US2007083937A1PendingUtilityA1

Method and apparatus for protection of electronic media

Assignee: WIDEVINE TECHNOLOGIES INCPriority: Dec 14, 2000Filed: Oct 5, 2006Published: Apr 12, 2007
Est. expiryDec 14, 2020(expired)· nominal 20-yr term from priority
H04L 63/10G06F 21/577H04L 63/1433H04L 63/145G06F 21/552G06N 3/126H04L 63/1408
45
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Described is a system and method for providing protection of media by the detection of unauthorized client behaviors and the communication of the unauthorized client behaviors to augment the invention's detection abilities. A variety of detectors are sent to a client process and the responses are evaluated to detect the presence of an unauthorized software behavior on the client. Unauthorized behaviors include alteration of a client process as well as simultaneously running processes that might enable unauthorized copying of protected media. Communication of unauthorized software behaviors includes sharing of memory detectors among servers on a network, and the sending of memory detectors to other clients to detect previously unseen unauthorized behaviors on the other clients.

Claims

exact text as granted — not AI-modified
1 . A server device that is useable for protecting machine readable media, comprising: 
 a transceiver to send and receive data; and    a processor operable to perform actions, including: 
 receiving a response to a detector from a client device, wherein the detector comprises a sequence of different types of system calls; and  
 determining if there is unauthorized software behavior on the client device by using a matching rule to compare the response and the detector.  
   
     
     
         2 . The server device of  claim 1 , wherein the sent detector includes at least one self-detector that comprises a sequence of different types of system calls detectable in a normal execution of a process.  
     
     
         3 . The server device of  claim 1 , wherein the matching rule is configured to define at least a subset of possible system calls to compare between the response and the detector.  
     
     
         4 . The server device of  claim 1 , wherein the matching rule further comprises at least one token denoting that a match is established for any system call within a position associated with the at least one token.  
     
     
         5 . The server device of  claim 1 , wherein the matching rule is configured to adaptively evolve.  
     
     
         6 . The server device of  claim 1 , wherein the client device is configured to include at least one detector generator that is arranged to generate the detector.  
     
     
         7 . The server device of  claim 1 , wherein the processor is operable to perform actions, further including sending the detector to the client device.  
     
     
         8 . A method of detecting an unauthorized usage of machine readable media, the method comprising: 
 receiving a detector that comprises a sequence of different types of computer system calls;    determining a response to the detector based on at least one action of a client process; and    sending the response to a server, wherein a presence of an unauthorized client process behavior is determined based on a comparison between the response and the detector according to a matching rule associated with the sent detector.    
     
     
         9 . The method of  claim 8 , further comprising: 
 if presences of unauthorized client process behavior is detected based on the comparison, performing at least one of terminating the unauthorized client process, or terminating a transmission of media to a client device associated with the client process.    
     
     
         10 . The method of  claim 8 , further comprising: 
 enabling an exchange a set of detectors between the server and another server.    
     
     
         11 . The method of  claim 10 , wherein the other server discards any received detectors in the set of detectors that match another detector in the other server's database.  
     
     
         12 . A device that is configured to protect media from unauthorized client behavior, the device comprising: 
 a transceiver to send and receive data over the network; and    a program to perform actions when executed that include: 
 sending at least one detector to a client device, wherein the at least one detector comprises a sequence of different types of system calls; and  
 if unauthorized client behavior is detected on the client device based on at least one response from the client device to the at least one detector and at least one matching rule associated with the at least one detector, providing a detection notification.  
   
     
     
         13 . The device of  claim 12 , wherein providing the detection notification further results in at least one of terminating the unauthorized client behavior, or terminating a transmission to the media to the client device.  
     
     
         14 . The device of  claim 12 , wherein sequence of different types of system calls further comprises at least one of a sequence of system calls detectable in a normal execution of a process, a sequence of system calls associated with a known unauthorized process alteration, or a sequence of calls not previously detected in an execution of the process.  
     
     
         15 . The device of  claim 12 , wherein the at least one detector is configured to be inactivated based on exceeding an associated life span.  
     
     
         16 . The device of  claim 12 , wherein the program performs actions when executed that further include: 
 receiving from another device a set of detectors associated with a known unauthorized process alteration;    discarding any received detectors that match at least one other detector in a database of detectors; and    merging each retained detector from the received set of detectors into the database of detectors.    
     
     
         17 . The device of  claim 12 , wherein the device employs at least one of an Artificial Epidemiological Control (AEC) component, or an Artificial Immune System (AIS) detection unit.  
     
     
         18 . The device of  claim 12 , wherein sending the at least one detector, further comprises: 
 adjusting a frequency of sending the at least one detector to the client device, based in part, on a frequency of detecting unauthorized client behavior.    
     
     
         19 . A client device configured to protect media from unauthorized usage, the client device comprising: 
 a network interface unit configured to send and receive information; and    a program operative to perform actions, including: 
 generating a plurality of detectors, wherein each detector in the plurality comprises a sequence of different types of system calls;  
 employing the plurality of detectors to determine at least one response associated with a client process; and  
 sending the at least one response to a server device, wherein the server device is configured to detect a presence of unauthorized process usage based on the at least one response and a matching rule associated with each detector.  
   
     
     
         20 . The client device of  claim 19 , wherein one matching rule associated with one detector is different than at least one other matching rule associated with at least one other detector in the plurality of detectors.

Join the waitlist — get patent alerts

Track US2007083937A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.