Electrical computers and digital processing systems: support – Computer virus detection by cryptography
Reexamination Certificate
2005-11-29
Barrón, Gilberto (Department: 2132)
C713S187000
active
06971019
ABSTRACT:
A virus detection system (VDS) (400) uses a histogram to detect the presence of a computer virus in a computer file. The VDS (400) has a P-code data (410) for holding P-code, a virus definition file (VDF) (412) for holding signatures of known viruses, and an engine (414) for controlling the VDS. The engine (414) contains a P-code interpreter (418) for interpreting the P-code, a scanning module (424) for scanning regions of the file (100) for the virus signatures in the VDF (412), and an emulating module (426) for emulating instructions in the file. The emulating module (426) contains a histogram generation module (HGM) (436) for generating a histogram of characteristics of instructions emulated by the emulating module (426) and a histogram definition module (HDF) (438) for specifying the characteristics to be included in the generated histogram. The emulating module (426) uses the generated histogram (500) to determine how many of the instructions of the computer file (100) to emulate. The emulating module (426) emulates (712) instructions and the HGM (436) generates a histogram of the instructions until active instructions are not detected. When active instructions are not detected (714), a P-code module is executed (722) to analyze the histogram (500) and determine whether the file (100) contains a virus. The P-code can also decide to extend (728) emulation. The HGM (436) is also used to detect (822) the presence of dummy loops during virus decryption.
REFERENCES:
patent: 5696822 (1997-12-01), Nachenberg
patent: 5712583 (1998-01-01), Frankeny
patent: 5796989 (1998-08-01), Morley et al.
patent: 5826013 (1998-10-01), Nachenberg
patent: 5964889 (1999-10-01), Nachenberg
patent: 6067410 (2000-05-01), Nachenberg
patent: 6088803 (2000-07-01), Tso et al.
patent: WO 99/15966 (1999-04-01), None
Parkhouse, Jayne, “Pelican SafeTNet 2.0” [online], Jun. 2000, SC Magazine Product Review, [retrieved on Dec. 1, 2003]. Retrieved from the Internet: <URL: http://www.scmagazine.com/scmagazine/standalone/pelican/sc_pelican.html>.
Padawer, “Microsoft P-Code Technology,” [online]. Apr. 1992 [retrieved on Nov. 13, 2003]. Retrieved from the Internet: <URL: http://msdn.Microsoft.com/archive/en-us/dnarvc/html/msdn_c7pcode2.asp?frame=true.>, 6 pages.
“Frequently Asked Questions on Virus-L/comp.virus,” [online]. Oct. 9, 1995 [retrieved on Nov. 25, 2003]. Retrieved from the Internet: <URL: http://www.claws-and-paws.com/virus/faqs/vlfaq200.shtml>, 53 pages.
LeCharlier et al., “Dynamic Detection and Classification of Computer Viruses Using General Behaviour Patterns,” Proceedings of the Fifth International Virus Bulletin Conference, Boston, Mass., Sep. 20-22, 1995, 22 pages.
McCanne et al., “The BSD Packet Filter: A new Architecture for User-level Packet Capture,” Preprint Dec. 19, 1992, 1993 Winter USENIX conference, San Diego, California, Jan. 25-29, 1993, 11 pages.
Leitold et al., “VIRus Searching and KILling Language,” Proceedings of the Second International Virus Bulletin Conference, Sep. 1992, 15 pages.
Taubes, “An Immune System for Cyberspace,” Think Research [online], vol. 34, No. 4, 1996 [retrieved on Dec. 15, 2003]. Retrieved from the Internet: <URL: http://domino.research.ibm.com/comm./wwwr_thinkresearch.nsf/pages/antivirus496.html>, 9 pages.
Ször, “Memory Scanning Under Windows NT,” Virus Bulletin Conference, Sep. 1999, 22 pages.
Ször, “Attacks on Win32,” Virus Bulletin Conference, Oct. 1998, 84 pages.
Nachenberg, “A New Technique for Detecting Polymorphic Computer Viruses,” Thesis, University of Los Angeles, 132 pages, 1995.
PCT International Search Report, International Application No. PCT/US01/08058, Aug. 30, 2002, 4 pages.
PCT International Search Report, International Application No. PCT/US03/16445, Sep. 10, 2003, 4 pages.
Barrón Gilberto
Fenwick+West LLP
Gurshman Grigory
Symantec Corporation
Title: Histogram-based virus detection