System for maintaining a document and activity selective alterable document history log in a data processing system
Real time fault tolerant transaction processing system
System and method for protecting integrity of computer data and software
Method and apparatus for recording and diagnosing faults in an electronic reprographic printing system
Software modules for testing computer hardware and software
On-line processor based diagnostic system
Pattern-oriented intrusion-detection system and method
Method of detecting and processing abnormal message output from computer system and detecting and processing apparatus therefor
Rule-based method for testing of programming segments
In transit detection of computer virus with safeguard
Application No. 004872 filed on 01/19/1993
US Classes: 714/2, Fault recovery; 714/33, Derived from analysis (e.g., of a specification or by stimulation); 714/38, Of computer software
Examiners: Primary: Beausoliel, Robert W. Jr.
Assistant: Palys, Joseph E.
Attorney, Agent or Firm
International Class: G06F 011/00
Abstract: A method includes the following component steps, or some functional subset of these steps: (A) periodic monitoring of a data processing system (10) for anomalous behavior that may indicate the presence of an undesirable software entity such as a computer virus, worm, or Trojan Horse; (B) automatic scanning for occurrences of known types of undesirable software entities and taking remedial action if they are discovered; (C) deploying decoy programs to capture samples of unknown types of computer viruses; (D) identifying machine code portions of the captured samples which are unlikely to vary from one instance of the virus to another; (E) extracting an identifying signature from the executable code portion and adding the signature to a signature database; (F) informing neighboring data processing systems on a network of an occurrence of the undesirable software entity; and (G) generating a distress signal, if appropriate, so as to call upon an expert to resolve difficult cases. A feature of this invention is the automatic execution of the foregoing steps in response to a detection of an undesired software entity, such as a virus or a worm, within a data processing system. The automatic extraction of the identifying signature, the addition of the signature to a signature data base, and the immediate use of the signature by a scanner provides protection from subsequent infections of the system, and also a network of systems, by the same or an altered form of the undesirable software entity.