US20100122078A1 - Systems and methods for creating a code inspection system - Google Patents
Systems and methods for creating a code inspection system Download PDFInfo
- Publication number
- US20100122078A1 US20100122078A1 US12/688,945 US68894510A US2010122078A1 US 20100122078 A1 US20100122078 A1 US 20100122078A1 US 68894510 A US68894510 A US 68894510A US 2010122078 A1 US2010122078 A1 US 2010122078A1
- Authority
- US
- United States
- Prior art keywords
- code
- dynamic decoy
- protected
- portions
- dynamic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
Definitions
- the exemplary methods and systems for detecting a malicious code and preventing it from being further processed by a protected computer or other device are based on, for example, the following principals.
- the inspection of a questionable code is based on what that code could do to a protected machine and/or its software applications and/of hardware rather than of how the questionable code looks.
- the protection methods and systems automatically create a code inspection system that is an accurate software copy of the protected computer or device, including relevant software applications residing on the protected machine.
- the code inspection system automatically updates itself, reflecting software application additions and deletions in the protected computer as well as changes in configurations.
- the code inspection system contains “actuators” which emulate the normal or typical use of the protected machine, i.e., opening and closing of applications, accessing of files, or the like.
- the code inspection system also contains a “clock accelerator” which is running the code clock to emulate passage of sufficient time on order to trigger time-delayed malicious codes. Additionally, the code inspection system contains sensors detecting negative impact of a questionable code
- the actuator module emulates normal use of the protected machine, i.e., it opens and closes applications, accesses files, sends various communications, manipulates user definable parameter values, or the like, as well as “accelerating the clock” of the DM in order to trigger time-triggered malicious codes.
- Emulation of the normal use of the protected machine can be pre-programmed and/or updated by the MU based on the use of the protected machine.
- step S 140 the dynamic decoy machine is initialized. Control then continues to step S 150 .
- step S 150 a determination is made whether new components and/or applications have been installed. If new components and/or applications have been installed, control continues to step S 160 . Otherwise, control jumps to step S 170 .
Abstract
A code inspection system produces a dynamic decoy machine that closely parallels one or more protected systems. The code inspection system can analyze and monitor one or more protected systems, and as those protected systems are updated, altered or modified, the dynamic decoy machine, in which potentially malicious code is tested, can also be updated. Thus, the dynamic decoy machine can accurately reflect the current state of the one or more protected systems such that the potentially destructive nature, if any, of suspicious code can be evaluated as if it were in the actual environment of the protected system, without jeopardizing the security of the protected system.
Description
- This application is a continuation of U.S. patent application Ser. No. 11/367,698, filed Mar. 6, 2006, now allowed, which is a continuation of U.S. patent application Ser. No. 10/074,037, filed Feb. 14, 2002, now U.S. Pat. No. 7,010,698, which claimed priority to U.S. Provisional Application No. 60/268,369, filed Feb. 14, 2001, the disclosures of all of which are hereby incorporated by reference herein in their entirety.
- 1. Field of the Invention
- This invention relates to systems and methods for protecting computers. In particular, this invention relates to systems and methods for protection of computers and other devices from malicious code such as viruses, spyware, undesirable code, or the like.
- 2. Discussion of the Background
- Malicious codes such as viruses, worms, spyware, etc., can cause substantial damage to computers and other devices. Known systems that protect against malicious code are typically based on an analysis of a code before it is accepted by a computer. This analysis is usually based on a comparison of the code in question with a collection of known malicious codes contained in a “library.” If a substantial similarity is found between the code in question and a code in the library, the code is declared malicious or potentially malicious and is not accepted by the protected computer for further processing.
- Detection of malicious code, such as a worm or virus, and a determination of the associated potentially devastating effects can be determined using a test chamber, such as that described in U.S. Pat. No. 5,842,002, incorporated herein by reference in its entirety.
- A test chamber is a static hardware model of a protected system, such as a computer. Questionable code, such as an incoming e-mail message is placed in such a test chamber where the conditions of the actual protected system are simulated. A malicious code reacting to such simulated conditions would act according to its designed purpose in this environment. Most common types of such action would be destruction of computer files and/or replication and an attempt to spread the replicas to other computers within a given environment, such as over a LAN or via e-mail. Upon detection of such activities within the test chamber, or upon destruction of all or a portion of the test chamber, the code in question can be declared malicious and not forwarded to the protected computer.
- In cases where malicious activity is not detected, the code is deemed safe and passed to the protected computer. For example, upon completion of a scan of an e-mail, and no malicious code within the e-mail detected, the e-mail can be forwarded to the protected computer.
- However, the above methods have at least one inherent deficiency based on the fact that, by definition, they can only detect a previously know malicious code. A previously unknown code, or a code not contained in the “library” of codes would be accepted for further processing by the protected system, thereby “infecting” the protected system. Additionally, establishing an optimal level of similarity between the, library and potentially malicious codes presents a substantial difficulty since too general of a criteria of similarity can produce a high level of false positive alerts, while a too specific criteria can produce a high level of false negative results.
- The static test chamber system allows for the detection of malicious code that can be incorporated into files or applications, such as an e-mail or program, or that may be self-executing. However, many malicious codes are designed to interfere with a specific operating system, a specific application, upon a specific function being performed, or on some other or combination of triggering activities. Thus, in order to have a test chamber that could account for all of the variables, the test chamber would either need to duplicate a large number of combinations of operating systems and applications, or there would need to be a plurality of test chambers duplicating different combinations of operating systems and applications. The situation is further complicated by the fact that many operating systems and applications themselves are represented by a variety of releases, different versions, and updates. All of the above variables make it difficult to effectively create and maintain test chambers that can be readily and economically maintained and upgraded.
- A more attractive approach is to concentrate on the results of accepting a code in question. Obviously, testing a questionable code in an actual protected computer is not acceptable. However, generally it is possible to test a questionable code in a sacrificial “buffer” computer, using it as a “test chamber.” Nevertheless, the practicality of this approach is highly questionable for the following reasons. If the “buffer” computer is an actual computer, this would require a user to purchase two computers instead of one, and would eventually double the number of computers required to perform the same tasks. If the “buffer” computer is a “virtual machine,” this would require creating “virtual machines” for every release of every operating system. Furthermore, because malicious codes are often targeting specific applications, with both scenarios, the “buffer” machine has to contain a copy of every application of the actual protected computer. The frequency of new releases of operating systems and software applications by all vendors creates such a large number of variations to be duplicated by the protective system that it makes the approach even less practical.
- One exemplary embodiment of the systems and methods of this invention allows for the automatic building and updating of a dynamic decoy machine (DM) based on a protected system. The DM can reside in the protected system, outside and connected to the protected system, as a standalone system, or a combination thereof. As the protected system goes through updates, modifications and additions, the protected system is automatically duplicated in the DM. Therefore the DM's configuration closely parallels that of the protected computer.
- The exemplary methods and systems for detecting a malicious code and preventing it from being further processed by a protected computer or other device are based on, for example, the following principals. The inspection of a questionable code is based on what that code could do to a protected machine and/or its software applications and/of hardware rather than of how the questionable code looks. The protection methods and systems automatically create a code inspection system that is an accurate software copy of the protected computer or device, including relevant software applications residing on the protected machine. The code inspection system automatically updates itself, reflecting software application additions and deletions in the protected computer as well as changes in configurations. The code inspection system contains “actuators” which emulate the normal or typical use of the protected machine, i.e., opening and closing of applications, accessing of files, or the like. The code inspection system also contains a “clock accelerator” which is running the code clock to emulate passage of sufficient time on order to trigger time-delayed malicious codes. Additionally, the code inspection system contains sensors detecting negative impact of a questionable code on the protected machine.
- In accordance with an exemplary embodiment of this invention, the code inspection system (CIS), comprises two major parts: a code inspection management module and a dynamic decoy machine (DM). The dynamic decoy machine (DM) further comprises two major parts: an actuator module and a sensor module. These various sensor modules can be added to the dynamic decoy machine's configuration during installations and upgrades that occur on the protected machine, or based on some other predetermined configuration.
- Inspection of the questionable code by the code inspection system is performed within the dynamic decoy machine. During the inspection of incoming code, if the questionable code contains malicious code with destructive capabilities, the DM can be partially or fully destroyed or damaged, without affecting the protected system.
- The actuator module emulates normal use of the protected machine, i.e., it opens and closes applications, accesses files, sends various communications, manipulates user definable parameter values, or the like, as well as “accelerating the clock” of the DM in order to trigger time-triggered malicious codes. Emulation of the normal use of the protected machine can be pre-programmed and/or updated by the MU based on the use of the protected machine.
- The sensors module comprises sensors that detect undesirable actions of the questionable code. These undesirable actions can be broadly divided into three categories: command-based, access-based, and unauthorized modification based. Command-based sensors detect the invocation of one or more undesirable commands. Typical examples could be such commands as “delete.” Access-based sensors detect a questionable code's attempt to access undesirable areas of the DM such as an “address book,” registry, or the like. Unauthorized modification based sensors detect violations of the integrity of the files, such as violations of the check-sum or other authentication algorithms.
- The exemplary embodiments of this invention can be performed by a computer program, hardware, or a combination thereof which resides within, outside, or a combination of inside and outside of a protected system. The code inspection system detects installations and upgrades to the protected system's operating system, installation and updates of applications, or the like, and upon such installation process, creates a duplicate of the installed software in the dynamic decoy machine. Thus, the dynamic decoy machine can be a virtual, stand alone, or dedicated dynamic decoy machine such that the configuration of the dynamic decoy machine parallels that of one or more protected computers.
- The substantial duplication of pertinent aspects of the protected system in the dynamic decoy machine can be performed during changes to the protected machine's operating system, applications, and files, and those changes duplicated in the DM, thus constantly updating the DM. Alternatively, the duplication can be performed at a predetermined time, regularly or irregularly, or it can be time-based or event-based. The code inspection management module can also receive signals from the DM indicating violations detected by the sensors and block passage of the questionable code deemed undesirable to the protected machine. If the code is not declared undesirable, the code inspection management unit can deliver the code to the protected machine for further processing. For example, the systems and methods of this invention can be used in conjunction with copending U.S. Ser. No. 09/571,377, entitled “Method of Communications and Communication Network Intrusion Protection Methods and Intrusion Attempt Detection System,” incorporated herein by reference its entirety.
- Furthermore, and in accordance with a second exemplary embodiment of the systems and methods of this invention, the code inspection system can maintain one or more dynamic decoy machines. In this embodiment, the first dynamic decoy machine can be used as the actual dynamic decoy machine in which potentially malicious code is evaluated, while the second dynamic decoy machine can act as a backup to rebuild one or more of the first dynamic decoy machine or the protected system should a recovery be necessary Likewise, by maintaining a backup of the dynamic decoy machine, the backup dynamic decoy machine can be used in the case of accidental damage to the protected computer's operating systems and/or applications.
- The mirroring of the protected system by the code inspection system can be performed during upgrades of an operating system or an application. Alternatively, the mirroring can be performed at a predetermined time, the only drawback being the fact that the code inspection system may not always exactly reflect the protected system. While the code inspection system is substantially identical of that of the protected computer, the code inspection system, for example, may or may not have the same IP address, can have embedded therein sensors and recovery tools should malicious code destroy all or a portion of the software and/or hardware of the code inspection system, or the like.
- Aspects of the present invention relate to computer security. In particular, the exemplary embodiments of the systems and methods of this invention relate to creation and updating of a code inspection system (CIS).
- Aspects of the present invention also relate to systems and methods that are capable of maintaining a code inspection system as a protected system is modified.
- Aspects of the present invention additionally relate to systems and methods of building and updating a code inspection system based on a protected computer.
- Aspects of the present also relate systems and methods that allow for a complete or partial recovery of protected system based on information stored in one or more code inspection systems.
- These and other features and advantages of this invention are described in or apparent from the following detailed description of the embodiments.
- The embodiments of the invention will be described in detail, with reference to the following figures wherein:
-
FIG. 1 is a functional block diagram illustrating an exemplary code inspection system according to this invention; -
FIG. 2 is a functional block diagram illustrating a second exemplary code inspection system according to this invention; and -
FIG. 3 is a flowchart outlining the exemplary method for creating and maintaining a code inspection system according to this invention. - An exemplary embodiment of the systems and methods of this invention allow a code inspection system to produce a dynamic decoy machine that closely parallels one or more protected systems. For example, the code inspection system can analyze and monitor one or more protected systems as those protected systems are updated, altered or modified. The CIS, in which potentially malicious code is tested, can also be updated. Thus, the CIS system can accurately reflect the current state of one or more protected systems such that the potentially destructive nature, if any, of suspicious code can be evaluated as if it were in the actual environment of the protected system, without jeopardizing the security of the protected system.
-
FIG. 1 illustrates an exemplary code inspection system. In particular, the code inspection system comprises a codeinspection management module 10, one or more protectedsystems 20, associated peripherals andinput devices 50, and adynamic decoy machine 40, all interconnected bylink 5. Additionally, thedynamic decoy machine 40 comprises one ormore actuator modules 42 and one ormore sensor modules 44. - While the exemplary embodiment illustrated in
FIGS. 1-2 show the code inspection system and associated components collocated, it is to be appreciated that the various components of the code inspection system can be located a distant portions of a distributed network, such as a local area network, a wide area network, and intranet and/or the internet, or within a dedicated code inspection management system, within separate partitions of a hard drive, such as the hard drive of the protected system, or the like. Thus, it should be appreciated that components of the code inspection management system can be combined into one device or collocated on a particular node of a distributed network. As will be appreciated from the following description, and for reasons of computationally efficiency, the components of the code inspection system can be arranged at any location within a distributed network without affecting the operation of the system. - Furthermore, the
links 5 can be a wired or a wireless link or any other known or later developed element(s) that is capable of supplying and communicating electronic data to and from the connect elements. Additionally, the peripherals andinput devices 50 can be, for example, a keyboard, a mouse, a speech-two-text converter, a computer monitor, a display, or the like. Furthermore, while the exemplary embodiments are described in relation to the protectedsystem 20 being a computer and associated peripherals and input/output devices 50, it is to be appreciated that a protectedsystem 20 can include a plurality of computer systems, a network, one or more subsets of applications and/or operating systems running on a computer, a LAN, or the like. In general, the code inspection management system can be scaled to any size and an associated code inspection system built. - In particular,
FIG. 2 illustrates an exemplary embodiment that can comprise one or more protectedsystems 20 and associated peripherals and input/output devices 50. In this exemplary embodiment, the one or more protectedsystems 20 can be emulated by the codeinspection management module 10 in thedynamic decoy machine 40 such that, for example, the effects of potentially malicious code on the entirety of the network determined. - In operation, the code
inspection management module 10 determines whether the protectedsystem 20 is a new system. If the protectedsystem 20 is new, the codeinspection management module 10 initializes adynamic decoy machine 40 that will be used to test potentially malicious code. In particular, the codeinspection management module 10 monitors the status of the protectedsystem 20 and updates thedynamic decoy machine 40 as the protectedsystem 20 is built, configured, and operating systems and applications installed. Furthermore, along with paralleling the structure of the protectedsystem 20, the codeinspection management module 10 can also embed in thecode inspection system 40 one ormore sensor modules 44 andactuator modules 42 that monitor, detecting, track, and/or disable malicious code. This paralleling can be performed, for example, by copying files from the protected system to thedynamic decoy machine 40, or by a parallel installation process. Thus, upon a potentially malicious code being introduced to the dynamic decoy machine to determine its effects, and theactuator module 42 running the dynamic decoy machine through an exemplary operating scenario, thesensor module 42 can monitor and determine, for example, the operation of the malicious code. - For example, the
dynamic decoy machine 40 can act as an intermediary or interface between the protected system and one or more other unprotected systems or devices from which potentially malicious code could originate. Specifically, the code inspection system can be arranged such that the dynamic decoy machine, cooperating with the codeinspection management module 10, acts as a screening interface for all or a portion of received code. This interface can be seamless such that other users and systems are unaware that they are only in communication with the protected system via the dynamic decoy machine. As an example, the dynamic decoy machine could maintain the IP address to which all or a portion of the communications destined for the protected system are routed. As an alternative, the codeinspection management module 10 anddynamic decoy machine 40 can act as an interface between, for example, the input devices for the protected system, such as the floppy or CDROM drive, and all or a portion of the code destined for the protected system routed through the dynamic decoy machine. Specifically, the code inspection system could be incorporated into, for example, the BIOS or operating system of a computer or a hard drive. Therefore, the code inspection system would have the capability of intercepting all or a portion of the inputs to the protected system. - Alternatively, code
inspection management module 10 can be introduced to produce a code inspection system that mirrors one or more protectedsystems 20 already in existence. In this example, the codeinspection management module 10 analyzes the protectedsystem 20 to determine, for example, the installed operating system, installed applications, installed peripherals and input/output devices, or the like, and creates thedynamic decoy machine 40 based on the protectedsystem 20. - In addition to the operating system and applications installed on the protected
system 20 that are duplicated in thedynamic decoy machine 40, the code inspection management module can emulate the one or more peripherals andinput devices 50 that are connected to the protectedsystem 20 in a manner known as a “virtual machine.” - In this example, not only is the software replicated in the
dynamic decoy machine 40 but also the hardware components. This can be useful, for example, where a potentially malicious code would activate to produce an output on one or more of the peripheral devices. This process can be simplified in a case when the simple fact of questionable code attempting to access an input/output device or a peripheral is deemed undesirable or malicious in itself. - Upon completion of creating the
dynamic decoy machine 40, the code inspection system can verify the integrity of thedynamic decoy machine 40. For example, the codeinspection management module 10 can run a comparison between the protectedsystem 20 and thedynamic decoy machine 40 to ensure the systems are substantially identical, or will perform substantially identically under a given exposure to potentially malicious code, except, for example, anyactuator modules 42 andsensor modules 44 the codeinspection management module 10 may have embedded in thedynamic decoy machine 40. - As with a dynamic decoy machine being developed in conjunction with a newly built computer, once the dynamic decoy machine has been aligned with the protected
system 20, the codeinspection management module 10 monitors the protectedsystem 20 for any updates, installations, or modifications. Upon any one or more of these triggering events, the codeinspection management module 10, vialink 5, can update thedynamic decoy machine 40 as well as update and/or add to the actuator and sensor modules. - For example, the code
inspection management module 10 can act as a minoring device, wherein the protectedsystem 20 is exactly duplicated in thedynamic decoy machine 40. Alternatively, only portions of the protected system pertinent to the anticipated undesirable effects can be duplicated. - In addition to the
dynamic decoy machine 40 being used to test potentially malicious code, as previously discussed, thedynamic decoy machine 40 can be used as a backup system. In particular, if one or more portions of the protectedsystem 20 are damaged, all or a portion of the protectedsystem 20 could be recovered from thedynamic decoy machine 40 since thedynamic decoy machine 40 is a substantial duplicate of the protectedsystem 20. Thus, during a recovery operation, the codeinspection management module 10 can remove any sensor modules or actuator modules that were embedded in the dynamic decoy machine during the dynamic decoy machine's creation. - The
actuator module 42 acts in cooperation with the codeinspection management module 10 place the dynamic decoy machine through various operational sequences in an effort to trigger a piece of malicious code. For example, the operational sequences can be based on a profile of expected actions of the malicious code. Thus, if an e-mail is received, theactuator module 42 could open the e-mail, and thesensor module 44 watch for access to, for example, the address book. Alternatively, if an executable is downloaded from, for example, the internet, theactuator module 42 can execute the program and thesensor module 44 monitor the registry, and any commands, such as the delete command, and, for example, halt execution of thedynamic decoy machine 40 and delete the malicious code. Alternatively, the code inspection system, upon detection of malicious code, can attempt to remove unauthorized portions of, or “disinfect,” the malicious portion of the infected code. In general, the actuator module is capable of automatically simulating operating conditions of the protected system in the dynamic decoy machine. - Furthermore, the actuator module can also be dynamic and monitor the operation of the protected system. Thus, the actuator model is capable of more accurately reflecting the operational sequences of the protected system. For example, the actuator module, in conjunction with a memory device, not shown, can track a predetermined number of operation sequences in the protected machine. These operational sequences, either in whole or part, can then be executed, with or without additional operational sequences, in the dynamic decoy machine.
- The
sensor module 44 can monitor, for example, changes in file sizes, access attempts to particular portions of the dynamic decoy machine, command line statements, inputs and outputs of the potentially malicious code, or the like. Thus, thesensor module 44 can react to not only how a potentially malicious code looks, but how it acts. For example, the systems and methods of this invention can work in conjunction with traditional test chamber type systems that detect malicious code based on a matching technique. Thresholds can then be set that declare a code malicious based on its activity. For example, it may be desirable to declare all codes malicious that attempt to access the address book of a mail program. Alternatively, if any code attempts to execute a command that code may be declared malicious. In general, the sensor module, or a plurality of sensor modules, can be installed the in the dynamic decoy machine to detect any type of activity, and especially any type of unwanted activity. -
FIG. 2 illustrates an exemplary embodiment where there are one or more protectedsystems 20, and thedynamic decoy machine 40, in cooperation with the codeinspection management module 10, is capable of duplicating not only the environments within each protected system, but also the network settings. Network settings can include, for example, LAN, intranet and internet type environments. Thus, for this exemplary embodiment, thedynamic decoy machine 40 may not be simply a stand alone computer, but rather a collection of hardware and/or software that may include, for example, a duplicate of the network environment established between a plurality of protected systems. As with the previous embodiment, the codeinspection management module 10, in cooperation with thedynamic decoy machine 40, monitors the status of the one or more protectedsystems 20 and thenetwork 60 such that thedynamic decoy machine 40 is an accurate representation of the configuration of the one or more protected systems. Thus, when a potentially malicious code is introduced to the dynamic decoy machine for testing, an accurate representation of how the malicious code may act on one or more of the protected systems can be determined. -
FIG. 3 is a flow chart illustrating the exemplary method of constructing and monitoring a dynamic decoy machine according to an embodiment of the present invention. In particular, control begins in step S100 and continues to step S110. In step S110, a determination is made whether the protected system is new. If the protected system is new, control jumps to step S120. Otherwise, control continues to step S140. In step S120, the protected system is analyzed to determine, for example, the installed operating system, network parameters, installed applications, installed peripherals, or the like. Next, in step S130, the dynamic decoy machine is created based on the protected system, and optionally, actuator and sensor modules added. Control then continues to step S170. - In step S140, the dynamic decoy machine is initialized. Control then continues to step S150. In step S150, a determination is made whether new components and/or applications have been installed. If new components and/or applications have been installed, control continues to step S160. Otherwise, control jumps to step S170.
- In step S160, the dynamic decoy machine can be updated in real-time, near-real time, or at a predetermined time, and optionally, any sensor and actuator modules added. Control then continues to step S170.
- In step S170, the potentially malicious code is introduced to the dynamic decoy machine. Next, in step S180, the actuator module is invoked. Then, in step S190, the sensors are monitored for malicious activity. Control then continues to step S200.
- In step S200, a determination is made whether malicious code is detected. If malicious code is detected, control continues to step S210. Otherwise, control jumps to step S260.
- In step S210, the operation of the dynamic decoy machine is halted. Next, in step S220, a determination is made whether to delete the malicious code. If the malicious code is to be deleted, control jumps to step S250 where the malicious code is deleted. Otherwise, control continues to step S230.
- In step S230, the malicious code is attempted to be cleaned. Control then continues to step S240. In step S240, a determination is made whether the clean was successful. If the clean was successful, control continues to step S260. Otherwise, control continues to step S250 where the malicious code is deleted.
- In step S260, the code is passed tot he protected computer. Next, in step S270 a determination is made whether to restore all or a portion of the protected system. If a restoration is desired, control continues to step S280 where all or a portion of the protected system is restored. Control continues to step S290 where the control sequence ends.
- As shown in
FIGS. 1-2 , the code inspection system can be implemented either on a single programmed general purpose computer or a separate programmed general purpose computer. However, the code inspection system can also be implemented on a special purpose computer, a programmed microprocessor or microcontroller and peripheral integrated circuit element, an ASIC or other integrated circuit, a digital signal processor, a hardwired electronic or logic circuit such as a discrete element circuit, a programmable logic device such as PLD, PLA, FPGA, PAL, or the like. In general, any device capable of implementing a finite state machine that is in turn capable of implementing the steps illustrated inFIG. 3 can be used to implement the code inspection system according to this invention. - Furthermore, the disclosed method may be readily implemented in software using object or object-oriented software development environments that provide portable source code that can be used on a variety of computer or workstation hardware platforms. Alternatively, the disclosed test chamber management system can be implemented partially or fully in hardware using standard logic circuits or VLSI design. Whether software or hardware is used to implement the systems in accordance with this invention is dependent on the speed and/or efficiency requirements of the system, the particular function, and the particular software and/or hardware systems or microprocessor or microcomputer systems being utilized. However, the code inspection system and method illustrated herein can be readily implemented in hardware and/or software using any known or later-developed systems or structures, devices and/or software by those of ordinary skill in the applicable art from the functional description provided herein and with a general basic knowledge of the computer arts.
- Moreover, the disclosed methods may be readily implemented as software executed on a programmed general purpose computer, a special purpose computer, a microprocessor, or the like. In these instances, the methods and systems of this invention can be implemented as a program embedded on a personal computer, such as a JAVA® or CGI script, as a resource residing on a server or workstation, a routine embedded on a dedicated code inspection system, a web browser, a PDA, a dedicated code inspection system, or the like. The code inspection system can also be implemented by physically incorporating the system into a software and/or hardware system, such as the hardware and software systems of a computer workstation or dedicated code inspection system.
- It is, therefore, apparent there has been provided in accordance with the present invention, systems and methods for code inspection. While this invention has been described in conjunction with a number of embodiments, it is evident that many alternatives, modifications, and variations would be or are apparent those of ordinary skill in the applicable art. Accordingly, the invention is intended to embrace all such alternatives, modifications, equivalents and variations that are within the spirit and scope of this invention.
- The devices and subsystems of the exemplary embodiments of
FIGS. 1-3 can include computer readable medium or memories for holding instructions programmed according to the teachings of the present invention and for holding data structures, tables, records, and/or other data described herein. Computer readable medium can include any suitable medium that participates in providing instructions to a processor for execution. Such a medium can take many forms, including but not limited to, non-volatile media, volatile media, transmission media, and the like. Non-volatile media can include, for example, optical or magnetic disks, magneto-optical disks, and the like. Volatile media can include dynamic memories, and the like. Transmission media can include coaxial cables, copper wire, fiber optics, and the like. Common forms of computer-readable media can include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, any other suitable magnetic medium, a CD-ROM, CDRW, DVD, any other suitable optical medium, punch cards, paper tape, optical mark sheets, any other suitable physical medium with patterns of holes or other optically recognizable indicia, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other suitable memory chip or cartridge, or any other suitable medium from which a computer can read.
Claims (30)
1. A code inspection system, the system comprising:
a code inspection management module that monitors and communicates with a protected system over a communications network;
a dynamic decoy system coupled to the code inspection management module over the communications network and that, in cooperation with the code inspection management module, is updated to substantially parallel relevant portions of the protected system;
an actuator module included within the dynamic decoy system; and
one or more sensor modules included within the dynamic decoy system, wherein the dynamic decoy system is capable of analyzing at least one of actions and results of one or more portions of code in response to stimuli from the actuator module.
2. The system of claim 1 , wherein the actuator module at least one of executes the one or more portions of code, opens the one or more portions of code, inputs information to the one or more portions of code and simulates a passage of time longer than a period of testing.
3. The system of claim 1 , wherein the one or more sensor modules detect one or more of unauthorized access attempts, unauthorized command execution attempts and unauthorized modifications to one or more portions of the dynamic decoy machine.
4. The system of claim 1 , wherein the protected system is at least one of a computer, a plurality of computers, a network and one or more input devices.
5. The system of claim 1 , wherein the dynamic decoy system can be incorporated into a portion of the protected system
6. The system of claim 5 , wherein at least a portion of the code inspection system is in at least one of a BIOS and an operating system of the protected system.
7. The system of claim 1 , wherein the relevant portions of the protected system allow the one or more portions of code to be analyzed in the dynamic decoy system as if the dynamic decoy system were the protected system.
8. The system of claim 1 , wherein at least a portion of the protected system is capable of being recovered from the dynamic decoy system.
9. The system of claim 1 , wherein the code inspection management module monitors the protected system and updates the dynamic decoy system based on at least one of installed software, installed hardware, operating system upgrades, software upgrades, hardware upgrades, software deletions, hardware deletions and input/output devices.
10. The system of claim 1 , wherein the code inspection system is an interface between the protected system and one or more unprotected systems.
11. A method of creating and maintaining a dynamic decoy system based on a protected system, the method comprising:
creating a dynamic decoy system that substantially parallels relevant portions of a protected system connected to the dynamic decoy system over a communications network;
updating the dynamic decoy system based on changes to the protected system;
receiving one or more portions of code;
introducing the one or more portions of code to the dynamic decoy system;
simulating operating conditions of the protected system in the dynamic decoy system; and
monitoring sensors in the dynamic decoy system for at least one of actions or results of the one or more portions of code.
12. The method of claim 11 , wherein the relevant portions of the protected system allow the one or more portions of code to be analyzed in the dynamic decoy system as if the dynamic decoy system were the protected system.
13. The method of claim 11 , further comprising forwarding approved code to the protected system.
14. The method of claim 11 , wherein the dynamic decoy system is an interface between the protected system and one or more unprotected systems.
15. The method of claim 11 , further comprising restoring one or more portions of the protected system based on the dynamic decoy system
16. The method of claim 11 , further comprising at least one of deleting and removing at least one unauthorized portion the one or more portions of code.
17. The method of claim 11 , further comprising installing one or more sensors in the dynamic decoy system that detect one or more of unauthorized access attempts, unauthorized command execution attempts and unauthorized modifications to one or more portions of the dynamic decoy machine.
18. The method of claim 11 , further comprising installing an actuator in the dynamic decoy system.
19. The method of claim 18 , wherein the actuator at least one of executes the one or more portions of code, opens the one or more portions of code, inputs information to the one or more portions of code and simulates a passage of time longer than a period of testing.
20. The method of claim 11 , wherein updating the dynamic decoy system is based on at least one of installed software, installed hardware, operating system upgrades, software upgrades, hardware upgrades, software deletions, hardware deletions and input/output devices.
21. A computer program product for creating and maintaining a dynamic decoy system based on a protected system, and including one or more computer readable instructions embedded on a tangible computer readable medium and configured to cause one or more computer processors to perform the steps of:
creating a dynamic decoy system that substantially parallels relevant portions of a protected system connected to the dynamic decoy system over a communications network;
updating the dynamic decoy system based on changes to the protected system;
receiving one or more portions of code;
introducing the one or more portions of code to the dynamic decoy system;
simulating operating conditions of the protected system in the dynamic decoy system; and
monitoring sensors in the dynamic decoy system for at least one of actions or results of the one or more portions of code.
22. The computer program product of claim 21 , wherein the relevant portions of the protected system allow the one or more portions of code to be analyzed in the dynamic decoy system as if the dynamic decoy system were the protected system.
23. The computer program product of claim 21 , further comprising forwarding approved code to the protected system.
24. The computer program product of claim 21 , wherein the dynamic decoy system is an interface between the protected system and one or more unprotected systems.
25. The computer program product of claim 21 , further comprising restoring one or more portions of the protected system based on the dynamic decoy system
26. The computer program product of claim 21 , further comprising at least one of deleting and removing at least one unauthorized portion the one or more portions of code.
27. The computer program product of claim 21 , further comprising installing one or more sensors in the dynamic decoy system that detect one or more of unauthorized access attempts, unauthorized command execution attempts and unauthorized modifications to one or more portions of the dynamic decoy machine.
28. The computer program product of claim 21 , further comprising installing an actuator in the dynamic decoy system.
29. The computer program product of claim 28 , wherein the actuator at least one of executes the one or more portions of code, opens the one or more portions of code, inputs information to the one or more portions of code and simulates a passage of time longer than a period of testing.
30. The computer program product of claim 21 , wherein updating the dynamic decoy system is based on at least one of installed software, installed hardware, operating system upgrades, software upgrades, hardware upgrades, software deletions, hardware deletions and input/output devices.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/688,945 US20100122078A1 (en) | 2001-02-14 | 2010-01-18 | Systems and methods for creating a code inspection system |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US26836901P | 2001-02-14 | 2001-02-14 | |
US10/074,037 US7010698B2 (en) | 2001-02-14 | 2002-02-14 | Systems and methods for creating a code inspection system |
US11/367,698 US7752432B2 (en) | 2001-02-14 | 2006-03-06 | Systems and methods for creating a code inspection system |
US12/688,945 US20100122078A1 (en) | 2001-02-14 | 2010-01-18 | Systems and methods for creating a code inspection system |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/367,698 Continuation US7752432B2 (en) | 2001-02-14 | 2006-03-06 | Systems and methods for creating a code inspection system |
Publications (1)
Publication Number | Publication Date |
---|---|
US20100122078A1 true US20100122078A1 (en) | 2010-05-13 |
Family
ID=23022685
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/074,037 Active - Reinstated 2024-06-25 US7010698B2 (en) | 2001-02-14 | 2002-02-14 | Systems and methods for creating a code inspection system |
US11/367,698 Expired - Fee Related US7752432B2 (en) | 2001-02-14 | 2006-03-06 | Systems and methods for creating a code inspection system |
US12/688,945 Abandoned US20100122078A1 (en) | 2001-02-14 | 2010-01-18 | Systems and methods for creating a code inspection system |
Family Applications Before (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/074,037 Active - Reinstated 2024-06-25 US7010698B2 (en) | 2001-02-14 | 2002-02-14 | Systems and methods for creating a code inspection system |
US11/367,698 Expired - Fee Related US7752432B2 (en) | 2001-02-14 | 2006-03-06 | Systems and methods for creating a code inspection system |
Country Status (3)
Country | Link |
---|---|
US (3) | US7010698B2 (en) |
EP (1) | EP1360585A4 (en) |
WO (1) | WO2002065285A1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100287083A1 (en) * | 2007-12-28 | 2010-11-11 | Mastercard International, Inc. | Detecting modifications to financial terminals |
US20160373470A1 (en) * | 2015-04-29 | 2016-12-22 | International Business Machines Corporation | Managing security breaches in a networked computing environment |
US9923908B2 (en) | 2015-04-29 | 2018-03-20 | International Business Machines Corporation | Data protection in a networked computing environment |
US9954870B2 (en) | 2015-04-29 | 2018-04-24 | International Business Machines Corporation | System conversion in a networked computing environment |
Families Citing this family (83)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020178375A1 (en) * | 2001-01-31 | 2002-11-28 | Harris Corporation | Method and system for protecting against malicious mobile code |
CN1147795C (en) * | 2001-04-29 | 2004-04-28 | 北京瑞星科技股份有限公司 | Method, system and medium for detecting and clearing known and anknown computer virus |
US20020194489A1 (en) * | 2001-06-18 | 2002-12-19 | Gal Almogy | System and method of virus containment in computer networks |
ATE368900T1 (en) * | 2001-09-21 | 2007-08-15 | Koninkl Kpn Nv | COMPUTER SYSTEM, DATA TRANSMISSION NETWORK, COMPUTER PROGRAM AND DATA CARRIER, ALL FOR FILTERING MESSAGES INCLUDING CONTENT ACCORDING TO A MARKING LANGUAGE |
US20030101381A1 (en) * | 2001-11-29 | 2003-05-29 | Nikolay Mateev | System and method for virus checking software |
US7607171B1 (en) | 2002-01-17 | 2009-10-20 | Avinti, Inc. | Virus detection by executing e-mail code in a virtual machine |
US9652613B1 (en) | 2002-01-17 | 2017-05-16 | Trustwave Holdings, Inc. | Virus detection by executing electronic message code in a virtual machine |
US7162715B1 (en) * | 2002-03-16 | 2007-01-09 | I-Squared, Inc. | Method and apparatus for preemptive monitoring of software binaries by instruction interception and dynamic recompilation |
US20040162994A1 (en) * | 2002-05-13 | 2004-08-19 | Sandia National Laboratories | Method and apparatus for configurable communication network defenses |
JP3794491B2 (en) * | 2002-08-20 | 2006-07-05 | 日本電気株式会社 | Attack defense system and attack defense method |
US7509679B2 (en) * | 2002-08-30 | 2009-03-24 | Symantec Corporation | Method, system and computer program product for security in a global computer network transaction |
US7331062B2 (en) * | 2002-08-30 | 2008-02-12 | Symantec Corporation | Method, computer software, and system for providing end to end security protection of an online transaction |
US7832011B2 (en) * | 2002-08-30 | 2010-11-09 | Symantec Corporation | Method and apparatus for detecting malicious code in an information handling system |
US7748039B2 (en) * | 2002-08-30 | 2010-06-29 | Symantec Corporation | Method and apparatus for detecting malicious code in an information handling system |
US7437766B2 (en) * | 2002-10-03 | 2008-10-14 | Sandia National Laboratories | Method and apparatus providing deception and/or altered operation in an information system operating system |
US20040078592A1 (en) * | 2002-10-16 | 2004-04-22 | At & T Corp. | System and method for deploying honeypot systems in a network |
US7549166B2 (en) * | 2002-12-05 | 2009-06-16 | International Business Machines Corporation | Defense mechanism for server farm |
US7624110B2 (en) | 2002-12-13 | 2009-11-24 | Symantec Corporation | Method, system, and computer program product for security within a global computer network |
US20060130016A1 (en) * | 2003-03-17 | 2006-06-15 | Wagner John R | Method of kernal-mode instruction interception and apparatus therefor |
US8145710B2 (en) * | 2003-06-18 | 2012-03-27 | Symantec Corporation | System and method for filtering spam messages utilizing URL filtering module |
US8271588B1 (en) | 2003-09-24 | 2012-09-18 | Symantec Corporation | System and method for filtering fraudulent email messages |
US7500108B2 (en) | 2004-03-01 | 2009-03-03 | Microsoft Corporation | Metered execution of code |
US7984304B1 (en) * | 2004-03-02 | 2011-07-19 | Vmware, Inc. | Dynamic verification of validity of executable code |
US8171553B2 (en) * | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US8528086B1 (en) * | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US7941490B1 (en) | 2004-05-11 | 2011-05-10 | Symantec Corporation | Method and apparatus for detecting spam in email messages and email attachments |
US7971255B1 (en) * | 2004-07-15 | 2011-06-28 | The Trustees Of Columbia University In The City Of New York | Detecting and preventing malcode execution |
US7457832B2 (en) | 2004-08-31 | 2008-11-25 | Microsoft Corporation | Verifying dynamically generated operations on a data store |
US7690034B1 (en) * | 2004-09-10 | 2010-03-30 | Symantec Corporation | Using behavior blocking mobility tokens to facilitate distributed worm detection |
WO2006060581A2 (en) * | 2004-11-30 | 2006-06-08 | Sensory Networks Inc. | Apparatus and method for acceleration of security applications through pre-filtering |
US20060137013A1 (en) * | 2004-12-06 | 2006-06-22 | Simon Lok | Quarantine filesystem |
US7725735B2 (en) * | 2005-03-29 | 2010-05-25 | International Business Machines Corporation | Source code management method for malicious code detection |
US7640587B2 (en) * | 2005-03-29 | 2009-12-29 | International Business Machines Corporation | Source code repair method for malicious code detection |
US7739337B1 (en) | 2005-06-20 | 2010-06-15 | Symantec Corporation | Method and apparatus for grouping spam email messages |
US8010609B2 (en) * | 2005-06-20 | 2011-08-30 | Symantec Corporation | Method and apparatus for maintaining reputation lists of IP addresses to detect email spam |
GB0512744D0 (en) | 2005-06-22 | 2005-07-27 | Blackspider Technologies | Method and system for filtering electronic messages |
US7712132B1 (en) | 2005-10-06 | 2010-05-04 | Ogilvie John W | Detecting surreptitious spyware |
US8484232B2 (en) * | 2005-11-22 | 2013-07-09 | International Business Machines Corporation | Method, computer arrangement, computer program and computer program product for checking for the presence of control statements in a data value |
US7757289B2 (en) * | 2005-12-12 | 2010-07-13 | Finjan, Inc. | System and method for inspecting dynamically generated executable code |
US7774363B2 (en) | 2005-12-29 | 2010-08-10 | Nextlabs, Inc. | Detecting behavioral patterns and anomalies using information usage data |
US9864752B2 (en) * | 2005-12-29 | 2018-01-09 | Nextlabs, Inc. | Multilayer policy language structure |
US8458789B1 (en) * | 2006-03-09 | 2013-06-04 | Mcafee, Inc. | System, method and computer program product for identifying unwanted code associated with network communications |
US20070239993A1 (en) * | 2006-03-17 | 2007-10-11 | The Trustees Of The University Of Pennsylvania | System and method for comparing similarity of computer programs |
EP1999925B1 (en) * | 2006-03-27 | 2011-07-06 | Telecom Italia S.p.A. | A method and system for identifying malicious messages in mobile communication networks, related network and computer program product therefor |
US7996895B2 (en) * | 2006-03-27 | 2011-08-09 | Avaya Inc. | Method and apparatus for protecting networks from unauthorized applications |
US7793110B2 (en) * | 2006-05-24 | 2010-09-07 | Palo Alto Research Center Incorporated | Posture-based data protection |
US8819825B2 (en) * | 2006-05-31 | 2014-08-26 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media for generating bait information for trap-based defenses |
US20080010538A1 (en) * | 2006-06-27 | 2008-01-10 | Symantec Corporation | Detecting suspicious embedded malicious content in benign file formats |
US8056134B1 (en) | 2006-09-10 | 2011-11-08 | Ogilvie John W | Malware detection and identification via malware spoofing |
CA2676106A1 (en) | 2007-02-02 | 2008-08-14 | Websense, Inc. | System and method for adding context to prevent data leakage over a computer network |
US9021590B2 (en) * | 2007-02-28 | 2015-04-28 | Microsoft Technology Licensing, Llc | Spyware detection mechanism |
US8321936B1 (en) | 2007-05-30 | 2012-11-27 | M86 Security, Inc. | System and method for malicious software detection in multiple protocols |
US9009829B2 (en) * | 2007-06-12 | 2015-04-14 | The Trustees Of Columbia University In The City Of New York | Methods, systems, and media for baiting inside attackers |
US20120084866A1 (en) * | 2007-06-12 | 2012-04-05 | Stolfo Salvatore J | Methods, systems, and media for measuring computer security |
US8869268B1 (en) * | 2007-10-24 | 2014-10-21 | Symantec Corporation | Method and apparatus for disrupting the command and control infrastructure of hostile programs |
US9130986B2 (en) | 2008-03-19 | 2015-09-08 | Websense, Inc. | Method and system for protection against information stealing software |
US9015842B2 (en) | 2008-03-19 | 2015-04-21 | Websense, Inc. | Method and system for protection against information stealing software |
US8370948B2 (en) | 2008-03-19 | 2013-02-05 | Websense, Inc. | System and method for analysis of electronic information dissemination events |
US8407784B2 (en) | 2008-03-19 | 2013-03-26 | Websense, Inc. | Method and system for protection against information stealing software |
US9495538B2 (en) * | 2008-09-25 | 2016-11-15 | Symantec Corporation | Graduated enforcement of restrictions according to an application's reputation |
US8769684B2 (en) | 2008-12-02 | 2014-07-01 | The Trustees Of Columbia University In The City Of New York | Methods, systems, and media for masquerade attack detection by monitoring computer user behavior |
US7603713B1 (en) * | 2009-03-30 | 2009-10-13 | Kaspersky Lab, Zao | Method for accelerating hardware emulator used for malware detection and analysis |
US20120060220A1 (en) * | 2009-05-15 | 2012-03-08 | Invicta Networks, Inc. | Systems and methods for computer security employing virtual computer systems |
US9130972B2 (en) | 2009-05-26 | 2015-09-08 | Websense, Inc. | Systems and methods for efficient detection of fingerprinted data and information |
JP5225942B2 (en) * | 2009-07-01 | 2013-07-03 | 日本電信電話株式会社 | Analysis system, analysis method, and analysis program |
US7743419B1 (en) * | 2009-10-01 | 2010-06-22 | Kaspersky Lab, Zao | Method and system for detection and prediction of computer virus-related epidemics |
US8528091B2 (en) | 2009-12-31 | 2013-09-03 | The Trustees Of Columbia University In The City Of New York | Methods, systems, and media for detecting covert malware |
US9098333B1 (en) | 2010-05-07 | 2015-08-04 | Ziften Technologies, Inc. | Monitoring computer process resource usage |
US9021587B2 (en) * | 2011-10-27 | 2015-04-28 | Microsoft Technology Licensing, Llc | Detecting software vulnerabilities in an isolated computing environment |
US9241259B2 (en) | 2012-11-30 | 2016-01-19 | Websense, Inc. | Method and apparatus for managing the transfer of sensitive information to mobile devices |
RU2514142C1 (en) | 2012-12-25 | 2014-04-27 | Закрытое акционерное общество "Лаборатория Касперского" | Method for enhancement of operational efficiency of hardware acceleration of application emulation |
US9152808B1 (en) * | 2013-03-25 | 2015-10-06 | Amazon Technologies, Inc. | Adapting decoy data present in a network |
US9164877B2 (en) | 2013-06-21 | 2015-10-20 | Sap Se | Business application inspection and modification |
EP2819055B1 (en) * | 2013-06-28 | 2016-05-04 | Kaspersky Lab, ZAO | System and method for detecting malicious software using malware trigger scenarios |
US9516054B2 (en) * | 2014-04-14 | 2016-12-06 | Trap Data Security Ltd. | System and method for cyber threats detection |
US10419458B2 (en) * | 2016-01-21 | 2019-09-17 | Cyiot Ltd | Distributed techniques for detecting atypical or malicious wireless communications activity |
US10764255B2 (en) * | 2016-09-21 | 2020-09-01 | Rockwell Automation Technologies, Inc. | Secure command execution from a cloud monitoring system to a remote cloud agent |
WO2019018033A2 (en) | 2017-04-14 | 2019-01-24 | The Trustees Of Columbia University In The City Of New York | Methods, systems, and media for testing insider threat detection systems |
US11327473B2 (en) | 2017-07-11 | 2022-05-10 | Rockwell Automation Technologies, Inc. | Dynamically reconfigurable data collection agent for fracking pump asset |
US10482063B2 (en) | 2017-08-14 | 2019-11-19 | Rockwell Automation Technologies, Inc. | Modular control manifest generator for cloud automation |
US10416660B2 (en) | 2017-08-31 | 2019-09-17 | Rockwell Automation Technologies, Inc. | Discrete manufacturing hybrid cloud solution architecture |
US10769277B2 (en) | 2018-06-19 | 2020-09-08 | International Business Machines Corporation | Malicious application detection and prevention system for stream computing applications deployed in cloud computing environments |
US11681804B2 (en) | 2020-03-09 | 2023-06-20 | Commvault Systems, Inc. | System and method for automatic generation of malware detection traps |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5289540A (en) * | 1989-04-19 | 1994-02-22 | Richard P. Jones | Computer file protection system |
US5359659A (en) * | 1992-06-19 | 1994-10-25 | Doren Rosenthal | Method for securing software against corruption by computer viruses |
US5548746A (en) * | 1993-11-12 | 1996-08-20 | International Business Machines Corporation | Non-contiguous mapping of I/O addresses to use page protection of a process |
US5842002A (en) * | 1994-06-01 | 1998-11-24 | Quantum Leap Innovations, Inc. | Computer virus trap |
US5887131A (en) * | 1996-12-31 | 1999-03-23 | Compaq Computer Corporation | Method for controlling access to a computer system by utilizing an external device containing a hash value representation of a user password |
US5949999A (en) * | 1996-11-25 | 1999-09-07 | Siemens Corporate Research, Inc. | Software testing and requirements tracking |
US5983348A (en) * | 1997-09-10 | 1999-11-09 | Trend Micro Incorporated | Computer network malicious code scanner |
US5999723A (en) * | 1995-09-28 | 1999-12-07 | Symantec Corporation | State-based cache for antivirus software |
US6071317A (en) * | 1997-12-11 | 2000-06-06 | Digits Corp. | Object code logic analysis and automated modification system and method |
US6981279B1 (en) * | 2000-08-17 | 2005-12-27 | International Business Machines Corporation | Method and apparatus for replicating and analyzing worm programs |
US7117532B1 (en) * | 1999-07-14 | 2006-10-03 | Symantec Corporation | System and method for generating fictitious content for a computer |
US7146305B2 (en) * | 2000-10-24 | 2006-12-05 | Vcis, Inc. | Analytical virtual machine |
US7854004B2 (en) * | 2000-07-14 | 2010-12-14 | International Business Machines Corporation | Computer immune system and method for detecting unwanted code in a computer system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5815571A (en) * | 1996-10-28 | 1998-09-29 | Finley; Phillip Scott | Computer system with secured data paths and method of protection |
-
2002
- 2002-02-14 EP EP02723146A patent/EP1360585A4/en not_active Withdrawn
- 2002-02-14 WO PCT/US2002/004267 patent/WO2002065285A1/en not_active Application Discontinuation
- 2002-02-14 US US10/074,037 patent/US7010698B2/en active Active - Reinstated
-
2006
- 2006-03-06 US US11/367,698 patent/US7752432B2/en not_active Expired - Fee Related
-
2010
- 2010-01-18 US US12/688,945 patent/US20100122078A1/en not_active Abandoned
Patent Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5289540A (en) * | 1989-04-19 | 1994-02-22 | Richard P. Jones | Computer file protection system |
US5359659A (en) * | 1992-06-19 | 1994-10-25 | Doren Rosenthal | Method for securing software against corruption by computer viruses |
US5548746A (en) * | 1993-11-12 | 1996-08-20 | International Business Machines Corporation | Non-contiguous mapping of I/O addresses to use page protection of a process |
US5842002A (en) * | 1994-06-01 | 1998-11-24 | Quantum Leap Innovations, Inc. | Computer virus trap |
US5999723A (en) * | 1995-09-28 | 1999-12-07 | Symantec Corporation | State-based cache for antivirus software |
US5949999A (en) * | 1996-11-25 | 1999-09-07 | Siemens Corporate Research, Inc. | Software testing and requirements tracking |
US5887131A (en) * | 1996-12-31 | 1999-03-23 | Compaq Computer Corporation | Method for controlling access to a computer system by utilizing an external device containing a hash value representation of a user password |
US5983348A (en) * | 1997-09-10 | 1999-11-09 | Trend Micro Incorporated | Computer network malicious code scanner |
US6272641B1 (en) * | 1997-09-10 | 2001-08-07 | Trend Micro, Inc. | Computer network malicious code scanner method and apparatus |
US6071317A (en) * | 1997-12-11 | 2000-06-06 | Digits Corp. | Object code logic analysis and automated modification system and method |
US7117532B1 (en) * | 1999-07-14 | 2006-10-03 | Symantec Corporation | System and method for generating fictitious content for a computer |
US7854004B2 (en) * | 2000-07-14 | 2010-12-14 | International Business Machines Corporation | Computer immune system and method for detecting unwanted code in a computer system |
US6981279B1 (en) * | 2000-08-17 | 2005-12-27 | International Business Machines Corporation | Method and apparatus for replicating and analyzing worm programs |
US7146305B2 (en) * | 2000-10-24 | 2006-12-05 | Vcis, Inc. | Analytical virtual machine |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100287083A1 (en) * | 2007-12-28 | 2010-11-11 | Mastercard International, Inc. | Detecting modifications to financial terminals |
US20160373470A1 (en) * | 2015-04-29 | 2016-12-22 | International Business Machines Corporation | Managing security breaches in a networked computing environment |
US9894086B2 (en) * | 2015-04-29 | 2018-02-13 | International Business Machines Corporation | Managing security breaches in a networked computing environment |
US9923908B2 (en) | 2015-04-29 | 2018-03-20 | International Business Machines Corporation | Data protection in a networked computing environment |
US9954870B2 (en) | 2015-04-29 | 2018-04-24 | International Business Machines Corporation | System conversion in a networked computing environment |
US10171485B2 (en) | 2015-04-29 | 2019-01-01 | International Business Machines Corporation | System conversion in a networked computing environment |
US10326785B2 (en) | 2015-04-29 | 2019-06-18 | International Business Machines Corporation | Data protection in a networked computing environment |
US10341366B2 (en) | 2015-04-29 | 2019-07-02 | International Business Machines Corporation | Managing security breaches in a networked computing environment |
US10412104B2 (en) | 2015-04-29 | 2019-09-10 | International Business Machines Corporation | Data protection in a networked computing environment |
US10536469B2 (en) | 2015-04-29 | 2020-01-14 | International Business Machines Corporation | System conversion in a networked computing environment |
US10666670B2 (en) | 2015-04-29 | 2020-05-26 | International Business Machines Corporation | Managing security breaches in a networked computing environment |
US10686809B2 (en) | 2015-04-29 | 2020-06-16 | International Business Machines Corporation | Data protection in a networked computing environment |
US10834108B2 (en) | 2015-04-29 | 2020-11-10 | International Business Machines Corporation | Data protection in a networked computing environment |
Also Published As
Publication number | Publication date |
---|---|
US7010698B2 (en) | 2006-03-07 |
US20020116635A1 (en) | 2002-08-22 |
US7752432B2 (en) | 2010-07-06 |
EP1360585A4 (en) | 2008-04-30 |
WO2002065285A1 (en) | 2002-08-22 |
EP1360585A1 (en) | 2003-11-12 |
US20060212723A1 (en) | 2006-09-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7752432B2 (en) | Systems and methods for creating a code inspection system | |
US20120060220A1 (en) | Systems and methods for computer security employing virtual computer systems | |
US7103913B2 (en) | Method and apparatus for determination of the non-replicative behavior of a malicious program | |
Jacob et al. | Behavioral detection of malware: from a survey towards an established taxonomy | |
US7725735B2 (en) | Source code management method for malicious code detection | |
AU2009200459B2 (en) | Systems and Methods for the Prevention Of Unauthorized Use and Manipulation of Digital Content Related Applications | |
US20120246724A1 (en) | System and method for detecting and displaying cyber attacks | |
EP0636977B1 (en) | Method and apparatus for detection of computer viruses | |
EP1543396B1 (en) | Method and apparatus for the automatic determination of potentially worm-like behaviour of a program | |
EP0769170B1 (en) | Computer virus trap | |
US7665139B1 (en) | Method and apparatus to detect and prevent malicious changes to tokens | |
US20060230449A1 (en) | Source code repair method for malicious code detection | |
JP2008547070A (en) | Method and system for repairing applications | |
CN105408911A (en) | Hardware and software execution profiling | |
CN101373502A (en) | Automatic analysis system of virus behavior based on Win32 platform | |
Le Charlier et al. | Dynamic detection and classification of computer viruses using general behaviour patterns | |
Webster et al. | Fast and Service-preserving Recovery from Malware Infections Using {CRIU} | |
Vigna et al. | Host-based intrusion detection | |
CN100353277C (en) | Implementing method for controlling computer virus through proxy technique | |
CN117540381A (en) | Detection method and system for anti-virtualization malicious program | |
Cohen | Current best practices against computer viruses with examples from the DOS operating system | |
Skrzewski et al. | The Possibilities of System’s Self-defense Against Malicious Software | |
Nelson | Combating viruses on microcomputers and LANs | |
Castelli | Choosing your anti-virus software | |
Radatti | Protection against hostile algorithms in UNIX software |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |