|Publication number||US20020042886 A1|
|Application number||US 09/939,717|
|Publication date||Apr 11, 2002|
|Filing date||Aug 28, 2001|
|Priority date||Aug 31, 2000|
|Also published as||EP1184772A2, EP1184772A3, US8925086, US20070220608|
|Inventors||Pasi Lahti, Ismo Bergroth, Simo Huopio|
|Original Assignee||Pasi Lahti, Ismo Bergroth, Simo Huopio|
 The present invention relates to software virus protection, and in particular to virus protection for wireless devices.
 Viruses are a serious problem to users of computers. In order to combat the problem, there are a variety of anti-virus software products available which are able to identify viruses resident in the files or memory of a computer. Modern anti-virus software, such as for example F-Secure Anti-Virus for Windows NT, uses a virus signature comparison in order to identify viruses. Each virus contains code which can be analysed and recorded on a database. The database need not record all of the code contained in a virus if a unique “digital fingerprint” or signature can be recorded instead. This may be for example the overall pattern of the code, or two or three particular lines. When a signature comparison is made, the anti-virus program searches for viruses by scanning a file for the presence of a virus signature such as are present in the database.
 Clearly, if effective protection is to be maintained, the database used by the anti-virus software must contain signatures for all known viruses. Unfortunately, new viruses are detected all the time, currently at the rate of one per day. Once a newly detected virus has been analysed by the anti-virus software provider and a signature created, the database must be updated on all of the computers which are using the anti-virus software. There have been various methods up until now for carrying out this update.
 The earliest method used by virus software providers was to send a diskette through the mail to registered users of the anti-virus software, this diskette containing the required updates to the database. Another method has been to make the virus updates available on-line, so that they can be obtained by connecting to a remote server maintained by the anti-virus software provider. Updates have also been provided in the form of attachments to e-mail.
 Increasingly, mobile phones are being used to connect to the Internet. Mobile Internet access is being facilitated by new networks (incorporating HSCSD and GPRS) as well as other protocols such as WAP. As mobile “platforms” with wireless modems and internet connections become more powerful, Internet connections will be as easy to obtain as for a desktop PC. This increase in the usage and capacity of mobile platforms renders them susceptible to attack by viruses. The methods outlined above for updating anti-virus software can also be used for mobile platforms. However, in general they will not be permanently connected to the Internet, and indeed may only connect to the Internet occasionally. This can lead to the signature database used by anti-virus software becoming out of date, rendering protection incomplete. Out of date protection can be worse than no protection at all, as it can engender a false sense of security in a user.
 It is, therefore, an object of the present invention to provide a means for updating anti-virus signature databases on mobile platforms.
 According to a first aspect, the present invention provides a method of updating a virus signature database used by anti-virus software operating on a mobile wireless platform, the method comprising sending update data via a signalling channel of a mobile telecommunications network to the mobile wireless platform.
 The update data sent to the mobile wireless platform may be a virus signature database update, or may be a software update such as a software patch.
 Preferably, the network is a GSM based network or an evolved GSM network such as GSM phase 2 (including GPRS) or UMTS (3GPP).
 Preferably, the update data is obtained in one or more Short Message Service (SMS) messages. The SMS protocol, as set out for example in the ETSI GSM 03.40 specification, is a protocol which is well known and widely used for data transfer between mobile devices. For example, programs executing on top of the EPOC operating system have access to SMS communications.
 Alternatively, the update data may be carried by one or more Unstructured Supplementary Services Data (USSD) messages.
 In order to prevent the update information from attack, the payload of the message carrying the update data is preferably cryptographically signed.
 The mobile platform may be a mobile telephone, communicator, PDA, palmtop or laptop computer, or any other suitable platform.
 The mobile platform may send a report to a management centre following the successful receipt and installation of the update data. More preferably, this is returned to a management centre using an SMS message.
 In a preferred embodiment, the present invention provides a method of protecting a wireless device against viruses, comprising maintaining a database of virus signatures on the device, updating the database by receiving data containing virus signatures in one or more Short Message Service (SMS) or Unstructured Supplementary Services Data (USSD) messages, and searching for viruses contained in the database.
 Some preferred embodiments of the invention will now be described by way of example only and with reference to the accompanying drawings, in which:
FIG. 1 is a schematic diagram showing a system according to a preferred embodiment of the invention; and
FIG. 2 is a flow diagram of a method of protecting a mobile device from attack by viruses according to a preferred embodiment of the present invention.
FIG. 1 illustrates a UMTS Mobile Network comprising a UMTS Terrestrial Radio Access Network (UTRAN) consisting of Base Stations (BS) 1 and Radio Network Controllers (RNCs) 2, and a core network consisting of MSCs (and SGSNs) 3 and a transmission network 4 (RNCs of the UTRAN may be supplemented with BSCs to facilitate interworking with the GSM standard). Also present in the core network are a Short Message Service (SMS) centre 5 and a GPRS Gateway Support Node (GGSN) 6. For the sake of simplicity, FIG. 1 shows only a single RNC 2 and MSC (SGSN) 3. It will be appreciated that further nodes will be present in a UMTS network in practice. A mobile wireless device 7 can connect to other telecommunication devices (e.g. mobile telephones, fixed line telephones, etc) via the UTRAN and the core network (of course other networks including “foreign” mobile networks and PSTN networks may be involved in such connections). Using the GGSN 6, the device 7 is able to connect to the Internet 8. A user of the mobile wireless device 1 may thus contact for example a remote web server 9 by entering the URL of the web server into his device's Internet browser. The mobile device 1 may also communicate with a bluetooth device 10 and a Local Area Network (LAN) 11. By way of example, the mobile device 1 may use the EPOC™ operating system.
 In view of the risk that viruses could be downloaded from another mobile device, from the remote server 9 via the Internet 8, from the bluetooth device 10, or from another node of the LAN 11, the device 1 is provided with an anti-virus software application which may check any files downloaded from an external source, together with files already resident on the device's system. As explained above, this software searches files for virus “signatures” so that, in order to be fully effective, it requires its database of virus signatures to be updated regularly.
 There are various known methods for obtaining updates to a database of virus signatures. One method is to periodically receive media (e.g. floppy disks, compact discs) with the updates recorded thereon. However, this is a cumbersome and expensive method and will result in fewer updates being made, with the database never being fully up to date. A better method is for the user of the mobile device to contact a remote web server operated by the provider of the anti-virus software. The necessary data to update the anti-virus database can then be downloaded from that server. As explained above however, very few mobile devices are permanently connected to the Internet, and in many cases users will only connect to the Internet infrequently. This method also relies on the user remembering to connect to the remote anti-virus server periodically in order to obtain the update data. Thus there will again be periods of time during which the database is not fully up to date.
 In order to overcome these problems use may be made of the SMS centre 5 within the UMTS core network. SMS is a service provided by current GSM networks for sending short messages over a signalling channel, and is expected to be provided also by UMTS networks.
 The SMS centre 5 is located in the core network part of the UMTS network and is coupled to the Internet 8 via an anti-virus server 12 which is operated and controlled by the UMTS network operator. The anti-virus server 12 receives regular updates (e.g. every morning) from an update server 13 maintained by the anti-virus software provider. The SMS server 12 maintains a record of all subscribers to the anti-virus service in a database 13, and initiates virus signature database updates by sending a Short Message Service (SMS) request for each of the registered subscribers (including the user of the mobile device 1) to the SMS centre 5. Upon receipt of a request, the SMS centre 5 generates a corresponding SMS message and sends this to the destination mobile device via the Mobile Switching Centre 3 of the core network and the UTRAN. The SMS message contains virus signature data enabling the mobile device 1 to update the anti-virus database to include signatures for those viruses discovered since the last update was made.
 As SMS messages can carry only relatively small quantities of information, it may be necessary for the SMS centre 5 to send a “concatenated message”, (i.e. several SMS messages) to convey all the necessary information to perform a database update. For the same reason it is desirable to be able to reduce the volume of information sent as part of a virus signature database upgrade. Thus, whilst SMS updates may be sent automatically to all subscribers from the network, it is preferable to send an SMS message to the server 12 from a device 1 (via the SMS centre 5), containing details of which virus signatures are currently stored in the device's signature database. On receipt of such an SMS request, the anti-virus server 12 needs only to issue an SMS request to the SMS centre 5 containing virus signatures not currently on the signature database of the mobile device 1.
 As noted in the preceding paragraph, SMS updates may be sent automatically from the network to subscribers, or may be triggered by requests from subscribers. FIG. 2 is a flow diagram illustrating the sequence of steps involved in a subscriber initiated updating process. The mobile device executes the anti-virus software 21. This is usually done when the device is switched on. The anti-virus software, which uses a database of virus signatures, checks to determine when the database was last updated 22. If the last update took place more than a pre-defined period ago, e.g. one week, the software causes the device to send an SMS message 23 to the anti-virus server 12 via the SMS centre 5. This message contains data regarding the current status of the database.
 In reply to this SMS message, the anti-virus server 12 returns an SMS request 24 (or several SMS messages forming a “concatenated message”) to the SMS centre 5, the request containing signatures for viruses discovered and analysed since the previous update. The SMS centre 5 generates a corresponding SMS message 25 and sends this to the mobile device 1, which receives the message 26 and causes the new signature(s) to be incorporated into the anti-virus signature database for future use 27.
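The subscriber-initiated exchange above, with the signed payload and concatenated messages the description calls for, sketched as an added example (not code from the patent or from any F-Secure product). Assumptions: the device reports a single database version number, the record layout and all names are invented for illustration, and HMAC-SHA256 with a shared key stands in for the cryptographic signature, which in practice would be an asymmetric signature so that devices hold only a verification key.

```python
import hashlib
import hmac
import struct

SMS_OCTETS = 140               # user-data octets in one SMS carrying 8-bit data
UDH = 6                        # concatenation header: 05 00 03 <ref> <total> <seq>
TAG = 32                       # HMAC-SHA256 tag length
KEY = b"constructed-demo-key"  # constructed; stand-in for the provider's signing key
# Constructed catalogue: database version -> 16-byte signature record.
CATALOGUE = {v: hashlib.sha256(b"constructed-%d" % v).digest()[:16]
             for v in range(1, 13)}


def build_update(device_version, catalogue, ref=0x2A):
    """Server side: pack entries newer than the device's version, tag, segment."""
    body = b"".join(struct.pack(">HB", ver, len(sig)) + sig
                    for ver, sig in sorted(catalogue.items())
                    if ver > device_version)
    payload = body + hmac.new(KEY, body, hashlib.sha256).digest()
    step = SMS_OCTETS - UDH
    chunks = [payload[i:i + step] for i in range(0, len(payload), step)]
    return [bytes([5, 0, 3, ref, len(chunks), seq]) + chunk
            for seq, chunk in enumerate(chunks, start=1)]


def apply_update(segments, database):
    """Device side: reassemble, verify, then merge. Returns entries added."""
    parts, header = {}, None
    for seg in segments:
        if len(seg) < UDH or seg[:3] != b"\x05\x00\x03":
            raise ValueError("not a concatenated-SMS segment")
        ref, total, seq = seg[3], seg[4], seg[5]
        if header not in (None, (ref, total)) or not 1 <= seq <= total:
            raise ValueError("inconsistent segment header")
        header = (ref, total)
        parts[seq] = seg[UDH:]          # a repeated segment just overwrites
    if header is None or len(parts) != header[1]:
        raise ValueError("update incomplete")
    payload = b"".join(parts[seq] for seq in range(1, header[1] + 1))
    body, tag = payload[:-TAG], payload[-TAG:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    new, pos = {}, 0
    while pos < len(body):              # parse fully before touching the database
        ver, length = struct.unpack_from(">HB", body, pos)
        new[ver] = body[pos + 3:pos + 3 + length]
        pos += 3 + length
    database.update(new)
    return len(new)


if __name__ == "__main__":
    device_db = {v: CATALOGUE[v] for v in range(1, 5)}   # device is at version 4
    sms = build_update(max(device_db), CATALOGUE)
    print(len(sms), "segments;", apply_update(reversed(sms), device_db), "added")
```

The device leaves its database untouched unless every segment has arrived and the tag over the reassembled payload verifies, so a dropped or altered segment cannot produce a partially applied update.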
 When next requested, or otherwise triggered (e.g. by a scanning scheduler), the anti-virus software scans the files and memory of the mobile device in order to determine the presence of any of the virus signatures in its database 28. If an infected file is discovered 29, the user is warned 30 and given an opportunity to delete or clean that file. Otherwise, once all files have been scanned, the software informs the user that his system is “clean” 31.
 It will be appreciated that there are other embodiments which fall within the scope of the invention. For example, the method of the present invention may be used to update the anti-virus software itself, e.g. by sending software patches.
|International Classification||E06B9/00, G06F21/56, G06F1/00|
|Dec 28, 2001||AS||Assignment|
Owner name: F-SECURE OYJ, FINLAND
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LAHTI, PASI;HUOPIO, SIMO;BERGROTH, ISMO;REEL/FRAME:012401/0953;SIGNING DATES FROM 20011122 TO 20011205