It is often necessary, in fields including but not limited to computer security and computer virus prevention, to analyze a program or other piece of software in order to determine its potential behavior, when no (or insufficient) information outside of the program itself is available to use in the determination. As part of such an analysis, it is often desirable to execute the software being analyzed in a real or in an emulated environment. This is sometimes referred to as dynamic analysis (as opposed to static analysis, which involves simply examining the binary contents of the software without allowing it to execute).
However, it has been found that for software whose important behaviors are different when executed in an environment where access to a network is available, and in particular when the software executes in an environment that has at least some access to the full global Internet, the dynamic analysis of the software becomes very difficult. Simply executing the software on a single isolated real or emulated system will not normally elicit the desired important behaviors. However, allowing the suspect software to execute on a production network, or with a connection to a real network or to the real Internet, is often impossible as well as undesirable.
U.S. Pat. No. 5,440,723 teaches the dynamic analysis of suspected computer viruses, by executing them in an environment where a number of “goat files” are available for infection, and U.S. Pat. Nos. 5,398,196 and 5,978,917 teach the use of emulation in the analysis of potentially-malicious software. However, these prior art systems do not specifically involve an analysis of network-dependant behavior, or the emulation of activity or services on a network. U.S. Pat. No. 5,812,826 teaches the use of an entirely emulated network to test the correct function of a monitoring and control system whose expected functions are already fully specified. However, this patent does not specifically address the analysis of individual pieces of software, or software whose behavior is unknown, or of software which must for safety or other reasons be isolated from real networks.