
Automated Program Analysis for Computer Virus Detection

IP.com Disclosure Number: IPCOM000121122D
Original Publication Date: 1991-Jul-01
Included in the Prior Art Database: 2005-Apr-03
Document File: 2 page(s) / 107K

Publishing Venue

IBM

Related People

Arnold, WC: AUTHOR [+3]

Abstract

A class of computer programs is disclosed which analyzes the potential behavior of program objects to determine heuristically whether they may contain computer viruses or similar threats.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Automated Program Analysis for Computer Virus Detection

      A class of computer programs is disclosed which analyzes
the potential behavior of program objects to determine heuristically
whether they may contain computer viruses or similar threats.

      It has been known for some time that no program can perfectly
distinguish between objects that contain a computer virus and objects
that do not [*].

      For many specific viruses, simply scanning an object for a
particular pattern of bytes suffices to detect all files infected
with that virus (generally with some sufficiently small chance of
false positives). Programs that do such scanning cannot detect the
presence of viruses that they have not been specifically programmed
to detect.

      There are a number of programs in the world that attempt to
examine the contents of objects to determine whether or not they
contain any "harmful code".  (An early popular one made available on
some public bulletin board systems was called CHK4BOMB.)  In part
because such programs do only static analysis of the objects
(examining them as they exist on a storage medium, rather than
dealing with their execution characteristics), it is trivially easy
for a harm-doing program to escape detection; for instance, some
computer viruses store the bulk of their code masked via an XOR or
similar operation, with only an innocuous-looking "degarbler" routine
stored in clear.

      The present invention consists of procedures that, without
attempting to provide absolutely reliable detection of computer
viruses, do more sophisticated analysis of executable objects, to
determine with a greater probability of success whether or not they
contain a computer virus or similar harmful code.

      There are various ways to determine something about what a
program does that lie between simply examining it for byte-patterns,
and actually allowing it to execute.  The methods covered by this
article analyze an executable object by employing knowledge of the
semantics of the object's content.  For objects consisting of machine
code, this is knowledge of the target machine's architecture and
instruction set; for objects consisting of code intended for
execution by some virtual machine (such as a BASIC interpreter, a
P-code machine, and so on), this is knowledge of the architecture and
"instruction set" of the virtual machine.  By employing such
knowledge, the analysis program can determine something about the
...
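The contrast the disclosure draws, between scanning stored bytes and analyzing an object with knowledge of its instruction semantics, can be shown on a toy virtual machine. The following is an added illustration, not code from the disclosure or from IBM: the VM, its three opcodes, the "signature" pattern, the XOR key and the object layout are all constructed for this example. A plain pattern scanner misses the masked payload; a small interpreter that applies the VM's semantics unmasks it and also notices that control flows into bytes the program rewrote itself.

```python
# Constructed toy VM (not the disclosure's):  0x10 a k -> mem[a] ^= k
#                                            0x20 a   -> jump to a
#                                            0x00     -> halt
OP_XOR, OP_JMP, OP_HALT = 0x10, 0x20, 0x00
KEY = 0x55                                     # constructed masking key
SIGNATURE = bytes([0xC3, 0x7E, 0x91, 0x5A])    # constructed stand-in for a known pattern


def build_object(payload_at: int = 20) -> bytes:
    """Object with a clear-text 'degarbler' that unmasks a stored payload
    in place and then jumps into it; the payload is stored XOR-masked."""
    degarbler = b"".join(bytes([OP_XOR, payload_at + i, KEY])
                         for i in range(len(SIGNATURE)))
    degarbler += bytes([OP_JMP, payload_at])
    pad = bytes(payload_at - len(degarbler))   # zero fill up to the payload
    masked = bytes(b ^ KEY for b in SIGNATURE)
    return degarbler + pad + masked + bytes([OP_HALT])


def static_scan(obj: bytes) -> bool:
    """Byte-pattern scanner: only sees what is stored in clear."""
    return SIGNATURE in obj


def semantic_scan(obj: bytes, max_steps: int = 256) -> dict:
    """Interpret the object with the VM's instruction semantics, then rescan
    the resulting memory image.  Also records whether execution ever reached
    a byte the program had rewritten (a self-decryption heuristic)."""
    mem, written, pc = bytearray(obj), set(), 0
    runs_modified_code = False
    for _ in range(max_steps):                 # bounded: the object may loop
        if pc >= len(mem):
            break
        if pc in written:
            runs_modified_code = True
        op = mem[pc]
        if op == OP_HALT:
            break
        elif op == OP_XOR:
            addr, key = mem[pc + 1], mem[pc + 2]
            mem[addr] ^= key
            written.add(addr)
            pc += 3
        elif op == OP_JMP:
            pc = mem[pc + 1]
        else:
            break                              # unknown opcode: stop analysis
    return {"pattern_after_emulation": SIGNATURE in mem,
            "runs_self_modified_code": runs_modified_code}
```

On the constructed object, `static_scan` returns False while `semantic_scan` reports both the unmasked pattern and the self-modification, which is the kind of heuristic evidence the disclosure's analysis is meant to produce.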