ENCRYPTED DATA - COMPUTER VIRUS, MALWARE AND RANSOM WARE DETECTION SYSTEM

摘要

There is provided apparatus, systems and methods suitable for detectingmalware in encrypteddata. The term malware refers to any computer codes/instructions, whichperform actionsunauthorized or unwanted by the user, including computer viruses, worms,Trojans and exploits.Potential applications include, but are not limited to, secure and remotestorage systems such asemail servers and cloud servers, encrypted devices such as hard drives, USBflash drives and smartcards. Three approaches, with different properties, are provided for verifyingstandard hashsignatures and generic signatures such as code snippets patterns, usingencrypted indices andhomomorphic encryptions. The entire scanning process is executed in theencrypted domain. Oneor more method and system is provided for scanning the files for viruses andmalwares. Note that,in our system, the data to be scanned is encrypted under the data owner'sprivate key and not to beconfused with polymorphic viruses, which arc data encrypted by the malwarewriter/code. If asignature compatible to our system can be devised for a polymorphic virus, itcan also be detectedunder the present invention.This system allows storage of encrypted files on cloud computing/storageservers or theirpassage into secure system, by providing assurance that the encrypted filesare free of virusesand malwares that were available to the scanner. It may also provide assuranceto the file owner,that their files were not changed, such as when coupled with the invention in"Auditing usingEncrypted Indices", that the resident files were not tampered.One approach involves the data owner encrypting and sending the data files andtheir indices, inaccordance with an encryption scheme, to a storage repository, device, orcloud storage servers.Another consists of the storage of data encrypted using homomorphic encryptionand an anti-virusas a service provider sending encrypted virus/malware signatures, using dataowner's public key,for scanning on the storage device/server.This Invention covers three solutions for performing virus scanning overencrypted data,1) For a private encrypted data storage service/device, where the data ownerpossesses the anti-virus tools and database2) For a public encrypted data storage service/device, where the data ownerrequests thescanning service from an Anti-virus provider, which controls the anti-virustools anddatabase.3) For a public unencrypted data storage service/device, where the data ownerrequests thescanning service from the Anti-virus provider, which controls the anti-virustools anddatabase.