining a pattern vector associated with the pattern statistic, wherein the pattern vector includes a direction and length; determining a prototype vector associated with the prototype statistic, wherein the prototype vector includes another direction and another length; determining a total difference between the pattern vector and the prototype vector; and if the total difference is outside a predetermined confidence level, indicating that the prototype statistic is associated with abnormal behavior.

10. An apparatus encoded with computer-executable components for determining tamper evidence of a client process, comprising: a transceiver arranged to receive and forward data; a processor, coupled to the transceiver, having instructions arranged to perform actions, including: determining a trait associated with the client process; receiving a first set of data associated with the trait based in part on execution of the client process in a normal condition; receiving a second set of data associated with the trait based in part on another execution of the client process in another condition; determining a pattern statistic associated with the first set of data, wherein determining the pattern statistic further comprises: determining consecutive data associated with the trait; employing a graphical representation to convert the consecutive data to a radius-vector; if the radius-vector is mature, retaining an endpoint coordinate associated with the radius-vector; determining a frequency pattern associated with the trait; and employing the graphical representation to convert the frequency pattern to an average directional vector; determining a prototype statistic associated with the second set of data; comparing the pattern statistic to the prototype statistic; and if the comparison indicates abnormal behavior of the client process, performing a predetermined action.

11. The apparatus of claim 10, wherein the computer-executable components reside in at least one of a server, and a client.

12. The apparatus of claim 10, wherein performing the predetermined action further comprises performing at least one of sending an alert message, and disabling the client process.

13. The apparatus of claim 10, wherein the trait further comprises at least one system level call.

14. The apparatus of claim 10, wherein determining the pattern statistic and the prototype statistic further comprises: determining a trend associated with the trait during execution of the client process in the normal condition; and determining another trend associated with the trait during the other execution of the client process in the other condition.

15. The apparatus of claim 10, wherein the mature radius-vector further comprises satisfying a condition wherein an absolute difference between a first sequence error and a second sequence error is less than or equal to a predetermined value.

16. The apparatus of claim 10, wherein employing the graphical representation further comprises a chaos game representation (CGR) plot.

17. The apparatus of claim 10, wherein comparing the pattern statistic to the prototype statistic further comprises: determining a pattern vector associated with the pattern statistic; determining a prototype vector associated with the prototype statistic; determining a total difference between the pattern vector and the prototype vector; and if the total difference is outside a predetermined confidence level, indicating that the prototype statistic is associated with abnormal behavior.
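The comparison recited in claims 1, 7 and 8 can be illustrated with a standard chaos game representation over a system-call trace; this is an added example, not code from the patent or from Widevine. The four call names, their placement on the unit square, both thresholds and the traces are assumptions, and the maturity test of claim 6 is not modelled because this page does not define the sequence errors.

```python
import math
from collections import Counter

# Assumption: four monitored system calls, one per corner of the unit square.
VERTICES = {"open": (0.0, 0.0), "read": (0.0, 1.0),
            "write": (1.0, 1.0), "close": (1.0, 0.0)}
CENTER = (0.5, 0.5)

def cgr_endpoint(calls):
    """Chaos game walk: step halfway toward each call's vertex, return the end point."""
    x, y = CENTER
    for call in calls:
        vx, vy = VERTICES[call]
        x, y = (x + vx) / 2, (y + vy) / 2
    return x, y

def average_direction(calls):
    """Frequency-weighted mean of the center-to-vertex vectors of the observed calls."""
    if not calls:
        raise ValueError("empty trace")
    freq = Counter(calls)
    dx = sum(n * (VERTICES[c][0] - CENTER[0]) for c, n in freq.items()) / len(calls)
    dy = sum(n * (VERTICES[c][1] - CENTER[1]) for c, n in freq.items()) / len(calls)
    return dx, dy

def norm_angle(vec):
    """Length and direction (radians) of a 2-D vector."""
    return math.hypot(vec[0], vec[1]), math.atan2(vec[1], vec[0])

def is_abnormal(pattern_calls, prototype_calls, max_norm_diff=0.05, max_angle_diff=0.35):
    """Compare norm and angle of the two average directional vectors (thresholds assumed)."""
    p_norm, p_ang = norm_angle(average_direction(pattern_calls))
    q_norm, q_ang = norm_angle(average_direction(prototype_calls))
    # Wrap the angular difference into [0, pi] so 359 degrees vs 1 degree counts as close.
    d_ang = abs(math.atan2(math.sin(p_ang - q_ang), math.cos(p_ang - q_ang)))
    return abs(p_norm - q_norm) > max_norm_diff or d_ang > max_angle_diff

# Constructed traces, not real captures.
NORMAL_RUN = ["open", "read", "read", "write", "close"] * 20
SECOND_NORMAL_RUN = NORMAL_RUN[:-5] + ["open", "read", "write", "close"]
TAMPERED_RUN = ["open", "read", "write", "write", "write", "close"] * 20

if __name__ == "__main__":
    print("pattern endpoint:", cgr_endpoint(NORMAL_RUN))
    print("second normal run abnormal?", is_abnormal(NORMAL_RUN, SECOND_NORMAL_RUN))
    print("tampered run abnormal?", is_abnormal(NORMAL_RUN, TAMPERED_RUN))
```

Following the claims' wording, the "pattern" trace is the run recorded in the normal condition and the "prototype" trace is the run being checked.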