WO2001069356A3 - Histogram-based virus detection - Google Patents


Info

Publication number
WO2001069356A3
Authority
WO
WIPO (PCT)
Prior art keywords
histogram
module
instructions
file
code
Prior art date
Application number
PCT/US2001/008058
Other languages
French (fr)
Other versions
WO2001069356A2 (en)
Inventor
Carey S Nachenberg
Original Assignee
Symantec Corp
Priority date
Filing date
Publication date
Application filed by Symantec Corp
Priority to DE60105611T (DE60105611T2)
Priority to CA002403676A (CA2403676A1)
Priority to EP01920344A (EP1297401B1)
Publication of WO2001069356A2
Publication of WO2001069356A3

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/564Static detection by virus signature recognition
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)
  • Executing Machine-Instructions (AREA)

Abstract

A virus detection system (VDS) (400) uses a histogram to detect the presence of a computer virus in a computer file. The VDS (400) has a P-code data file (410) for holding P-code, a virus definition file (VDF) (412) for holding signatures of known viruses, and an engine (414) for controlling the VDS. The engine (414) contains a P-code interpreter (418) for interpreting the P-code, a scanning module (424) for scanning regions of the file (100) for the virus signatures in the VDF (412), and an emulating module (426) for emulating instructions in the file. The emulating module (426) contains a histogram generation module (HGM) (436) for generating a histogram of characteristics of instructions emulated by the emulating module (426) and a histogram definition module (HDF) (438) for specifying the characteristics to be included in the generated histogram. The emulating module (426) uses the generated histogram (500) to determine how many of the instructions of the computer file (100) to emulate. The emulating module (426) emulates (712) instructions and the HGM (436) generates a histogram of the instructions until active instructions are not detected. When active instructions are not detected (714), a P-code module is executed (722) to analyze the histogram (500) and determine whether a file (100) contains a virus. The P-code can also decide to extend (728) emulation. The HGM (436) is also used to detect (822) the presence of dummy loops during virus decryption.
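To make the flow described in the abstract concrete, here is an added Python sketch (not the patent's or Symantec's code): a toy emulator with a histogram generation module driven by a histogram definition, the stop-when-no-active-instructions rule, a stand-in for the P-code analysis step that can decide to extend emulation, and the dummy-loop check. The instruction set, the thresholds and the encrypted sample are constructed for this example and are assumptions, not values from the patent.

```python
from collections import Counter

# Constructed toy ISA (not the patent's); memory writes are the "active" instructions.
ACTIVE = {"xor"}

# Histogram definition (HDF): characteristics the HGM counts for each instruction.
HDF = {
    "opcode":    lambda ins, pc: ins[0],
    "mem_write": lambda ins, pc: ins[0] in ACTIVE,
    "back_edge": lambda ins, pc: ins[0] == "jnz" and ins[2] < pc,
}

def emulate(code, memory, regs, idle_limit=16, max_steps=5000):
    """Emulate while the HGM builds the histogram; stop when no active instruction
    has been seen for `idle_limit` steps, on halt, or at max_steps."""
    hist = {name: Counter() for name in HDF}
    hist["idle_back_edge"] = Counter()             # loop iterations that wrote nothing
    pc, steps, idle, wrote_since_edge = 0, 0, 0, False
    while 0 <= pc < len(code) and steps < max_steps:
        ins, op, nxt = code[pc], code[pc][0], pc + 1
        steps += 1
        for name, extract in HDF.items():
            hist[name][extract(ins, pc)] += 1
        if op == "xor":                            # memory[reg] ^= imm
            memory[regs[ins[1]]] ^= ins[2]
        elif op in ("inc", "dec"):                 # reg += 1 / reg -= 1
            regs[ins[1]] += 1 if op == "inc" else -1
        elif op == "mov":                          # reg = imm
            regs[ins[1]] = ins[2]
        elif op == "jnz" and regs[ins[1]] != 0:    # jump if reg != 0
            nxt = ins[2]
        elif op == "halt":
            return hist, steps, "halt"
        idle = 0 if op in ACTIVE else idle + 1
        wrote_since_edge |= op in ACTIVE
        if op == "jnz" and nxt < pc:               # one loop iteration finished
            hist["idle_back_edge"][not wrote_since_edge] += 1
            wrote_since_edge = False
        if idle >= idle_limit:
            return hist, steps, "idle"
        pc = nxt
    return hist, steps, "max_steps"

def analyze(hist, min_writes=16, dummy_iters=4):
    """Stand-in for the P-code module that inspects the finished histogram."""
    decryptor = hist["mem_write"][True] >= min_writes and hist["back_edge"][True] > 0
    dummy = hist["idle_back_edge"][True] >= dummy_iters
    return {"decryptor": decryptor, "dummy_loop": dummy, "extend": dummy and not decryptor}

def scan(code, memory, regs, idle_limit=16):
    """Emulate and analyze; if a dummy loop stalled emulation, extend it once and retry."""
    hist, steps, reason = emulate(code, list(memory), dict(regs), idle_limit)
    verdict = analyze(hist)
    if verdict["extend"]:
        hist, steps, reason = emulate(code, list(memory), dict(regs), idle_limit * 16)
        verdict = analyze(hist)
    return verdict, steps, reason

# Constructed sample: 32-byte XOR decryptor hiding a 20-iteration dummy loop per byte.
PLAINTEXT = b"constructed plaintext, 32 bytes!"
MEMORY = [b ^ 0x5A for b in PLAINTEXT]
REGS = {"si": 0, "cx": len(PLAINTEXT), "dx": 0}
DECRYPTOR = [("xor", "si", 0x5A), ("inc", "si"),                 # decrypt a byte, advance
             ("mov", "dx", 20), ("dec", "dx"), ("jnz", "dx", 3),  # dummy loop
             ("dec", "cx"), ("jnz", "cx", 0), ("halt",)]          # outer loop, then stop
```

With the default budget the dummy loop stalls the first pass after 17 steps, the histogram shows idle loop iterations, and the analysis step extends emulation; the second pass runs the decryptor to completion and classifies it.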

Priority Applications (3)

Application Number Priority Date Filing Date Title
DE60105611T DE60105611T2 (en) 2000-03-14 2001-03-13 DETECTION OF VIRUSES BY HISTOGRAMS
CA002403676A CA2403676A1 (en) 2000-03-14 2001-03-13 Histogram-based virus detection
EP01920344A EP1297401B1 (en) 2000-03-14 2001-03-13 Histogram-based virus detection

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/524,856 2000-03-14
US09/524,856 US6971019B1 (en) 2000-03-14 2000-03-14 Histogram-based virus detection

Publications (2)

Publication Number Publication Date
WO2001069356A2 WO2001069356A2 (en) 2001-09-20
WO2001069356A3 WO2001069356A3 (en) 2003-01-30

Family

ID=24090930

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/008058 WO2001069356A2 (en) 2000-03-14 2001-03-13 Histogram-based virus detection

Country Status (5)

Country Link
US (1) US6971019B1 (en)
EP (1) EP1297401B1 (en)
CA (1) CA2403676A1 (en)
DE (1) DE60105611T2 (en)
WO (1) WO2001069356A2 (en)

Families Citing this family (75)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040073617A1 (en) 2000-06-19 2004-04-15 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US7350235B2 (en) * 2000-07-14 2008-03-25 Computer Associates Think, Inc. Detection of decryption to identify encrypted virus
US7093239B1 (en) * 2000-07-14 2006-08-15 Internet Security Systems, Inc. Computer immune system and method for detecting unwanted code in a computer system
US8341743B2 (en) * 2000-07-14 2012-12-25 Ca, Inc. Detection of viral code using emulation of operating system functions
AU2002322109A1 (en) * 2001-06-13 2002-12-23 Intruvert Networks, Inc. Method and apparatus for distributed network security
EP1271283B1 (en) * 2001-06-29 2007-05-23 Stonesoft Corporation An intrusion detection method and system
US7421587B2 (en) * 2001-07-26 2008-09-02 Mcafee, Inc. Detecting computer programs within packed computer files
US7827611B2 (en) 2001-08-01 2010-11-02 Mcafee, Inc. Malware scanning user interface for wireless devices
US7657935B2 (en) 2001-08-16 2010-02-02 The Trustees Of Columbia University In The City Of New York System and methods for detecting malicious email transmission
KR20040039357A (en) * 2001-09-14 2004-05-10 컴퓨터 어소시에이츠 싱크, 인코포레이티드 Virus detection system
US20030101381A1 (en) * 2001-11-29 2003-05-29 Nikolay Mateev System and method for virus checking software
US9306966B2 (en) 2001-12-14 2016-04-05 The Trustees Of Columbia University In The City Of New York Methods of unsupervised anomaly detection using a geometric framework
US7225343B1 (en) 2002-01-25 2007-05-29 The Trustees Of Columbia University In The City Of New York System and methods for adaptive model generation for detecting intrusions in computer systems
US7290282B1 (en) * 2002-04-08 2007-10-30 Symantec Corporation Reducing false positive computer virus detections
US7103913B2 (en) * 2002-05-08 2006-09-05 International Business Machines Corporation Method and apparatus for determination of the non-replicative behavior of a malicious program
US7370360B2 (en) * 2002-05-13 2008-05-06 International Business Machines Corporation Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
US7409717B1 (en) * 2002-05-23 2008-08-05 Symantec Corporation Metamorphic computer virus detection
US7526809B2 (en) * 2002-08-08 2009-04-28 Trend Micro Incorporated System and method for computer protection against malicious electronic mails by analyzing, profiling and trapping the same
GB2391965B (en) * 2002-08-14 2005-11-30 Messagelabs Ltd Method of, and system for, heuristically detecting viruses in executable code
US7188369B2 (en) * 2002-10-03 2007-03-06 Trend Micro, Inc. System and method having an antivirus virtual scanning processor with plug-in functionalities
US20040078580A1 (en) * 2002-10-18 2004-04-22 Trend Micro Incorporated Antivirus network system and method for handling electronic mails infected by computer viruses
GB2396227B (en) * 2002-12-12 2006-02-08 Messagelabs Ltd Method of and system for heuristically detecting viruses in executable code
US7013483B2 (en) * 2003-01-03 2006-03-14 Aladdin Knowledge Systems Ltd. Method for emulating an executable code in order to detect maliciousness
US8171551B2 (en) 2003-04-01 2012-05-01 Mcafee, Inc. Malware detection using external call characteristics
DE602004001293T2 (en) 2003-06-26 2007-05-31 St Microelectronics S.A. Program integrity check by means of statistics
US7644441B2 (en) * 2003-09-26 2010-01-05 Cigital, Inc. Methods for identifying malicious software
WO2005047862A2 (en) 2003-11-12 2005-05-26 The Trustees Of Columbia University In The City Of New York Apparatus method and medium for identifying files using n-gram distribution of data
US7370361B2 (en) * 2004-02-06 2008-05-06 Trend Micro Incorporated System and method for securing computers against computer virus
JP4025882B2 (en) * 2004-04-26 2007-12-26 国立大学法人岩手大学 Computer virus specific information extraction apparatus, computer virus specific information extraction method, and computer virus specific information extraction program
US7610610B2 (en) 2005-01-10 2009-10-27 Mcafee, Inc. Integrated firewall, IPS, and virus scanner system and method
US7546471B2 (en) * 2005-01-14 2009-06-09 Microsoft Corporation Method and system for virus detection using pattern matching techniques
US8046834B2 (en) * 2005-03-30 2011-10-25 Alcatel Lucent Method of polymorphic detection
DE602005024514D1 (en) * 2005-03-31 2010-12-16 Texas Instruments Inc Method and system for thwarting and neutralizing buffer overrun attacks
US7591016B2 (en) * 2005-04-14 2009-09-15 Webroot Software, Inc. System and method for scanning memory for pestware offset signatures
US7349931B2 (en) 2005-04-14 2008-03-25 Webroot Software, Inc. System and method for scanning obfuscated files for pestware
US7571476B2 (en) * 2005-04-14 2009-08-04 Webroot Software, Inc. System and method for scanning memory for pestware
US20070094726A1 (en) * 2005-10-26 2007-04-26 Wilson Michael C System and method for neutralizing pestware that is loaded by a desirable process
US20070118559A1 (en) * 2005-11-18 2007-05-24 Microsoft Corporation File system filters and transactions
US8255992B2 (en) * 2006-01-18 2012-08-28 Webroot Inc. Method and system for detecting dependent pestware objects on a computer
DE102006004240A1 (en) * 2006-01-30 2007-08-09 Siemens Ag Method and device for detecting pirated copy
US8443446B2 (en) * 2006-03-27 2013-05-14 Telecom Italia S.P.A. Method and system for identifying malicious messages in mobile communication networks, related network and computer program product therefor
US9064115B2 (en) 2006-04-06 2015-06-23 Pulse Secure, Llc Malware detection system and method for limited access mobile platforms
US7657793B2 (en) * 2006-04-21 2010-02-02 Siemens Corporation Accelerating software rejuvenation by communicating rejuvenation events
US7945956B2 (en) * 2006-05-18 2011-05-17 Microsoft Corporation Defining code by its functionality
US20080016573A1 (en) * 2006-07-13 2008-01-17 Aladdin Knowledge System Ltd. Method for detecting computer viruses
US8190868B2 (en) 2006-08-07 2012-05-29 Webroot Inc. Malware management through kernel detection
US20080134333A1 (en) * 2006-12-04 2008-06-05 Messagelabs Limited Detecting exploits in electronic objects
US8087079B2 (en) * 2007-05-04 2011-12-27 Finjan, Inc. Byte-distribution analysis of file security
US8375449B1 (en) 2007-08-10 2013-02-12 Fortinet, Inc. Circuits and methods for operating a virus co-processor
US8286246B2 (en) 2007-08-10 2012-10-09 Fortinet, Inc. Circuits and methods for efficient data transfer in a virus co-processing system
US9100319B2 (en) 2007-08-10 2015-08-04 Fortinet, Inc. Context-aware pattern matching accelerator
US8079084B1 (en) 2007-08-10 2011-12-13 Fortinet, Inc. Virus co-processor instructions and methods for using such
US8176477B2 (en) 2007-09-14 2012-05-08 International Business Machines Corporation Method, system and program product for optimizing emulation of a suspected malware
JP4488074B2 (en) * 2008-02-13 2010-06-23 日本電気株式会社 Pattern detection device, pattern detection system, pattern detection program, and pattern detection method
US8365283B1 (en) * 2008-08-25 2013-01-29 Symantec Corporation Detecting mutating malware using fingerprints
US7540030B1 (en) * 2008-09-15 2009-05-26 Kaspersky Lab, Zao Method and system for automatic cure against malware
IL195340A (en) 2008-11-17 2013-06-27 Shlomo Dolev Malware signature builder and detection for executable code
US11489857B2 (en) 2009-04-21 2022-11-01 Webroot Inc. System and method for developing a risk profile for an internet resource
US8370934B2 (en) 2009-06-25 2013-02-05 Check Point Software Technologies Ltd. Methods for detecting malicious programs using a multilayered heuristics approach
US9202049B1 (en) 2010-06-21 2015-12-01 Pulse Secure, Llc Detecting malware on mobile devices
US8726338B2 (en) 2012-02-02 2014-05-13 Juniper Networks, Inc. Dynamic threat protection in mobile networks
RU2491615C1 (en) * 2012-02-24 2013-08-27 Закрытое акционерное общество "Лаборатория Касперского" System and method of creating software detection records
US9715325B1 (en) 2012-06-21 2017-07-25 Open Text Corporation Activity stream based interaction
US9256730B2 (en) * 2012-09-07 2016-02-09 Crowdstrike, Inc. Threat detection for return oriented programming
US9317686B1 (en) * 2013-07-16 2016-04-19 Trend Micro Inc. File backup to combat ransomware
US9355246B1 (en) * 2013-12-05 2016-05-31 Trend Micro Inc. Tuning sandbox behavior based on static characteristics of malware
US9594665B2 (en) 2014-03-05 2017-03-14 Microsoft Technology Licensing, Llc Regression evaluation using behavior models of software applications
US20150254162A1 (en) * 2014-03-05 2015-09-10 Concurix Corporation N-Gram Analysis of Software Behavior in Production and Testing Environments
US9880915B2 (en) 2014-03-05 2018-01-30 Microsoft Technology Licensing, Llc N-gram analysis of inputs to a software application
EP2996034B1 (en) * 2014-09-11 2018-08-15 Nxp B.V. Execution flow protection in microcontrollers
US10148675B1 (en) * 2016-03-30 2018-12-04 Amazon Technologies, Inc. Block-level forensics for distributed computing systems
US10178119B1 (en) 2016-03-30 2019-01-08 Amazon Technologies, Inc. Correlating threat information across multiple levels of distributed computing systems
US10333962B1 (en) 2016-03-30 2019-06-25 Amazon Technologies, Inc. Correlating threat information across sources of distributed computing systems
US10860716B2 (en) * 2018-03-23 2020-12-08 Juniper Networks, Inc. Detecting malware concealed by delay loops of software programs
EP4339816A1 (en) * 2022-09-15 2024-03-20 AO Kaspersky Lab System and method for detecting cyclic activity in an event flow for dynamic application analysis

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5826013A (en) * 1995-09-28 1998-10-20 Symantec Corporation Polymorphic virus detection module
WO1999015966A1 (en) * 1997-09-23 1999-04-01 Symantec Corporation Dynamic heuristic method for detecting computer viruses
US5964889A (en) * 1997-04-16 1999-10-12 Symantec Corporation Method to analyze a program for presence of computer viruses by examining the opcode for faults before emulating instruction in emulator

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5796989A (en) * 1995-03-20 1998-08-18 Apple Computer, Inc. Method and system for increasing cache efficiency during emulation through operation code organization
US5696822A (en) * 1995-09-28 1997-12-09 Symantec Corporation Polymorphic virus detection module
US6067410A (en) 1996-02-09 2000-05-23 Symantec Corporation Emulation repair system
US5712583A (en) * 1995-11-13 1998-01-27 International Business Machines Corporation Clock phase alignment using frequency comparison
US6088803A (en) * 1997-12-30 2000-07-11 Intel Corporation System for virus-checking network data during download to a client device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Nachenberg, C. S.: "A New Technique for Detecting Polymorphic Computer Viruses. A Thesis Submitted in Partial Satisfaction of the Requirements for the Degree Master of Science in Computer Science and Engineering", Thesis, University of California, pages i-v, 1-127, XP000197628 *

Also Published As

Publication number Publication date
DE60105611T2 (en) 2005-08-18
WO2001069356A2 (en) 2001-09-20
US6971019B1 (en) 2005-11-29
EP1297401B1 (en) 2004-09-15
CA2403676A1 (en) 2001-09-20
DE60105611D1 (en) 2004-10-21
EP1297401A2 (en) 2003-04-02

Similar Documents

Publication Publication Date Title
WO2001069356A3 (en) Histogram-based virus detection
RU2622627C2 (en) Method of detecting malicious executables, containing interpreter, by combining emulators
Pfoh et al. Nitro: Hardware-based system call tracing for virtual machines
Moser et al. Exploring multiple execution paths for malware analysis
Yin et al. HookFinder: Identifying and understanding malware hooking behaviors
US5978917A (en) Detection and elimination of macro viruses
US20130246038A1 (en) Emulator updating system and method
WO2008005765A3 (en) Network-extended storage
WO2007008506A3 (en) Selective pre-compilation of virtual code to enhance emulator performance
US20070240216A1 (en) Hypervisor area for email virus testing
CN109522235A (en) A method of it is detected for the privacy leakage of Android dynamically load
US20220414209A1 (en) Iterative memory analysis for malware detection
WO2015153037A1 (en) Systems and methods for identifying a source of a suspect event
WO2003069491A1 (en) Authentication method using input feature of input unit of computer, its program, and program recorded medium
CN108363919B (en) Method and system for generating virus-killing tool
Mori et al. A tool for analyzing and detecting malicious mobile code
Morales et al. Building malware infection trees
Webb Evaluating tool based automated malware analysis through persistence mechanism detection
CN114816438A (en) Software isomerization development environment construction method and device
Hou et al. SBE− A Precise Shellcode Detection Engine Based on Emulation and Support Vector Machine
WO2006047608A3 (en) System and method to emulate mobile logic in a communication system
WO2002091172A3 (en) Identifying references to objects during bytecode verification
CN105117273A (en) Method and system for obtaining client process information in xen virtualization platform
Yan et al. Transparent and Extensible Malware Analysis by Combining Hardware Virtualization and Software Emulation
EP4109309A1 (en) Machine learning through iterative memory analysis for malware detection

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): CA

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2403676

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 2001920344

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2001920344

Country of ref document: EP

WWG Wipo information: grant in national office

Ref document number: 2001920344

Country of ref document: EP