Method and apparatus for detecting malicious code in an information handling system
IPC classification information
Country / Type
United States (US) Patent
Registered
International Patent Classification (IPC 7th edition)
G06F-021/22
G06F-021/00
G06F-015/16
Application number
UP-0647644
(2003-08-25)
Registration number
US-7832011
(2010-11-25)
Inventors / Address
Obrecht, Mark Eric
Alagna, Michael Anthony
Payne, Charles Andrew
Applicant / Address
Symantec Corporation
Agent / Address
Meyertons, Hood, Kivlin, Kowert & Goetzel, P.C.
Citation information
Cited by: 7
Patents cited: 35
Abstract
Malicious code detection code is executed by an information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation. The detection routines associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of the detection routines. It is determined whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines.
Representative claims
What is claimed is:
1. A computer-implemented method comprising: selecting an active program on a computer system as code under investigation, wherein the program is running on an operating system of the computer system; and executing each of a first and a second plurality of detection routines on the operating system of the computer system, wherein the first plurality of detection routines are executable to determine whether the selected code under investigation has characteristics and behaviors usually associated with a valid program, wherein the second plurality of detection routines are executable to determine whether the selected code under investigation has characteristics and behaviors usually associated with a malicious program, and wherein said executing includes: applying each of the first plurality of detection routines to the code under investigation to obtain a corresponding one of a first plurality of results; and weighting each of the first plurality of results to obtain a first score indicative of whether the code under investigation is valid code; applying each of the second plurality of detection routines to the code under investigation to obtain a corresponding one of a second plurality of results; weighting each of the second plurality of results to obtain a second score indicative of whether the code under investigation is malicious code; and upon completing the executing of the first and second plurality of detection routines, using at least one of the first and second scores to categorize the code under investigation with respect to the likelihood of the code under investigation compromising the security of the computer system.
2. The method of claim 1, wherein said method is performed repeatedly until a plurality of active programs on the computer system have been categorized with respect to their likelihood of compromising the security of the computer system.
3. The method of claim 1, wherein the second plurality of detection routines are configured to detect remote control software.
4. The method of claim 1, wherein the second plurality of detection routines are configured to detect a keystroke logger.
5. The method of claim 1, wherein the second plurality of detection routines are configured to detect spyware.
6. The method of claim 1, wherein the second plurality of detection routines are configured to detect a worm.
7. The method of claim 1, wherein the second plurality of detection routines are configured to detect a virus.
8. The method of claim 1, wherein the second plurality of detection routines are configured to detect monitoring software.
9. A computer-implemented method comprising: selecting code currently running on a computer system as code under investigation, wherein said code is running on an operating system of said computer system; and executing each of a first and a second plurality of detection routines on the operating system of the computer system, wherein said executing includes: applying each of the first plurality of detection routines to the code under investigation to obtain a corresponding one of a first plurality of results; weighting each of the first plurality of results to obtain a first score indicative of whether the code under investigation is valid code; applying each of the second plurality of detection routines to the code under investigation to obtain a corresponding one of a second plurality of results; and weighting each of the second plurality of results to obtain a second score indicative of whether the code under investigation is malicious code, wherein the second score is independent of the first score; and upon executing each of the first and second plurality of detection routines: using at least one of the first and second scores to categorize the code under investigation into one of a plurality of categories, including first and second categories indicative of valid code and malicious code, respectively; wherein the first and second pluralities of detection routines each include at least one routine executable to determine a characteristic of the code under investigation and at least one routine executable to determine a behavior of the code under investigation.
10. The method of claim 9, wherein at least some of the code associated with the selected active code is running in kernel mode.
11. The method of claim 9, further comprising: selecting additional active code as code under investigation; and executing each of the first and second pluralities of detection routines with respect to said selected code under investigation.
12. A computer system comprising: a processor; and a memory storing program instructions executable by the processor to: select a program currently running on a computer system as code under investigation, wherein said program is running on an operating system of said computer system; and execute each of a first and a second plurality of detection routines on the operating system of the computer system, including: applying each of the first plurality of detection routines to the code under investigation to obtain a corresponding one of a first plurality of results; weighting each of the first plurality of results to obtain a first score indicative of whether the code under investigation is valid code; applying each of the second plurality of detection routines to the code under investigation to obtain a corresponding one of a second plurality of results; and weighting each of the second plurality of results to obtain a second score indicative of whether the code under investigation is malicious code; and upon completing execution of the first and second plurality of detection routines, use at least one of the first and second scores to make a determination whether the code under investigation represents a security threat to the computer system; wherein the first and second pluralities of detection routines each include at least one routine executable to determine a characteristic of the code under investigation and at least one routine executable to determine a behavior of the code under investigation.
13. A computer-readable storage medium having stored thereon program instructions that are executable by a computer system to: select a program currently running on an operating system of the computer system as code under investigation; and execute each of a first and a second plurality of detection routines on the operating system of the computer system, including: applying each of the first plurality of detection routines to the code under investigation to obtain a corresponding one of a first plurality of results, wherein the first plurality of detection routines includes at least one routine executable to test for a characteristic typically associated with valid code and at least one routine executable to test for a behavior typically associated with valid code; weighting and combining each of the first plurality of results to obtain a first composite score; applying each of the second plurality of detection routines to the code under investigation to obtain a corresponding one of a second plurality of results, wherein the second plurality of detection routines includes at least one routine executable to test for a characteristic typically associated with malicious code and at least one routine executable to test for a behavior typically associated with malicious code; and weighting and combining each of the second plurality of results to obtain a second composite score; and upon executing each of the first and second plurality of detection routines, use at least one of the first and second composite scores to make a determination whether the code under investigation is malicious code.
14. The method of claim 1, further comprising: determining from the first and second scores that the code under investigation is malicious code.
15. The method of claim 14, wherein the malicious code does not have a known signature.
16. The method of claim 1, wherein the malicious code is a previously unknown type of malicious code.
17. The method of claim 14, wherein the determination that the code under investigation is malicious code is based on the first score not exceeding a valid code threshold value and the second score exceeding a malicious code threshold value.
18. The method of claim 1, wherein the determination is made from the first and second scores that the code under investigation is valid code.
19. The method of claim 1, wherein the determination is made that the code under investigation is valid code, wherein the determination is made based on the first score exceeding a valid code threshold value, regardless of the second score.
20. The method of claim 1, wherein the determination is made that the code under investigation is valid code, wherein the determination is made based on the first score exceeding a valid code threshold and the second score not exceeding a malicious code threshold.
21. The method of claim 1, further comprising: determining from the first and second scores that the code under investigation is suspicious code, wherein suspicious code has not been determined to be either valid or malicious code.
22. The computer system of claim 12, wherein the program instructions are executable by the processor to: determine from the first and second scores that the code under investigation is malicious code.
23. The computer system of claim 22, wherein the malicious code is a previously unknown type of malicious code.
24. The computer system of claim 22, wherein the determination that the code under investigation is malicious code is based on the first score not exceeding a valid code threshold value and the second score exceeding a malicious code threshold value.
25. The computer system of claim 12, wherein the program instructions are executable by the processor to: determine from the first and second scores that the code under investigation is valid code.
26. The computer system of claim 25, wherein the determination that the code under investigation is valid code is based on the first score exceeding a valid code threshold value, regardless of the second score.
27. The computer system of claim 12, further comprising program instructions executable by the processor to: determine from the first and second scores that the code under investigation is suspicious code.
28. The storage medium of claim 13, wherein the program instructions are executable by the computer system to: determine from the first and second scores that the code under investigation is malicious code.
29. The storage medium of claim 28, wherein the malicious code is a previously unknown type of malicious code.
30. The storage medium of claim 13, wherein the program instructions are executable by the computer system to: determine from the first and second scores that the code under investigation is valid code.
31. The storage medium of claim 30, wherein the determination that the code under investigation is valid code is based on the first score exceeding a valid code threshold value, regardless of the second score.
32. The storage medium of claim 28, further comprising program instructions executable to: determine from the first and second scores that the code under investigation is suspicious code.
33. The storage medium of claim 28, wherein the determination that the code under investigation is malicious code is based on the first score not exceeding a valid code threshold value and the second score exceeding a malicious code threshold value.
34. The method of claim 1, wherein at least some of the code associated with the selected active program is running in kernel mode.
35. One or more computer-readable storage media having stored thereon program instructions executable on a computer system to: while a first program is running on an operating system of the computer system: execute each of a first and second plurality of detection routines on the operating system of the computer system to gather information about the first program, wherein the first plurality of detection routines are executable to detect information about the first program that is indicative of valid code, and wherein the second plurality of detection routines are executable to detect information about the first program that is indicative of malicious code; weight results of the first and second pluralities of detection routines; use the weighted results of the first plurality of detection routines to determine a first value indicative of the likelihood that the first program is valid code; use the weighted results of the second plurality of detection routines to determine a second value indicative of the likelihood that the first program is malicious code; and use at least one of the first and second values to determine whether the first program is a security threat to the computer system; and for each of a plurality of additional programs running on the operating system of the computer system: execute each of the first and second pluralities of detection routines on the operating system of the computer system relative to that additional program; and use weighted results of the execution of the first and second pluralities of detection routines to determine whether that additional program is a security threat to the computer system.
36. The computer-readable storage media of claim 35, wherein the program instructions are executable to determine whether the first program is a security threat to the computer system based on a first comparison between the first value and a valid code threshold value and also based on a second comparison between the second value and a malicious code threshold value.
37. The computer-readable storage media of claim 35, wherein the program instructions are executable to determine that the first program is a security threat to the computer system based on the first value not exceeding a valid code threshold value and on the second value exceeding a malicious code threshold value.
38. The computer-readable storage media of claim 35, wherein the program instructions are executable to determine that the first program is not a security threat to the computer system based on the first value exceeding a valid code threshold value, regardless of the second value.
39. The computer-readable storage media of claim 35, wherein the program instructions are executable to determine that the first program is not a security threat to the computer system based on the first value exceeding a valid code threshold value and on the second value not exceeding a malicious code threshold value.
40. A method, comprising: while a first program is running on an operating system of a computer system, executing each of a first and second plurality of detection routines on the operating system of the computer system, wherein the first plurality of detection routines includes routines that are executable to detect information about the first program that is indicative of valid code, and wherein the second plurality of detection routines includes routines that are executable to detect information about the first program that is indicative of malicious code; weighting results of the first and second pluralities of detection routines; using weighted results of the first plurality of detection routines to compute a first value indicative of the likelihood that the first program is valid code; using weighted results of the second plurality of detection routines to compute a second value indicative of the likelihood that the first program is malicious code; and using at least one of the computed first and second values to categorize the first program as to the likelihood of the first program compromising the security of the computer system; for each of a plurality of additional programs running on an operating system of the computer system: executing each of the first and second pluralities of detection routines on the operating system of the computer system relative to that additional program; using weighted results of the execution of the first and second pluralities of detection routines to categorize that additional program as to the likelihood of that additional program compromising the security of the computer system.
41. The method of claim 40, wherein said using at least one of the computed first and second values includes performing comparisons involving the first and second values.
42. The method of claim 41, wherein said first program is categorized based on a comparison between the first value and a valid code threshold.
43. The method of claim 42, wherein the first program is categorized as not being a security threat based on the first value exceeding the valid code threshold, regardless of the second score.
44. The method of claim 41, wherein said first program is categorized based on a comparison between the first value and a valid code threshold and also on a comparison between the second value and a malicious code threshold.
45. The method of claim 44, wherein the first program is categorized as not being a security threat based on the first value exceeding the valid code threshold and the second value not exceeding the malicious code threshold.
46. The method of claim 1, wherein each of the detection routines within the first and second plurality of detection routines gathers a different type of information about the code under investigation, and wherein the first and second pluralities of detection routines are not themselves running on the operating system of the computer system in a manner that prevents the code under investigation from infecting the computer system.
47. The method of claim 1, wherein there is at least one detection routine within the collective first and second pluralities of detection routines that, when executed, obtains information about the code under investigation by accessing the operating system of the computer system via an API of the operating system.
48. The method of claim 9, wherein each of the detection routines within the first and second plurality of detection routines gathers a different type of information about the code under investigation, and wherein the first and second pluralities of detection routines are not themselves running on the operating system of the computer system in a manner that prevents the code under investigation from infecting the computer system.
49. The method of claim 9, wherein there is at least one detection routine within the collective first and second pluralities of detection routines that, when executed, obtains information about the code under investigation by accessing the operating system of the computer system via an API of the operating system.
50. The computer system of claim 12, wherein each of the detection routines within the first and second plurality of detection routines is executable to gather a different type of information about the code under investigation, and wherein the first and second pluralities of detection routines do not execute on the operating system of the computer system in a manner that prevents the code under investigation from infecting the computer system.
51. The computer system of claim 12, wherein there is at least one detection routine within the collective first and second pluralities of detection routines that is executable to obtain information about the code under investigation by accessing the operating system of the computer system via an API of the operating system.
52. The computer-readable storage medium of claim 13, wherein each of the detection routines within the first and second plurality of detection routines is executable to gather a different type of information about the code under investigation, and wherein the first and second pluralities of detection routines do not execute on the operating system of the computer system in a manner that prevents the code under investigation from infecting the computer system.
53. The computer-readable storage medium of claim 13, wherein there is at least one detection routine within the collective first and second pluralities of detection routines that is executable to obtain information about the code under investigation by accessing the operating system of the computer system via an API of the operating system.
54. The computer-readable storage media of claim 35, wherein each of the detection routines within the first and second plurality of detection routines is executable to gather a different type of information about the first program, and wherein the first and second pluralities of detection routines do not execute on the operating system of the computer system in a manner that prevents the first program from infecting the computer system.
55. The computer-readable storage media of claim 35, wherein there is at least one detection routine within the collective first and second pluralities of detection routines that is executable to obtain information about the code under investigation by accessing the operating system of the computer system via an API of the operating system.
56. The method of claim 40, wherein each of the detection routines within the first and second plurality of detection routines gathers a different type of information about the first program, and wherein the first and second pluralities of detection routines are not themselves running on the operating system of the computer system in a manner that prevents the first program from infecting the computer system.
57. The method of claim 40, wherein there is at least one detection routine within the collective first and second pluralities of detection routines that, when executed, obtains information about the code under investigation by accessing the operating system of the computer system via an API of the operating system.
58. The method of claim 1, wherein the second plurality of detection routines includes a first detection routine and a second detection routine, wherein the first detection routine is executable to determine a characteristic of a binary image of the active program, and wherein the second detection routine is executable to determine a behavior of the active program by accessing a location within the computer system other than the binary image of the active program.
59. The method of claim 58, wherein the first detection routine is executable to determine whether the binary image of the active program has a signature associated with a malicious program, and wherein the second detection routine is executable to determine whether the active program is logging keystrokes.
60. The method of claim 9, wherein the second plurality of detection routines includes a first detection routine and a second detection routine, wherein the first detection routine is executable to determine a characteristic of a binary image of the code under investigation, and wherein the second detection routine is executable to determine a behavior of the active program by accessing a location within the computer system other than the binary image of the code under investigation.
61. The method of claim 60, wherein the first detection routine is executable to determine whether the binary image of the code under investigation has a signature associated with a malicious program, and wherein the second detection routine is executable to determine whether the active program is logging keystrokes.
62. The computer system of claim 12, wherein the second plurality of detection routines includes a first detection routine and a second detection routine, wherein the first detection routine is executable to determine a characteristic of a binary image of the code under investigation, and wherein the second detection routine is executable to determine a behavior of the active program by accessing a location within the computer system other than the binary image of the code under investigation.
63. The computer system of claim 62, wherein the first detection routine is executable to determine whether the binary image of the code under investigation has a signature associated with a malicious program, and wherein the second detection routine is executable to determine whether the active program is logging keystrokes.
64. The storage medium of claim 13, wherein the second plurality of detection routines includes a first detection routine and a second detection routine, wherein the first detection routine is executable to determine a characteristic of a binary image of the code under investigation, and wherein the second detection routine is executable to determine a behavior of the active program by accessing a location within the computer system other than the binary image of the code under investigation.
65. The storage medium of claim 64, wherein the first detection routine is executable to determine whether the binary image of the code under investigation has a signature associated with a malicious program, and wherein the second detection routine is executable to determine whether the active program is logging keystrokes.
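The scoring scheme the claims describe (two independently weighted scores, the threshold rules of claims 17 through 21, and the repetition over every active program of claims 2 and 35), as an added Python illustration that is not the patent's code: the routine names, weights, thresholds and the sample observations are assumptions constructed for this example, and plain dictionaries stand in for the OS-API probing a real detection routine would perform.

```python
# Added example, not code from the patent. Each detection routine returns True
# or False for the code under investigation; the weights of the routines that
# fire are summed into a "valid" score and an independent "malicious" score,
# which are then compared against two thresholds.
from dataclasses import dataclass
from typing import Callable, Dict

Observation = Dict[str, bool]  # facts a routine would gather via OS APIs


@dataclass(frozen=True)
class DetectionRoutine:
    name: str
    weight: float                        # contribution when the routine fires
    test: Callable[[Observation], bool]


# Hypothetical routine sets; names and weights are assumptions for the example.
VALID_ROUTINES = (
    DetectionRoutine("signed_binary", 3.0, lambda o: o["signed"]),
    DetectionRoutine("visible_window", 2.0, lambda o: o["visible_window"]),
    DetectionRoutine("registered_install", 2.0, lambda o: o["registered_install"]),
)
MALICIOUS_ROUTINES = (
    # a characteristic of the binary image itself
    DetectionRoutine("known_signature", 5.0, lambda o: o["matches_signature"]),
    # behaviours observed somewhere other than the binary image
    DetectionRoutine("keystroke_hook", 4.0, lambda o: o["hooks_keyboard"]),
    DetectionRoutine("hidden_autostart", 2.0,
                     lambda o: o["autostart"] and not o["visible_window"]),
    DetectionRoutine("listening_socket", 2.0, lambda o: o["listens_on_port"]),
)


def weighted_score(routines, obs: Observation) -> float:
    """Apply every routine and sum the weights of those that fire."""
    return sum(r.weight for r in routines if r.test(obs))


def categorize(valid_score: float, malicious_score: float,
               valid_threshold: float, malicious_threshold: float,
               require_low_malicious: bool = False) -> str:
    """Map the two scores onto valid / malicious / suspicious (claims 17-21)."""
    # Valid when the first score exceeds its threshold: by default regardless
    # of the second score (claim 19), or only when the second score also stays
    # at or below its threshold (claim 20).
    if valid_score > valid_threshold and (
            not require_low_malicious or malicious_score <= malicious_threshold):
        return "valid"
    # Malicious only when the first score does NOT exceed its threshold and the
    # second score does (claim 17).
    if valid_score <= valid_threshold and malicious_score > malicious_threshold:
        return "malicious"
    # Anything not determined to be either is suspicious (claim 21).
    return "suspicious"


def investigate(obs: Observation, valid_threshold: float = 4.0,
                malicious_threshold: float = 4.0,
                require_low_malicious: bool = False) -> dict:
    v = weighted_score(VALID_ROUTINES, obs)
    m = weighted_score(MALICIOUS_ROUTINES, obs)   # independent of v (claim 9)
    return {"valid_score": v, "malicious_score": m,
            "category": categorize(v, m, valid_threshold, malicious_threshold,
                                   require_low_malicious)}


def scan_active_programs(programs: Dict[str, Observation], **kw) -> Dict[str, str]:
    """Repeat the investigation for every active program (claims 2 and 35)."""
    return {name: investigate(obs, **kw)["category"]
            for name, obs in programs.items()}


# Constructed observations standing in for four running programs.
SAMPLE_PROGRAMS: Dict[str, Observation] = {
    "wordproc": dict(signed=True, visible_window=True, registered_install=True,
                     matches_signature=False, hooks_keyboard=False,
                     autostart=False, listens_on_port=False),
    "keylogger": dict(signed=False, visible_window=False, registered_install=False,
                      matches_signature=False, hooks_keyboard=True,
                      autostart=True, listens_on_port=True),
    "oddtool": dict(signed=False, visible_window=True, registered_install=False,
                    matches_signature=False, hooks_keyboard=False,
                    autostart=True, listens_on_port=True),
    "remote_admin": dict(signed=True, visible_window=False, registered_install=True,
                         matches_signature=False, hooks_keyboard=True,
                         autostart=True, listens_on_port=True),
}

if __name__ == "__main__":
    for name, cat in scan_active_programs(SAMPLE_PROGRAMS).items():
        print(f"{name:13s} -> {cat}")
```

The "remote_admin" sample scores high on both sides: under the claim 19 rule it is valid, while the stricter claim 20 rule (`require_low_malicious=True`) leaves it suspicious, which is the case an analyst would want surfaced for review.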
Patents cited by this patent (35)
Hill Douglas W. ; Lynn James T., Adaptive system and method for responding to computer network security attacks.
Kaplan Dmitry ; Stanhope David M. ; McKernan Randolph W. ; Wilburn Howard L. ; Green Evan R., Apparatus and method for preventing fraudulent calls in a wireless telephone system using destination and fingerprint a.
Arnold William C. (Mahopac NY) Chess David M. (Mohegan Lake NY) Kephart Jeffrey O. (Yorktown Heights NY) White Steven R. (New York NY), Automatic immune system for computers and computer networks.
Muttik, Igor G.; Cowie, Neil A.; Teblyashkin, Ivan A., Distributed system and method for conducting a comprehensive search for malicious code in software.
Blair Steven Cameron ; Hassinger Sebastian ; Hurley ; II William W. ; Smith William Meyer ; Turek John J. E., Lightweight authentication system and method for validating a server access request.
Sampath Srivats ; Balasubramaniam Chandrasekar ; Lingarkar Ravi ; Katchapalayam Babu ; Kannan Ravi, Method and system for securing, managing or optimizing a personal computer.
Alagna,Michael Anthony; Obrecht,Mark Eric; Payne,Charles Andrew; Norwood,Peter, Method, system and computer program product for security in a global computer network transaction.
Chess, David Michael; Kephart, Jeffrey Owen; Morar, John Frederick; Pring, Edward John; White, Steve Richard, System and method for managing files in a distributed system using filtering.
Chess, David Michael; Kephart, Jeffrey Owen; Morar, John Frederick; Pring, Edward John; White, Steve Richard, System and method for managing files in a distributed system using prioritization.
Horvitz Eric ; Heckerman David E. ; Dumais Susan T. ; Sahami Mehran ; Platt John C., Technique which utilizes a probabilistic classifier to detect "junk" e-mail by automatically updating a training and re-training the classifier based on the updated training set.
Miller Craig A. (Tomball TX) Dhareshwar Yatin (Bombay TX INX) Heller Edmund G. (Spring TX) Garrett Michael R. (Houston TX), Transparent, secure computer virus detection method and apparatus.
Edwards,Jonathan L.; Woodruff,Andrew A.; Worley,Candace M.; Allphin,Ryan L., Virus scanner system and method with integrated spyware detection capabilities.
Obrecht, Mark E.; Myers, Robert P.; Hartmann, Alfred C.; Alagna, Nick F.; Pyle, Kevin N.; Sullivan, Scott D.; Little, Michael W., Monitoring computer process resource usage.