Classification: Electrical computers and digital processing systems: support; Multiple computer communication using cryptography; Protection at a particular protocol layer (class C714S038110)
Document type: Reexamination Certificate (active)
Filed: 1997-09-23
Issued: 2002-03-12
Examiner: Le, Dieu-Minh (Department: 2184)
Patent number: 06357008
ABSTRACT:
I. BACKGROUND
A. Technical Field
This invention relates to computer antivirus software. More particularly, this invention relates to software for detecting unknown computer viruses using emulation and artificial intelligence.
B. Related Art
Computer virus detection technology may be divided into categories such as signature scanning, integrity checking, and non-integrity-based unknown virus detection (also called heuristics). This section discusses these categories of antivirus technology.
Signature scanning antivirus programs work by scanning files for signatures of known viruses. A signature is a sequence of bytes that may be found in a virus program code, yet is unlikely to be found elsewhere. To “extract” a signature, an antivirus researcher must analyze the virus. Once this signature is determined, it is recorded in a database of virus signatures to be used by an antivirus program. The antivirus program scans a target program (executable file, boot record, or possibly document file with a macro) to detect the presence of a virus signature. If a signature is found, then the target program is deemed infected. Otherwise, the target program is considered uninfected.
A signature scanning antivirus program can identify particular virus strains for removal and may have a low “false-positive” rate if properly implemented. However, only viruses whose signatures have already been determined and stored in the signature database may be detected using signature scanning. Moreover, the signature database must be updated frequently to detect the latest viruses.
Integrity checking (called “inoculation” by the commercial Norton Anti-Virus product from Symantec Corp.) is a technique in which “snapshots” or “fingerprints” are taken of programs (executable files, boot records) on the computer under the assumption that all these files are in an uninfected state. These fingerprints are typically taken after the computer has been scanned with a virus scanner that reasonably assures the computer is virus-free. These fingerprints are then saved into a database for later integrity-based scans.
During subsequent integrity-based scans of the computer, the antivirus program verifies that each previously fingerprinted program on the computer matches its fingerprint. If a program does not match its fingerprint, then the antivirus program typically uses artificial intelligence to determine if the modification is “virus-like” or merely a valid program update. If the modification appears due to an infection by a virus, the antivirus program typically alerts the user to the modification and gives the user the option to repair the damage, if possible.
Because integrity checking does not scan for virus signatures, it can be used to detect new and (as yet) unknown virus strains. Integrity checking works because viruses must generally make changes to their host program, and these changes can be detected if the database of fingerprints of clean programs is properly created and maintained. However, integrity checking does not work if the computer is not virus-free when the programs are fingerprinted. A virus-infected program that is “inoculated” along with other clean programs would be a safe haven from which the virus can infect other programs. Furthermore, when a change is detected by integrity checking, it is often difficult for the antivirus program to determine if the change was virus-induced or user-induced (e.g., the user may update a program by installing a new version or copying an updated file). If this determination cannot be made by the antivirus program, the user must be called upon to make it, and many users are not knowledgeable enough to do so.
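As an added illustration of the integrity-checking workflow described above (this is not code from the patent or from the Norton Anti-Virus product), the following Python script takes a fingerprint snapshot of a constructed set of programs, re-scans them later, and separates modified, missing and new files. The "virus-like versus valid update" rule it applies (host bytes preserved with code appended) is an assumption chosen for this example; it also reproduces the caveat that a program infected before the snapshot becomes a trusted "safe haven".

```python
import hashlib

# Constructed sample "file system": path -> contents. These are not real programs.
CLEAN_PROGRAMS = {
    "C:/DOS/COMMAND.COM": b"MZ\x90\x00clean-command-interpreter",
    "C:/TOOLS/EDIT.EXE": b"MZ\x90\x00clean-editor-v1",
    "C:/GAMES/PLAY.EXE": b"MZ\x90\x00clean-game",
}

def fingerprint(data: bytes) -> str:
    """Fingerprint of one program: SHA-256 of its full contents."""
    return hashlib.sha256(data).hexdigest()

def take_snapshot(programs: dict) -> dict:
    """Build the fingerprint database ("inoculate"). Only meaningful if every
    program is clean at this moment, which is the assumption the page states."""
    return {path: fingerprint(data) for path, data in programs.items()}

def integrity_scan(programs: dict, db: dict) -> dict:
    """Compare the current programs with the fingerprint database."""
    modified = [p for p in db if p in programs and fingerprint(programs[p]) != db[p]]
    missing = [p for p in db if p not in programs]
    new = [p for p in programs if p not in db]
    return {"modified": sorted(modified), "missing": sorted(missing), "new": sorted(new)}

def looks_virus_like(old: bytes, new: bytes) -> bool:
    """Assumed stand-in for the 'virus-like vs. valid update' judgement: a
    parasitic infection typically keeps the original host bytes and appends
    its own code, whereas a legitimate update replaces the file outright."""
    return new.startswith(old) and len(new) > len(old)

def classify_changes(before: dict, after: dict, scan: dict) -> dict:
    """Label each modified program so the user is only asked about unclear cases."""
    return {p: ("virus-like" if looks_virus_like(before[p], after[p]) else "possible update")
            for p in scan["modified"]}

def demo():
    db = take_snapshot(CLEAN_PROGRAMS)
    later = dict(CLEAN_PROGRAMS)
    # Constructed changes: an appended payload (infection-like), a replaced file
    # (update-like) and a freshly installed program with no fingerprint yet.
    later["C:/GAMES/PLAY.EXE"] = CLEAN_PROGRAMS["C:/GAMES/PLAY.EXE"] + b"<appended-code>"
    later["C:/TOOLS/EDIT.EXE"] = b"MZ\x90\x00clean-editor-v2"
    later["C:/TOOLS/NEW.EXE"] = b"MZ\x90\x00freshly-installed"
    scan = integrity_scan(later, db)
    return scan, classify_changes(CLEAN_PROGRAMS, later, scan)

def safe_haven_demo() -> list:
    """The page's caveat: fingerprint an already-infected program and the
    infection is baked into the database, so a later scan reports nothing."""
    infected = dict(CLEAN_PROGRAMS)
    infected["C:/GAMES/PLAY.EXE"] += b"<appended-code>"
    db = take_snapshot(infected)
    return integrity_scan(infected, db)["modified"]

if __name__ == "__main__":
    print(demo())
    print("modified files found after inoculating an infected set:", safe_haven_demo())
```

Running it reports PLAY.EXE as virus-like, EDIT.EXE as a possible update and NEW.EXE as unknown to the database, while the second demo returns an empty list, which is exactly the blind spot the text warns about.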
Non-integrity-based (also called “heuristic”) unknown virus detection is used to detect new and unknown viruses without any integrity information. A heuristic antivirus program examines a target program (executable file, boot record, or possibly document file with a macro) and analyzes its program code to determine if the code appears virus-like. If the target program's code appears virus-like, then the possible infection is reported to the user.
Heuristic virus detection can detect new and unknown viruses that have not yet been analyzed by antivirus researchers since it does not use virus signatures. Because the heuristic technique does not use integrity information, it does not require fingerprints of programs to be taken and saved when the computer is in a known clean state.
Heuristic virus detection can be classified as either static or dynamic. The primary difference between these two detection schemes is that the dynamic method uses CPU emulation while the static method does not.
i. Static Heuristic Detection
In static heuristic virus detection, the antivirus program searches the instructions of a target program for sequences of instructions that perform operations typically used by viruses. Unlike virus signatures, these sequences are not designed to be specific to a single virus. Instead, they are meant to be as general as possible in order to detect the operation of many different viruses.
For example, the following sequence of X86 (Intel microprocessor) machine code instructions may be used to open a file:
assembly language    machine code
MOV DX, ????         BA ?? ??
MOV AX, 3D02         B8 02 3D
INT 21               CD 21
where ?? indicates that the byte may vary in different viruses. Similarly, the following sequence of X86 machine code instructions may be used to write to a file:
assembly language    machine code
MOV DX, ????         BA ?? ??
MOV CX, ????         B9 ?? ??
MOV AX, 4000         B8 00 40
INT 21               CD 21
where again ?? indicates that the byte may vary in different viruses.
Static heuristic antivirus programs search for sequences of bytes like those shown above, then make an assessment of viral infection based on the sequences they find. For example, if the static heuristic antivirus program finds a file open operation, followed by file read and write operations, and also finds a character (ASCII) string “VIRUS” in the program, it may report that the file is infected by an unknown virus.
Some (self-decrypting) computer viruses have encrypted viral bodies. Sequences of instructions that exhibit virus-like behavior are not identifiable while they are encrypted. Therefore, some static heuristic detection programs precede the behavior searching phase with a decryption phase which is typically performed using a CPU emulator.
Although static heuristic detection programs can be relatively fast, they may recognize only some of the numerous different ways of performing various virus-like operations. For example, a virus writer may re-order the instructions of the file open sequence above as follows:
assembly language    machine code
MOV AX, 3D02         B8 02 3D
MOV DX, ????         BA ?? ??
INT 21               CD 21
As a further example, a virus writer may more radically change the instructions for a file open as follows:
assembly language    machine code
MOV AX, 3E00         B8 00 3E
SUB AX, 0100         2D 00 01
MOV DX, 1234         BA 34 12
ADD AL, 02           04 02
INT 21               CD 21
Thus, the static heuristic detection program must look for a large number of different ways each virus-like operation may be implemented in order to reliably detect virus-like behavior. A database covering a large number of possible permutations of these operations may become unmanageable. This problem would be particularly acute if a virus writer wrote a “virus generator” program which generated thousands of viruses at a time, permuting the order of its sections of code but not changing its effective behavior. Static heuristic detection programs would have great difficulty dealing with such a multitude of viruses.
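The following Python scanner is an added example of the static approach (it is not code from the patent). It matches byte patterns in which `??` is a wildcard, which generalises slightly beyond the text: a conventional virus signature is simply a pattern with no wildcards, so the same matcher serves both the signature scanning and the static heuristic sections. The patterns, the three file-open variants and the “VIRUS” rule are taken from the page; the sample programs assembled from them are constructed for the demonstration, and the example shows why the re-ordered and rewritten variants force the pattern database to grow.

```python
def parse_pattern(text: str) -> list:
    """'BA ?? ?? B8 02 3D CD 21' -> [0xBA, None, None, 0xB8, 0x02, 0x3D, 0xCD, 0x21].
    None is a wildcard byte; a signature is just a pattern without wildcards."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def find_pattern(data: bytes, pattern: list) -> list:
    """Return every offset at which the wildcard pattern matches the data."""
    n = len(pattern)
    return [off for off in range(len(data) - n + 1)
            if all(p is None or p == data[off + i] for i, p in enumerate(pattern))]

# Operation database: one pattern per known way of coding each operation.
# Both patterns are the sequences given on the page.
OPERATIONS = {
    "file-open":  [parse_pattern("BA ?? ?? B8 02 3D CD 21")],
    "file-write": [parse_pattern("BA ?? ?? B9 ?? ?? B8 00 40 CD 21")],
}

def extended_operations() -> dict:
    """The same database after an analyst adds the re-ordered open sequence."""
    ops = {name: list(variants) for name, variants in OPERATIONS.items()}
    ops["file-open"].append(parse_pattern("B8 02 3D BA ?? ?? CD 21"))
    return ops

def found_operations(data: bytes, ops: dict) -> set:
    """Names of every operation for which at least one variant matches."""
    return {name for name, variants in ops.items()
            if any(find_pattern(data, v) for v in variants)}

def static_heuristic_verdict(data: bytes, ops: dict) -> bool:
    """The page's example rule: open and write operations plus the string 'VIRUS'."""
    return {"file-open", "file-write"} <= found_operations(data, ops) and b"VIRUS" in data

# Constructed sample programs built from the page's byte sequences.
OPEN_PLAIN   = bytes.fromhex("BA3412B8023DCD21")            # MOV DX / MOV AX,3D02 / INT 21
OPEN_REORDER = bytes.fromhex("B8023DBA3412CD21")            # same operations, re-ordered
OPEN_REWRITE = bytes.fromhex("B8003E2D0001BA34120402CD21")  # AX reaches 3D02 by arithmetic
WRITE        = bytes.fromhex("BA3412B9FF00B80040CD21")      # MOV DX / MOV CX / MOV AX,4000 / INT 21
SAMPLES = {
    "plain":   OPEN_PLAIN + WRITE + b"VIRUS",
    "reorder": OPEN_REORDER + WRITE + b"VIRUS",
    "rewrite": OPEN_REWRITE + WRITE + b"VIRUS",
}

def scan_all(ops: dict) -> dict:
    """Verdict for every sample under a given operation database."""
    return {name: static_heuristic_verdict(data, ops) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    print("original database:", scan_all(OPERATIONS))
    print("with re-ordered variant added:", scan_all(extended_operations()))
```

With the page's two patterns only the plain sample is flagged; adding the re-ordered variant catches the second sample, but the arithmetically rewritten open still slips through, and each further rewrite would need yet another entry.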
ii. Dynamic Heuristic Detection
In dynamic heuristic virus detection, the antivirus program emulates the target program in a virtual environment and observes the emulated instructions for virus-like operations. As the target program is emulated,
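The background text breaks off at this point. As an added example (not the patent's method or Symantec's code), the following Python mini-emulator for the handful of x86 instructions used in the sequences above illustrates the dynamic idea: instead of matching byte patterns, it executes the code in a virtual register file and observes which DOS services are requested through INT 21h. The function numbers 3Dh (open), 40h (write) and 3Eh (close) are the standard INT 21h services; the register model, the step budget and the sample programs are assumptions of this illustration.

```python
class Cpu:
    """16-bit register state plus a log of the INT 21h (DOS) calls observed."""
    def __init__(self):
        self.ax = self.cx = self.dx = 0
        self.ip = 0
        self.syscalls = []          # (AH, AX, CX, DX) at each INT 21h

# Standard DOS INT 21h function numbers; AH selects the service.
DOS_FUNCTIONS = {0x3D: "file-open", 0x40: "file-write", 0x3E: "file-close"}

def step(cpu: Cpu, code: bytes) -> bool:
    """Decode and execute the instruction at cpu.ip. Returns False at end of
    code, on a truncated instruction, or on an opcode outside the supported
    subset (for instance the first byte of a trailing data string)."""
    ip = cpu.ip
    if ip >= len(code):
        return False
    op = code[ip]
    length = {0xB8: 3, 0xB9: 3, 0xBA: 3, 0x2D: 3, 0x04: 2, 0xCD: 2}.get(op)
    if length is None or ip + length > len(code):
        return False
    imm8 = code[ip + 1]
    imm16 = int.from_bytes(code[ip + 1:ip + 3], "little") if length == 3 else None
    if op == 0xB8:                                   # MOV AX, imm16
        cpu.ax = imm16
    elif op == 0xB9:                                 # MOV CX, imm16
        cpu.cx = imm16
    elif op == 0xBA:                                 # MOV DX, imm16
        cpu.dx = imm16
    elif op == 0x2D:                                 # SUB AX, imm16
        cpu.ax = (cpu.ax - imm16) & 0xFFFF
    elif op == 0x04:                                 # ADD AL, imm8 (no carry into AH)
        cpu.ax = (cpu.ax & 0xFF00) | (((cpu.ax & 0xFF) + imm8) & 0xFF)
    elif op == 0xCD and imm8 == 0x21:                # INT 21h: record the DOS call
        cpu.syscalls.append((cpu.ax >> 8, cpu.ax, cpu.cx, cpu.dx))
    cpu.ip += length
    return True

def emulate(code: bytes, max_steps: int = 10_000) -> Cpu:
    """Run the code in the virtual environment until it stops or the step
    budget (a guard against endless loops) is exhausted."""
    cpu = Cpu()
    for _ in range(max_steps):
        if not step(cpu, code):
            break
    return cpu

def observed_operations(code: bytes) -> set:
    """Virus-like operations seen during emulation, keyed by what was done,
    not by how the instructions that set up the call were ordered or written."""
    return {DOS_FUNCTIONS[ah] for ah, *_ in emulate(code).syscalls if ah in DOS_FUNCTIONS}

def dynamic_verdict(code: bytes) -> bool:
    """Same rule as the page's static example: open and write plus the string 'VIRUS'."""
    return {"file-open", "file-write"} <= observed_operations(code) and b"VIRUS" in code

# Constructed samples built from the page's byte sequences: the three ways of
# opening a file, each followed by the file-write sequence and a data string.
OPEN_PLAIN   = bytes.fromhex("BA3412B8023DCD21")
OPEN_REORDER = bytes.fromhex("B8023DBA3412CD21")
OPEN_REWRITE = bytes.fromhex("B8003E2D0001BA34120402CD21")  # 3E00 - 0100 + 02 -> AX = 3D02
WRITE        = bytes.fromhex("BA3412B9FF00B80040CD21")
SAMPLES = {name: opn + WRITE + b"VIRUS" for name, opn in
           [("plain", OPEN_PLAIN), ("reorder", OPEN_REORDER), ("rewrite", OPEN_REWRITE)]}

def scan_all() -> dict:
    return {name: dynamic_verdict(code) for name, code in SAMPLES.items()}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(name, emulate(code).syscalls, "->", dynamic_verdict(code))
```

All three samples, including the arithmetically rewritten open that no static pattern on the page matches, produce the same observed call (AH = 3Dh with DX pointing at the filename) and are flagged, which is the advantage the dynamic method buys at the cost of running an emulator.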
Title: Dynamic heuristic method for detecting computer viruses...
Assignee: Symantec Corporation
Attorney, agent or firm: Fenwick & West LLP