TW542999B - A method and system for filtering computer virus using virus codewords - Google Patents
- Publication number
- TW542999B (application TW89123667A)
- Authority
- TW
- Taiwan
- Prior art keywords
- virus
- file
- computer
- executable
- codeword
- Prior art date
Landscapes
- Storage Device Security (AREA)
Abstract
Description
Case number 89123667

V. Description of the Invention

[Technical Field]

This case relates to a method and system for filtering computer viruses using virus codewords. In particular, it concerns a method and system in which a comparatively compact virus codeword is enough to detect a virus and all of its variants, which remedies the drawback of conventional scanning, where ever-larger sets of virus definition patterns make scanning progressively slower.

[Prior Art]

Early on, a computer virus was considered to be a computer program that could only copy part or all of the virus program into other executable programs. Macro viruses and script viruses, such as Melissa and "I Love You", completely overturned that early definition. These two types of virus can use documents and web pages to infect computers and damage computer systems. All computer viruses are able to replicate, because a virus that cannot replicate has no way of infecting other computer systems for the purpose of destruction or mischief. What we call a computer virus here must therefore be able to replicate.

To date, more than ten thousand computer viruses have been discovered. With the use of mutation engines and the spread of the Internet, we believe that more computer viruses will be produced, and faster, by those intent on doing so. Most computer users, however, lack information about new viruses, have not updated their anti-virus software or the latest virus definition patterns, and do not know how to deal properly with an infection when it happens.

According to a report in the US publication Computer Week, in the first quarter of 1999 alone viruses had already cost US businesses 7.… trillion US dollars. The losses caused by viruses include system crashes, destroyed data, and interrupted production. The threat that viruses pose to businesses will grow year by year as networks become more widespread.

Most anti-virus software on the market today claims to detect 100% of known viruses, and many people therefore believe that most virus detection techniques have already been developed. In fact, even though some anti-virus programs claim to detect unknown viruses, today's anti-virus software is of limited use against new, unknown viruses. The heavy damage and losses that the "I Love You" virus inflicted on businesses and personal computers are a good example. We therefore propose a virus detection approach that differs from the traditional ones: a new technique based on virus codewords that detects both known viruses and unknown new viruses quickly and effectively.

The virus detection techniques developed so far are virus pattern matching (matching virus definition patterns), checksum comparison (check-sum), virtual machine simulation, real-time I/O scanning, and behavior analysis (behavior-based virus detection). Each is introduced briefly here.

A virus pattern is a distinctive or unusual piece of code inside a virus that does not appear in normal programs. When a new virus is found, it is analyzed and a distinctive piece of its code is extracted to build a database of virus patterns. Scanning a file for infection means checking whether the file contains any of the specific code sequences of the known viruses in the database. If it does, the file is judged to be infected. Most anti-virus software on the market detects viruses by pattern matching, because this approach detects known viruses accurately and identifies the type of virus correctly. It cannot, however, detect variant viruses or unknown new viruses. The pattern database also has to be updated frequently, because new viruses now appear very quickly. As the number of viruses grows, the pattern database grows with it, and scanning becomes correspondingly slower.

Checksum comparison applies a specific algorithm to a file's length, creation date and time, and contents to produce a check number, which is either appended to the file or stored in a database of check numbers. Scanning by checksum comparison relies on the fact that a virus changes the original file. This approach can find most viruses. However, many files are modified by users themselves, and the check number also changes when software is updated, so the false-positive rate is high, and the method cannot detect stealth viruses.

Virtual machine simulation is used mainly against polymorphic viruses, mutation viruses, and self-encrypting viruses. Its main drawbacks are slow scanning and the inability to detect viruses that only activate under specific conditions.

Behavior analysis detects viruses by detecting abnormal behaviors and instructions on the computer. The anti-virus software of Symantec and Trend Micro uses this method to detect certain kinds of viruses, and it finds a small portion of new viruses.

[Object of the Invention]

The main object of the invention is to provide a method and system for filtering computer viruses using virus codewords, in which a comparatively compact virus codeword is enough to detect a virus and all of its variants, so that scanning is fast.

[Detailed Description of the Preferred Embodiment]

In the field of data compression, a codeword is a piece of representative information taken from image data. From such representative data we can build a codebook, that is, a database containing a plurality of codewords. Once the image data has been encoded, only the indices of these codewords in the codebook are stored, which achieves data compression.

In the present invention, for each virus we extract the virus's features and combine them into a virus codeword. Because a virus and its many variants all share the same virus features, a single virus codeword is enough to detect a virus and its variants. This differs from conventional scanning, which checks for viruses with virus definition patterns. Each variant has its own virus definition pattern: if a virus has spawned seven different variants, eight virus definition patterns are needed in total, and the number keeps growing as new variants appear. Conventional virus scanning therefore suffers from a large virus database and slow scanning. On the other hand, virus codewords can also be used to synthesize new virus programs quickly and in large numbers.

In the present invention the virus codebook has two parts: an executable/command-file virus codebook and a macro/script virus codebook. We therefore use two examples to show how virus features are extracted and virus codewords are constructed.

Example 1: Virus codewords for executable files and command files

We call a virus feature a virus element. Figure 1 lists some virus elements of executable/command files and the behaviors (or actions) they correspond to. The same virus behavior can be expressed by different virus elements (virus features). Figure 2 is a program that writes to the boot sector and the partition table; an ordinary program does not do this. The virus element for element index 100 in the left column of Figure 1 ("B9 …") is a virus feature, because a normal program does not go looking for the partition table. If a program contains the virus element for element index 100, we still cannot conclude that it contains a virus, because the program does not yet have any destructive capability. The virus element for element index 90 in the left column of Figure 1 ("… CD 13") is the action of writing data. If a program contains the virus elements for both element index 100 and element index 90, we can conclude that it contains a virus, because the program will modify […] and cause data loss. We can therefore define [100, 90] as a virus codeword. By the same reasoning, [80, 90], which represents locating the boot sector and writing data, is also a virus codeword. In practice the virus codewords for executable and command files are numerous, at least several thousand, and cannot all be listed here; only the two virus codewords (100, 90) and (80, 90) are used for illustration.

Example 2: Virus codewords for e-mail containing macro/script viruses

After Microsoft developed VBS support for HTML files, both e-mail and web pages became targets for virus intrusion. The "I Love You" e-mail virus that broke out in early 2000 is a virus of this kind. It exploited the convenience of VBS to spread by e-mail to individual users and businesses at astonishing speed, and caused them serious losses.

Figure 3 shows the virus elements of e-mail and web pages that use VBS. Figure 4 is a program that steals the address book and sends out mail. Clearly, [30, 20, 100, 19, 14, 3] in the left column of Figure 3, which respectively represent six actions (creating an Outlook object, reading the registry, obtaining the address book, […], appending text to a file, and sending mail), is a typical virus codeword, because any program that contains this virus codeword exhibits virus behavior. As to whether [20, 100, 14, 3] can be defined as a virus codeword […] the difference between […] and [20, 100, 19, 14] […] these files would still be sent out and cause damage […]. Taken on its own, the portion (20, 100, 19, 14) is also a virus codeword. The examples above show how virus codewords of each kind are constructed.

Once virus codewords of each kind have been constructed, we can collect them into a virus codebook. Virus programs can be divided into executable-file, macro, and script types. In theory a separate virus codebook is needed for each type of virus. In practice a script virus can also contain macro virus code, so the macro virus codebook and the script virus codebook can be merged into one macro/script virus codebook. The macro/script virus codewords found in practice are numerous, at least several thousand, and cannot all be listed here; only the two virus codewords (20, 100, 19, 14) and (30, 20, 100, 19, 14, 3) are used for illustration.

In the present invention there are two kinds of virus codebook: the executable/command-file virus codebook and the macro/script virus codebook.

Once the virus codebooks have been built, we can use them to determine whether a file contains a virus. We first determine whether the file is a plain text file, an executable/command file, or a macro or script file. The file extension can be used for this; determining a file's type from its extension is well known and is not described further here. A plain text file has no ability to execute anything that damages a computer system, so we can be sure that it is a file without any virus.

The method of filtering computer viruses using virus codewords is as follows:

1. Determine from the file's extension whether it is an executable/command file, a file that can execute macros or scripts, or a plain text file.
2. If the file is a plain text file, it is judged not to contain a virus.
3. If the file is an executable/command file, determine whether it contains an executable/command-file virus codeword. If it does, the file is judged to contain a virus; if not, it is judged not to contain a virus.
4. If the file can execute macros or scripts, determine whether it contains a macro/script virus codeword. If it does, the file is judged to contain a virus; if not, it is judged not to contain a virus.
5. A file judged to contain a virus is intercepted/deleted; otherwise it is sent/received.

When a file contains a virus, we can intercept or delete it so that it cannot spread and damage the computer system. The flowchart of this method is shown in Figure 5.

To further disclose the technical content of this case, refer first to Figure 6, a schematic diagram of the computer system that filters computer viruses using virus codewords. The computer system includes a host 1, which can be connected to a display 2 and a keyboard 3, and a communication device 4 that can connect to the Internet 5. The communication device 4 can be used to receive or send mail and computer files.

The host 1 includes a processor 11 and a storage device 12. The storage device 12 stores program code and at least one computer virus codebook, and the virus codewords in that codebook are used to determine whether a file contains a computer virus. The processor 11 is mainly used to carry out computer virus detection. The display 2 can show the computer system's execution process and results. […] the computer system […] the program code that determines whether a file contains a virus. When a file contains a computer virus, it is intercepted and deleted. If a file does not contain a computer virus, it is received/sent.

What this case discloses is one preferred embodiment. Any partial change or modification that derives from the technical idea of this case […] falls within the scope of the patent rights of this case. In summary, in its […] means and effects this case shows technical features quite different from the prior art […]. The case is characterized in that the disclosed technique can effectively detect […] new viruses. This case has practical value and is novel and inventive. It meets the requirements for an invention patent, and we respectfully ask the examiner to […] and to grant the patent at an early date.
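The filtering steps above, as an added example (not code from the patent): a codeword is treated as a set of element indices, and a file is blocked only when every element of some codeword in the codebook for its type is present. Every byte and text marker, the extension lists, and the choice to scan unrecognised extensions against both codebooks are assumptions of this example; the samples are constructed and inert.

```python
from pathlib import PurePath

# Element tables (index -> marker). The indices are the ones the description
# uses; every marker is a constructed stand-in, because the figures that list
# the real elements are not reproduced on this page.
EXEC_ELEMENTS = {
    100: bytes.fromhex("b90100aa"),  # stand-in for "locate the partition table"
    80: bytes.fromhex("b90200bb"),   # stand-in for "locate the boot sector"
    90: bytes.fromhex("cd13"),       # stand-in for "write data"
}
SCRIPT_ELEMENTS = {
    30: b"outlook.application",      # create an Outlook object
    20: b"regread",                  # read the registry
    100: b"addresslists",            # obtain the address book
    19: b"element19_marker",         # placeholder: index 19's action is not legible
    14: b"opentextfile",             # append text to a file
    3: b".send",                     # send mail
}

# The four codewords the description names, one codebook per file type.
EXEC_CODEBOOK = [(100, 90), (80, 90)]
SCRIPT_CODEBOOK = [(20, 100, 19, 14), (30, 20, 100, 19, 14, 3)]

# Extension lists are assumptions of this example.
TEXT_EXT = {".txt"}
EXEC_EXT = {".exe", ".com", ".bat"}
SCRIPT_EXT = {".vbs", ".js", ".doc", ".htm", ".html"}


def classify(filename):
    """Step 1: type the file by its final extension (name.txt.vbs is a script)."""
    suffix = PurePath(filename.lower()).suffix
    if suffix in TEXT_EXT:
        return "text"
    if suffix in EXEC_EXT:
        return "exec"
    if suffix in SCRIPT_EXT:
        return "script"
    return "unknown"


def matched_codewords(data, elements, codebook, fold_case=False):
    """Return the codewords whose elements are all present, in any order."""
    haystack = data.lower() if fold_case else data
    present = {idx for idx, marker in elements.items() if marker in haystack}
    return [cw for cw in codebook if set(cw) <= present]


def scan(filename, data):
    """Steps 2-5: return ("pass" | "block", matched codewords)."""
    kind = classify(filename)
    if kind == "text":
        return "pass", []            # step 2: plain text is not scanned
    hits = []
    if kind in ("exec", "unknown"):
        hits += matched_codewords(data, EXEC_ELEMENTS, EXEC_CODEBOOK)
    if kind in ("script", "unknown"):
        hits += matched_codewords(data, SCRIPT_ELEMENTS, SCRIPT_CODEBOOK,
                                  fold_case=True)
    return ("block" if hits else "pass"), hits


# Constructed, inert samples: marker tokens only, no working code.
PAD = b"\x90" * 8
ONLY_LOCATE = b"MZ" + PAD + EXEC_ELEMENTS[100] + PAD
LOCATE_AND_WRITE = ONLY_LOCATE + EXEC_ELEMENTS[90]
TOKENS = (b"constructed inert text\r\nRegRead\r\nAddressLists\r\n"
          b"ELEMENT19_MARKER\r\nOpenTextFile\r\n")
VARIANT = b"OPENTEXTFILE | element19_marker | addresslists | REGREAD | filler"

if __name__ == "__main__":
    for name, data in [("tool.exe", ONLY_LOCATE), ("tool.exe", LOCATE_AND_WRITE),
                       ("note.txt.vbs", TOKENS), ("other.VBS", VARIANT)]:
        print(name, scan(name, data))
```

The reordered, re-cased `VARIANT` matches the same codeword as `TOKENS`, which is the variant-coverage property the description claims; element 100 alone does not trigger a verdict.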
[Brief Description of the Figures]

Figure 1: Virus elements of executable files and command files
Figure 2: Virus code that infects the boot sector and the partition table
Figure 3: Virus elements of e-mail and web pages that use VBS
Figure 4: Virus code that steals the address book and sends out mail
Figure 5: Flowchart of virus filtering
Figure 6: Computer system for filtering computer viruses

[Reference Numerals]

Host computer 1
Processor 11
Storage device 12
Display 2
Keyboard 3
Communication device 4
Internet 5
Claims (1)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW89123667A TW542999B (en) | 2000-11-07 | 2000-11-07 | A method and system for filtering computer virus using virus codewords |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW89123667A TW542999B (en) | 2000-11-07 | 2000-11-07 | A method and system for filtering computer virus using virus codewords |
Publications (1)
Publication Number | Publication Date |
---|---|
TW542999B (en) | 2003-07-21 |
Family ID: 29729380
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW89123667A TW542999B (en) | 2000-11-07 | 2000-11-07 | A method and system for filtering computer virus using virus codewords |
Country Status (1)
Country | Link |
---|---|
TW (1) | TW542999B (en) |
- 2000-11-07: TW application TW89123667A, patent TW542999B (en); status: not active, IP right cessation
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Spafford | Computer viruses as artificial life | |
Kharraz et al. | Redemption: Real-time protection against ransomware at end-hosts | |
JP3079087B2 (en) | Method and system for generating a macro virus | |
US10417424B2 (en) | Method of remediating operations performed by a program and system thereof | |
US7861300B2 (en) | Method and apparatus for determination of the non-replicative behavior of a malicious program | |
US6973577B1 (en) | System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state | |
US20060230449A1 (en) | Source code repair method for malicious code detection | |
JP2003196112A (en) | Virus check method for virus check software | |
Spafford | Computer Viruses--A Form of Artificial Life? | |
US20060230289A1 (en) | Source code management method for malicious code detection | |
JP2002342106A (en) | Method for scanning and clearing known and unknown computer virus | |
WO2007056933A1 (en) | A method for identifying unknown virus and deleting it | |
JP2010182019A (en) | Abnormality detector and program | |
US20080222215A1 (en) | Method for Deleting Virus Program and Method to Get Back the Data Destroyed by the Virus | |
US20210182392A1 (en) | Method for Detecting and Defeating Ransomware | |
CN108616510A (en) | It is a kind of that virus detection techniques are extorted based on digital immune reclusion | |
Morales et al. | Identification of file infecting viruses through detection of self-reference replication | |
Morales et al. | Testing and evaluating virus detectors for handheld devices | |
Vasudevan | MalTRAK: Tracking and eliminating unknown malware | |
TW542999B (en) | A method and system for filtering computer virus using virus codewords | |
Zhang | Computer virus and anti-virus technology | |
Gandotra et al. | Malware intelligence: beyond malware analysis | |
JP2010182020A (en) | Illegality detector and program | |
Spafford et al. | A computer virus primer | |
Hsu et al. | Data concealments with high privacy in new technology file system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
GD4A | Issue of patent certificate for granted invention patent | ||
MM4A | Annulment or lapse of patent due to non-payment of fees |