CN1476554A - 分析型虚拟机 - Google Patents
- Publication number: CN1476554A (application number CNA018179142A)
- Authority: CN (China)
- Prior art keywords: behavior, code, virtual machine, computer code, entry point
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F21/562—Static detection > G06F21/563—Static detection by source code analysis
Abstract
An analytical virtual machine (AVM) analyzes computer code using a software processor that includes a register for storing behavior flags, which represent behaviors identified by virtually executing the code within the virtual machine. The AVM includes a sequencer that stores the sequence in which behavior flags were set in the behavior flag register. The AVM analyzes the behavior of the code under analysis by simulating its execution on a fully virtual machine and recording the behaviors observed. When simulation and analysis are complete, the AVM returns the behavior flag register and the sequencer to the real machine and terminates.
Description
Priority claim and related applications
This application claims priority from U.S. provisional patent application Serial No. 60/242,939, filed October 24, 2000, which is incorporated herein by reference in its entirety. This application is related to U.S. patent application Serial No. 09/642,625, filed August 18, 2000, which is incorporated herein by reference in its entirety.
Technical field
The present invention relates to virtual machine systems, and in particular to virtual machine systems suited to automated code analysis, including the analysis of data presented to a computer system that contains executable programs.
Background art
Detecting malicious code, including programs such as viruses, has been a general concern throughout the personal-computer era. With the growth of communication networks such as the Internet and the expansion of data exchange, including the rapid growth of e-mail communication, infection of computers through communication or file exchange has become an increasingly significant problem. Infections take many forms but are usually associated with computer viruses, Trojan horse programs or other forms of malicious code. Recent virus attacks launched through e-mail have been remarkable for both their speed of propagation and the scope of the damage, causing service problems for Internet service providers (ISPs) and companies of every kind and depriving them of the ability to send e-mail. In many cases the effort needed to adequately prevent infection through file exchange or e-mail is very inconvenient for computer users. Better strategies for detecting and handling virus attacks are desirable.
One conventional method of virus detection is signature scanning. A signature-scanning system uses sample code patterns extracted from known malicious code and scans other program code for occurrences of those patterns. The program code being scanned is sometimes first decrypted by emulation, and the resulting code is then scanned for signatures or function signatures. The chief limitation of signature scanning is that it can only detect known malicious code: only code that matches a stored sample signature of known malicious code is identified as infected. Every previously unidentified virus or piece of malicious code, and everything created after the last update of the signature database, goes undetected. The method therefore cannot detect newly created viruses, nor viruses whose code has been rewritten so that the signature previously extracted and stored in the database no longer matches.
Signature analysis also fails to identify a virus when the signature is not aligned in the code in the expected way. Alternatively, a virus author may obscure the identity of the virus through opcode substitution or by inserting dummy or random code into the virus functions. Worthless code can likewise be inserted to alter the virus signature just enough that the signature scanner no longer detects it, without weakening the virus's ability to propagate and deliver its payload.
Another virus-detection strategy is integrity checking. An integrity-checking system extracts code samples from known benign application code. The samples are stored together with information from the program file such as the executable header, the file length and the creation date and time. Program files are checked against this database at intervals to ensure that they have not been modified. A major drawback of integrity-checking virus detection is that it raises a large number of virus-activity warnings whenever an application is modified for any reason. When a user upgrades the operating system or installs or upgrades application software, for example, the integrity checker produces a long list of modified files, and the user has difficulty determining when a warning represents a genuine attack on the computer system.
Checksum-monitoring systems detect viruses by generating a cyclic redundancy check (CRC) value for each program file. A modification of a program file is detected as a change in its CRC value. Compared with integrity checking, checksum monitoring has the advantage that malicious code finds it harder to evade. On the other hand, checksum monitoring shows the same limitation as integrity checking, since it also raises many false warnings and it is hard to tell which warnings represent real viruses or infections.
Behavior-interception systems detect virus activity by interacting with the operating system of the target computer and monitoring for potentially malicious behavior. When such behavior is detected, the operation is blocked and the user is notified that a potentially dangerous operation is about to take place. The user may then permit the potentially malicious code to perform the operation. This makes behavior interception somewhat unreliable, because the effectiveness of the system depends on user input. In addition, a resident behavior-interception system is sometimes detected and disabled by the malicious code itself.
Another conventional strategy for detecting infection uses decoy files. It is usually combined with other virus-detection strategies to detect an existing, active infection, meaning that malicious code is currently running on the target computer and modifying files. Modification of a decoy file indicates that a virus has been detected. Many viruses, however, are aware of decoy files and will not modify files that are too small, that are obviously decoys from their structure, or whose names contain predetermined content.
Clearly, better methods for detecting viruses and other types of malicious code are needed.
The present invention makes use of certain features of virtual machine technology. The concept of a "virtual machine" is known in the art, and virtual machines have a variety of uses. Their advantages include the ability to execute code that would not otherwise run on the hardware platform at hand, such as code designed for a different hardware platform. Virtual machine technology is also applied in multi-user and multi-processing systems in which each process runs inside its own virtual machine.
Virtual machines have been applied to a variety of computing functions, such as the interface between computer hardware and high-level languages (HLL) (U.S. Patent No. 5,872,978 to Hoskins), the networking of real machines to form a parallel processor (U.S. Patent No. 5,774,727 to Walsh et al.), and the creation of multitasking or multi-user computing environments (U.S. Patent No. 4,400,769 to Kaneda et al.). Virtual machines are also used where cross-platform portability of HLL code is required (U.S. Patent No. 6,118,940 to Alexander, III et al.).
Summary of the invention
One object of the present invention is to provide a virtual machine system for behavior analysis of computer code, the virtual machine system having a software processor. The processor stores a behavior record comprising behavior flags that represent computer code behaviors observed by virtually executing the computer code under analysis within the virtual machine. A sequencer stores the sequence in which behavior flags were set in the behavior record during virtual execution of the computer code under analysis. Simulated memory and a simulated operating system representing the host real computer system are provided, and the computer code under analysis interacts with the simulated memory and simulated operating system to generate the behavior flags. Before the virtual machine terminates, it passes data representing the behavior record to the host real computer system.
Another object of the present invention is to provide a virtual machine system for behavior analysis of computer code that has a software processor. The virtual machine includes a register or structure for storing behavior flags that represent computer code behaviors observed by virtually executing the computer code under analysis within the virtual machine. The virtual machine further includes a register or structure for storing the sequence in which behavior flags were set in the behavior flag register or structure. A register or structure stores all entry points into the computer code under analysis within the virtual machine. A structure stores interrupt vector addresses pointing to interrupt service routines that are loaded, when the virtual machine is initialized, into memory reserved by the virtual machine. One memory structure simulates input and output ports, and another simulates processor memory. One or more operating system simulation shells simulate the values returned by the real operating system under which the computer code under analysis would operate.
Brief description of the drawings
Fig. 1 illustrates the configuration of an analytical virtual machine loaded with a DOS MZ-type executable or binary file.
Fig. 2 illustrates the configuration of an analytical virtual machine loaded with high-level-language (HLL) program code.
Fig. 3 illustrates the configuration of an analytical virtual machine running PE, NE or LE Windows executable code.
Fig. 4 shows the memory images of an analytical virtual machine running a binary (COM or SYS) executable and of one running a Visual Basic (VB) executable.
Figs. 5A and 5B outline the table of behavior patterns, the sequencer and the entry-point structure generated by a preferred embodiment of the analytical virtual machine.
Fig. 6 shows a simplified process flow diagram of a preferred embodiment of the analytical virtual machine executing binary machine code.
Fig. 7 shows a simplified process flow diagram of a preferred embodiment of the analytical virtual machine executing an HLL.
Detailed description
Preferred embodiments of the present invention provide an analytical virtual machine (AVM) system that executes program code inside a simulated computer system in a manner similar to the way the code would execute in a real computer system. Preferred embodiments of the AVM allow no physical input or output to occur and no interaction of any kind between the program code under analysis and the real, physical computer system. Instead, input and output operations, system calls and instructions are simulated in a way that is transparent to the code under analysis. While the code being analyzed executes, system functions, operating system application programming interface (API) calls, input and output commands, and changes to predefined memory locations are recorded by the AVM. Preferably the AVM returns the recorded data to the real computer system as a behavior pattern together with a sequence structure that represents the order in which the behavior pattern bits were set during virtual execution.
The analytical virtual machine (AVM) described here is intended for automated analysis of code function and for behavior extraction. "Code" means binary machine code or a high-level language (HLL) in tokenized or source-text form. The AVM executes the code under analysis from each entry point in the entry-point table passed to it. While virtually executing the code, the AVM monitors system calls, input/output (I/O) operations and memory accesses. Both machine-language and high-level-language instructions are executed within the AVM's simulated central processing unit (CPU). Operating system functions called by the application code, the I/O port reads and writes it performs, and its memory reads and writes are all simulated within the AVM environment.
Earlier analysis systems scan code without virtual execution. In such systems the application code is scanned for function calls or object-code fragments (U.S. Patent No. 5,440,723 to Arnold et al.). The scanning approach has several drawbacks. First, code pattern matching can fall out of step with the code that actually executes. Second, direct access to a function, i.e., access that does not pass through a recorded call structure, is not detected. Furthermore, control fields in memory that are filled in by code execution do not exist during a scan and therefore are not analyzed. Third, a writer of malicious code may disguise the real function of the code by inserting "junk" code into function templates or by calling functions in unconventional ways. Because of these drawbacks, scanning analysis systems leave much to be desired.
Preferred embodiments of the present invention use an analytical virtual machine as described here. Such a virtual machine executes the application code from every entry point, in step with the real program flow. With such a particularly preferred analytical virtual machine, an accurate representation of the functions contained in the application code can be obtained. "Junk" instructions no longer serve to disguise the code, and if the AVM is implemented in the particularly preferred way, so that it responds like a real machine, calling functions in unconventional ways becomes ineffective as well.
As described in detail below, using a virtual machine for code analysis, compared with a conventional native machine, has the advantage that the code is analyzed by executing it inside a safe environment. "Safe" here refers to the fact that the operating system, programs and data of the real computer system do not interact with the code under analysis and therefore cannot be damaged by it. Nonetheless, the analysis proceeds in step with normal code execution, as if the code were executing natively on a real processing system.
Accordingly, preferred embodiments of the analytical virtual machine can accommodate many operating systems and hardware platforms for simulation. The structure of the computing system can be modified flexibly, and the operation of the system can be monitored. In certain presently preferred embodiments the monitoring functions are embedded inside the AVM's virtual operating system in order to analyze the behavior of unknown program code. Fig. 1 shows a block diagram of a current embodiment of the AVM within a physical computer system. Like a compiler-based virtual machine, the AVM handles the flow of a code stream. Unlike a compiler-based virtual machine, the virtual operating system functions are invoked as the code executes.
Fig. 1 shows the structure of a computer system running an instance of the AVM that has been initialized to execute a DOS MZ-type executable or a DOS binary COM or SYS program, including the boot-sector loaders used by such programs. The area inside the box labeled 100 represents the real machine, i.e., the computer hardware including the physical central processing unit (CPU), physical memory, and the user input and output channels. The input and output channels include the keyboard, mouse, video display, disk drives and other peripherals connected to the processing unit. The operating system 102 is stored in physical memory together with the device drivers and applications in the course of execution, possibly inside other virtual machines. All such software is executed by the real central processing unit (CPU) 105. One device driver is shown in the block diagram: the file system hook device driver 101, which hooks into the file system of the real operating system and notifies the application that launches the AVM whenever a file stored on the hard disk drive has been modified.
The operating system software 102 resides in memory 106 and operates within the real machine 100. The application 103 that initializes the analytical virtual machine 200 and receives its results exists within the real machine and executes within the environment of operating system 102, as does the analytical virtual machine 200. After the analytical virtual machine 200 has been initialized, the application passes the entry points, the file type and a buffer containing the segment that holds the program's main entry point to the program loader preprocessor 211.
Once the virtual machine has been created, the application reserves a portion of physical memory 106 for the virtual machine's use. This memory block, labeled 210, resides in physical memory 106. The preprocessor 211 prepares the virtual memory block 210 for use by the analytical virtual machine and creates all the corresponding simulated operating system memory blocks: an interrupt vector table at virtual addresses 0000 to 1023, a DOS parameter area at virtual addresses 1024 to 1279, the program area, and memory reserved for the VGA display (mapped at segment 0a000h). The program loader preprocessor 211 creates the memory control blocks (MCBs) and then loads the entry-point code into this memory. In the simulated high memory area, above the 640K boundary of the basic IBM PC memory image, virtual interrupt service routines are created. All addresses referenced by the program code under analysis are remapped by the software memory mapper 207 to fit within this memory model.
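The memory model this paragraph lays out, as an added example that is not part of the patent: a constructed Python loader that reserves the 64000h-byte block, fills the interrupt vector table with vectors to interrupt-service stubs in simulated high memory, builds the PSP and DOS-style memory control blocks around the loaded program, and routes every access through a MemRemap-style fold into the reserved block, with a monitor that reports which region a write lands in. The PSP and stub segments, the display window, the stub contents and the folding rule are assumptions of this example, not values the patent gives.

```python
"""Constructed real-mode virtual memory image for an analytical VM.

Added example, not code from the patent. It builds the memory model the Fig. 1
loader description lists: a 409600-byte (64000h) reserved block, the interrupt
vector table at virtual 0000h-03FFh, the DOS parameter area at 0400h-04FFh, a
window for display-adapter segment A000h, interrupt-service stubs standing in
for the area above the 640K boundary, and the rest carved into blocks headed by
DOS-style memory control blocks (MCBs). The PSP segment, the stub segment, the
window placement and the rule that folds 20-bit addresses into the block are
assumptions of this example.
"""
import struct

VM_SIZE = 0x64000                  # reserved host memory block used as virtual memory
IVT = (0x00000, 0x00400)           # 256 vectors x 4 bytes (offset, segment)
DOS_PARAM = (0x00400, 0x00500)     # "DOS parameter area", virtual 1024..1279
PSP_SEG = 0x0100                   # assumed: PSP at linear 1000h, COM code at PSP:0100h
VGA_WINDOW = (0x54000, 0x5C000)    # assumed fold target for segment A000h (32 KiB)
ISR_STUBS = (0x5C000, 0x5D000)     # assumed: 256 stubs x 16 bytes, stand-in for "above 640K"
ISR_STUB_SEG = 0xA800              # assumed segment that the IVT vectors point at
CONVENTIONAL_END = VGA_WINDOW[0]   # MCB-managed memory runs up to here
REGIONS = [("IVT", IVT), ("DOS_PARAM", DOS_PARAM), ("VGA", VGA_WINDOW), ("ISR_STUBS", ISR_STUBS)]
MCB_FMT = "<cHH3x8s"               # signature, owner PSP segment, size in paragraphs, name


def linear(seg, off):
    """Real-mode segment:offset to a 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def remap(lin):
    """MemRemap: fold a 20-bit address into the reserved block (fold rule assumed)."""
    if 0xA0000 <= lin < 0xA8000:
        return VGA_WINDOW[0] + (lin - 0xA0000)
    if 0xA8000 <= lin < 0xA9000:
        return ISR_STUBS[0] + (lin - 0xA8000)
    return lin % CONVENTIONAL_END      # identity below 54000h; anything else wraps


def region_of(lin):
    for name, (lo, hi) in REGIONS:
        if lo <= lin < hi:
            return name
    psp = PSP_SEG << 4
    return "PSP" if psp <= lin < psp + 0x100 else "MCB_BLOCK"


class RealModeImage:
    def __init__(self, program):
        self.mem = bytearray(VM_SIZE)
        self.touched = []                          # monitored writes: (region, address)
        self._init_ivt()
        self._init_mcbs(program)
        self.entry = (PSP_SEG, 0x100)              # CS:IP of a COM-style program

    def _init_ivt(self):
        # Every vector points at its own 16-byte stub in the simulated high memory.
        # The stub body is just IRET; an emulator that sees a fetch from the stub
        # area diverts to its interrupt-service simulator (assumed convention).
        for vec in range(256):
            struct.pack_into("<HH", self.mem, vec * 4, vec * 16, ISR_STUB_SEG)
            self.mem[remap(linear(ISR_STUB_SEG, vec * 16))] = 0xCF

    def _init_mcbs(self, program):
        prog_paras = (0x100 + len(program) + 15) // 16        # PSP + code, in paragraphs
        mcb_seg = PSP_SEG - 1                                  # an MCB sits one paragraph below its block
        struct.pack_into(MCB_FMT, self.mem, mcb_seg << 4, b"M", PSP_SEG, prog_paras, b"AVMPROG\0")
        self.mem[linear(PSP_SEG, 0):linear(PSP_SEG, 2)] = b"\xCD\x20"       # a PSP begins with INT 20h
        self.mem[linear(PSP_SEG, 0x100):linear(PSP_SEG, 0x100) + len(program)] = program
        free_seg = PSP_SEG + prog_paras                        # the remainder is one free block
        free_paras = (CONVENTIONAL_END >> 4) - free_seg - 1
        struct.pack_into(MCB_FMT, self.mem, free_seg << 4, b"Z", 0, free_paras, b"\0" * 8)

    def walk_mcbs(self):
        """Yield (signature, owner, paragraphs) along the chain; 'Z' marks the last block."""
        seg = PSP_SEG - 1
        while True:
            sig, owner, paras, _ = struct.unpack_from(MCB_FMT, self.mem, seg << 4)
            yield sig, owner, paras
            if sig == b"Z":
                return
            seg += paras + 1

    def vector(self, n):
        return struct.unpack_from("<HH", self.mem, n * 4)

    def read16(self, seg, off):
        return struct.unpack_from("<H", self.mem, remap(linear(seg, off)))[0]

    def write16(self, seg, off, value):
        """Write through the remapper and report which region was touched."""
        lin = remap(linear(seg, off))
        struct.pack_into("<H", self.mem, lin, value)
        region = region_of(lin)
        self.touched.append((region, lin))
        return region
```

Walking the MCB chain is how DOS itself finds and sizes memory blocks, so a sample that inspects or corrupts MCBs sees a consistent structure, and a write that `write16` reports as `IVT` is exactly the event the description says the address remapper watches for.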
After the program loader 211 has finished initializing the virtual DOS memory model, the virtual CPU 205 begins fetching program instructions through the prefetch mechanism 203. Depending on the ModR/M byte of each instruction fetched and decoded by the software instruction decoder 204 (the byte that follows the opcode), the software or virtual CPU fetches operands from the register stack 206 or from virtual memory 210, using the data fetch mechanism 208 and the memory mapper 207.
The software CPU 205 performs the desired operation on the data and writes the result back to the destination determined by the ModR/M byte. Operating system functions that are referenced are simulated in the operating system simulator 201. Interrupt services are simulated in the interrupt service simulator 212, with the vectors stored at addresses 0000 to 1023 of virtual memory 210. The interrupt services in the high memory area act as the link between the interrupt vector table and the simulated interrupt services 212. Memory block 210 also contains the system stack and the application code stack. These are not shown, because they are created at addresses contained within the application code under analysis and differ from one application to another. If the ModR/M control byte indicates that data must be fetched from the virtual stack area reserved in memory 210, this is done.
The software CPU 205 has a prefetch mechanism 203 and an instruction decoder 204. As instructions are fetched, decoded and executed, the program code under analysis exercises the simulated functions. The execution of each simulated function sets and resets flags in the behavior flag register 209, and the sequence in which these operations occur is recorded in the sequencer 213. The resulting behavior flag pattern, together with the sequencer structure, is passed to the application that launched the analytical virtual machine. In the presently preferred embodiment the analytical virtual machine then terminates.
The process is further illustrated with reference to Fig. 6, which shows a block diagram of the flow within a preferred embodiment of the AVM. Fig. 6, like the other figures, illustrates a preferred embodiment and does not limit the scope of the invention. The program loader preprocessor function is shown at the upper left. The application passes the file type, the code length, the entry-point offset, a buffer of length "len" containing the entire entry-segment code, and the SS (stack segment), SP (stack pointer), CS (code segment) and IP (instruction pointer) register values contained in the executable file. The loader preprocessor then reserves a block of physical memory for the AVM to use as virtual memory. At present the size of the memory block reserved for virtual memory is limited to 64000h bytes (409600 decimal). The size of virtual memory is, however, unrelated to the operation of the AVM and should not be regarded as a limitation.
The virtual memory image is initialized to contain the interrupt vector table, the BIOS parameter area, the DOS parameter area, the environment string table, the program segment prefix (PSP) and the display adapter memory block (mapped at 0a000h). Above the display adapter memory block an area is reserved in which an interrupt service routine (ISR) is created for each of the 256 vectors held in the 1024-byte interrupt vector table (IVT). The remaining memory is then configured as memory blocks controlled by memory control blocks (MCBs). The entry-segment code passed to the AVM by the controlling application is placed in an MCB memory block in virtual memory. Next, the virtual processor's segment registers SS, ES, DS, CS, GS and FS are initialized with values that depend on the type of executable code placed in virtual memory, and the register stack EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI and the flags register are initialized. The monitoring functions that set and reset flags in the behavior register are embedded in the individual operating system calls, interrupt calls and API calls, as well as in the address remapper and the interrupt service routines. During each subsequent instruction processing cycle a check is made whether the maximum permitted CPU time has been exceeded. This virtual CPU time limit is preferably enforced to break deadlock conditions in which the code under analysis drives the AVM into an infinite loop. The CPU time limit must be configured with care, so that long decryption or polymorphic loops can still be processed instead of being cut off as deadlocks.
The IP register points to the entry point in virtual memory. At this point in virtual execution the virtual CPU begins filling a 12-byte prefetch queue. Bytes are decoded according to the Intel Pentium instruction set reference, and the first byte in the 12-byte queue determines the function of the instruction word, which may be an operation, an interrupt call or an operating system API call. In embodiments for other processors, other instruction set references apply and the specific details differ; from this discussion it will be apparent how to implement the analytical virtual machine for different processor and operating system embodiments.
When an operation is executed, the FetchData procedure is called, which retrieves the correct data from virtual memory, from the prefetch queue or from the processor's registers, depending on the value of the ModR/M byte stored in the second byte of the prefetch queue. The retrieved data is processed, for example by addition, division, multiplication or any of the many other arithmetic or logical operators that can be applied to data. The SetFlags procedure is then called; it evaluates the result of the operation and sets the flags in the virtual flags register accordingly. The SetSign procedure adjusts the sign of the result. The MemRemap procedure takes as its input the address of a destination in virtual memory and remaps it to fit within the 409600 bytes reserved for virtual memory. Modifications of the address space are monitored in the MemRemap procedure.
When an interrupt call is made, the call index is passed to a procedure that transfers control to the corresponding interrupt service routine by looking up its address in the interrupt vector table (IVT). Analysis then continues with the corresponding interrupt service routine executing in the virtual BIOS, the virtual DOS, the virtual DPMI, the virtual Windows (native API) or, if the code under analysis has modified the IVT to point at one of its own procedures, in that code itself. The interrupt function is monitored within the corresponding procedure.
When an API call is made, the call is passed to a procedure that attaches the relevant ordinal to the call and transfers control to the virtual API. This virtual API consists of procedures that simulate the responses of the real operating system API rather than its functionality. The API function is monitored within each API procedure. The API functions modify areas of virtual memory so that later virtual API calls can read back correct and expected results.
This sequence of events continues until a terminate-program system call is encountered or a far jump outside the current segment is executed. Whenever a branch instruction is encountered, the AVM takes the branch the original programmer intended, but the other end of the branch is stored in the entry-point table together with the condition used in the branch instruction. The entry-point table is traversed and code is executed from each entry point in it; duplicates are not permitted in the entry-point table. When all entry points have been processed, the resulting behavior pattern is returned, together with the sequencer structure, to the calling application, the AVM stops, and the reserved memory block is released. The calling program within the real computer system can then examine the behavior pattern and the sequencer to evaluate the code the AVM analyzed.
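The real-mode loop described above (Fig. 1 and Fig. 6), as an added example that is not part of the patent: a constructed Python analytical VM for a handful of 16-bit x86 opcodes with an emulated DOS/BIOS interrupt layer. It shows the pieces together: a behavior flag register, a sequencer that records the order of flag events, an entry-point table that receives the untaken end of each conditional branch with its condition, a write monitor on the interrupt vector table, and the cycle cap that breaks infinite loops. Opcode coverage, flag names and the sample COM image are assumptions of this example, and memory is simplified to one flat 64 KiB segment with the IVT at its start.

```python
"""Toy real-mode analytical VM for a small 16-bit x86 subset.

Added example, not code from the patent. It implements the loop the Fig. 1 and
Fig. 6 descriptions walk through: a software CPU decoding bytes, a behavior flag
register plus a sequencer recording the order of flag events, an entry-point
table that receives the untaken end of each conditional branch with its
condition, an emulated DOS interrupt layer, monitoring of writes into the
interrupt vector table (virtual 0..1023) and a virtual-CPU cycle limit that
breaks infinite loops. Opcode subset, flag names and the sample COM image are
constructed; memory is one flat 64 KiB segment with the IVT at its start.
"""
from enum import IntFlag


class Behavior(IntFlag):
    FILE_CREATE = 1
    FILE_WRITE = 2
    FILE_DELETE = 4
    IVT_MODIFY = 8
    PROGRAM_EXIT = 16
    CPU_LIMIT = 32                  # virtual CPU time limit hit (deadlock breaker)


IVT_BYTES = 1024                    # interrupt vector table: virtual 0000h-03FFh
s8 = lambda b: b - 256 if b > 127 else b   # signed rel8 displacement of a short jump


class AnalyticalVM:
    def __init__(self, code, load_off=0x100, max_cycles=10_000):
        self.mem = bytearray(0x10000)
        self.mem[load_off:load_off + len(code)] = code
        self.max_cycles = max_cycles
        self.flags = Behavior(0)                   # behavior flag register
        self.sequence = []                         # sequencer: order of flag events
        self.entries = [(load_off, "main")]        # entry-point table: (offset, condition)
        self.seen = set()

    def mark(self, b):
        self.flags |= b
        self.sequence.append(b.name)

    def add_entry(self, off, condition):
        # no duplicates: skip an address that already ran or is already queued
        if off not in self.seen and all(off != e for e, _ in self.entries):
            self.entries.append((off, condition))

    def interrupt(self, vec, ax):
        """Emulated DOS INT 21h responses (constructed); returns (AX, terminated)."""
        ah = ax >> 8
        if vec == 0x21 and ah == 0x3C: self.mark(Behavior.FILE_CREATE); return 5, False  # create: handle 5
        if vec == 0x21 and ah == 0x40: self.mark(Behavior.FILE_WRITE); return ax, False   # write handle
        if vec == 0x21 and ah == 0x41: self.mark(Behavior.FILE_DELETE); return 0, False   # delete file
        if vec == 0x21 and ah == 0x4C: self.mark(Behavior.PROGRAM_EXIT); return ax, True  # terminate
        return ax, False                           # unknown service: no effect

    def execute_from(self, ip):
        """Software CPU: run one path until exit, ret, an undecoded opcode or the cycle limit."""
        m, ax, zf = self.mem, 0, False
        for _ in range(self.max_cycles):
            op = m[ip]
            if op == 0xB0: ax = (ax & 0xFF00) | m[ip + 1]; ip += 2             # mov al, imm8
            elif op == 0xB4: ax = (ax & 0x00FF) | (m[ip + 1] << 8); ip += 2    # mov ah, imm8
            elif op == 0x3C: zf = (ax & 0xFF) == m[ip + 1]; ip += 2            # cmp al, imm8
            elif op in (0x74, 0x75):                                           # jz / jnz rel8
                cond = "ZF=1" if op == 0x74 else "ZF=0"
                taken = zf if op == 0x74 else not zf
                target, fall = ip + 2 + s8(m[ip + 1]), ip + 2
                # take the branch as a real machine would; the other end becomes a new
                # entry point, tagged with the condition under which it would be reached
                other = "ZF=0" if cond == "ZF=1" else "ZF=1"
                self.add_entry(fall if taken else target, other if taken else cond)
                ip = target if taken else fall
            elif op == 0xEB: ip += 2 + s8(m[ip + 1])                           # jmp short rel8
            elif op == 0xA3:                                                   # mov [moffs16], ax
                off = m[ip + 1] | (m[ip + 2] << 8)
                m[off], m[(off + 1) & 0xFFFF] = ax & 0xFF, ax >> 8
                if off < IVT_BYTES: self.mark(Behavior.IVT_MODIFY)            # address monitor
                ip += 3
            elif op == 0xCD:                                                   # int imm8
                ax, done = self.interrupt(m[ip + 1], ax)
                if done: return
                ip += 2
            else: return                                                       # ret (C3) or undecoded
        self.mark(Behavior.CPU_LIMIT)

    def run(self):
        """Run every entry point, then hand the behavior record back to the host."""
        visited = []
        while self.entries:
            off, cond = self.entries.pop(0)
            if off in self.seen: continue
            self.seen.add(off); visited.append((off, cond))
            self.execute_from(off)
        return self.flags, self.sequence, visited


# Constructed sample COM image loaded at 0100h: the main path creates and writes a
# file and exits; the never-taken jz at 010Ch leads to code that overwrites the
# INT 21h vector and deletes a file, which a single native run would never reach.
SAMPLE_COM = bytes([
    0xB4, 0x3C, 0xCD, 0x21,        # 0100  mov ah,3Ch ; int 21h   (create file)
    0xB4, 0x40, 0xCD, 0x21,        # 0104  mov ah,40h ; int 21h   (write handle)
    0xB0, 0x01, 0x3C, 0x00,        # 0108  mov al,1   ; cmp al,0  (ZF=0)
    0x74, 0x04,                    # 010C  jz 0112h               (falls through)
    0xB4, 0x4C, 0xCD, 0x21,        # 010E  mov ah,4Ch ; int 21h   (terminate)
    0xA3, 0x84, 0x00,              # 0112  mov [0084h],ax         (INT 21h vector slot)
    0xB4, 0x41, 0xCD, 0x21,        # 0115  mov ah,41h ; int 21h   (delete file)
    0xC3,                          # 0119  ret
])
```

`AnalyticalVM(SAMPLE_COM).run()` yields the flags FILE_CREATE, FILE_WRITE, PROGRAM_EXIT, IVT_MODIFY and FILE_DELETE, with the sequencer in that order: the first three come from the path a real machine would take, the last two only because the untaken `jz` was queued as a second entry point with its condition `ZF=1`. The cycle cap is what turns a `jmp $` sample into a CPU_LIMIT flag instead of a hang.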
Fig. 2 shows the configuration of an AVM loaded with a code interpreter of a type suited to running a high-level language. The program loader 301 splits the program code into individual lines, indexes the program lines and places them in virtual memory 310. During this load operation, entry-point information is extracted from the code and placed in the entry-point table together with the program-line index referenced by each entry point. The variables used in the program code are extracted in a second pass of the AVM through the program code. The variables are stored in a variable structure in virtual memory 310 that holds the variable index, the variable type and the current value of the variable, all initialized to zero before simulation. The code interpreter 305 then takes control and begins fetching instructions from the first entry point in the entry-point table. Instructions are interpreted and either operate on variables in the variable structure, change the location from which instructions are fetched (jump instructions), call system services (open file, write file, and so on) or perform application programming interface (API) calls. System services are simulated in the service simulation process 312. The Calc.Next procedure 308 computes the next line number in memory 310, and the Fetch Next procedure 307 fetches the next instruction line from that line number. The behavior flag register 302 monitors the initialization of certain system variables, system services and API calls; these events set and reset bits in the behavior flag register 302. The sequence in which behavior register flags are set or reset is also recorded in the sequencer structure 309. The temporary store 306 holds the state of system services, which the application code may later reference.
The system performs this sequence of events for each instruction line and continues at each entry point in the code until all entry points in the entry-point table have been processed. The AVM then returns the behavior pattern, together with the sequencer structure, to the calling program and terminates. Fig. 7 further illustrates the process flow of the Fig. 2 instance of the AVM, showing the flow within the current AVM embodiment after the AVM has been initialized to interpret a high-level-language (HLL) program, such as VBScript code, and to extract its behavior pattern. A list of language-defining keywords and rules defines the language that the processing core interprets. Fig. 7 shows a keyword list that is a cross between VBA and VBS, but the processing core is not limited to these languages.
When the AVM of Fig. 7 is initialized, a 409600-byte (0x64000) block of real memory is reserved as virtual computer memory. The loader function initializes the memory and then loads the code buffer passed to it into virtual memory as individual lines, separated by carriage return (CR, 0Dh) or carriage return and line feed (CR LF = 0D 0Ah) character codes. The lines are indexed into a source structure, and each line is assigned an address. Processing of the source lines begins with pass 1, in which all entry points defined in the code, such as menu entries, auto-executing procedures and procedures attached to standard system functions, are placed in the entry-point table. In pass 2, all variables present in the code are extracted and placed in a variable structure in virtual memory. Each variable is stored as an address, a variable type, a variable name and a variable value.
The AVM processing core then begins fetching instructions from the first entry point into the code. Lines are decoded using the keyword list and the language rules. Variable references are retrieved from the variable structure line by line and processed, and the variable values are written back to their locations. Where an API call is made to perform an operating system function, the virtual API is referenced, the internal ordinal of the API function is looked up, the simulated function is executed and the simulated call value is returned to the HLL calling function. During execution the process flow causes flags in the behavior register 302 (Fig. 2) to be set or reset, and the sequence of these events is stored in the sequencer structure 309 (Fig. 2). This process continues until all entry points in the entry-point table have been processed, at which point the allocated memory is released, the behavior register value and the sequencer structure are returned to the application for analysis, and the AVM is terminated.
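The high-level-language mode described above (Fig. 2 and Fig. 7), as an added example that is not part of the patent: a constructed Python interpreter for a VBScript-flavored subset that performs the two loader passes, runs from every entry point, and answers object method calls from a virtual API that returns simulated objects rather than performing the operation, so that a later call on the returned object resolves the way the description says later API calls must read back expected results. The keyword subset, the auto-run procedure names, the virtual API table and the sample script are assumptions of this example.

```python
"""Toy high-level-language analytical VM for a VBScript-flavored subset.

Added example, not code from the patent. Following the Fig. 2 / Fig. 7
description: the loader splits the buffer into indexed lines (CR or CR LF
separated), pass 1 collects entry points (every Sub, auto-run names first),
pass 2 collects variables, and the interpreter runs from every entry point,
resolving object method calls against a virtual API that returns simulated
objects and recording behavior flags in order. Keyword subset, virtual API
table, auto-run names and the sample script are constructed.
"""
import re
from enum import IntFlag

class Behavior(IntFlag):
    OBJECT_CREATE = 1
    FILE_WRITE = 2
    REGISTRY_WRITE = 4
    PROCESS_SPAWN = 8

AUTO_RUN = {"autoopen", "document_open", "workbook_open"}   # assumed auto-executing Sub names
VIRTUAL_API = {   # simulated object kind -> method -> (behavior flag or None, object kind returned)
    "scripting.filesystemobject": {"createtextfile": (Behavior.FILE_WRITE, "textstream")},
    "textstream": {"write": (Behavior.FILE_WRITE, None), "close": (None, None)},
    "wscript.shell": {"regwrite": (Behavior.REGISTRY_WRITE, None), "run": (Behavior.PROCESS_SPAWN, None)},
}
RE_SUB = re.compile(r"^Sub\s+(\w+)", re.I)
RE_DIM = re.compile(r"^Dim\s+(.+)", re.I)
RE_SET = re.compile(r"^Set\s+(\w+)\s*=\s*(.+)", re.I)
RE_CREATE = re.compile(r"CreateObject\(\s*\"([^\"]+)\"\s*\)", re.I)
RE_METHOD = re.compile(r"^(\w+)\.(\w+)\b")
RE_CALL = re.compile(r"^(?:Call\s+)?(\w+)\s*$", re.I)

class HLLAnalyticalVM:
    def __init__(self, source):
        text = source.replace("\r\n", "\n").replace("\r", "\n")    # CR LF or bare CR separators
        self.lines = [ln.strip() for ln in text.split("\n")]       # indexed source structure
        self.subs, self.entries = {}, []                           # Sub index, entry-point table
        self.vars = {}                                             # variable structure
        self.flags, self.sequence = Behavior(0), []                # flag register, sequencer
        self._pass1(); self._pass2()

    def _pass1(self):           # entry points: every Sub, auto-run names first, no duplicates
        for idx, ln in enumerate(self.lines):
            m = RE_SUB.match(ln)
            if m and (name := m.group(1).lower()) not in self.subs:
                self.subs[name] = idx
                self.entries.insert(0 if name in AUTO_RUN else len(self.entries), (name, idx))

    def _pass2(self):           # declared variables, initialised empty before simulation
        for ln in self.lines:
            if m := RE_DIM.match(ln):
                for name in m.group(1).split(","):
                    self.vars[name.strip().lower()] = {"type": "Empty", "value": None}

    def mark(self, b):
        self.flags |= b
        self.sequence.append(b.name)

    def _invoke(self, obj, method):
        """Virtual API: return what the real method would, without doing what it does."""
        var = self.vars.get(obj.lower()) or {}
        spec = VIRTUAL_API.get(var.get("value"), {}).get(method.lower())
        if spec is None:
            return None
        flag, ret = spec
        if flag is not None:
            self.mark(flag)
        return {"type": "Object", "value": ret} if ret else None

    def _step(self, ln, depth):
        if not ln or ln.startswith("'") or RE_DIM.match(ln):
            return
        if m := RE_SET.match(ln):                       # Set x = CreateObject("...") / obj.Method(...)
            name, expr = m.group(1).lower(), m.group(2)
            if c := RE_CREATE.search(expr):
                self.mark(Behavior.OBJECT_CREATE)
                self.vars[name] = {"type": "Object", "value": c.group(1).lower()}
            elif c := RE_METHOD.match(expr):
                self.vars[name] = self._invoke(c.group(1), c.group(2)) or {"type": "Empty", "value": None}
        elif m := RE_METHOD.match(ln):                  # obj.Method args
            self._invoke(m.group(1), m.group(2))
        elif (m := RE_CALL.match(ln)) and m.group(1).lower() in self.subs and depth < 16:
            self._exec_sub(self.subs[m.group(1).lower()], depth + 1)   # depth cap: recursion guard

    def _exec_sub(self, start, depth=0):
        for ln in self.lines[start + 1:]:
            if ln.lower().startswith("end sub"):
                return
            self._step(ln, depth)

    def run(self):              # execute from every entry point, then hand the record back
        for _, idx in self.entries:
            self._exec_sub(idx)
        return self.flags, self.sequence

SAMPLE_SCRIPT = r"""' constructed sample: macro-style dropper skeleton
Dim fso, sh, ts
Sub Persist
    Set sh = CreateObject("WScript.Shell")
    sh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x", "C:\drop.vbs"
    sh.Run "wscript.exe C:\drop.vbs"
End Sub
Sub AutoOpen
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set ts = fso.CreateTextFile("C:\drop.vbs")
    ts.Write "payload"
    Call Persist
End Sub
"""
```

`HLLAnalyticalVM(SAMPLE_SCRIPT).run()` places `AutoOpen` ahead of `Persist` in the entry-point table, records OBJECT_CREATE, FILE_WRITE, FILE_WRITE, OBJECT_CREATE, REGISTRY_WRITE, PROCESS_SPAWN for the auto-run path and then the three `Persist` events again when that entry point is executed on its own. Because `ts` holds the simulated TextStream that `CreateTextFile` returned, the later `ts.Write` resolves; that is the state the virtual API has to keep for later calls to read back.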
In this embodiment, the analytical virtual machine according to the invention has three operating modes: high-level mode, protected mode and real mode. Real mode corresponds to operating systems such as DOS, and Figs. 1 and 6 illustrate the corresponding instance of the AVM. High-level mode can be used to analyze programs written in high-level languages such as Perl, Visual Basic or scripting languages; Figs. 2 and 7 illustrate the AVM in high-level mode.
A protected-mode instance of the AVM can be used to analyze 32-bit Windows code or Linux code. Fig. 3 illustrates the configuration of the AVM for protected mode. The structure and operation of the AVM of Fig. 3 are readily apparent from that illustration and from the detailed discussion of the high-level and real-mode analytical virtual machines, and are not repeated here. Compared with the real-mode embodiment, the main differences lie in the kernel and API functions of the protected-mode system. These aspects of protected mode reflect the fact that such a system already runs its programs inside what amounts to a virtual machine, and that its services are reached through API calls rather than interrupts.
Fig. 4 illustrates the various memory images used by the analytical virtual machine in the different modes described here. As shown, the programs analyzed in the different modes are also loaded differently. The analytical virtual machine is therefore configured specifically for each of these modes, which determines where the program under analysis begins executing and how it is analyzed. The memory allocations illustrated here are exemplary and can be optimized for particular systems. Likewise, future processors and programs can be expected to change the precise characteristics of the AVM illustrated here and of its implementation.
The end product of an AVM call according to preferred embodiments of the invention is the contents of the behavior flag register and of the sequencer. Figs. 5A and 5B illustrate an exemplary and presently preferred set of behaviors that are tracked to characterize the code under analysis. This list of behaviors is presently preferred because it accurately tracks potentially malicious behaviors and accurately characterizes current code; it is anticipated that different behavior sets, or modifications of the illustrated set, may be needed in the future. The sequencer is a data structure that tracks the evolution of the behavior flag register. The sequence in which flags are set in the behavior register is particularly important for analyzing and fully characterizing the code under analysis, and the sequencer is a data structure of a size suited to characterizing the code accurately. The final pattern in the behavior register and the sequence of flag set and reset events stored in the sequencer are both passed to the real machine just before the virtual machine terminates. The calling application then uses the data in these structures to characterize the analyzed code.
The preceding discussion describes a virtual machine that analyzes an application (code) within a protected execution environment on a real computer. The analytical virtual machine (AVM) includes a preprocessor that creates, in memory reserved by the virtual machine, an image of the operating system under which the application software program would execute. The AVM identifies the operating system and configures the execution environment according to the file format and control fields in the header of the file that stores the application, and according to the program code to be analyzed. The AVM is run by the real computer's operating system to execute the application contained within the AVM. No direct interaction is permitted between the application and the system software execution environment and/or the computer hardware.
The computer immune system application creates an AVM for each analysis and destroys it when that analysis is complete. The AVM is built from a number of layered shells. The configuration of the AVM shells depends on the format of the application to be analyzed: if native program code is analyzed, for example, a software CPU shell is loaded, whereas for a high-level-language script or program code the corresponding language interpreter is loaded. The processor core of the AVM therefore exists either as a CPU executing native code or as a high-level-language interpreter. Operating system calls contained in the application software program are simulated in such a way that the application appears to be executing within a physical computer environment.
The application executes within the AVM in multiple passes, depending on the structure of the application software program, and not necessarily in the order planned by the application's original creator. The purpose of execution within the AVM is an analysis that extracts the behavior of the program code under every condition contained within the program. Once that purpose is met, the analytical virtual machine terminates, retaining the generated behavior pattern and the sequencer structure, which holds the order in which the events recorded in the behavior pattern occurred.
The AVM described here is best suited for, and intended for use with, the computer immune system and method described in U.S. patent application Serial No. 09/642,625, filed August 18, 2000. Application Serial No. 09/642,625 is incorporated herein by reference in its entirety to further describe other aspects of preferred embodiments and applications of the analytical virtual machine described.
Claims (10)
1. A virtual machine system for behavior analysis of computer code, the virtual machine system having a software processor and comprising:
a behavior record for storing behavior flags representing computer code behaviors observed by virtually executing the computer code under analysis within the virtual machine;
a sequencer for storing the sequence in which behavior flags were set in the behavior record during virtual execution of the computer code under analysis; and
simulated memory and a simulated operating system representing the host real computer system, the computer code under analysis interacting with the simulated memory and the simulated operating system to generate the behavior flags,
characterized in that, before the virtual machine terminates, the virtual machine passes data representing the behavior record to the host real computer system.
2. A virtual machine system for behavior analysis of computer code, the virtual machine system having a software processor and comprising:
a register or structure for storing behavior flags representing computer code behaviors observed by virtually executing the computer code under analysis within the virtual machine;
a register or structure for storing the sequence in which behavior flags are set in the behavior flag register or structure;
an entry-point table for storing all entry points into the computer code under analysis within the virtual machine;
a structure for storing interrupt vector addresses pointing to interrupt service routines that are loaded, when the virtual machine is initialized, into memory reserved by the virtual machine;
a memory structure simulating input and output ports;
a memory structure simulating processor memory; and
one or more operating system simulation shells for simulating the values returned by the real operating system under which the computer code under analysis would operate.
3. The system of claim 2, characterized in that the software processor executes the computer code under analysis, or a fragment of the computer code under analysis, from each entry point defined in the entry-point table and produces a behavior pattern comprising a set of behavior flags.
4. The system of claim 2, characterized in that the software processor executes the computer code under analysis from each entry point defined in the entry-point table and produces the sequence in which behavior flags were set or reset.
5. The system of claim 2, characterized in that the software processor interprets a high-level language within the virtual machine system.
6. The system of claim 5, characterized in that the software processor executes the computer code under analysis, or a fragment of the computer code under analysis, from each entry point defined in the entry-point table and produces a behavior pattern comprising a set of behavior flags.
7. The system of claim 5, characterized in that the software processor executes the computer code under analysis from each entry point defined in the entry-point table and produces the sequence in which behavior flags were set or reset.
8. The system of claim 2, characterized in that the software processor executes 32-bit or 64-bit program code and the operating system simulation shell responds to application programming interface calls.
9. The system of claim 8, characterized in that the software processor executes the computer code under analysis, or a fragment of the computer code under analysis, from each entry point defined in the entry-point table and produces a behavior pattern comprising a set of behavior flags.
10. The system of claim 8, characterized in that the software processor executes the computer code under analysis from each entry point defined in the entry-point table and produces the sequence in which behavior flags were set or reset.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
US24293900P | 2000-10-24 | 2000-10-24 |
US60/242,939 | 2000-10-24 | |
US09/885,427 (US7146305B2) | 2000-10-24 | 2001-06-19 | Analytical virtual machine
US09/885,427 | 2001-06-19 | |
Publications (1)
Publication Number | Publication Date
---|---
CN1476554A | 2004-02-18
Family ID: 26935461
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CNA018179142A (pending; published as CN1476554A) | Analytical virtual machine | 2000-10-24 | 2001-08-28
Country Status (8)
Country | Link
---|---
US (1) | US7146305B2
EP (1) | EP1330692A1
JP (1) | JP2004517390A
CN (1) | CN1476554A
AU (1) | AU2001286849A1
CA (1) | CA2426065A1
TW (1) | TW538376B
WO (1) | WO2002035328A1
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101770551A (zh) * | 2008-12-30 | 2010-07-07 | 中国科学院软件研究所 | 一种基于硬件模拟器的处理隐藏进程的方法 |
CN101959193A (zh) * | 2010-09-26 | 2011-01-26 | 宇龙计算机通信科技(深圳)有限公司 | 一种信息安全检测方法及移动终端 |
CN102378963A (zh) * | 2009-04-01 | 2012-03-14 | 摩托罗拉移动公司 | 利用模型来审查可执行程序的方法和装置 |
CN107203717A (zh) * | 2016-03-18 | 2017-09-26 | 卡巴斯基实验室股份制公司 | 在虚拟机上执行文件的防病毒扫描的系统和方法 |
CN109145599A (zh) * | 2017-06-27 | 2019-01-04 | 关隆股份有限公司 | 恶意病毒的防护方法 |
CN112005176A (zh) * | 2018-03-15 | 2020-11-27 | 西门子股份公司 | 用于计算机支持地模拟以自动化方式工作的机器的运行方法 |
Families Citing this family (128)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7093239B1 (en) | 2000-07-14 | 2006-08-15 | Internet Security Systems, Inc. | Computer immune system and method for detecting unwanted code in a computer system |
US7010698B2 (en) * | 2001-02-14 | 2006-03-07 | Invicta Networks, Inc. | Systems and methods for creating a code inspection system |
US20030028464A1 (en) * | 2001-07-07 | 2003-02-06 | Kosinski Bruce C. | Method and system for assisting participants in an investment plan |
US7657935B2 (en) | 2001-08-16 | 2010-02-02 | The Trustees Of Columbia University In The City Of New York | System and methods for detecting malicious email transmission |
US7251814B2 (en) | 2001-08-24 | 2007-07-31 | International Business Machines Corporation | Yield on multithreaded processors |
US7428485B2 (en) * | 2001-08-24 | 2008-09-23 | International Business Machines Corporation | System for yielding to a processor |
US20040268104A1 (en) * | 2001-10-01 | 2004-12-30 | Cooper Benjamin Jonathon | General purpose fixed instruction set (fis) bit-slice feedback processor unit/computer system |
US9306966B2 (en) | 2001-12-14 | 2016-04-05 | The Trustees Of Columbia University In The City Of New York | Methods of unsupervised anomaly detection using a geometric framework |
US7103876B1 (en) * | 2001-12-26 | 2006-09-05 | Bellsouth Intellectual Property Corp. | System and method for analyzing executing computer applications in real-time |
US7017151B1 (en) * | 2001-12-26 | 2006-03-21 | Bellsouth Intellectual Property Corp. | System and method for real-time applications modification |
US7225343B1 (en) | 2002-01-25 | 2007-05-29 | The Trustees Of Columbia University In The City Of New York | System and methods for adaptive model generation for detecting intrusions in computer systems |
US7409717B1 (en) | 2002-05-23 | 2008-08-05 | Symantec Corporation | Metamorphic computer virus detection |
US20040064300A1 (en) * | 2002-09-26 | 2004-04-01 | Mathiske Bernd J.W. | Method and apparatus for starting simulation of a computer system from a process checkpoint within a simulator |
US7313512B1 (en) * | 2002-10-18 | 2007-12-25 | Microsoft Corporation | Software license enforcement mechanism for an emulated computing environment |
US7013483B2 (en) * | 2003-01-03 | 2006-03-14 | Aladdin Knowledge Systems Ltd. | Method for emulating an executable code in order to detect maliciousness |
KR100509650B1 (ko) * | 2003-03-14 | 2005-08-23 | 주식회사 안철수연구소 | 코드 삽입 기법을 이용한 악성 스크립트 감지 방법 |
US7000051B2 (en) * | 2003-03-31 | 2006-02-14 | International Business Machines Corporation | Apparatus and method for virtualizing interrupts in a logically partitioned computer system |
US7281075B2 (en) * | 2003-04-24 | 2007-10-09 | International Business Machines Corporation | Virtualization of a global interrupt queue |
US7287281B1 (en) | 2003-06-17 | 2007-10-23 | Symantec Corporation | Send blocking system and method |
US8539063B1 (en) | 2003-08-29 | 2013-09-17 | Mcafee, Inc. | Method and system for containment of networked application client software by explicit human input |
US7617462B2 (en) * | 2003-10-24 | 2009-11-10 | Sap Ag | Graphical user interface (GUI) for displaying software component availability as determined by a messaging infrastructure |
US7734763B2 (en) * | 2003-10-24 | 2010-06-08 | Sap Ag | Application for testing the availability of software components |
US8949403B1 (en) * | 2003-10-24 | 2015-02-03 | Sap Se | Infrastructure for maintaining cognizance of available and unavailable software components |
US8302111B2 (en) | 2003-11-24 | 2012-10-30 | Time Warner Cable Inc. | Methods and apparatus for hardware registration in a network device |
US7266726B1 (en) | 2003-11-24 | 2007-09-04 | Time Warner Cable Inc. | Methods and apparatus for event logging in an information network |
US7840968B1 (en) * | 2003-12-17 | 2010-11-23 | Mcafee, Inc. | Method and system for containment of usage of language interfaces |
WO2005062707A2 (en) * | 2003-12-30 | 2005-07-14 | Checkpoint Software Technologies Ltd. | Universal worm catcher |
US7913305B2 (en) * | 2004-01-30 | 2011-03-22 | Microsoft Corporation | System and method for detecting malware in an executable code module according to the code module's exhibited behavior |
US7730530B2 (en) * | 2004-01-30 | 2010-06-01 | Microsoft Corporation | System and method for gathering exhibited behaviors on a .NET executable module in a secure manner |
US9213538B1 (en) | 2004-02-06 | 2015-12-15 | Time Warner Cable Enterprises Llc | Methods and apparatus for display element management in an information network |
EP1564624A3 (en) * | 2004-02-10 | 2006-04-12 | Ricoh Company, Ltd. | Virus protection for multi-function peripherals |
US7437759B1 (en) | 2004-02-17 | 2008-10-14 | Symantec Corporation | Kernel mode overflow attack prevention system and method |
US7475002B1 (en) * | 2004-02-18 | 2009-01-06 | Vmware, Inc. | Method and apparatus for emulating multiple virtual timers in a virtual computer system when the virtual timers fall behind the real time of a physical computer system |
US7895448B1 (en) * | 2004-02-18 | 2011-02-22 | Symantec Corporation | Risk profiling |
US8078669B2 (en) | 2004-02-18 | 2011-12-13 | Time Warner Cable Inc. | Media extension apparatus and methods for use in an information network |
US7376970B2 (en) * | 2004-02-20 | 2008-05-20 | Microsoft Corporation | System and method for proactive computer virus protection |
US7984304B1 (en) * | 2004-03-02 | 2011-07-19 | Vmware, Inc. | Dynamic verification of validity of executable code |
US8171553B2 (en) * | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
EP1742151A4 (en) * | 2004-04-26 | 2010-11-10 | Inc Nat University Iwate Unive | DEVICE, METHOD AND PROGRAM FOR EXTRACTING SINGLE INFORMATION FROM COMPUTER VIRUSES |
US7257811B2 (en) * | 2004-05-11 | 2007-08-14 | International Business Machines Corporation | System, method and program to migrate a virtual machine |
WO2005116797A1 (en) * | 2004-05-19 | 2005-12-08 | Computer Associates Think, Inc. | Method and system for isolating suspicious email |
US20060005190A1 (en) * | 2004-06-30 | 2006-01-05 | Microsoft Corporation | Systems and methods for implementing an operating system in a virtual machine environment |
US7484247B2 (en) * | 2004-08-07 | 2009-01-27 | Allen F Rozman | System and method for protecting a computer system from malicious software |
US7506338B2 (en) * | 2004-08-30 | 2009-03-17 | International Business Machines Corporation | Method and apparatus for simplifying the deployment and serviceability of commercial software environments |
US7873955B1 (en) * | 2004-09-07 | 2011-01-18 | Mcafee, Inc. | Solidifying the executable software set of a computer |
US7690033B2 (en) * | 2004-09-28 | 2010-03-30 | Exobox Technologies Corp. | Electronic computer system secured from unauthorized access to and manipulation of data |
US7856661B1 (en) | 2005-07-14 | 2010-12-21 | Mcafee, Inc. | Classification of software on networked systems |
US8407785B2 (en) | 2005-08-18 | 2013-03-26 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media protecting a digital data processing device from attack |
US20070074191A1 (en) * | 2005-08-30 | 2007-03-29 | Geisinger Nile J | Software executables having virtual hardware, operating systems, and networks |
US20070050765A1 (en) * | 2005-08-30 | 2007-03-01 | Geisinger Nile J | Programming language abstractions for creating and controlling virtual computers, operating systems and networks |
US20070067769A1 (en) * | 2005-08-30 | 2007-03-22 | Geisinger Nile J | Method and apparatus for providing cross-platform hardware support for computer platforms |
US20070050770A1 (en) * | 2005-08-30 | 2007-03-01 | Geisinger Nile J | Method and apparatus for uniformly integrating operating system resources |
US20070074192A1 (en) * | 2005-08-30 | 2007-03-29 | Geisinger Nile J | Computing platform having transparent access to resources of a host platform |
JP4754922B2 (ja) * | 2005-09-30 | 2011-08-24 | 富士通株式会社 | ワーム感染装置の検出装置 |
EP1952240A2 (en) * | 2005-10-25 | 2008-08-06 | The Trustees of Columbia University in the City of New York | Methods, media and systems for detecting anomalous program executions |
US8112513B2 (en) * | 2005-11-30 | 2012-02-07 | Microsoft Corporation | Multi-user display proxy server |
US8959339B2 (en) | 2005-12-23 | 2015-02-17 | Texas Instruments Incorporated | Method and system for preventing unauthorized processor mode switches |
US7757269B1 (en) | 2006-02-02 | 2010-07-13 | Mcafee, Inc. | Enforcing alignment of approved changes and deployed changes in the software change life-cycle |
US7895573B1 (en) * | 2006-03-27 | 2011-02-22 | Mcafee, Inc. | Execution environment file inventory |
US8555404B1 (en) | 2006-05-18 | 2013-10-08 | Mcafee, Inc. | Connectivity-based authorization |
US20080016572A1 (en) * | 2006-07-12 | 2008-01-17 | Microsoft Corporation | Malicious software detection via memory analysis |
US8272048B2 (en) | 2006-08-04 | 2012-09-18 | Apple Inc. | Restriction of program process capabilities |
US8135994B2 (en) | 2006-10-30 | 2012-03-13 | The Trustees Of Columbia University In The City Of New York | Methods, media, and systems for detecting an anomalous sequence of function calls |
US8370818B2 (en) | 2006-12-02 | 2013-02-05 | Time Warner Cable Inc. | Methods and apparatus for analyzing software interface usage |
US8190861B2 (en) * | 2006-12-04 | 2012-05-29 | Texas Instruments Incorporated | Micro-sequence based security model |
US8332929B1 (en) | 2007-01-10 | 2012-12-11 | Mcafee, Inc. | Method and apparatus for process enforced configuration management |
US9424154B2 (en) | 2007-01-10 | 2016-08-23 | Mcafee, Inc. | Method of and system for computer system state checks |
US7908053B2 (en) * | 2007-07-02 | 2011-03-15 | Honeywell International Inc. | Apparatus and method for troubleshooting a computer system |
US8713680B2 (en) * | 2007-07-10 | 2014-04-29 | Samsung Electronics Co., Ltd. | Method and apparatus for modeling computer program behaviour for behavioural detection of malicious program |
US8763115B2 (en) * | 2007-08-08 | 2014-06-24 | Vmware, Inc. | Impeding progress of malicious guest software |
US8176477B2 (en) | 2007-09-14 | 2012-05-08 | International Business Machines Corporation | Method, system and program product for optimizing emulation of a suspected malware |
US7559086B2 (en) * | 2007-10-02 | 2009-07-07 | Kaspersky Lab, Zao | System and method for detecting multi-component malware |
KR100945247B1 (ko) * | 2007-10-04 | 2010-03-03 | 한국전자통신연구원 | 가상 환경을 이용한 비실행 파일 내의 악성 코드 분석 방법및 장치 |
JP5262089B2 (ja) * | 2007-11-30 | 2013-08-14 | 凸版印刷株式会社 | Icカードに実装されるコンピュータ装置及びその処理方法 |
US8434151B1 (en) | 2008-01-04 | 2013-04-30 | International Business Machines Corporation | Detecting malicious software |
US8701189B2 (en) | 2008-01-31 | 2014-04-15 | Mcafee, Inc. | Method of and system for computer system denial-of-service protection |
WO2009097610A1 (en) * | 2008-02-01 | 2009-08-06 | Northeastern University | A vmm-based intrusion detection system |
US8615502B2 (en) | 2008-04-18 | 2013-12-24 | Mcafee, Inc. | Method of and system for reverse mapping vnode pointers |
US8533843B2 (en) * | 2008-10-13 | 2013-09-10 | Hewlett-Packard Development Company, L. P. | Device, method, and program product for determining an overall business service vulnerability score |
TWI401582B (zh) * | 2008-11-17 | 2013-07-11 | Inst Information Industry | 用於一硬體之監控裝置、監控方法及其電腦程式產品 |
US8544003B1 (en) | 2008-12-11 | 2013-09-24 | Mcafee, Inc. | System and method for managing virtual machine configurations |
US8627305B1 (en) * | 2009-03-24 | 2014-01-07 | Mcafee, Inc. | System, method, and computer program product for hooking code inserted into an address space of a new process |
US8381284B2 (en) | 2009-08-21 | 2013-02-19 | Mcafee, Inc. | System and method for enforcing security policies in a virtual environment |
US9552497B2 (en) * | 2009-11-10 | 2017-01-24 | Mcafee, Inc. | System and method for preventing data loss using virtual machine wrapped applications |
US20110113285A1 (en) * | 2009-11-10 | 2011-05-12 | Internationals Business Machines Corporation | System and method for debugging memory consistency models |
US20110125548A1 (en) * | 2009-11-25 | 2011-05-26 | Michal Aharon | Business services risk management |
US8782434B1 (en) | 2010-07-15 | 2014-07-15 | The Research Foundation For The State University Of New York | System and method for validating program execution at run-time |
US8925101B2 (en) | 2010-07-28 | 2014-12-30 | Mcafee, Inc. | System and method for local protection against malicious software |
US8938800B2 (en) | 2010-07-28 | 2015-01-20 | Mcafee, Inc. | System and method for network level protection against malicious software |
KR101201622B1 (ko) * | 2010-08-19 | 2012-11-14 | 삼성에스디에스 주식회사 | 보안 기능을 가진 시스템 온 칩 및 이를 이용한 디바이스 및 스캔 방법 |
US8549003B1 (en) | 2010-09-12 | 2013-10-01 | Mcafee, Inc. | System and method for clustering host inventories |
US8756696B1 (en) | 2010-10-30 | 2014-06-17 | Sra International, Inc. | System and method for providing a virtualized secure data containment service with a networked environment |
US9075993B2 (en) | 2011-01-24 | 2015-07-07 | Mcafee, Inc. | System and method for selectively grouping and managing program files |
US9112830B2 (en) | 2011-02-23 | 2015-08-18 | Mcafee, Inc. | System and method for interlocking a host and a gateway |
US8799997B2 (en) | 2011-04-18 | 2014-08-05 | Bank Of America Corporation | Secure network cloud architecture |
US9594881B2 (en) | 2011-09-09 | 2017-03-14 | Mcafee, Inc. | System and method for passive threat detection using virtual memory inspection |
JP2014526751A (ja) | 2011-09-15 | 2014-10-06 | ザ・トラスティーズ・オブ・コロンビア・ユニバーシティ・イン・ザ・シティ・オブ・ニューヨーク | リターン指向プログラミングのペイロードを検出するためのシステム、方法、および、非一時的コンピュータ可読媒体 |
US8694738B2 (en) | 2011-10-11 | 2014-04-08 | Mcafee, Inc. | System and method for critical address space protection in a hypervisor environment |
US9069586B2 (en) | 2011-10-13 | 2015-06-30 | Mcafee, Inc. | System and method for kernel rootkit protection in a hypervisor environment |
US8973144B2 (en) | 2011-10-13 | 2015-03-03 | Mcafee, Inc. | System and method for kernel rootkit protection in a hypervisor environment |
US8713668B2 (en) | 2011-10-17 | 2014-04-29 | Mcafee, Inc. | System and method for redirected firewall discovery in a network environment |
US8800024B2 (en) | 2011-10-17 | 2014-08-05 | Mcafee, Inc. | System and method for host-initiated firewall discovery in a network environment |
US8789034B1 (en) * | 2011-12-31 | 2014-07-22 | Parallels IP Holdings GmbH | Method for updating operating system without memory reset |
US8739272B1 (en) | 2012-04-02 | 2014-05-27 | Mcafee, Inc. | System and method for interlocking a host and a gateway |
US9183031B2 (en) | 2012-06-19 | 2015-11-10 | Bank Of America Corporation | Provisioning of a virtual machine by using a secured zone of a cloud environment |
US9038178B1 (en) | 2012-06-25 | 2015-05-19 | Emc Corporation | Detection of malware beaconing activities |
US9122873B2 (en) | 2012-09-14 | 2015-09-01 | The Research Foundation For The State University Of New York | Continuous run-time validation of program execution: a practical approach |
US9069782B2 (en) | 2012-10-01 | 2015-06-30 | The Research Foundation For The State University Of New York | System and method for security and privacy aware virtual machine checkpointing |
US8850581B2 (en) | 2012-11-07 | 2014-09-30 | Microsoft Corporation | Identification of malware detection signature candidate code |
US8973146B2 (en) | 2012-12-27 | 2015-03-03 | Mcafee, Inc. | Herd based scan avoidance system in a network environment |
US9195826B1 (en) * | 2013-05-30 | 2015-11-24 | Emc Corporation | Graph-based method to detect malware command-and-control infrastructure |
CN104134034B (zh) * | 2013-06-13 | 2015-10-21 | 腾讯科技(深圳)有限公司 | 控制应用运行的方法和装置 |
EP3061030A4 (en) | 2013-10-24 | 2017-04-19 | McAfee, Inc. | Agent assisted malicious application blocking in a network environment |
US9323929B2 (en) * | 2013-11-26 | 2016-04-26 | Qualcomm Incorporated | Pre-identifying probable malicious rootkit behavior using behavioral contracts |
US9537885B2 (en) | 2013-12-02 | 2017-01-03 | At&T Intellectual Property I, L.P. | Secure browsing via a transparent network proxy |
CN103632101B (zh) * | 2013-12-09 | 2016-11-16 | Beijing Qihoo Technology Co., Ltd. | Method and apparatus for intercepting system calls |
US9916185B2 (en) | 2014-03-18 | 2018-03-13 | International Business Machines Corporation | Managing processing associated with selected architectural facilities |
CN104766006B (zh) * | 2015-03-18 | 2019-03-12 | Baidu Online Network Technology (Beijing) Co., Ltd. | Method and apparatus for determining the behavior information corresponding to a dangerous file |
US9846774B2 (en) * | 2015-06-27 | 2017-12-19 | Mcafee, Llc | Simulation of an application |
RU2622627C2 (ru) * | 2015-09-30 | 2017-06-16 | AO Kaspersky Lab | Method of detecting malicious executable files containing an interpreter by combining emulators |
US10108477B2 (en) | 2015-10-23 | 2018-10-23 | Pervacio Inc. | Mobile device diagnostics |
US9836605B2 (en) * | 2015-12-08 | 2017-12-05 | Bank Of America Corporation | System for detecting unauthorized code in a software application |
TWI682323B (zh) * | 2017-11-24 | 2020-01-11 | Industrial Technology Research Institute | Server and configuration method thereof |
US10990432B1 (en) | 2017-11-30 | 2021-04-27 | Ila Corporation | Method and system for interactive cyber simulation exercises |
US11716558B2 (en) | 2018-04-16 | 2023-08-01 | Charter Communications Operating, Llc | Apparatus and methods for integrated high-capacity data and wireless network services |
CN112840728A (zh) | 2018-10-12 | 2021-05-25 | Charter Communications Operating, LLC | Apparatus and methods for cell identification in a wireless network |
US11129171B2 (en) | 2019-02-27 | 2021-09-21 | Charter Communications Operating, Llc | Methods and apparatus for wireless signal maximization and management in a quasi-licensed wireless system |
US11026205B2 (en) | 2019-10-23 | 2021-06-01 | Charter Communications Operating, Llc | Methods and apparatus for device registration in a quasi-licensed wireless system |
Family Cites Families (160)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4223380A (en) | 1978-04-06 | 1980-09-16 | Ncr Corporation | Distributed multiprocessor communication system |
JPS55112651A (en) | 1979-02-21 | 1980-08-30 | Fujitsu Ltd | Virtual computer system |
US4672609A (en) | 1982-01-19 | 1987-06-09 | Tandem Computers Incorporated | Memory system with operation error detection |
US4773028A (en) | 1984-10-01 | 1988-09-20 | Tektronix, Inc. | Method and apparatus for improved monitoring and detection of improper device operation |
US4819234A (en) | 1987-05-01 | 1989-04-04 | Prime Computer, Inc. | Operating system debugger |
CA1314101C (en) | 1988-02-17 | 1993-03-02 | Henry Shao-Lin Teng | Expert system for security inspection of a digital computer system in a network environment |
US5121345A (en) | 1988-11-03 | 1992-06-09 | Lentz Stephen A | System and method for protecting integrity of computer data and software |
US4975950A (en) | 1988-11-03 | 1990-12-04 | Lentz Stephen A | System and method of protecting integrity of computer data and software |
US5347450A (en) | 1989-01-18 | 1994-09-13 | Intel Corporation | Message routing in a multiprocessor computer system |
US5353393A (en) | 1989-06-14 | 1994-10-04 | Sunwest Trading Corporation | Apparatus and method for manipulating scanned documents in a computer aided design system |
US5204966A (en) | 1990-03-09 | 1993-04-20 | Digital Equipment Corporation | System for controlling access to a secure system by verifying acceptability of proposed password by using hashing and group of unacceptable passwords |
EP0449242A3 (en) | 1990-03-28 | 1992-10-28 | National Semiconductor Corporation | Method and structure for providing computer security and virus prevention |
US5032979A (en) | 1990-06-22 | 1991-07-16 | International Business Machines Corporation | Distributed security auditing subsystem for an operating system |
US5210704A (en) | 1990-10-02 | 1993-05-11 | Technology International Incorporated | System for prognosis and diagnostics of failure and wearout monitoring and for prediction of life expectancy of helicopter gearboxes and other rotating equipment |
US5274824A (en) | 1991-03-01 | 1993-12-28 | Bull Hn Information Systems Inc. | Keyring metaphor for user's security keys on a distributed multiprocess data system |
JPH04310188A (ja) | 1991-03-01 | 1992-11-02 | International Business Machines Corporation | Library service method for a document/image library |
EP0510244A1 (en) | 1991-04-22 | 1992-10-28 | Acer Incorporated | Method and apparatus for protecting a computer system from computer viruses |
US5774727A (en) | 1991-06-27 | 1998-06-30 | Digital Equipment Corporation | Parallel processing system for virtual processor implementation of machine-language instructions |
US5577209A (en) | 1991-07-11 | 1996-11-19 | Itt Corporation | Apparatus and method for providing multi-level security for communication among computers and terminals on a network |
US5309562A (en) | 1991-08-19 | 1994-05-03 | Multi-Tech Systems, Inc. | Method and apparatus for establishing protocol spoofing from a modem |
US5454074A (en) | 1991-09-18 | 1995-09-26 | The Boeing Company | Electronic checklist system |
US5649095A (en) | 1992-03-30 | 1997-07-15 | Cozza; Paul D. | Method and apparatus for detecting computer viruses through the use of a scan information cache |
US5278901A (en) | 1992-04-30 | 1994-01-11 | International Business Machines Corporation | Pattern-oriented intrusion-detection system and method |
US5311593A (en) | 1992-05-13 | 1994-05-10 | Chipcom Corporation | Security system for a network concentrator |
US5359659A (en) | 1992-06-19 | 1994-10-25 | Doren Rosenthal | Method for securing software against corruption by computer viruses |
US5371852A (en) | 1992-10-14 | 1994-12-06 | International Business Machines Corporation | Method and apparatus for making a cluster of computers appear as a single host on a network |
US5345595A (en) | 1992-11-12 | 1994-09-06 | Coral Systems, Inc. | Apparatus and method for detecting fraudulent telecommunication activity |
JP2501771B2 (ja) | 1993-01-19 | 1996-05-29 | International Business Machines Corporation | Method and apparatus for obtaining multiple valid signatures of an undesired software entity |
US5440723A (en) | 1993-01-19 | 1995-08-08 | International Business Machines Corporation | Automatic immune system for computers and computer networks |
US5586260A (en) | 1993-02-12 | 1996-12-17 | Digital Equipment Corporation | Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms |
GB9303527D0 (en) | 1993-02-22 | 1993-04-07 | Hewlett Packard Ltd | Network analysis method |
AU671194B2 (en) | 1993-02-23 | 1996-08-15 | British Telecommunications Public Limited Company | Event correlation |
JPH06274384A (ja) * | 1993-03-22 | 1994-09-30 | NTT Data Tsushin KK | Executable file difference extraction/update device and executable file difference extraction method |
US5630061A (en) | 1993-04-19 | 1997-05-13 | International Business Machines Corporation | System for enabling first computer to communicate over switched network with second computer located within LAN by using media access control driver in different modes |
US5398196A (en) | 1993-07-29 | 1995-03-14 | Chambers; David A. | Method and apparatus for detection of computer viruses |
US5414833A (en) | 1993-10-27 | 1995-05-09 | International Business Machines Corporation | Network security system and method using a parallel finite state machine adaptive active monitor and responder |
US5835726A (en) | 1993-12-15 | 1998-11-10 | Check Point Software Technologies Ltd. | System for securing the flow of and selectively modifying packets in a computer network |
US5606668A (en) | 1993-12-15 | 1997-02-25 | Checkpoint Software Technologies Ltd. | System for securing inbound and outbound data packet flow in a computer network |
US5515508A (en) | 1993-12-17 | 1996-05-07 | Taligent, Inc. | Client server system and method of operation including a dynamically configurable protocol stack |
US5974457A (en) | 1993-12-23 | 1999-10-26 | International Business Machines Corporation | Intelligent realtime monitoring of data traffic |
US5557742A (en) | 1994-03-07 | 1996-09-17 | Haystack Labs, Inc. | Method and system for detecting intrusion into and misuse of a data processing system |
US5522026A (en) | 1994-03-18 | 1996-05-28 | The Boeing Company | System for creating a single electronic checklist in response to multiple faults |
US5675711A (en) | 1994-05-13 | 1997-10-07 | International Business Machines Corporation | Adaptive statistical regression and classification of data strings, with application to the generic detection of computer viruses |
EP0769170B1 (en) * | 1994-06-01 | 1999-08-18 | Quantum Leap Innovations Inc. | Computer virus trap |
US5999711A (en) | 1994-07-18 | 1999-12-07 | Microsoft Corporation | Method and system for providing certificates holding authentication and authorization information for users/machines |
US5623601A (en) | 1994-11-18 | 1997-04-22 | Milkway Networks Corporation | Apparatus and method for providing a secure gateway for communication and data exchanges between networks |
US5764890A (en) | 1994-12-13 | 1998-06-09 | Microsoft Corporation | Method and system for adding a secure network server to an existing computer network |
CA2138302C (en) | 1994-12-15 | 1999-05-25 | Michael S. Fortinsky | Provision of secure access to external resources from a distributed computing environment |
US5590331A (en) | 1994-12-23 | 1996-12-31 | Sun Microsystems, Inc. | Method and apparatus for generating platform-standard object files containing machine-independent code |
JPH08242229A (ja) | 1995-03-01 | 1996-09-17 | Fujitsu Ltd | State consistency processing system for network monitoring |
US5696486A (en) | 1995-03-29 | 1997-12-09 | Cabletron Systems, Inc. | Method and apparatus for policy-based alarm notification in a distributed network management environment |
US5749066A (en) | 1995-04-24 | 1998-05-05 | Ericsson Messaging Systems Inc. | Method and apparatus for developing a neural network for phoneme recognition |
US5734697A (en) | 1995-04-28 | 1998-03-31 | Mci Corporation | Method and apparatus for improving telecommunications system performance |
US5790799A (en) | 1995-05-17 | 1998-08-04 | Digital Equipment Corporation | System for sampling network packets by only storing the network packet that its error check code matches with the reference error check code |
US6061795A (en) * | 1995-07-31 | 2000-05-09 | Pinnacle Technology Inc. | Network desktop management security system and method |
US5878420A (en) | 1995-08-31 | 1999-03-02 | Compuware Corporation | Network monitoring and management system |
US5623600A (en) | 1995-09-26 | 1997-04-22 | Trend Micro, Incorporated | Virus detection and removal apparatus for computer networks |
US6067410A (en) * | 1996-02-09 | 2000-05-23 | Symantec Corporation | Emulation repair system |
US5696822A (en) | 1995-09-28 | 1997-12-09 | Symantec Corporation | Polymorphic virus detection module |
US5854916A (en) | 1995-09-28 | 1998-12-29 | Symantec Corporation | State-based cache for antivirus software |
US5765030A (en) | 1996-07-19 | 1998-06-09 | Symantec Corp | Processor emulator module having a variable pre-fetch queue size for program execution |
US5826013A (en) | 1995-09-28 | 1998-10-20 | Symantec Corporation | Polymorphic virus detection module |
US5745692A (en) | 1995-10-23 | 1998-04-28 | Ncr Corporation | Automated systems administration of remote computer servers |
US5832211A (en) | 1995-11-13 | 1998-11-03 | International Business Machines Corporation | Propagating plain-text passwords from a main registry to a plurality of foreign registries |
US5838903A (en) | 1995-11-13 | 1998-11-17 | International Business Machines Corporation | Configurable password integrity servers for use in a shared resource environment |
US5764887A (en) | 1995-12-11 | 1998-06-09 | International Business Machines Corporation | System and method for supporting distributed computing mechanisms in a local area network server environment |
GB9526129D0 (en) | 1995-12-21 | 1996-02-21 | Philips Electronics Nv | Machine code format translation |
JPH09214493A (ja) | 1996-02-08 | 1997-08-15 | Hitachi Ltd | Network system |
JP3165366B2 (ja) | 1996-02-08 | 2001-05-14 | Hitachi, Ltd. | Network security system |
US5761504A (en) | 1996-02-16 | 1998-06-02 | Motorola, Inc. | Method for updating a software code in a communication system |
US5950012A (en) | 1996-03-08 | 1999-09-07 | Texas Instruments Incorporated | Single chip microprocessor circuits, systems, and methods for self-loading patch micro-operation codes and patch microinstruction codes |
US5964839A (en) | 1996-03-29 | 1999-10-12 | At&T Corp | System and method for monitoring information flow and performing data collection |
US6377994B1 (en) * | 1996-04-15 | 2002-04-23 | International Business Machines Corporation | Method and apparatus for controlling server access to a resource in a client/server system |
US5822517A (en) | 1996-04-15 | 1998-10-13 | Dotan; Eyal | Method for detecting infection of software programs by memory resident software viruses |
US6014645A (en) * | 1996-04-19 | 2000-01-11 | Block Financial Corporation | Real-time financial card application system |
US5881236A (en) | 1996-04-26 | 1999-03-09 | Hewlett-Packard Company | System for installation of software on a remote computer system over a network using checksums and password protection |
US5884033A (en) | 1996-05-15 | 1999-03-16 | Spyglass, Inc. | Internet filtering system for filtering data transferred over the internet utilizing immediate and deferred filtering actions |
US5798706A (en) | 1996-06-18 | 1998-08-25 | Raptor Systems, Inc. | Detecting unauthorized network communication |
US5857191A (en) | 1996-07-08 | 1999-01-05 | Gradient Technologies, Inc. | Web application server with secure common gateway interface |
US5787177A (en) | 1996-08-01 | 1998-07-28 | Harris Corporation | Integrated network security access control system |
US5828833A (en) | 1996-08-15 | 1998-10-27 | Electronic Data Systems Corporation | Method and system for allowing remote procedure calls through a network firewall |
US5864665A (en) | 1996-08-20 | 1999-01-26 | International Business Machines Corporation | Auditing login activity in a distributed computing environment |
US5832208A (en) | 1996-09-05 | 1998-11-03 | Cheyenne Software International Sales Corp. | Anti-virus agent for use with databases and mail servers |
US5845067A (en) | 1996-09-09 | 1998-12-01 | Porter; Jack Edward | Method and apparatus for document management utilizing a messaging system |
US5892903A (en) | 1996-09-12 | 1999-04-06 | Internet Security Systems, Inc. | Method and apparatus for detecting and identifying security vulnerabilities in an open network computer communication system |
US5983350A (en) | 1996-09-18 | 1999-11-09 | Secure Computing Corporation | Secure firewall supporting different levels of authentication based on address or encryption status |
US5899999A (en) | 1996-10-16 | 1999-05-04 | Microsoft Corporation | Iterative convolution filter particularly suited for use in an image classification and retrieval system |
US5991881A (en) | 1996-11-08 | 1999-11-23 | Harris Corporation | Network surveillance system |
US5796942A (en) | 1996-11-21 | 1998-08-18 | Computer Associates International, Inc. | Method and apparatus for automated network-wide surveillance and security breach intervention |
US5848233A (en) | 1996-12-09 | 1998-12-08 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
US5974237A (en) | 1996-12-18 | 1999-10-26 | Northern Telecom Limited | Communications network monitoring |
US5987611A (en) | 1996-12-31 | 1999-11-16 | Zone Labs, Inc. | System and methodology for managing internet access on a per application basis for client computers connected to the internet |
JPH10260872A (ja) * | 1997-01-20 | 1998-09-29 | Fujitsu Ltd | Computer system and recording medium |
US5875296A (en) | 1997-01-28 | 1999-02-23 | International Business Machines Corporation | Distributed file system web server user authentication with cookies |
US5983270A (en) | 1997-03-11 | 1999-11-09 | Sequel Technology Corporation | Method and apparatus for managing internetwork and intranetwork activity |
US5925126A (en) | 1997-03-18 | 1999-07-20 | Memco Software, Ltd. | Method for security shield implementation in computer system's software |
US5987606A (en) | 1997-03-19 | 1999-11-16 | Bascom Global Internet Services, Inc. | Method and system for content filtering information retrieved from an internet computer network |
US5964889A (en) | 1997-04-16 | 1999-10-12 | Symantec Corporation | Method to analyze a program for presence of computer viruses by examining the opcode for faults before emulating instruction in emulator |
JP3028783B2 (ja) * | 1997-04-25 | 2000-04-04 | NEC Corporation | Network monitoring method and apparatus |
US5922051A (en) | 1997-05-14 | 1999-07-13 | Ncr Corporation | System and method for traffic management in a network management system |
JP3342351B2 (ja) * | 1997-06-27 | 2002-11-05 | Daihatsu Motor Co., Ltd. | Device for connecting an intake pipe to the cylinder head of an internal combustion engine |
US6073172A (en) * | 1997-07-14 | 2000-06-06 | Freegate Corporation | Initializing and reconfiguring a secure network interface |
US5919257A (en) | 1997-08-08 | 1999-07-06 | Novell, Inc. | Networked workstation intrusion detection system |
US5978917A (en) * | 1997-08-14 | 1999-11-02 | Symantec Corporation | Detection and elimination of macro viruses |
US6016553A (en) * | 1997-09-05 | 2000-01-18 | Wild File, Inc. | Method, software and apparatus for saving, using and recovering data |
US6321337B1 (en) * | 1997-09-09 | 2001-11-20 | Sanctum Ltd. | Method and system for protecting operations of trusted internal networks |
US5983348A (en) | 1997-09-10 | 1999-11-09 | Trend Micro Incorporated | Computer network malicious code scanner |
US5961644A (en) | 1997-09-19 | 1999-10-05 | International Business Machines Corporation | Method and apparatus for testing the integrity of computer security alarm systems |
US6357008B1 (en) * | 1997-09-23 | 2002-03-12 | Symantec Corporation | Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases |
US5991856A (en) | 1997-09-30 | 1999-11-23 | Network Associates, Inc. | System and method for computer operating system protection |
US6081894A (en) * | 1997-10-22 | 2000-06-27 | Rvt Technologies, Inc. | Method and apparatus for isolating an encrypted computer system upon detection of viruses and similar data |
US6041347A (en) * | 1997-10-24 | 2000-03-21 | Unified Access Communications | Computer system and computer-implemented process for simultaneous configuration and monitoring of a computer network |
US6035323A (en) * | 1997-10-24 | 2000-03-07 | Pictra, Inc. | Methods and apparatuses for distributing a collection of digital media over a network with automatic generation of presentable media |
US6070244A (en) * | 1997-11-10 | 2000-05-30 | The Chase Manhattan Bank | Computer network security management system |
US6021510A (en) * | 1997-11-24 | 2000-02-01 | Symantec Corporation | Antivirus accelerator |
US6026442A (en) * | 1997-11-24 | 2000-02-15 | Cabletron Systems, Inc. | Method and apparatus for surveillance in communications networks |
US6052709A (en) * | 1997-12-23 | 2000-04-18 | Bright Light Technologies, Inc. | Apparatus and method for controlling delivery of unsolicited electronic mail |
US6035423A (en) * | 1997-12-31 | 2000-03-07 | Network Associates, Inc. | Method and system for providing automated updating and upgrading of antivirus applications using a computer network |
US6029256A (en) * | 1997-12-31 | 2000-02-22 | Network Associates, Inc. | Method and system for allowing computer programs easy access to features of a virus scanning engine |
JPH11212807A (ja) * | 1998-01-30 | 1999-08-06 | Hitachi Ltd | Program execution method |
US5987610A (en) | 1998-02-12 | 1999-11-16 | Ameritech Corporation | Computer virus screening methods and systems |
US6195687B1 (en) * | 1998-03-18 | 2001-02-27 | Netschools Corporation | Method and apparatus for master-slave control in a educational classroom communication network |
US6016442A (en) * | 1998-03-25 | 2000-01-18 | Cardiac Pacemakers, Inc. | System for displaying cardiac arrhythmia data |
US5896903A (en) * | 1998-04-07 | 1999-04-27 | Chen; Feng-Yuan | Method of fabricating bamboo slats for bamboo blinds |
US6725378B1 (en) * | 1998-04-15 | 2004-04-20 | Purdue Research Foundation | Network protection for denial of service attacks |
US6070190A (en) * | 1998-05-11 | 2000-05-30 | International Business Machines Corporation | Client-based application availability and response monitoring and reporting for distributed computing environments |
US6173413B1 (en) * | 1998-05-12 | 2001-01-09 | Sun Microsystems, Inc. | Mechanism for maintaining constant permissions for multiple instances of a device within a cluster |
US6397242B1 (en) * | 1998-05-15 | 2002-05-28 | Vmware, Inc. | Virtualization system including a virtual machine monitor for a computer with a segmented architecture |
US6347374B1 (en) * | 1998-06-05 | 2002-02-12 | Intrusion.Com, Inc. | Event detection |
US6185689B1 (en) * | 1998-06-24 | 2001-02-06 | Richard S. Carson & Assoc., Inc. | Method for network self security assessment |
US6711127B1 (en) * | 1998-07-31 | 2004-03-23 | General Dynamics Government Systems Corporation | System for intrusion detection and vulnerability analysis in a telecommunications signaling network |
AU9094198A (en) * | 1998-09-10 | 2000-04-03 | Sanctum Ltd. | Method and system for maintaining restricted operating environments for application programs or operating systems |
US6338141B1 (en) * | 1998-09-30 | 2002-01-08 | Cybersoft, Inc. | Method and apparatus for computer virus detection, analysis, and removal in real time |
US6230288B1 (en) * | 1998-10-29 | 2001-05-08 | Network Associates, Inc. | Method of treating whitespace during virus detection |
US6321338B1 (en) * | 1998-11-09 | 2001-11-20 | Sri International | Network surveillance |
US6530024B1 (en) * | 1998-11-20 | 2003-03-04 | Centrax Corporation | Adaptive feedback security system and method |
US6517587B2 (en) * | 1998-12-08 | 2003-02-11 | Yodlee.Com, Inc. | Networked architecture for enabling automated gathering of information from Web servers |
US6226372B1 (en) * | 1998-12-11 | 2001-05-01 | Securelogix Corporation | Tightly integrated cooperative telecommunications firewall and scanner with distributed capabilities |
US6205552B1 (en) * | 1998-12-31 | 2001-03-20 | Mci Worldcom, Inc. | Method and apparatus for checking security vulnerability of networked devices |
US6510523B1 (en) * | 1999-02-22 | 2003-01-21 | Sun Microsystems Inc. | Method and system for providing limited access privileges with an untrusted terminal |
US6839850B1 (en) * | 1999-03-04 | 2005-01-04 | Prc, Inc. | Method and system for detecting intrusion into and misuse of a data processing system |
US6405318B1 (en) * | 1999-03-12 | 2002-06-11 | Psionic Software, Inc. | Intrusion detection system |
US6725377B1 (en) * | 1999-03-12 | 2004-04-20 | Networks Associates Technology, Inc. | Method and system for updating anti-intrusion software |
US6681331B1 (en) * | 1999-05-11 | 2004-01-20 | Cylant, Inc. | Dynamic software system intrusion detection |
US6397245B1 (en) * | 1999-06-14 | 2002-05-28 | Hewlett-Packard Company | System and method for evaluating the operation of a computer over a computer network |
US6519647B1 (en) * | 1999-07-23 | 2003-02-11 | Microsoft Corporation | Methods and apparatus for synchronizing access control in a web server |
US6563959B1 (en) * | 1999-07-30 | 2003-05-13 | Pixlogic Llc | Perceptual similarity image retrieval method |
US6691232B1 (en) * | 1999-08-05 | 2004-02-10 | Sun Microsystems, Inc. | Security architecture with environment sensitive credential sufficiency evaluation |
US6405364B1 (en) * | 1999-08-31 | 2002-06-11 | Accenture Llp | Building techniques in a development architecture framework |
US6851057B1 (en) * | 1999-11-30 | 2005-02-01 | Symantec Corporation | Data driven detection of viruses |
US6535227B1 (en) * | 2000-02-08 | 2003-03-18 | Harris Corporation | System and method for assessing the security posture of a network and having a graphical user interface |
US6519703B1 (en) * | 2000-04-14 | 2003-02-11 | James B. Joyce | Methods and apparatus for heuristic firewall |
US6718383B1 (en) * | 2000-06-02 | 2004-04-06 | Sun Microsystems, Inc. | High availability networking with virtual IP address failover |
US8341743B2 (en) * | 2000-07-14 | 2012-12-25 | Ca, Inc. | Detection of viral code using emulation of operating system functions |
US6353385B1 (en) * | 2000-08-25 | 2002-03-05 | Hyperon Incorporated | Method and system for interfacing an intrusion detection system to a central alarm system |
US7124440B2 (en) * | 2000-09-07 | 2006-10-17 | Mazu Networks, Inc. | Monitoring network traffic denial of service attacks |
US6944673B2 (en) * | 2000-09-08 | 2005-09-13 | The Regents Of The University Of Michigan | Method and system for profiling network flows at a measurement point within a computer network |
AU2002320191A1 (en) * | 2001-06-27 | 2003-03-03 | Arbor Networks | Method and system for monitoring control signal traffic over a computer network |
US6546493B1 (en) * | 2001-11-30 | 2003-04-08 | Networks Associates Technology, Inc. | System, method and computer program product for risk assessment scanning based on detected anomalous events |
US6721806B2 (en) * | 2002-09-05 | 2004-04-13 | International Business Machines Corporation | Remote direct memory access enabled network interface controller switchover and switchback support |
- 2001
  - 2001-06-19 US US09/885,427 (US7146305B2, en): not active, Expired - Lifetime
  - 2001-08-28 WO PCT/US2001/026804 (WO2002035328A1, en): not active, Application Discontinuation
  - 2001-08-28 EP EP01966324A (EP1330692A1, en): not active, Withdrawn
  - 2001-08-28 JP JP2002538248A (JP2004517390A, ja): active, Pending
  - 2001-08-28 AU AU2001286849A (AU2001286849A1, en): not active, Abandoned
  - 2001-08-28 CN CNA018179142A (CN1476554A, zh): active, Pending
  - 2001-08-28 CA CA002426065A (CA2426065A1, en): not active, Abandoned
  - 2001-09-04 TW TW090121833A (TW538376B, zh): active
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101770551A (zh) * | 2008-12-30 | 2010-07-07 | Institute of Software, Chinese Academy of Sciences | Method for handling hidden processes based on a hardware emulator |
CN102378963A (zh) * | 2009-04-01 | 2012-03-14 | Motorola Mobility, Inc. | Method and apparatus for vetting executable programs using a model |
CN101959193A (zh) * | 2010-09-26 | 2011-01-26 | Yulong Computer Telecommunication Scientific (Shenzhen) Co., Ltd. | Information security detection method and mobile terminal |
CN107203717A (zh) * | 2016-03-18 | 2017-09-26 | AO Kaspersky Lab | System and method for performing an antivirus scan of a file on a virtual machine |
CN107203717B (zh) * | 2016-03-18 | 2020-06-26 | AO Kaspersky Lab | System and method for performing an antivirus scan of a file on a virtual machine |
CN109145599A (zh) * | 2017-06-27 | 2019-01-04 | Grand Mate Co., Ltd. | Malicious virus protection method |
CN109145599B (zh) * | 2017-06-27 | 2022-01-07 | Grand Mate Co., Ltd. | Malicious virus protection method |
CN112005176A (zh) * | 2018-03-15 | 2020-11-27 | Siemens AG | Method for the computer-aided simulation of the operation of a machine working in an automated manner |
Also Published As
Publication number | Publication date |
---|---|
CA2426065A1 (en) | 2002-05-02 |
US20020056076A1 (en) | 2002-05-09 |
JP2004517390A (ja) | 2004-06-10 |
EP1330692A1 (en) | 2003-07-30 |
AU2001286849A1 (en) | 2002-05-06 |
WO2002035328A1 (en) | 2002-05-02 |
US7146305B2 (en) | 2006-12-05 |
TW538376B (en) | 2003-06-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1476554A (zh) | Analytical virtual machine | |
US7657419B2 (en) | Analytical virtual machine | |
US7370360B2 (en) | Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine | |
CN109918903B (zh) | Program non-control-data attack protection method based on the LLVM compiler | |
CN108614960B (zh) | JavaScript virtualization protection method based on front-end bytecode technology | |
JP4741782B2 (ja) | Computer immune system and method for detecting unwanted code in a computer system | |
CN106575237A (zh) | Systems and methods for exposing the result of a current processor instruction after exit from a virtual machine | |
Wang et al. | IntScope: Automatically detecting integer overflow vulnerability in X86 binary using symbolic execution. | |
US7263693B2 (en) | Combined verification and compilation of bytecode | |
KR101955189B1 (ko) | Page fault injection in a virtual machine for mapping swapped-out memory pages into the virtual machine's virtualized memory | |
US20050187740A1 (en) | System and method for proactive computer virus protection | |
CN102043915B (zh) | Method and apparatus for detecting malicious code contained in a non-executable file | |
CN1849585A (zh) | Use of multiple virtual machine monitors to handle privileged events | |
US7251735B2 (en) | Buffer overflow protection and prevention | |
CN101183414A (zh) | Program detection method and apparatus, and program analysis method | |
US20150096028A1 (en) | Method of Detecting Malware in an Operating System Kernel | |
Zhao et al. | Compile-time code virtualization for android applications | |
US6779188B1 (en) | Apparatus and method for improved devirtualization of method calls | |
US8756695B1 (en) | Analysis of binary code | |
CN105793864A (zh) | System and method for detecting malicious multimedia files | |
Hu et al. | Irqdebloat: Reducing driver attack surface in embedded devices | |
Erinfolami et al. | Devil is virtual: Reversing virtual inheritance in C++ binaries | |
CN110909347B (zh) | Mcsema-based Remill library stack taint analysis method and apparatus | |
Song et al. | metaSafer: A Technique to detect heap metadata corruption in WebAssembly | |
CN111611579B (zh) | Method and system for detecting a PowerShadow virtual environment based on driver features | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |