Patent · US Active

Detection of file modifications performed by malicious codes

US8352522B1 · kind B1 · utility

22 Cited by
34 References
11 Claims
0 Family size

Assignee

Inventor

Key dates

Filing date: Sep 1, 2010
Grant date: Jan 8, 2013
Priority date
Expiry date: Dec 3, 2030

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/568
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

File modifications performed by malicious codes are detected by detecting a file modification for an original file before the file modification is performed on the original file. In response to detecting the file modification, a corresponding shadow file is created. The shadow file represents the original file as modified by the file modification. Before allowing the file modification to be performed on the original file, the original file is compared to the shadow file to determine if the file modification is being performed by malicious codes. The file modification may be deemed to be performed by malicious codes when the file modification involves, for example, entry point append, entry point prepend, entry point obfuscation, cavity, overwriting, or mal-tattoo.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.