
Malware Patent Application

I recently came across this patent from Network Associates by Igor Muttik. Here's the abstract:

"One embodiment of the present invention provides a system for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software. The system operates by emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software. During the emulation process, the system records a pattern of system calls directed to an operating system of the computer system. The system compares the pattern of system calls against a database containing suspect patterns of system calls. Based upon this comparison, the system determines whether the software is likely to exhibit malicious behavior. In one embodiment of the present invention, if the software is determined to be likely to exhibit malicious behavior, the system reports this fact to a user of the computer system. In one embodiment of the present invention, the process of comparing the pattern of system calls is performed on-the-fly as the emulation generates system calls."

Reading through the claims, it appears that they have patented much of what was the state of the art in academic research in the early 2000s. I'm shocked at how loosely the patent is written. Comparing system calls might have been novel at the time, but the real magic is finding a matching algorithm for them. That algorithm, I would think, would be the real patentable material. Then again, that's why I'm not a patent lawyer.
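To make concrete what the abstract describes (record the system calls an emulated program makes, compare them on-the-fly against a database of suspect patterns, and report a match), here is an added example of such a matcher. It is not code from the patent, from Network Associates, or from this post; the suspect pattern database, the Windows-style API names, and the two traces are constructed for illustration, and the emulator itself is replaced by a plain list of call names. The matcher treats a pattern as an ordered subsequence, so unrelated calls may appear between the calls of interest, and an optional gap limit restarts a partial match that goes stale.

```python
"""Streaming matcher for suspect system-call patterns (illustrative example)."""


# Constructed database of suspect call sequences. These are illustrative
# patterns, not signatures taken from any real product or from the patent.
SUSPECT_PATTERNS = {
    "self-copy-to-system-dir": ("GetModuleFileName", "GetSystemDirectory", "CopyFile"),
    "run-key-persistence": ("RegOpenKey", "RegSetValue"),
    "drop-and-execute": ("CreateFile", "WriteFile", "CreateProcess"),
}


class SyscallPatternMatcher:
    """Tracks partial matches of every suspect pattern as calls stream in.

    A pattern is reported when its calls appear in order; other calls may
    occur in between (ordered-subsequence match). If max_gap is set, a
    partial match is discarded once more than max_gap calls have passed
    since its previous element matched.
    """

    def __init__(self, patterns, max_gap=None):
        self.patterns = dict(patterns)
        self.max_gap = max_gap
        self.reset()

    def reset(self):
        self.progress = {name: 0 for name in self.patterns}   # next expected index
        self.last_hit = {name: None for name in self.patterns}  # call count of last hit
        self.count = 0        # number of calls seen so far
        self.matched = []     # (pattern name, call count at completion)

    def feed(self, call):
        """Feed one system-call name; return the patterns this call completes."""
        self.count += 1
        completed = []
        for name, seq in self.patterns.items():
            idx = self.progress[name]
            if idx >= len(seq):
                continue  # already reported once for this trace
            last = self.last_hit[name]
            if (self.max_gap is not None and last is not None
                    and self.count - last > self.max_gap):
                idx, last = 0, None  # partial match went stale; start over
            if call == seq[idx]:
                idx += 1
                last = self.count
                if idx == len(seq):
                    completed.append(name)
                    self.matched.append((name, self.count))
            self.progress[name] = idx
            self.last_hit[name] = last
        return completed


def scan_trace(trace, patterns=SUSPECT_PATTERNS, max_gap=None):
    """Run a whole recorded trace through the matcher; return completed matches."""
    matcher = SyscallPatternMatcher(patterns, max_gap)
    for call in trace:
        matcher.feed(call)
    return matcher.matched


def is_likely_malicious(trace, patterns=SUSPECT_PATTERNS, max_gap=None):
    """The verdict the abstract describes: any suspect pattern seen means 'likely'."""
    return bool(scan_trace(trace, patterns, max_gap))


# Constructed traces standing in for what an emulator would record.
BENIGN_TRACE = ["CreateFile", "ReadFile", "CloseHandle", "GetSystemDirectory",
                "RegOpenKey", "RegQueryValue", "RegCloseKey"]
SUSPECT_TRACE = ["GetModuleFileName", "CreateFile", "GetSystemDirectory", "CopyFile",
                 "RegOpenKey", "RegSetValue", "CloseHandle"]


if __name__ == "__main__":
    for label, trace in (("benign", BENIGN_TRACE), ("suspect", SUSPECT_TRACE)):
        print(label, "->", scan_trace(trace), "likely malicious:", is_likely_malicious(trace))
```

The gap limit is the kind of design knob the post alludes to when it says the real work is the matching algorithm: with no limit, a pattern's calls can be arbitrarily far apart and false positives rise on long benign traces; with a tight limit, a sample that interleaves noise between its interesting calls slips past.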


First, it happened 10 years ago and he was the first one,
2nd - you didn't know what malware was at that time,
3rd - yes, you are not a patent lawyer,
4th - how does the AV industry plan to pay him, since emulation is part of every AV engine by now.


I wasn't trying to blast the patent, the patent process, or trivialize this work. I'm just saying that this is a broad patent and it seems like pretty much every anti-virus product out there infringes on it in some form.

1st. It is an issued patent, not just an application.
2nd. I very much doubt that Danny Quist or anybody else did not know what malware was at the time. The AV industry did not start in 2000 when the Internets was invented by AOL.
3rd. I suspect that a mildly competent patent examiner would have found sufficient prior art to require a revision of the application with much more precise claims.
4th. The patent application was filed for Network Associates in 2000, but they later acquired Entercept in 2003, and at least two other vendors, Sana Security and Okena (later acquired by Cisco), seemed to be doing very similar things.
5th. The references and citations of the patent are interesting as well.


The anti-virus industry is more than 30 years old. I was using Norton Antivirus before Symantec acquired them (1990).

Many patents are granted in error. The patent application was filed in 2000, when emulation was prior art. Maintaining a profile of malware was prior art. The patent was granted in 2004. The fact that it took so long should not be interpreted as rigorous research. Many patents are granted in error.

If I were to defend the examiner, I would claim that the combination of using emulation (prior art) and using a profile of malware behavior (prior art) was not in previous use, and not an obvious combination and the example given in product was sufficient to describe an invention.

I don't believe that contention is supportable. If it is not supportable, then Network Associates has an asset (the patent) of dubious value. If NA were to license the use of its patent, a more rigorous review of the patent would reject it. It wasn't novel.

I doubt they would try that. Better to have that patent number and its bragging rights, than no patent at all.