Information security – Monitoring or scanning of software or data including attack...
Reexamination Certificate
2007-04-30
2010-12-14
Moore, Ian N (Department: 2491)
C726S023000, C726S024000, C726S025000, C713S188000, C717S152000
active
07854002
ABSTRACT:
Spyware programs are detected, even if their binary code is modified, by normalizing the available code and comparing it to known spyware patterns. Upon normalizing the known spyware code patterns, a signature of the normalized code is generated. Similar normalization techniques are employed to reduce the executable binary code as well. A match between the normalized spyware signature and the patterns in the normalized executable code is analyzed to determine whether the executable code includes known spyware. For pattern matching, a Deterministic Finite Automaton (DFA) is constructed for basic blocks and simulated on the basic blocks of the target executable; hash codes are generated for instructions in the target code and the known spyware code and compared; register usages are replaced with common variables and compared; and finally Directed Acyclic Graphs (DAGs) of all blocks are constructed and compared to catch reordering of mutually independent instructions and renamed variables.
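The sketch below is an added illustration, not code from the patent or its authors. It covers only two of the steps the abstract names: replacing register usages with common variables and comparing per-instruction hash codes. The register set, the sliding-window comparison, the truncated SHA-256 hash and all sample instruction blocks are assumptions constructed for this example.

```python
import hashlib
import re

# Assumed subset of x86 general-purpose registers (illustrative only).
REGISTERS = {"eax", "ebx", "ecx", "edx", "esi", "edi"}
TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|[A-Za-z_]\w*|[\[\]+*-]")


def normalize_block(instructions):
    """Replace each register with V0, V1, ... in order of first use in the block."""
    names = {}
    out = []
    for ins in instructions:
        toks = []
        for tok in TOKEN.findall(ins.lower()):
            if tok in REGISTERS:
                tok = names.setdefault(tok, f"V{len(names)}")
            toks.append(tok)
        out.append(" ".join(toks))
    return out


def block_hashes(instructions):
    """One short hash code per normalized instruction."""
    return [hashlib.sha256(i.encode()).hexdigest()[:16]
            for i in normalize_block(instructions)]


def find_signature(target_block, signature):
    """Return the offset where the signature matches, or -1.
    Each window is normalized on its own so that unrelated leading
    instructions do not shift the variable numbering."""
    sig = block_hashes(signature)
    n = len(sig)
    if n == 0:
        return -1
    for i in range(len(target_block) - n + 1):
        if block_hashes(target_block[i:i + n]) == sig:
            return i
    return -1


# Constructed sample data: a known pattern, a variant with renamed
# registers plus surrounding instructions, and a look-alike whose
# operand roles differ.
KNOWN_PATTERN = ["mov eax, [ebx+8]", "xor eax, 0x5A",
                 "add ecx, eax", "mov [ebx+8], ecx"]
VARIANT = ["push esi", "mov edx, [edi+8]", "xor edx, 0x5a",
           "add esi, edx", "mov [edi+8], esi", "pop esi"]
LOOKALIKE = ["mov eax, [ebx+8]", "xor eax, 0x5A",
             "add eax, ecx", "mov [ebx+8], ecx"]

if __name__ == "__main__":
    print(find_signature(VARIANT, KNOWN_PATTERN))    # offset of the match
    print(find_signature(LOOKALIKE, KNOWN_PATTERN))  # no match
```

Because variables are numbered by role rather than by name, the renamed variant matches while the look-alike, which swaps the operands of `add`, does not.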
REFERENCES:
patent: 5278901 (1994-01-01), Shieh et al.
patent: 6292938 (2001-09-01), Sarkar et al.
patent: 7114185 (2006-09-01), Moore et al.
patent: 7409717 (2008-08-01), Szor
patent: 7624449 (2009-11-01), Perriot
patent: 2004/0172551 (2004-09-01), Fielding et al.
patent: 2005/0028002 (2005-02-01), Christodorescu et al.
patent: 2005/0177736 (2005-08-01), de los Santos et al.
patent: 2005/0278781 (2005-12-01), Zhao et al.
patent: 2006/0005241 (2006-01-01), Zhao et al.
patent: 2006/0107055 (2006-05-01), Panwar et al.
patent: 2006/0156397 (2006-07-01), Daj
patent: 2006/0161560 (2006-07-01), Khandelwal et al.
patent: 2006/0230453 (2006-10-01), Flynn et al.
patent: 2007/0016952 (2007-01-01), Stevens
patent: 2007/0016953 (2007-01-01), Morris et al.
patent: 2007/0028110 (2007-02-01), Brennan
patent: 2008/0071783 (2008-03-01), Langmead et al.
Bruschi, D., Lorenzo, M., Monga, M., “Using Code Normalization for Fighting Self-Mutating Malware”, Department of Computer Science, University of Milan, Technical Report, Aug. 2006.
Wang, T., Horng, S., Su, M., Wu, C., Wang, P., Su, W., “A Surveillance Spyware Detection System Based on Data Mining Methods”, IEEE Conf. Proc. on Evolutionary Computation, Vancouver, BC, Canada, Jul. 2006.
Stolfo et al., “Fileprint Analysis for Malware Detection”, http://worminator.cs.columbia.edu/papers/2005/WormPaper-Final.pdf, Jun. 19, 2005, 12 pp.
Kirda et al., “Behavior-based Spyware Detection”, https://www.cs.ucsb.edu/research/tech_reports/reports/2006-03.pdf, Mar. 2006, 24 pp.
Bozagac, “Application of Data Mining based Malicious Code Detection Techniques for Detecting new Spyware”, http://www.cs.bilkent.edu.tr/~guvenir/courses/cs550/Workshop/Cumhur_Doruk_Bozagac.pdf, retrieved Feb. 2007, 8 pp.
Akella SriSatya Aravind
Bendapudi Perraju
Jalan Rajesh
Mohanan Harish
Lagor Alexander
Merchant & Gould P.C.
Microsoft Corporation
Moore Ian N
Pattern matching for spyware detection