Information security – Monitoring or scanning of software or data including attack... – Vulnerability assessment
Reexamination Certificate
2005-09-22
2010-06-15
Henning, Matthew T (Department: 2431)
C726S022000, C726S023000, C726S024000, C709S206000, C713S187000, C713S188000
active
07739740
ABSTRACT:
A polymorphic threat manager monitors an incoming email stream, and identifies incoming email messages to which executable files are attached. The polymorphic threat manager characterizes incoming executable files according to at least one metric. For example, the polymorphic threat manager can decompose an executable file into fragments, hash some or all of these, and use the hashes as characterization metrics. The polymorphic threat manager subsequently de-obfuscates executable files, and creates corresponding characterization metrics for the de-obfuscated images. The characterizations of executable files before and after de-obfuscation are compared, and if they differ sufficiently, the polymorphic threat manager determines that the file in question is polymorphic. The characterization metrics of such an executable file after de-obfuscation can be used as a signature for that file.
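The before/after comparison the abstract describes, as an added example that is not the patent's own code: an image is decomposed into fixed-size fragments, each fragment is hashed, the same is done after a de-obfuscation step, the two hash sets are compared by Jaccard similarity, and when they differ enough the post-de-obfuscation set is kept as the signature. The single-byte XOR layer, the 16-byte fragment size and the 0.5 threshold are constructed assumptions standing in for whatever packer and tuning a real implementation faces.

```python
import hashlib

FRAGMENT_SIZE = 16          # bytes per fragment (constructed choice)
DIFFERENCE_THRESHOLD = 0.5  # flag as polymorphic when similarity falls below this (assumed)


def characterize(image: bytes, fragment_size: int = FRAGMENT_SIZE) -> set:
    """Decompose an image into fixed-size fragments and hash each one.
    The set of (truncated) fragment hashes is the characterization metric."""
    return {
        hashlib.sha256(image[i:i + fragment_size]).hexdigest()[:16]
        for i in range(0, len(image), fragment_size)
    }


def deobfuscate_xor(image: bytes, key: int) -> bytes:
    """Stand-in for the de-obfuscation step: strip a single-byte XOR layer.
    XOR is its own inverse, so the same call also builds the obfuscated sample."""
    return bytes(b ^ key for b in image)


def similarity(before: set, after: set) -> float:
    """Fraction of fragment hashes shared by the two characterizations (Jaccard)."""
    if not before and not after:
        return 1.0
    return len(before & after) / len(before | after)


def assess(image: bytes, key: int):
    """Characterize before and after de-obfuscation; decide whether the file is
    polymorphic and, if so, return the post-de-obfuscation hash set as its signature."""
    before = characterize(image)
    after = characterize(deobfuscate_xor(image, key))
    sim = similarity(before, after)
    polymorphic = sim < DIFFERENCE_THRESHOLD
    signature = frozenset(after) if polymorphic else None
    return polymorphic, sim, signature


# Constructed sample: a 128-byte "executable" body and one XOR-obfuscated variant of it.
PAYLOAD = bytes(range(64)) * 2
OBFUSCATED = deobfuscate_xor(PAYLOAD, 0x5A)

if __name__ == "__main__":
    flagged, score, sig = assess(OBFUSCATED, 0x5A)
    print(f"polymorphic={flagged} similarity={score:.2f} signature_fragments={len(sig or ())}")
```

Two variants of the same body under different XOR keys yield the same signature, which is the property that makes the post-de-obfuscation metric usable for matching; a wrong or failed de-obfuscation, by contrast, would also lower the similarity, so the decision is only as good as the de-obfuscation step.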
REFERENCES:
patent: 5826013 (1998-10-01), Nachenberg
patent: 5842002 (1998-11-01), Schnurer et al.
patent: 5854916 (1998-12-01), Nachenberg
patent: 5944821 (1999-08-01), Angelo
patent: 5949973 (1999-09-01), Yarom
patent: 6301699 (2001-10-01), Hollander et al.
patent: 6941473 (2005-09-01), Etoh et al.
patent: 7526809 (2009-04-01), Liang et al.
patent: 7568233 (2009-07-01), Szor et al.
patent: 2002/0066024 (2002-05-01), Schmall et al.
patent: 2002/0073323 (2002-06-01), Jordan
patent: 2003/0177394 (2003-09-01), Dozortsev
patent: 2004/0255165 (2004-12-01), Szor
patent: 2005/0166268 (2005-07-01), Szor
patent: 2006/0259974 (2006-11-01), Marinescu et al.
patent: 2007/0055711 (2007-03-01), Polyakov et al.
patent: WO 01/37095 (2001-05-01), None
Wang, Y.-M.; Beck, D.; Vo, B.; Roussev, R.; Verbowski, C., “Detecting stealth software with Strider GhostBuster,” Dependable Systems and Networks, 2005. DSN 2005. Proceedings. International Conference on , vol., No., pp. 368-377, Jun. 28-Jul. 1, 2005.
Choi, Yang-Seo, et al., “A New Stack Buffer Overflow Hacking Defense Technique with Memory Address Confirmation”, Lecture Notes in Computer Science 2288, 2002, pp. 146-159, Springer Verlag, Berlin and Heidelberg, Germany.
Chew, Monica and Dawn Song, “Mitigating Buffer Overflows by Operating System Randomization”, Dec. 2000, pp. 1-9, U.C. Berkeley, CA USA.
Randustack web pages [online]. Virtualave.net [first retrieved May 1, 2003]. Retrieved from the Internet: <URL: http://pageexec.virualave.net/docs/randustack.txt>, copy retrieved Mar. 21, 2005 from <http://www.pax.grsecurity.net/docs/randustack.txt>.
Randkstack web pages [online]. Virtualave.net [first retrieved May 1, 2003]. Retrieved from the Internet: <URL: http://pageexec.virualave.net/docs/randkstack.txt>, copy retrieved Mar. 21, 2005 from <http://www.pax.grsecurity.net/docs/randkstack.txt>.
Randmap web pages [online]. Virtualave.net [first retrieved May 1, 2003]. Retrieved from the Internet: <URL: http://pageexec.virualave.net/docs/randmmap.txt>, copy retrieved Mar. 21, 2005 from <http://www.pax.grsecurity.net/docs/randmmap.txt>.
Randexec web pages [online]. Virtualave.net [first retrieved May 1, 2003]. Retrieved from the Internet: <URL: http://pageexec.virualave.net/docs/randexec.txt>, copy retrieved Mar. 21, 2005 from <http://www.pax.grsecurity.net/docs/randexec.txt>.
VMA Mirroring web pages [online]. Virtualave.net [retrieved May 1, 2003]. Retrieved from the Internet: <URL: http://pageexec.virualave.net/docs/vmmirror.txt>, copy retrieved Mar. 21, 2005 from <http://www.pax.grsecurity.net/docs/vmmirror.txt>.
Aho, Alfred V., et al. Compilers, Addison-Wesley Publishing Company, USA, revised edition 1988, pp. 585-598, 633-648.
Perriot, Frederic, “Defeating Polymorphism Through Code Optimization”, Paper given at the Virus Bulletin conference, Sep. 26-27 Oct. 2003 pp. 142-159, Toronto, Canada, published by Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England.
Nachenberg Carey
Wilhelm Jeffrey
Fenwick & West LLP
Henning Matthew T
Symantec Corporation
TITLE: Detecting polymorphic threats