Information security – Monitoring or scanning of software or data including attack...
Reexamination Certificate
2006-01-12
2011-11-01
Lanier, Benjamin (Department: 2432)
Information security
Monitoring or scanning of software or data including attack...
Reexamination Certificate
active
08051479
ABSTRACT:
The invention is a method and apparatus for detecting shellcode such that a set of computer instructions is scanned for the presence of a null operation instruction. The computer instructions are also examined for the presence of a system call instruction, and reviewed for the presence of a decoder instruction set. A null operation weight value is then determined corresponding to the null operation instruction. Also assessed is a system call weight value corresponding to the system call instruction. In addition, a decoder weight value is calculated corresponding to the decoder instruction set. The null operation weight value, the system call weight value, and the decoder weight value are then analyzed to identify a shellcode.
REFERENCES:
patent: 5557742 (1996-09-01), Smaha et al.
patent: 5621889 (1997-04-01), Lermuzeaux et al.
patent: 5769942 (1998-06-01), Maeda
patent: 5798706 (1998-08-01), Kraemer et al.
patent: 5805801 (1998-09-01), Holloway et al.
patent: 5812763 (1998-09-01), Teng
patent: 5864683 (1999-01-01), Boebert et al.
patent: 5892903 (1999-04-01), Klaus
patent: 5898830 (1999-04-01), Wesinger, Jr. et al.
patent: 5905859 (1999-05-01), Holloway et al.
patent: 5919257 (1999-07-01), Trostle
patent: 5919258 (1999-07-01), Kayashima et al.
patent: 5940591 (1999-08-01), Boyle et al.
patent: 6052788 (2000-04-01), Wesinger, Jr. et al.
patent: 6088804 (2000-07-01), Hill et al.
patent: 6119236 (2000-09-01), Shipley
patent: 6154844 (2000-11-01), Touboul et al.
patent: 6178509 (2001-01-01), Nardone et al.
patent: 6185678 (2001-02-01), Arbaugh et al.
patent: 6185689 (2001-02-01), Todd, Sr. et al.
patent: 6243815 (2001-06-01), Antur et al.
patent: 6301699 (2001-10-01), Hollander et al.
patent: 6513122 (2003-01-01), Magdych et al.
patent: 7007301 (2006-02-01), Crosbie et al.
patent: 7409717 (2008-08-01), Szor
patent: 7904955 (2011-03-01), Bu et al.
patent: 2006/0069912 (2006-03-01), Zheng et al.
U.S. Appl. No. 11/450,110, filed Jun. 9, 2006.
Office Action Summary from U.S. Appl. No. 10/172,138 mailed on Aug. 11, 2009.
Office Action Seminary from U.S. Appl. No. 10/172,138 mailed on Jan. 25, 2010.
Final Office Action Summary from U.S. Appl. No. 10/172,138 mailed on May 21, 2010.
Notice of Allowance from U.S. Appl. No. 10/172,138, dated Nov. 4, 2010.
Giovanni Vigna, et al., “NetSTAT: A Network-Based Intrusion Detection System,” Department of Computer Science, University of California Santa Barbara, pp. 1-46. Supported under Agreement No. F30602-97-1-0207, 1999 .
Y. F. Jou, et al., and S.F. Wu, et al., “Design and Implementation of a Scalable Intrusion Detection System for the Protection of Network Infrastructure,” Advanced Networking Research, MCNC, RTP, NC, et al., pp. 15, 2000.
Ivan Krsul, “Computer Vulnerability Analysis Thesis Proposal,” The COAST Laboratory, Department of Computer Sciences, Purdue University, IN, Technical Report CSD-TR-97-026. Apr. 15, 1997, pp. 1-23.
Matt Bishop, “Vulnerabilities Analysis,” Department of Computer Science, University of California at Davis, pp. 1-12.
Matt Bishop, “A Taxonomy of UNIX System and Network Vulnerabilities,” CSE-95-10, May 1995, pp. 17.
Matt Bishop, et al., “A Critical Analysis of Vulnerability Taxonomies,” CSE-96-11, Sep. 1996, pp. 1-14.
Dawn X. Song, et al., “Advanced and Authenticated Marking Schemes for IP Traceback,” Report No. UCB/CSD-00-II07, Computer Science Division (EECS), University of California, Berkeley, Jun. 2000, pp. 1-11.
Chien-Lung Wu, et al., IPSec/PHIL (Packet Header Information List): Design, Implementation, and Evaluation, NC State University, Raleigh, NC, et al., pp. 6, 2002.
Allison Mankin, et al., “On Design and Evaluation of “IntentionDriven” ICMP Traceback,” USC/ISI, et al., pp. 7, 2002.
Brian Carrier, et al., “A Recursive Session Token Protocol for Use in Computer Forensic and TCP Traceback,” CERIAS, Purdue University, West Lafayette, IN, et al., 2002 IEEE, pp. 7.
Stefan Savage, et al., “Practical Network Support for IP Traceback,” Department of Computer Science and Engineering, University of Washington, Seattle, WA. Copyright 2000, pp. 12.
Diheng Qu, et al., “Statistical Anomaly Detection for Link-State Routing Protocols,” Computer Science Department, North Carolina State University, Raleigh, NC, et al., Supported under Contract No. F30602-96-C-0325,pp. 9, 2002.
Office Action Summary from U.S. Appl. No. 11/450,110 mailed on Jan. 6, 2010.
Office Action Summary from U.S. Appl. No. 11/450,110 mailed on Jul. 8, 2010.
Office Action Summary from U.S. Appl. No. 11/450,110 mailed on Sep. 23, 2010.
Bu Zheng
Gong Fengmin
Lanier Benjamin
McAfee, Inc.
Wong, Cabello, Lutsch, Rutherford & Brucculeri L.L.P.
LandOfFree
Method and apparatus for detecting shellcode does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and apparatus for detecting shellcode, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and apparatus for detecting shellcode will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-4275876