Claims
- 1. A method of protecting machine readable media from unauthorized storage or copying, comprising:
sending a detector to a client process; receiving a response to the detector from the client process; detecting a presence of an unauthorized software behavior on the client based upon the response and a matching rule that is associated with the detector sent; and updating a database of detectors for a previously unseen and unauthorized behavior of the process such that the database of detectors evolves over time.
- 2. The method as in claim 1, wherein the sent detector includes at least one of a self-detector, a memory detector, and a novel detector.
- 3. The method as in claim 1, wherein the sent detector further comprises detecting the presence of an unauthorized substantially simultaneously executing client process.
- 4. The method as in claim 1, wherein the sending of the detector further comprises varying a sequence length of a computer system call within the detector such that the meaning of the detector is obscured.
- 5. The method as in claim 1, wherein the sending of the detector further comprises encoding numerically the detector such that the meaning of the detector is obscured.
- 6. The method as in claim 1, wherein the matching rule includes a criterion for each field in the detector that is to be matched before a match is validated, wherein each field includes a sequence of at least one computer system calls.
- 7. The method as in claim 1, further including sending the detector to detect previously unseen and unauthorized behavior to another client process.
- 8. The method as in claim 1, further including:
exchanging sets of memory detectors between a server and another server during an update period; evaluating the received set of memory detectors against each server's self database and a set of matching rules; discarding memory detectors in the received set of memory detectors that match another detector in each server's self database, wherein a false positive detection is minimized; and merging each new retained memory detector from the received set of memory detectors with each server's memory database, wherein the exchange of the sets of memory detectors between each server obstructs the spread of unauthorized copying and corruption of electronic media.
- 9. A method for obstructing unauthorized copying and corruption of media between clients that communicate over a network of servers, comprising:
exchanging a set of memory detectors between servers during an update period; evaluating each received set of memory detectors against each server's self database and a set of matching rules; discarding each detector in the received set of detectors that match another detector in each server's self database; and merging a new retained detector from each received set of detectors with each server's memory database, wherein the exchanging of the set of memory detectors prevents unauthorized copying and corruption of media.
- 10. The method as in claim 9, wherein the set of detectors include at least one of a self-detector, a memory detector, and a novel detector.
- 11. The method as in claim 9, wherein the set of detectors enable the detection of the presence of an unauthorized substantially simultaneously executing client process.
- 12. The method as in claim 9, wherein the exchanging the set of memory detectors further includes varying a sequence length of a computer system call within each detector such that each detector is obscured.
- 13. The method as in claim 9, wherein the exchanging the set of detectors includes encoding numerically the detector such that the meaning of the detector is obscured.
- 14. The method as in claim 9, wherein the matching rule includes at least one criterion for each field in each detector that is to be matched before a match is validated, and wherein each field includes a sequence of at least one computer system calls.
- 15. A method of providing detection of machine-readable media from an unauthorized usage, the method comprising:
evaluating a response from a process to a series of behavioral questions; detecting an unauthorized behavior of the process based on the evaluating; and communicating the unauthorized behavior of the process among a plurality of processes, wherein detection of unauthorized usage is enhanced.
- 16. A system to protect media from unauthorized usage, the system comprising:
a server to send media to a client; and a program to perform actions when executed that include:
sending a detector to the client, receiving a response to the detector from the client, detecting a presence of an unauthorized process on the client based on the response and a matching rule associated with the detector, and updating a database of memory detectors for a previously undetected and unauthorized process on the client such that the database of memory detectors evolves over time.
- 17. The system as in claim 16 further including employing the client to access the media.
- 18. The system as in claim 16, wherein the sending of the detector includes adjusting the frequency of a class of detectors sent in response to changes in responses from each client, such that the class of detectors includes at least one of a self-detector, a memory detector, and a novel detector.
- 19. The system as in claim 16, wherein the updating further includes eliminating detectors in the database that exceed a predetermined detector life span.
- 20. The system as in claim 16, wherein the matching rule includes at least one criterion for a field in the detector to be matched before a match is validated, and wherein the field includes a sequence of at least one computer system calls.
- 21. The system as in claim 16, wherein the detecting includes executing a Rabin-Karp algorithm of prime numbers and a sliding window across the response and the detector.
- 22. A computer readable medium having stored thereon a data structure to provide a detector pattern for use in data integrity of machine-readable media, the data structure comprising a plurality of data fields associated with a matching rule to validate a match of the plurality of data fields from a response to the data structure, and wherein each of the plurality of data fields comprises a computer system call.
- 23. A machine readable medium that provides instructions which, when executed by at least one processor, cause said processor to perform operations comprising:
sending a detector to a client process; receiving a response to the detector from the client process; detecting a presence of an unauthorized behavior on the client based upon the response and a matching rule that is associated with the detector sent; and updating a database of memory detectors for a previously unseen and unauthorized behavior of the client process such that the memory database evolves over time.
- 24. The medium as in claim 23, wherein the detector further includes at least one of a self-detector, a memory detector, and a novel detector.
- 25. The medium as in claim 23, wherein the detector detects the presence of an unauthorized substantially simultaneously executing client process.
- 26. The medium as in claim 23, wherein the sending of the detector further includes varying a sequence length of computer system calls within the detector such that the meaning of the detector is obscured.
- 27. The medium as in claim 23, wherein the sending of the detector further includes encoding numerically the detector such that the meaning of the detector is obscured.
RELATED APPLICATIONS
[0001] This application claims the benefit of U.S. Provisional Application No. 60/255,851 filed on Dec. 14, 2000.
Provisional Applications (1)
|
Number |
Date |
Country |
|
60255851 |
Dec 2000 |
US |