An undesirable consequence of the widespread use of computer networks, and particularly the Internet, is the spread of computer viruses and other malware. Conventional anti-malware software identifies the presence of malware by comparing a stored or known “signature” or token string of identified malware with the data stream in which the malware is sought. In order to make this comparison, the data stream must be written into a memory of some sort, so that the time sequence of the tokens may be examined or compared with the stored signature. When the comparison of the data stream with the signatures identifies the presence of malware, steps can be taken to cure, ameliorate, or eliminate its presence. In general, merely knowing that malware is present is insufficient to allow the malware to be removed. It is also necessary to identify the specific type of malware so that predetermined action can be taken. The types of action to be taken against malware in general are well known, although new variants appear frequently.
FIG. 1 is a simplified block diagram of a computer 10 including a processor 12, read-only memory (ROM) 14, random-access or dynamic memory (RAM) 16, hard drive 17, and network interface 18. During normal operation of the computer 10, computer signals flow by way of a bus illustrated as 20 among the processor 12, ROM 14, RAM 16, hard drive 17, and, if used, the network associated with interface 18. Malware can exist in RAM, ROM, the hard drive, and on the network. In order to detect the presence of malware, signals are allowed to flow on bus 20 to an identification algorithm 12id, which is illustrated as being a block within the processor 12. Those skilled in the art will understand that the identification algorithm 12id appears in processor 12 when loaded from a memory, generally from hard drive 17 or ROM 14. The identification algorithm 12id flags or triggers an amelioration algorithm illustrated as a block 12am when it senses the presence of malware, and amelioration algorithm 12am performs a predetermined set of actions in order to prevent the malware from reaching its intended destination, or to remove or quarantine the malware.
In the prior art, a data stream from ROM 14, RAM 16, hard drive 17, or network interface 18 passes through identification algorithm 12id of FIG. 1, and the tokens (bits, bytes, or multiple bytes) of the data stream are compared element-by-element with predetermined “templates” which are known to characterize the various forms of malware. When a match is found, the malware associated with the particular template is deemed to have been detected, and the amelioration algorithm is invoked against its presence.
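As an added example (not from the patent), the prior-art element-by-element template comparison can be written as a streaming scanner in Python. The signature strings, family names and actions are constructed placeholders; the scanner retains the last bytes of each chunk in memory so that a token string split across two chunks is still detected, and it reports which family matched so a predetermined action can be selected.

```python
from typing import Dict, List, Tuple

# Constructed sample signatures (name -> token string) and the predetermined
# action for each family. Made-up test patterns, not real malware signatures.
SIGNATURES: Dict[str, bytes] = {
    "SampleFamily.A": b"\x4d\x5a\x90\x00BAD-PAYLOAD",
    "SampleFamily.B": b"EVIL-MACRO-01",
}
ACTIONS: Dict[str, str] = {"SampleFamily.A": "quarantine",
                           "SampleFamily.B": "block-and-log"}


class StreamScanner:
    """Buffers a data stream so token sequences can be compared with stored
    signatures even when a signature straddles two chunks."""

    def __init__(self, signatures: Dict[str, bytes]) -> None:
        self.signatures = signatures
        # Retain (longest signature - 1) bytes between chunks so a signature
        # split across a chunk boundary is still seen whole.
        self.carry = max(len(s) for s in signatures.values()) - 1
        self.tail = b""
        self.offset = 0  # absolute stream offset of self.tail[0]

    def feed(self, chunk: bytes) -> List[Tuple[str, int]]:
        window = self.tail + chunk
        hits = []
        for name, sig in self.signatures.items():
            start = 0
            while (idx := window.find(sig, start)) != -1:
                # A match ending inside the carried tail was already reported.
                if idx + len(sig) > len(self.tail):
                    hits.append((name, self.offset + idx))
                start = idx + 1
        keep = min(self.carry, len(window))
        self.offset += len(window) - keep
        self.tail = window[len(window) - keep:]
        return sorted(hits, key=lambda h: h[1])


def scan_stream(chunks, signatures=SIGNATURES, actions=ACTIONS):
    """Feed every chunk through one scanner; return (family, offset, action)
    so the caller knows both that malware is present and which kind."""
    scanner = StreamScanner(signatures)
    findings = []
    for chunk in chunks:
        for name, off in scanner.feed(chunk):
            findings.append((name, off, actions.get(name, "alert-only")))
    return findings
```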
Improved malware detection arrangements and countermeasures are desired.