
Custom Modification Detection Algorithms for Modification Detectors

IP.com Disclosure Number: IPCOM000122425D
Original Publication Date: 1991-Dec-01
Included in the Prior Art Database: 2005-Apr-04
Document File: 2 page(s) / 78K

Publishing Venue

IBM

Related People

Burton, CF: AUTHOR [+5]

Abstract

Disclosed is a method for using a modification-detection algorithm in such a way that, while an attacker may be able to make changes that will defeat any given instance of the modification detector, it will be difficult to defeat all the detectors in use in a given community. This invention is particularly applicable to the detection of computer viruses (where the "attacker" is itself a program, and therefore somewhat limited in function).

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Custom Modification Detection Algorithms for Modification Detectors

      The basic idea is that each instantiation of the modification
detector employs a slightly different version of the algorithm to
calculate the check-value for datasets. Methods for accomplishing
this include, but are not limited to, the following:
 .   In a CRC-based algorithm, each instantiation might use a
different polynomial for the CRC calculation.
 .   In any byte-based algorithm, each instantiation might use a
different subset of the bytes in the objects being checked (one might
skip every fortieth byte, another every twenty-seventh, and so on).
 .   Any parameter-based transform (rotation, XOR, etc.) might be
applied to each byte (or other unit) of the data, before the
algorithm is applied.  One instantiation might apply the algorithm to the
object just as it exists, another might rotate each byte left three
places before applying the algorithm, and so on (of course,
transforms must be chosen such that an attacker that defeats one
instantiation will not thereby defeat all others).
 .   Any combination of these or similar methods.
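The following is an added example, not code from the disclosure, that combines the three methods above into one parameterised detector: a reflected CRC-32 with a selectable polynomial, a byte-subset rule ("skip every n-th byte"), and a per-byte XOR-then-rotate transform. The instance parameters and the sample dataset are constructed for illustration. It shows the property the text claims: a single-byte change that one instance happens to skip is still caught by instances with different parameters, so the community as a whole detects it.

```python
# Added example (not from the IBM disclosure): parameterised modification detector.
from dataclasses import dataclass
from typing import Dict, Sequence

# Standard reflected CRC-32 polynomials (real constants, used here as alternatives).
CRC32_IEEE = 0xEDB88320
CRC32_C = 0x82F63B78


def rotl8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (bijective, so it hides nothing)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def crc32_generic(data: bytes, poly: int) -> int:
    """Bitwise reflected CRC-32 (init 0xFFFFFFFF, final XOR) with a chosen polynomial."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


@dataclass(frozen=True)
class DetectorInstance:
    """One instantiation of the algorithm; every field is an assumed, illustrative parameter."""
    name: str
    poly: int         # CRC polynomial used by this instance
    skip_every: int   # skip every n-th byte of the object (0 = check every byte)
    xor_mask: int     # XOR applied to each byte before the CRC
    rotate: int       # left-rotation applied to each byte before the CRC

    def selected_bytes(self, data: bytes) -> bytes:
        # Byte-subset rule: the n-th, 2n-th, ... bytes are not examined by this instance.
        return bytes(
            rotl8(b ^ self.xor_mask, self.rotate)
            for i, b in enumerate(data)
            if self.skip_every == 0 or (i + 1) % self.skip_every != 0
        )

    def check_value(self, data: bytes) -> int:
        return crc32_generic(self.selected_bytes(data), self.poly)


def detects_change(inst: DetectorInstance, original: bytes, modified: bytes) -> bool:
    """True if this instance's stored check-value no longer matches the object."""
    return inst.check_value(original) != inst.check_value(modified)


def community_report(instances: Sequence[DetectorInstance],
                     original: bytes, modified: bytes) -> Dict[str, bool]:
    """Which instances in the community notice the modification."""
    return {inst.name: detects_change(inst, original, modified) for inst in instances}


def community_detects(instances: Sequence[DetectorInstance],
                      original: bytes, modified: bytes) -> bool:
    return any(community_report(instances, original, modified).values())


# Constructed community: three workstations, each with its own parameters.
COMMUNITY = (
    DetectorInstance("ws-A", CRC32_IEEE, skip_every=40, xor_mask=0x00, rotate=0),
    DetectorInstance("ws-B", CRC32_C,    skip_every=27, xor_mask=0x5A, rotate=3),
    DetectorInstance("ws-C", CRC32_IEEE, skip_every=0,  xor_mask=0xFF, rotate=5),
)

# Constructed dataset: 200 bytes of a repeating pattern standing in for a program file.
ORIGINAL = bytes(i % 256 for i in range(200))


def flip_byte(data: bytes, index: int) -> bytes:
    """Constructed modification: invert one byte of the object."""
    out = bytearray(data)
    out[index] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    # Byte 40 (index 39) is exactly one that ws-A skips, so ws-A alone would miss it.
    modified = flip_byte(ORIGINAL, 39)
    for name, caught in community_report(COMMUNITY, ORIGINAL, modified).items():
        print(f"{name}: {'modification detected' if caught else 'no change seen'}")
    print("community detects:", community_detects(COMMUNITY, ORIGINAL, modified))
```

Because the per-byte transform is a bijection and a CRC always changes when a single examined byte changes, an instance misses a one-byte edit only if that byte falls outside its examined subset; differing skip strides and polynomials across the community make it unlikely that one edit is invisible to every instance.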

      In the context of a distributed system, each CPU (or each
workstation) in the system might have its own version of the
algorithm.  A virus designed to make changes in suc...