WO1998045778A2 - Antivirus system and method - Google Patents
- Publication number: WO1998045778A2 (PCT/IL1998/000170)
- Authority: WO, WIPO (PCT)
- Prior art keywords: processor, virus, bus, antivirus, computer
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
  - G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
  - G06F21/567—Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
- G06F11/00—Error detection; Error correction; Monitoring > G06F11/30—Monitoring > G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment > G06F11/3466—Performance evaluation by tracing or monitoring
Definitions
- This invention concerns antivirus protection systems and methods.
- The invention relates in particular to such systems in which a second (supervisor) processor is added to a first (applications) processor to continuously monitor its operation, so as to prevent damage from viruses or software errors.
- The computer has become less "personal", in the sense that the user cannot supervise the operation of the computer, or have a reasonable measure of assurance about what the computer is actually doing.
- Computers are used for communications. Much information and many programs are available on the Internet, for example. How is one to be sure that the information or programs are not contaminated?
- Widely used e-mail messages may carry viruses.
- A network includes tens to hundreds of computers, each vulnerable to attack and capable of transmitting a virus to other computers.
- A network is usually open to access from the outside, so that a malicious person can connect to a network without physically breaking into the victim's facilities. Much harm can be done from far away.
- The term "virus" apparently came from the property of these programs of copying themselves to other media like diskettes, and from there to other computers, so that the "virus" is actually "spreading" to "contaminate" other computers.
- The antivirus program stores digital patterns, each characteristic of a known virus.
- The antivirus program scans the memory and compares the patterns found there with the stored patterns.
- An alarm is activated if the patterns correspond, this indicating the presence of a virus.
- Antivirus programs do not indicate the source of the virus, that is, which program contains it. At present, the user does not know which program caused the damage or inserted the virus, so action cannot be taken at the source, to stop that source of viruses and/or to claim compensation for damage. The evidence required to prosecute the culprit is not available.
- Antivirus programs do not help the user regain control of his/her computer.
- The program only offers to "clean" the virus, without reporting to its user which files are contaminated and what the consequences of the cleanup are, or allowing the user any choices.
- Backdoors: for example, a communication program including a routine that allows an outsider unauthorized access to another person's computer.
- Remote diagnostic programs are a needed feature in computers and networks; the same programs can be used by unauthorized people as backdoors to gain access to the victim computer.
- Unauthorized person A can remotely connect to the computer of user B.
- The trapdoor in user B's computer, of which B is not aware, allows A to access confidential files in that computer, to read them, make changes or otherwise do damage. It is even possible for user B to connect to a remote computer without being aware that the other party may use that trapdoor during that same session.
- Trapdoors can also be used to introduce viruses, possibly with delayed action, or to access privileged information.
- A personal computer, during the several seconds it takes to prepare itself at power-on until it is ready to accept the user's commands, may perform tens to hundreds of millions of instructions. Some programs instruct the computer to leave them resident and active in memory (TSRs), thus influencing the computer's operation thereafter. This is basically a desirable action, for example a TSR that detects the activation of the mouse and responds accordingly.
- Unfortunately, with the advent of viruses, some TSRs have come to perform undesired functions. For example, a maliciously introduced TSR may slow down the computer by repeatedly executing an unnecessary piece of useless code, without the user's knowledge.
- The end result is that the computer performs slower than is to be expected, thus preventing the user from getting the full performance from the computer.
- Protection against viruses should be reliable, without leaving any doubt as to whether the protection device itself is secure or was compromised by a virus.
- The protection means should provide the desired protection without a sizable degradation in the overall performance of the computer.
- The protection means should perform its tasks without demanding too much of the user's attention or intervention. Eventually, any protection means which is not easy to use will be disposed of. It is an objective of the present invention to provide an antivirus system and method using first and second processor means, overcoming the above-detailed disadvantages.
- It is an object of the present invention to provide an antivirus system and method using a multiprocessor system comprising a first processor for performing application programs and a second processor for continuously supervising the operation of the first, to protect it from misuse.
- A second processor, the supervisor, is attached to the first processor, the application processor; the supervisor includes means to continuously monitor the activity in the application processor, to detect viruses and abnormal operations.
- The supervisor further includes means for intervening to stop the applications processor and/or to issue a warning when a virus is detected, to prevent damage.
- The supervisor itself is protected from attack. It has its own computer and memory, which are independent of the application processor and are protected from any attack by a virus in the application processor. Additional means protect against physical attack.
- The supervisor computer includes a combination of fast monitoring means in hardware with smart verification means in a programmed device. These means operate together to protect against known viruses as well as against unknown viruses, according to their suspect behavior.
- The supervisor's method of operation allows both for detection of viruses in real time and for smart monitoring of sensitive operations without a sizable decrease in performance. Operation at several levels of complexity is disclosed.
- The supervisor performs a smart verification method to detect potentially dangerous activities.
- The supervisor includes a multisensor unit which monitors everything going on in and around the application processor, including a plurality of sensors for sensing the various effects indicative of the presence of a virus.
- Fig. 1 is a simplified functional diagram, illustrating the attachment of a supervisor computer to an application computer.
- Fig. 2 is a simplified electrical diagram illustrating the attachment of a supervisor computer to an application computer.
- Fig. 3 details the functional structure of the supervisor computer.
- Fig. 4 details the structure of the real time monitoring means.
- Fig. 5 details the comparator structure and operation.
- Fig. 6 illustrates the structure of monitoring means using a digital signature.
- Fig. 1 illustrates the attachment of supervisor computer 2 to an application computer.
- The application computer, in this simplified functional diagram, includes a Central Processor Unit (CPU) 11, connected to display means 12, keyboard 13, Input/Output unit (I/O) 14 and memory unit 15.
- CPU 11: Central Processor Unit
- I/O: Input/Output unit
- The application computer is the original computer which provides the computer functions desired by the user, and to which the supervisor 2 is added to ensure that it will indeed perform the desired functions, without the interference of viruses or malevolent programs.
- One function of the supervisor 2 is to monitor activity on the busses of CPU 11, like the data, control and address busses between CPU 11 and memory 15, and input/output activity between CPU 11 and I/O means 14. Supervisor 2 connects to these busses to watch instructions and check whether some forbidden activity is about to take place. It searches for known virus patterns or privileged instructions which require authorization.
- Supervisor 2 reads commands and data "on-the-fly", in real time.
- Another function of supervisor 2 is to act to stop or prevent forbidden activity after detecting a virus as mentioned above. This is done by activating a signal to CPU 11 to reset the processor, bring it to a Wait state, or stop CPU 11 and put its activities under closer scrutiny, or by logging the activities performed.
- A third function of supervisor 2 is to perform a protected, direct dialog with the user, using the application computer's resources like the keyboard 13 and display 12. Supervisor 2 has direct access to these devices, and it can also immobilize the CPU 11 during the dialog with the user. This is used to reliably notify the user of virus problems, to ask questions regarding permitted operations, and to accept instructions from the user, like the subdirectories in which it is permitted to read and/or write files.
- The information in computer 2 can be updated by reading from a diskette (not shown), for example to update the list of viruses. Again, this is preferably done while CPU 11 is not active, to avoid interference with, or eavesdropping on, these activities by a potential virus or illegitimate program in the applications processor.
- The applications computer is deactivated using, for example, its RESET, HOLD or WAIT line while supervisor 2 is using the resources therein, like the diskette, keyboard or I/O channel.
- The functions of supervisor 2 are to watch and report, prevent disaster, help recover from problems, and let the user know how the disaster happened and who caused it.
- The multisensor unit 27 supports the monitoring function of supervisor 2 by providing additional information relating to possible effects of viruses.
- A virus can establish a communication link with an unauthorized outsider using any of a wide variety of media, for example through a wireless or RF link, ultrasonic, sonic or subsonic waves, signals on the power lines, etc. High frequency signals can be transmitted over power lines to outside the firm or the user's home.
- Other possible links may include existing serial or parallel communication channels, like an RS-232 link to a modem, a local net or a phone dialer. These links may be activated under virus control without the permission or knowledge of the legitimate user.
- Other possible links may include optical media, including infrared, visible light and/or ultraviolet.
- Unit 27 includes a plurality of sensors for monitoring the various media for any potential undesired activity. The user may not otherwise be able to sense these activities, which may go on around their computer.
- The antivirus system and method uses a first processor, including CPU 11 and related units, for performing application programs, and a second processor 2 for continuously supervising the operation of the first, to protect it from misuse.
- The supervisor 2 is attached to the application processor and includes means to continuously monitor the activity in the application processor, to detect viruses and abnormal operations. The monitoring is done in real time.
- The supervisor further includes means for intervening to stop the applications processor and/or to issue a warning to the user when a virus or abnormal operation is detected, to prevent damage to the application processor.
- Fig. 2 details the electrical attachment of a supervisor computer 2 to an application computer, in a simplified block diagram.
- The supervisor computer 2 connects, or couples, to a first processor, that is, the applications computer.
- The multisensor unit 27 gives the supervisor 2 the ability to monitor the various media around the applications computer, as detailed below.
- The applications computer includes the CPU 11, display means 12, keyboard 13, Input/Output unit (I/O) 14, memory unit 15 and other resources 16. All these devices are connected to each other through control/data/address bus 17, as known in the art.
- Supervisor 2 connects to bus 17, thus gaining access to all the resources of the application computer. Whereas supervisor 2 monitors activity on the applications computer through bus 17 and exercises control over the application computer if need be, it does not use the memory 15 of the applications computer to store its programs or data. By including its own separate processor and memory (not shown) with programs and data, supervisor 2 is protected from attack by a virus in the applications computer.
- Supervisor 2 includes means to protect against physical attack, tampering, or removal from bus 17. Its board (not shown) is encased in hard plastic, to prevent access to its components. Mechanical means (not shown) may be included to lock it to the motherboard or bus 17 of the applications computer.
- Additional physical protection means include the supervisor 2 board being soldered to the connector of bus 17, or the supervisor being produced as an integral part of the motherboard of the applications computer.
- The supervisor 2 may also be manufactured as an integral part of the CPU 11. This achieves a CPU which is protected from viruses, where it is practically impossible to separate the actual CPU from its protection means.
- Fig. 3 illustrates one embodiment of the functional structure of the supervisor 2 mentioned in Figs. 1 and 2 above.
- The supervisor includes a combination of fast, real time monitoring means, including units 22, 23 and 24, and a slower, smart unit comprising controller 21.
- The supervisor structure includes the following means:
- Monitoring means, including registers 22 and 23 and comparators 24, to evaluate the operation of the first processor in real time for detecting abnormal operation, to stop the first computer and issue an alarm, warning or indication to controller 21.
- A shift register 22 continuously receives and shifts, in real time, the instructions read in the first, or supervised, computer.
- A plurality of comparators 24, each of which compares the instruction string with the string of a known virus or a predefined suspect behavior, to detect viruses in real time.
- Controller means 21, to initiate the monitoring means at start-up, take actions when an alarm is issued, dialog with the user, program/update the internal memory, and log and analyze the activities performed prior to an alarm or a virus attack. A smart analysis is done to detect suspect behaviour indicative of a virus, after receiving an indication from the monitoring means.
- Internal memory 25 for virus patterns and forbidden/privileged instructions, the log of activity prior to a virus, and the allowances for each application program (a different set of allowances and masks for each application, according to the user's instructions).
- The memory can be implemented in the controller IC itself, in a separate IC or ICs, or on disk if adequate safeguards are taken to protect that disk area.
- The bus 17 of the applications computer, including control, data and address lines, is coupled to comparator shift register 22.
- Various embodiments are possible, with corresponding levels of performance and circuit complexity. The simplest is to couple only the data bus to shift register 22, using part of the control signals to strobe the data in at the correct timing, as known in the art.
- Control signals on bus 17 indicate when an instruction is on the bus, whether this is a memory or I/O operation, whether it is a Read or Write.
- Register 22 can be wired accordingly to accept a new sample for each new instruction, or only for memory read, or for all data bytes on the bus. This embodiment is suitable for recognizing instructions and various routines.
- A more complex embodiment reads into register 22 the data together with the address and the control signals. This enables searching for instructions relating to specific addresses in RAM, like reading from the interrupt vector area or the DOS sections, or writing to these locations, which are privileged.
- This embodiment requires a wider register 22, that is each stage contains more bits.
- Register 22 includes a plurality of stages (not shown), each k bits in parallel. As a new sample is read in from bus 17, all the previous samples are shifted one stage to the right. The oldest sample is transferred out of register 22, to log shift register/FIFO 23.
- Bus 220 carries the data bus, and optionally also the control and address busses, for a plurality of times: the last sample, the sample one clock ago, the sample two clocks ago, and so on, up to 100 or several hundred samples.
- Bus 220 contains the words or bytes for the last instructions on the bus 17. These instructions are compared in comparator unit 24 with the instructions of a specific virus, or with the instruction sequence of a sensitive operation which demands scrutiny by controller 21.
- The monitoring unit contains a plurality of comparator units 24, each programmed to detect one virus or privileged instruction, as detailed below. All the comparators 24 operate concurrently in real time. Each comparator 24 includes the string of a specific virus or instruction sequence, and possibly an ignore mask to ignore irrelevant parameters in the instruction string.
- The comparators 24 issue an alarm/warning/action on bus 28, which includes busses 241 and 247.
- Alarm/warning/action bus 28 is used to issue the alarm/warning if a suspect string or instruction was detected.
- The bus 28 combines with similar busses from the other comparator units, all connected in parallel.
- Bus 28 contains action signals, comprising command bus 247, to take immediate (fast) action if a dangerous string is detected, for example to RESET the applications computer or HOLD it in wait.
- Bus 28 also includes the report alarm bus 241, to report to controller 21 that an alarm/warning or other virus-related activity took place.
- The specific word on bus 241 can indicate the type of action or virus which was detected.
- The application computer can be immediately stopped if necessary, and the controller 21 notified. If a less dangerous instruction is detected, then controller 21 can be notified without stopping or resetting the applications computer.
- Supervisor controller 21 includes nonvolatile memory means 25 holding its programs and parameters, like the virus list. This information is protected from access by the applications computer through bus 17. Thus, the programs in the supervisor computer are protected from outside access. The programs for the controller are not changeable, to prevent tampering. No software or virus in the PC can affect the second processor. No event in the PC can change the programs in the second computer, whether caused by the user, a virus, or any program or occurrence in the PC.
- Time/date unit 26 serves to perform time-sensitive functions. For example, controller 21 can check the number of different files addressed by an application per second. Too many files accessed in a short time is a suspect activity, suggesting a virus. Time can also be used to log activities, to provide evidence for subsequent legal action.
- Controller 21 also reads the report activity bus 231, to read past instructions from register 23, so as to reconstruct the activity prior to the alarm.
- Log shift register/FIFO 23 can be longer than register 22, since only the final stage output goes to an output bus 231. It can keep a log of thousands to hundreds of thousands of the last instructions. This allows controller 21 to inspect and find what events took place prior to the virus attack, or where the virus came from.
- Controller 21 can take direct control over the application computer through bus 217.
- This bus can include (not shown) lines to Hold that computer inactive, or to Reset it, together with control, data and address lines to gain access to the application computer and its resources, for example using DMA.
- Load parameters bus 29 is used by controller 21 to load parameters into comparators 24, each with a different instruction or instruction string, a corresponding "ignore" mask for each byte or bit, and a desired action to take if that string is detected. It is possible to update the information/parameters in memory 25; updates are done under the supervision of controller 21. Encrypted messages may be used to program new virus patterns. It is preferred not to allow programming of the controller while the application is operational, but only with the application stopped by controller 21.
- The monitoring means includes means (not shown) for computing a digital signature or CRC (Cyclic Redundancy Code) and comparing it with the signatures of viruses, instead of directly comparing bytes.
- CRC: Cyclic Redundancy Code
- DSP: Digital Signal Processor
- Very fast processors may be used to perform the comparison with the virus string as detailed above, using a microprogrammed implementation of the above-detailed structure and its operation method, as detailed with reference to shift register 22 and the comparators 24.
- The controller 21 performs the following functions, in addition to the smart verification which is detailed in the following chapter:
- Memory is nonvolatile, like flash, CMOS or similar, or magnetic, and internal to the supervisor.
- Update of programs and data in the internal memory. These can be changed only when entered in a special format with a CRC and/or encryption, to enable updating of the virus list, programs etc. by a responsible provider, who is responsible to the user for the integrity of the program. The PC is held in reset or wait during this update, so no virus or dishonest user can watch, record or tamper with the program update in the second computer.
- Monitoring unit including registers 22 and 23 and comparators 24 (fast comparison), under the supervision of the controller 21 (smart analysis). 1. Simple operation: virus pattern detection. At power-up, the controller 21 loads the known viruses into the monitoring means hardware, that is, into comparators 24.
- Controller 21 is inactive, except to display the log of instructions prior to alarm, to report to user what happened there.
- The monitoring means is programmed to detect the activity in the application PC of a piece of code being loaded into RAM for execution. When this activity is detected, the application CPU is stopped and the controller 21 is prompted accordingly. The controller 21 then reads, by using bus 217, all the instructions which are in RAM and ready for execution in the PC, just prior to their execution.
- The monitoring means reads samples through bus 17 into register 22 as detailed above and searches in real time, in hardware, for all the known viruses which are programmed therein. Thus, even viruses with self-modifying code are detected, since this method verifies each piece of code just prior to its execution.
- Two-stage protection comprises fast real-time verification using the monitoring means, and a higher level, slower, smart verification using the controller 21, for sensitive operations.
- The controller 21 loads known virus patterns as well as sensitive operations which demand further scrutiny, like interrupts, file operations or I/O.
- The smart verification is detailed below.
- The monitoring means acts promptly to stop the applications CPU through bus 247, to prevent damage. If a sensitive operation is detected in the monitoring unit, then the CPU is temporarily stopped and the controller 21 is prompted through bus 241 to perform a smart, in-depth analysis of the situation.
- This embodiment includes the simple hardware protection and, further, the second level of verification/protection.
- Smart tests are difficult to perform in hardware, but are easier to implement in software, in the programmed controller. This, however, takes time and cannot be performed in real time while the PC operates as normal. According to the present invention, the smart tests are performed for sensitive operations in the PC, which are slower than the rest. For example, disk operations are slow since they involve the mechanical movements of the disk head and platter, and take time on the order of milliseconds.
- The PC is preferably stopped while the smart test is performed. Thus, the additional time it takes to perform the smart test has no considerable effect on the overall performance of the PC: the smart test can be performed in about 10-100 microseconds, which is so much shorter than the sensitive operation in the PC that the overall performance is not much affected.
- The smart test can be performed in such a short time using, for example, a 16-bit controller like the Intel 80196.
- I/O operations like a modem have a relatively slow bit rate, and take overall time on the order of seconds to minutes.
- A smart verification prior to the actual performance of the I/O function has no sizable effect on overall PC performance.
- Active protection may be performed in addition to the two-stage method.
- The controller 21 initiates activities in the PC which are expected to stimulate or provoke viruses into action. Thus the virus is detected by its activity.
- The controller creates a controlled environment in which the activity of the PC can be completely predicted; any deviation from the expected activity is the result of a virus, so the virus is detected before it has a chance to attack. This is an offensive method of operation, in which the protection means strikes first to provoke the virus, then detects and neutralizes it.
- The supervisor's method of operation allows both for detection of viruses in real time and for smart monitoring of sensitive operations without a sizable decrease in performance. Operation at several levels of complexity was disclosed.
Smart Verification Method
- This method is performed by controller 21 after it is prompted through bus 241 that a sensitive instruction or sequence of instructions took place. It includes various routines for analyzing the activities in the PC from several aspects.
- A notification may be issued, for example:
- Log and monitor access to too many files at once, during a short time period. In normal use, a computer works with a limited number of files. Monitor access to too many subdirectories. The user can limit operation to a few subdirectories or to specific areas of the disk.
- A special adaptive comparator unit freezes a pattern of executed instructions from SR 22 into registers, to compare against later on. It detects a virus which creates dummy loops, that is, repetitive execution of unnecessary programs. Method of use: from time to time, at random, controller 21 reads the pattern of instructions currently executing through bus 231, and loads it through bus 29 into comparators 24.
- The comparator then checks for repetitions of this pattern, and reports to the controller. If the pattern repeats too often, it may be a virus. If not, then after a set time a new instruction string is read at random and compared thereafter. This solves the problem of a virus slowing down computer operation by making it execute unnecessary, dummy commands. It performs adaptive monitoring and detection of unnecessary repetitions of code.
- A correlator between the program executing and the disturbances monitored by the sensors (multi-sensor unit 27). If there is a correlation, stop and report to the user. The user may be unaware that activity in his/her computer is the result of commands received from the LAN or the Internet, or from a bug operated by radio or ultrasonic waves, for example.
- Fig. 4 details the structure of real time monitoring means in one embodiment, in simplified block diagram. This is the monitoring means hardware, used to monitor without slowing down the PC or application computer.
- Data multiplexer and latches means 222 is used to read information from the applications computer bus, including data bus 172, control bus 173 and address bus 174. These are parts of the control/data/address bus 17 of the applications computer. Means 222 may read all or part of these busses.
- The PC bus carries data, address and control on an 8-, 16- or 32-bit bus.
- Means 222 aligns the bus by bytes for proper analysis of program execution, or brings the input samples into another uniform form. The result is samples on instruction/data bus 223, which are transferred to comparator shift register 22. After input, these samples are shifted to present an instruction sequence to the comparators 24, to compare with existing viruses.
- Bus 223 may contain, in addition to data and commands, also the status, strobe etc., that is, the CPU controls issued on the bus. This provides the context of the data issued or read: rd/wr, IO/memory, bus width.
- The shift register includes two parts: comparator shift register 22, including stages like 224, 225, which shifts the data and commands to the right all the time, then to output bus 229; and log shift register/FIFO 23, which shifts all the time as well, with its output bus 231 connected to the controller (not shown).
- Register 22 is used for comparison with the patterns to search for. It is small, about 100-200 samples, with outputs at every stage/sample (internal to the supervisor). The first output is the data bus latest output C0 226, with subsequent outputs for previous samples. Thus, data bus i-th output Ci 227 represents one of the n stages in SR 22, and data bus earliest output Cn 228 is the oldest sample in register 22.
- The busses 226, 227, 228 comprise the above-mentioned bus 220.
- Register 23 keeps a log of the last operations, to track the virus to its source by reconstruction of the activity performed prior to the virus attack/detection. It is large, about 10-100 ksamples, and has only a total output 231, to controller 21.
- Output busses from register 22, including busses 226, 227, 228, are connected in parallel (carrying the same data) to a multitude of comparator units 24, each including:
- instruction/data reference register 31, which is fixed after initial loading from the controller. It has a plurality of stages corresponding to the stages of register 22, with an output bus at each stage; shown are the reference bus latest value R0 316, the reference bus i-th value Ri 317, which represents one of the n stages in register 31, and the reference bus earliest value Rn 318.
- The load reference bus 291, part of parameters bus 29, is used to load the initial values into register 31 at power-up.
- This programmable structure allows flexible operation: various viruses or instruction strings to be searched for can be loaded.
- comparator stage 331 for the latest instruction value. It compares latest output C0 226 with the corresponding reference R0 316, using the AND mask from bus M0 326. The comparison is bitwise: each of the k bits of bus C0 226 is compared with the corresponding bit of bus R0 316, with the mask bit from M0 326 applied to enable or ignore that bit's result; all the partial bit results are then collected into result of comparison 361, as detailed below.
- comparator stage 333 for the earliest instruction value. It compares earliest output Cn 228 with the corresponding reference Rn 318, using the AND mask from bus Mn 328. Its output is result of comparison 363.
- AND gate 334 combines all the results of comparison 361, 363 and all the results in between (n in all), and issues alarm strobe 335 if all the comparison results are positive, indicating complete detection of a virus string.
- Mask register 32 is fixed after initial loading through load mask bus 292, part of parameters bus 29, at power-up. Like register 31, it has outputs at each stage, illustrated by mask bus latest value M0 326, mask bus i-th value Mi 327, which represents one of the n stages in register 32, and mask bus earliest value Mn 328.
- action register 34 holds a digital value indicating the type of action to take, related to the virus or event stored in register 31.
- The action may be Reset of the CPU, Hold, or only a warning to controller 21 (see Fig. 3) of the supervisor processor. It is loaded through action bus 293, part of parameters bus 29, which carries the action parameters from controller 21 (see Fig. 3) at power-up.
- Alarm/warning/action bus 28 is used to issue the alarm/warning when a suspect string or instruction is detected. It is combined with the similar busses of the other comparator units (not shown) operating concurrently with the one detailed in Fig. 4; their busses 28 are connected in parallel with this one to form report alarm bus 241, which reports to controller 21 that an alarm/warning or suspect activity took place.
- Operation of the unit is synchronous: all the stages of register 22 shift at the same time, and the operation of the comparators is synchronized with that shift.
- Address information in register 22 allows the comparison to be tied to a specific address range, such as the interrupt vectors in the PC's RAM, or the first instructions (from a fixed address) after RESET.
- Control information in register 22 allows the comparison to be tied to, or to wait for, specific bus cycle types: only READ, or READ and I/O, or READ and MEMORY, or WRITE and I/O, or DMA, or other combinations.
- RESET - the reset input forces the CPU to abandon all tasks and restart from the beginning, as at power-up. It can be used where real danger is imminent and no risk can be taken to preserve status or tasks in progress.
- HOLD - the hold input causes the CPU to float most of its output and input/output pins, thus giving the supervisor access to the address, control and data busses, that is, full control over the PC and its resources. After the HOLD signal is deactivated, the CPU continues its tasks as usual.
- Floating the outputs means that the outputs go into a tri-state or high impedance state, allowing other devices to control the logic state of the bits on the bus, either 1 or 0.
- RESET - the reset input forces the CPU to abandon all tasks and restart from the beginning, as at power-up. As in the i486.
- HOLD - the Hold Request input causes the CPU to float most of its output and input/output pins.
- BRDY - indicates that the external device is ready to transfer data.
- RESET - the reset input forces the CPU to abandon all tasks and restart from the beginning, as at power-up.
- HALT - this input stops all processor bus activity, and the bus is floated to tri-state.
- Mask bytes example, for the Intel 8086/80486 family. Structure of the instruction "Jump within segment or group": three bytes, Op Code, Disp Low, Disp High; Op Code E9 hexa.
- The masked opcode is the same for the four instructions, so they can be detected with one comparator: compare with 70 hexa.
- Fig. 5 details an embodiment of the comparator structure and operation. It details, for example, one embodiment of comparator 331, mentioned with reference to Fig. 4 above. Comparator 331 operates on busses C0 226, R0 316 and M0 326, each k bits wide: the latest output C0 226, the corresponding reference R0 316 and the mask from bus M0 326.
- Fig. 5 details the operations on one bit, say bit j; this is representative of the operation of the other bits as well. One bit of the instruction C0(j) 412 is compared with one bit of the reference R0(j) 413 in XOR gate 41. Across the whole bus, each of the k bits of C0 226 is compared with the corresponding bit of R0 316, with the mask bit from M0 326 applied to enable or ignore the result, and all the partial bit results are then collected into result 361.
- The output 414 of gate 41 is zero if the bits are equal (both 0 or both 1).
- AND gate 42: if the mask bit M0(j) 423 is HIGH or ENABLE, AND gate 42 is transparent, so that its output 424 is identical to signal 414; if the mask bit is LOW, output 424 is held at zero and that bit is ignored. Similarly, the other comparators (not shown) operate on the other bits of busses C0, R0, M0 to issue the other input lines 425 to NOR gate 43.
- The result of comparison 361 at the output of NOR gate 43 is combined (not shown) with the corresponding results from the other stages of comparison, to arrive at a decision regarding the specific virus pattern sought.
- A digital signal processor such as the ANALOG DEVICES INC. DSP21000 family may be used to perform the bitwise logic and the other functions detailed above.
- Fig. 6 details another structure of monitoring means, using digital signatures in place of direct comparison of all samples of an instruction string.
- Data multiplexer and latches means 222 reads instructions from the input bus and generates instruction/data bus 223, which is transferred to comparator shift register 22, and thence to log shift register/FIFO 23. These registers shift continuously, moving the instructions past the comparison unit.
- The log shift register/FIFO output bus 231 is connected to the controller (not shown).
- Register 22 outputs data bus latest output C0 226 and the previous samples, including data bus i-th output Ci 227, which represents one of the n stages in SR 22, and data bus earliest output Cn 228.
- A plurality of comparator units operate concurrently, each receiving the outputs from register 22 in parallel, and each including:
- signature computing means 51, which receives a data bus 512 from SR 22 and a mask bus 513 from a register (not shown). The output is issued on digital signature bus 515.
- comparator 52, which compares the signature on bus 514 with the reference for a virus or other event stored in signature reference register 53. This is a fixed value after initial loading; it is loaded through load signature reference bus 291, part of parameters bus 29.
- The mask register (not shown) is serial or parallel, as known in the art, and is fixed after initial loading. An alarm strobe 335 is issued (active) if the signatures correspond, indicating complete detection of a virus string. The alarm strobe 335 connects to an action register (not shown) similar to that in Fig. 4.
- The comparator unit includes a plurality of such comparators, each with a signature computing means 51, comparator 52 and reference 53, and each issuing an alarm strobe 335. Each may issue a different type of Alarm, Warning or Notice, as programmed by the controller (not shown) in the supervisor processor. All the comparators operate concurrently on the data/instructions supplied to all of them in parallel from SR 22.
- Time to error: with a 200 MHz clock, one comparison and decision is performed every 5 nanoseconds.
- Signatures may be used to achieve a very reliable verification, while concurrently achieving a significant saving in cost and circuit complexity.
- The supervisor includes a multisensor unit 27 which monitors everything going on in and around the application processor, including (not shown) a plurality of sensors for sensing the various effects indicative of the presence of a virus.
- The multisensor unit monitors everything going on, including processor commands, I/O port activity, RS-232, modem/telephone output, Ethernet, Internet, LAN, optical (visible/IR/UV), ultrasonic/sonic/subsonic, RF and microwaves, electrical and magnetic fields, and disturbances on the 50 Hz or 60 Hz power line. Its function: look everywhere, every medium is suspect; anything moving, bring in for inspection.
- Some of the sensors are fixed, to continuously sense in and around the PC.
- Some of the sensors are portable and detachable, like a pen for example, so the user can bring them to suspect areas or busses.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU68507/98A AU6850798A (en) | 1997-04-08 | 1998-04-08 | Antivirus system and method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IL120632 | 1997-04-08 | ||
IL12063297A IL120632A0 (en) | 1997-04-08 | 1997-04-08 | Multiprocessor system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
WO1998045778A2 true WO1998045778A2 (en) | 1998-10-15 |
WO1998045778A3 WO1998045778A3 (en) | 1998-12-30 |
Family
ID=11070011
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IL1998/000170 WO1998045778A2 (en) | 1997-04-08 | 1998-04-08 | Antivirus system and method |
Country Status (3)
Country | Link |
---|---|
AU (1) | AU6850798A (en) |
IL (1) | IL120632A0 (en) |
WO (1) | WO1998045778A2 (en) |
Cited By (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1055990A1 (en) * | 1999-05-28 | 2000-11-29 | Hewlett-Packard Company | Event logging in a computing platform |
WO2001057629A2 (en) * | 2000-02-07 | 2001-08-09 | Panacya, Inc. | Computer security system indentifying suspect behaviour |
WO2001016900A3 (en) * | 1999-08-31 | 2001-10-04 | American Express Travel Relate | Methods and apparatus for conducting electronic transactions |
WO2001077794A2 (en) * | 2000-04-06 | 2001-10-18 | Granite Technologies, Inc. | System and method for real time monitoring and control of a computer machine environment and configuration profile |
WO2002025413A2 (en) * | 2000-09-22 | 2002-03-28 | Ge Medical Systems Global Technology Company Llc | Ultrasound imaging system having virus protection |
FR2830638A1 (en) * | 2001-10-05 | 2003-04-11 | France Telecom | Detection of attacks, especially virus type attacks, on a computer system, whereby a generic method is used that is capable of detecting attack programs hidden in data chains that are loaded into memory by a detectable instruction |
EP1331540A2 (en) * | 2001-11-30 | 2003-07-30 | Duaxes Corporation | Apparatus, method, and system for virus detection |
WO2004036397A1 (en) * | 2002-10-17 | 2004-04-29 | Zacharias Sahlberg | Method and device for separating different segments of computer equipment |
US6792543B2 (en) | 2001-08-01 | 2004-09-14 | Networks Associates Technology, Inc. | Virus scanning on thin client devices using programmable assembly language |
GB2406485A (en) * | 2003-09-11 | 2005-03-30 | Detica Ltd | Hardware detection of predermined bit patterns in data packets |
GB2411748A (en) * | 2000-05-28 | 2005-09-07 | Secureol | Anti-virus system for detecting abnormal data outputs |
US6988250B1 (en) | 1999-02-15 | 2006-01-17 | Hewlett-Packard Development Company, L.P. | Trusted computing platform using a trusted device assembly |
WO2007124417A2 (en) * | 2006-04-20 | 2007-11-01 | Webroot Software, Inc. | Backwards researching time stamped events to find an origin of pestware |
WO2007124416A2 (en) * | 2006-04-20 | 2007-11-01 | Webroot Software, Inc. | Backwards researching activity indicative of pestware |
WO2007124421A2 (en) * | 2006-04-20 | 2007-11-01 | Webroot Software, Inc. | Backwards researching existing pestware |
US7343351B1 (en) | 1999-08-31 | 2008-03-11 | American Express Travel Related Services Company, Inc. | Methods and apparatus for conducting electronic transactions |
US7353531B2 (en) | 2001-02-23 | 2008-04-01 | Hewlett-Packard Development Company L.P. | Trusted computing environment |
US7457951B1 (en) | 1999-05-28 | 2008-11-25 | Hewlett-Packard Development Company, L.P. | Data integrity monitoring in trusted computing entity |
US7665137B1 (en) | 2001-07-26 | 2010-02-16 | Mcafee, Inc. | System, method and computer program product for anti-virus scanning in a storage subsystem |
US7673343B1 (en) | 2001-07-26 | 2010-03-02 | Mcafee, Inc. | Anti-virus scanning co-processor |
US7707638B2 (en) * | 2002-01-30 | 2010-04-27 | Stmicroelectronics (Research & Development) Limited | Autonomous software integrity checker |
US7761605B1 (en) | 2001-12-20 | 2010-07-20 | Mcafee, Inc. | Embedded anti-virus scanner for a network adapter |
US8171551B2 (en) * | 2003-04-01 | 2012-05-01 | Mcafee, Inc. | Malware detection using external call characteristics |
US8185943B1 (en) | 2001-12-20 | 2012-05-22 | Mcafee, Inc. | Network adapter firewall system and method |
WO2014004821A1 (en) * | 2012-06-29 | 2014-01-03 | Mcafee, Inc. | Preventing attacks on devices with multiple cpus |
EP2942728A1 (en) * | 2014-04-30 | 2015-11-11 | The Boeing Company | Systems and methods of analyzing a software component |
EP1714229B1 (en) | 2004-08-02 | 2015-11-18 | Mahltig Management- und Beteiligungs GmbH | Security module and method for controlling and monitoring the data traffic of a personal computer |
US9213836B2 (en) | 2000-05-28 | 2015-12-15 | Barhon Mayer, Batya | System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages |
EP2494484A4 (en) * | 2009-10-31 | 2016-05-18 | Hewlett Packard Development Co | Malicious code detection |
US9396082B2 (en) | 2013-07-12 | 2016-07-19 | The Boeing Company | Systems and methods of analyzing a software component |
GB2540949A (en) * | 2015-07-31 | 2017-02-08 | Arm Ip Ltd | Probabilistic Processor Monitoring |
US9754102B2 (en) | 2006-08-07 | 2017-09-05 | Webroot Inc. | Malware management through kernel detection during a boot sequence |
US9852290B1 (en) | 2013-07-12 | 2017-12-26 | The Boeing Company | Systems and methods of analyzing a software component |
US10839388B2 (en) | 2001-07-10 | 2020-11-17 | Liberty Peak Ventures, Llc | Funding a radio frequency device transaction |
US11481492B2 (en) | 2017-07-25 | 2022-10-25 | Trend Micro Incorporated | Method and system for static behavior-predictive malware detection |
US11489857B2 (en) | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9031880B2 (en) | 2001-07-10 | 2015-05-12 | Iii Holdings 1, Llc | Systems and methods for non-traditional payment using biometric data |
US7735725B1 (en) | 2001-07-10 | 2010-06-15 | Fred Bishop | Processing an RF transaction using a routing number |
US9454752B2 (en) | 2001-07-10 | 2016-09-27 | Chartoleaux Kg Limited Liability Company | Reload protocol at a transaction processing entity |
US7360689B2 (en) | 2001-07-10 | 2008-04-22 | American Express Travel Related Services Company, Inc. | Method and system for proffering multiple biometrics for use with a FOB |
US6805287B2 (en) | 2002-09-12 | 2004-10-19 | American Express Travel Related Services Company, Inc. | System and method for converting a stored value card to a credit card |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5414833A (en) * | 1993-10-27 | 1995-05-09 | International Business Machines Corporation | Network security system and method using a parallel finite state machine adaptive active monitor and responder |
US5440723A (en) * | 1993-01-19 | 1995-08-08 | International Business Machines Corporation | Automatic immune system for computers and computer networks |
US5491791A (en) * | 1995-01-13 | 1996-02-13 | International Business Machines Corporation | System and method for remote workstation monitoring within a distributed computing environment |
US5657473A (en) * | 1990-02-21 | 1997-08-12 | Arendee Limited | Method and apparatus for controlling access to and corruption of information in computer systems |
- 1997
  - 1997-04-08 IL IL12063297A patent/IL120632A0/en unknown
- 1998
  - 1998-04-08 WO PCT/IL1998/000170 patent/WO1998045778A2/en active Application Filing
  - 1998-04-08 AU AU68507/98A patent/AU6850798A/en not_active Abandoned
Non-Patent Citations (3)
Title |
---|
COHEN F., "Current Best Practice Against Computer Viruses", IEEE, CARNAHAN CONF. ON SECURITY TECHNOLOGY, 1991, pages 261-270, XP002913268 * |
LADKIN P. et al., "Comments on a Paper by Voas, Payne and Cohen: A Model for Detecting the Existence of Software Corruption in Real Time", COMPUTERS AND SECURITY, 1994, vol. 13, pages 527-531, XP002913267 * |
QASEM I. et al., "Computer Viruses: Detection and Prevention Techniques", IEEE PROCEEDINGS 1990 SOUTHEAST CONF., pages 199-200, XP002913269 * |
Cited By (64)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7444601B2 (en) | 1999-02-15 | 2008-10-28 | Hewlett-Packard Development Company, L.P. | Trusted computing platform |
US6988250B1 (en) | 1999-02-15 | 2006-01-17 | Hewlett-Packard Development Company, L.P. | Trusted computing platform using a trusted device assembly |
JP2003501716A (en) * | 1999-05-28 | 2003-01-14 | ヒューレット・パッカード・カンパニー | Recording data events on computing platforms |
US7457951B1 (en) | 1999-05-28 | 2008-11-25 | Hewlett-Packard Development Company, L.P. | Data integrity monitoring in trusted computing entity |
JP4860856B2 (en) * | 1999-05-28 | 2012-01-25 | ヒューレット・パッカード・カンパニー | Computer equipment |
EP1055990A1 (en) * | 1999-05-28 | 2000-11-29 | Hewlett-Packard Company | Event logging in a computing platform |
WO2000073880A1 (en) * | 1999-05-28 | 2000-12-07 | Hewlett-Packard Company | Data event logging in computing platform |
US7194623B1 (en) | 1999-05-28 | 2007-03-20 | Hewlett-Packard Development Company, L.P. | Data event logging in computing platform |
US7343351B1 (en) | 1999-08-31 | 2008-03-11 | American Express Travel Related Services Company, Inc. | Methods and apparatus for conducting electronic transactions |
WO2001016900A3 (en) * | 1999-08-31 | 2001-10-04 | American Express Travel Relate | Methods and apparatus for conducting electronic transactions |
WO2001057629A2 (en) * | 2000-02-07 | 2001-08-09 | Panacya, Inc. | Computer security system indentifying suspect behaviour |
WO2001057629A3 (en) * | 2000-02-07 | 2002-03-21 | Panacya Inc | Computer security system indentifying suspect behaviour |
WO2001077794A3 (en) * | 2000-04-06 | 2002-10-17 | Granite Technologies Inc | System and method for real time monitoring and control of a computer machine environment and configuration profile |
WO2001077794A2 (en) * | 2000-04-06 | 2001-10-18 | Granite Technologies, Inc. | System and method for real time monitoring and control of a computer machine environment and configuration profile |
GB2411748A (en) * | 2000-05-28 | 2005-09-07 | Secureol | Anti-virus system for detecting abnormal data outputs |
US9213836B2 (en) | 2000-05-28 | 2015-12-15 | Barhon Mayer, Batya | System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages |
GB2411748B (en) * | 2000-05-28 | 2005-10-19 | Secureol | System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages |
WO2002025413A2 (en) * | 2000-09-22 | 2002-03-28 | Ge Medical Systems Global Technology Company Llc | Ultrasound imaging system having virus protection |
WO2002025413A3 (en) * | 2000-09-22 | 2003-09-18 | Ge Med Sys Global Tech Co Llc | Ultrasound imaging system having virus protection |
US7263616B1 (en) | 2000-09-22 | 2007-08-28 | Ge Medical Systems Global Technology Company, Llc | Ultrasound imaging system having computer virus protection |
US7353531B2 (en) | 2001-02-23 | 2008-04-01 | Hewlett-Packard Development Company L.P. | Trusted computing environment |
US10839388B2 (en) | 2001-07-10 | 2020-11-17 | Liberty Peak Ventures, Llc | Funding a radio frequency device transaction |
US7673343B1 (en) | 2001-07-26 | 2010-03-02 | Mcafee, Inc. | Anti-virus scanning co-processor |
US7665137B1 (en) | 2001-07-26 | 2010-02-16 | Mcafee, Inc. | System, method and computer program product for anti-virus scanning in a storage subsystem |
US6792543B2 (en) | 2001-08-01 | 2004-09-14 | Networks Associates Technology, Inc. | Virus scanning on thin client devices using programmable assembly language |
WO2003032134A1 (en) * | 2001-10-05 | 2003-04-17 | France Telecom Sa | Generic method of detecting attack programs hidden in data chains |
FR2830638A1 (en) * | 2001-10-05 | 2003-04-11 | France Telecom | Detection of attacks, especially virus type attacks, on a computer system, whereby a generic method is used that is capable of detecting attack programs hidden in data chains that are loaded into memory by a detectable instruction |
EP1331540A3 (en) * | 2001-11-30 | 2004-10-20 | Duaxes Corporation | Apparatus, method, and system for virus detection |
EP1331540A2 (en) * | 2001-11-30 | 2003-07-30 | Duaxes Corporation | Apparatus, method, and system for virus detection |
US7484244B2 (en) | 2001-11-30 | 2009-01-27 | Duaxes Corporation | Apparatus, method, and system for virus detection |
KR100606478B1 (en) * | 2001-11-30 | 2006-07-31 | 듀아키시즈 가부시키가이샤 | Apparatus, method, and system for virus detection |
US7761605B1 (en) | 2001-12-20 | 2010-07-20 | Mcafee, Inc. | Embedded anti-virus scanner for a network adapter |
US9876818B2 (en) | 2001-12-20 | 2018-01-23 | McAFEE, LLC. | Embedded anti-virus scanner for a network adapter |
US9055098B2 (en) | 2001-12-20 | 2015-06-09 | Mcafee, Inc. | Embedded anti-virus scanner for a network adapter |
US8627443B2 (en) | 2001-12-20 | 2014-01-07 | Mcafee, Inc. | Network adapter firewall system and method |
US8185943B1 (en) | 2001-12-20 | 2012-05-22 | Mcafee, Inc. | Network adapter firewall system and method |
US7707638B2 (en) * | 2002-01-30 | 2010-04-27 | Stmicroelectronics (Research & Development) Limited | Autonomous software integrity checker |
WO2004036397A1 (en) * | 2002-10-17 | 2004-04-29 | Zacharias Sahlberg | Method and device for separating different segments of computer equipment |
US8171551B2 (en) * | 2003-04-01 | 2012-05-01 | Mcafee, Inc. | Malware detection using external call characteristics |
US20120192279A1 (en) * | 2003-04-01 | 2012-07-26 | Mcafee, Inc., A Delaware Corporation | Malware detection using external call characteristics |
US8549635B2 (en) * | 2003-04-01 | 2013-10-01 | Mcafee, Inc. | Malware detection using external call characteristics |
GB2406485B (en) * | 2003-09-11 | 2006-09-13 | Detica Ltd | Real-time network monitoring and security |
GB2406485A (en) * | 2003-09-11 | 2005-03-30 | Detica Ltd | Hardware detection of predermined bit patterns in data packets |
EP1714229B1 (en) | 2004-08-02 | 2015-11-18 | Mahltig Management- und Beteiligungs GmbH | Security module and method for controlling and monitoring the data traffic of a personal computer |
US8201243B2 (en) | 2006-04-20 | 2012-06-12 | Webroot Inc. | Backwards researching activity indicative of pestware |
US8181244B2 (en) | 2006-04-20 | 2012-05-15 | Webroot Inc. | Backward researching time stamped events to find an origin of pestware |
WO2007124417A3 (en) * | 2006-04-20 | 2007-12-21 | Webroot Software Inc | Backwards researching time stamped events to find an origin of pestware |
WO2007124417A2 (en) * | 2006-04-20 | 2007-11-01 | Webroot Software, Inc. | Backwards researching time stamped events to find an origin of pestware |
WO2007124416A2 (en) * | 2006-04-20 | 2007-11-01 | Webroot Software, Inc. | Backwards researching activity indicative of pestware |
WO2007124421A2 (en) * | 2006-04-20 | 2007-11-01 | Webroot Software, Inc. | Backwards researching existing pestware |
WO2007124416A3 (en) * | 2006-04-20 | 2007-12-21 | Webroot Software Inc | Backwards researching activity indicative of pestware |
WO2007124421A3 (en) * | 2006-04-20 | 2008-01-17 | Webroot Software Inc | Backwards researching existing pestware |
US9754102B2 (en) | 2006-08-07 | 2017-09-05 | Webroot Inc. | Malware management through kernel detection during a boot sequence |
US11489857B2 (en) | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource |
EP2494484A4 (en) * | 2009-10-31 | 2016-05-18 | Hewlett Packard Development Co | Malicious code detection |
WO2014004821A1 (en) * | 2012-06-29 | 2014-01-03 | Mcafee, Inc. | Preventing attacks on devices with multiple cpus |
US8832837B2 (en) | 2012-06-29 | 2014-09-09 | Mcafee Inc. | Preventing attacks on devices with multiple CPUs |
US9852290B1 (en) | 2013-07-12 | 2017-12-26 | The Boeing Company | Systems and methods of analyzing a software component |
US9396082B2 (en) | 2013-07-12 | 2016-07-19 | The Boeing Company | Systems and methods of analyzing a software component |
EP2942728A1 (en) * | 2014-04-30 | 2015-11-11 | The Boeing Company | Systems and methods of analyzing a software component |
GB2540949A (en) * | 2015-07-31 | 2017-02-08 | Arm Ip Ltd | Probabilistic Processor Monitoring |
GB2540949B (en) * | 2015-07-31 | 2019-01-30 | Arm Ip Ltd | Probabilistic Processor Monitoring |
US10810098B2 (en) | 2015-07-31 | 2020-10-20 | Arm Ip Limited | Probabilistic processor monitoring |
US11481492B2 (en) | 2017-07-25 | 2022-10-25 | Trend Micro Incorporated | Method and system for static behavior-predictive malware detection |
Also Published As
Publication number | Publication date |
---|---|
AU6850798A (en) | 1998-10-30 |
IL120632A0 (en) | 1997-08-14 |
WO1998045778A3 (en) | 1998-12-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO1998045778A2 (en) | Antivirus system and method | |
US10423207B2 (en) | Using power fingerprinting (PFP) to monitor the integrity and enhance security of computer based systems | |
Wagner et al. | Mimicry attacks on host-based intrusion detection systems | |
CN109815698B (en) | Method and non-transitory machine-readable storage medium for performing security actions | |
Xia et al. | CFIMon: Detecting violation of control flow integrity using performance counters | |
JP5054768B2 (en) | Method and apparatus for intrusion detection | |
US9424426B2 (en) | Detection of malicious code insertion in trusted environments | |
Yuan et al. | Security breaches as PMU deviation: detecting and identifying security attacks using performance counters | |
AU2002305490B2 (en) | Systems and methods for the prevention of unauthorized use and manipulation of digital content | |
CN101373502B (en) | Automatic analysis system of virus behavior based on Win32 platform | |
Tan et al. | Hiding intrusions: From the abnormal to the normal and beyond | |
CN105408911A (en) | Hardware and software execution profiling | |
US7665139B1 (en) | Method and apparatus to detect and prevent malicious changes to tokens | |
JP2008547070A (en) | Method and system for repairing applications | |
AU2002305490A1 (en) | Systems and methods for the prevention of unauthorized use and manipulation of digital content | |
US9542557B2 (en) | Snoop-based kernel integrity monitoring apparatus and method thereof | |
Stolfo et al. | Anomaly detection in computer security and an application to file system accesses | |
Rajput et al. | Remote non-intrusive malware detection for plcs based on chain of trust rooted in hardware | |
KR100745640B1 (en) | Method for protecting kernel memory and apparatus thereof | |
KR100745639B1 (en) | Method for protecting file system and registry and apparatus thereof | |
Palumbo et al. | A lightweight security checking module to protect microprocessors against hardware trojan horses | |
Zhou et al. | Hardware-based on-line intrusion detection via system call routine fingerprinting | |
JP2014056563A (en) | Device and method for detecting malicious shell code using debugging event | |
WO2009055155A1 (en) | Secure digital forensics | |
JP7383750B2 (en) | Improved systems and methods for detecting fault injection attacks |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A2. Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM GW HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW |
AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG |
ENP | Entry into the national phase | Ref country code: US. Ref document number: 1998 205341. Date of ref document: 19981208. Kind code of ref document: A. Format of ref document f/p: F |
AK | Designated states | Kind code of ref document: A3. Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM GW HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW |
AL | Designated countries for regional patents | Kind code of ref document: A3. Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
REG | Reference to national code | Ref country code: DE. Ref legal event code: 8642 |
NENP | Non-entry into the national phase | Ref country code: CA |
NENP | Non-entry into the national phase | Ref country code: JP. Ref document number: 1998542562. Format of ref document f/p: F |
122 | Ep: pct application non-entry in european phase | |