Method and apparatus for protection of electronic media
Abstract
Described is a system and method for providing protection of media by the detection of unauthorized client behaviors and the communication of the unauthorized client behaviors to augment the invention's detection abilities. A variety of detectors are sent to a client process and the responses are evaluated to detect the presence of an unauthorized software behavior on the client. Unauthorized behaviors include alteration of a client process as well as simultaneously running processes that might enable unauthorized copying of protected media. Communication of unauthorized software behaviors includes sharing of memory detectors among servers on a network, and the sending of memory detectors to other clients to detect previously unseen unauthorized behaviors on the other clients.
Claims
exact text as granted — not AI-modified1 . A server device that is useable for protecting machine readable media, comprising:
a transceiver to send and receive data; and a processor operable to perform actions, including:
receiving a response to a detector from a client device, wherein the detector comprises a sequence of different types of system calls; and
determining if there is unauthorized software behavior on the client device by using a matching rule to compare the response and the detector.
2 . The server device of claim 1 , wherein the sent detector includes at least one self-detector that comprises a sequence of different types of system calls detectable in a normal execution of a process.
3 . The server device of claim 1 , wherein the matching rule is configured to define at least a subset of possible system calls to compare between the response and the detector.
4 . The server device of claim 1 , wherein the matching rule further comprises at least one token denoting that a match is established for any system call within a position associated with the at least one token.
5 . The server device of claim 1 , wherein the matching rule is configured to adaptively evolve.
6 . The server device of claim 1 , wherein the client device is configured to include at least one detector generator that is arranged to generate the detector.
7 . The server device of claim 1 , wherein the processor is operable to perform actions, further including sending the detector to the client device.
8 . A method of detecting an unauthorized usage of machine readable media, the method comprising:
receiving a detector that comprises a sequence of different types of computer system calls; determining a response to the detector based on at least one action of a client process; and sending the response to a server, wherein a presence of an unauthorized client process behavior is determined based on a comparison between the response and the detector according to a matching rule associated with the sent detector.
9 . The method of claim 8 , further comprising:
if presences of unauthorized client process behavior is detected based on the comparison, performing at least one of terminating the unauthorized client process, or terminating a transmission of media to a client device associated with the client process.
10 . The method of claim 8 , further comprising:
enabling an exchange a set of detectors between the server and another server.
11 . The method of claim 10 , wherein the other server discards any received detectors in the set of detectors that match another detector in the other server's database.
12 . A device that is configured to protect media from unauthorized client behavior, the device comprising:
a transceiver to send and receive data over the network; and a program to perform actions when executed that include:
sending at least one detector to a client device, wherein the at least one detector comprises a sequence of different types of system calls; and
if unauthorized client behavior is detected on the client device based on at least one response from the client device to the at least one detector and at least one matching rule associated with the at least one detector, providing a detection notification.
13 . The device of claim 12 , wherein providing the detection notification further results in at least one of terminating the unauthorized client behavior, or terminating a transmission to the media to the client device.
14 . The device of claim 12 , wherein sequence of different types of system calls further comprises at least one of a sequence of system calls detectable in a normal execution of a process, a sequence of system calls associated with a known unauthorized process alteration, or a sequence of calls not previously detected in an execution of the process.
15 . The device of claim 12 , wherein the at least one detector is configured to be inactivated based on exceeding an associated life span.
16 . The device of claim 12 , wherein the program performs actions when executed that further include:
receiving from another device a set of detectors associated with a known unauthorized process alteration; discarding any received detectors that match at least one other detector in a database of detectors; and merging each retained detector from the received set of detectors into the database of detectors.
17 . The device of claim 12 , wherein the device employs at least one of an Artificial Epidemiological Control (AEC) component, or an Artificial Immune System (AIS) detection unit.
18 . The device of claim 12 , wherein sending the at least one detector, further comprises:
adjusting a frequency of sending the at least one detector to the client device, based in part, on a frequency of detecting unauthorized client behavior.
19 . A client device configured to protect media from unauthorized usage, the client device comprising:
a network interface unit configured to send and receive information; and a program operative to perform actions, including:
generating a plurality of detectors, wherein each detector in the plurality comprises a sequence of different types of system calls;
employing the plurality of detectors to determine at least one response associated with a client process; and
sending the at least one response to a server device, wherein the server device is configured to detect a presence of unauthorized process usage based on the at least one response and a matching rule associated with each detector.
20 . The client device of claim 19 , wherein one matching rule associated with one detector is different than at least one other matching rule associated with at least one other detector in the plurality of detectors.Join the waitlist — get patent alerts
Track US2007083937A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.