Non-invasive whitelisting

US 10,050,993 B2
Filed: 09/24/2014
Issued: 08/14/2018
Est. Priority Date: 09/24/2014
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

a storage containing a graylist executable object; and

one or more logic elements comprising a security engine operable for;

detecting that the executable object has attempted to perform an action;

intercepting the action;

querying a confidence score cache for a cached confidence score for a combination of the executable object and the action;

assigning a present confidence score to the action, the present confidence score for a combination of the executable object and the action, and accounting for the cached confidence score;

acting on the present confidence score, comprising operating a machine learning algorithm configured to compare the present confidence score to confidence scores of one or more other objects previously authorized by a user, determining that the present confidence score equals or exceeds the confidence scores of the one or more other objects, and authorizing the action without asking for user verification; and

caching the present confidence score to the confidence score cache.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, there is disclosed a security architecture for enhanced, non-invasive whitelisting of executable objects. When an executable object tries to perform an action, a security engine seamlessly intercepts the action and determines whether the action is whitelisted, blacklisted, or graylisted, assigning the action a corresponding security score. Whitelisted actions may be allowed, blacklisted actions may be disallowed, and graylisted actions may require additional verification from a user. Because the score is assigned to the combination of the executable object and the action, false positives may be avoided, such as those that may occur when an executable object is prefetched but has not yet tried to perform any useful work.

23 Citations

View as Search Results

23 Claims

1. A computing device comprising:
- a storage containing a graylist executable object; and
  
  one or more logic elements comprising a security engine operable for;
  
  detecting that the executable object has attempted to perform an action;
  
  intercepting the action;
  
  querying a confidence score cache for a cached confidence score for a combination of the executable object and the action;
  
  assigning a present confidence score to the action, the present confidence score for a combination of the executable object and the action, and accounting for the cached confidence score;
  
  acting on the present confidence score, comprising operating a machine learning algorithm configured to compare the present confidence score to confidence scores of one or more other objects previously authorized by a user, determining that the present confidence score equals or exceeds the confidence scores of the one or more other objects, and authorizing the action without asking for user verification; and
  
  caching the present confidence score to the confidence score cache.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computing device of claim 1, wherein the security engine is further operable for determining that the present confidence score is below a threshold and blocking the action.
  - 3. The computing device of claim 1, wherein acting on the present confidence score comprises providing a warning to a user.
  - 4. The computing device of claim 1, wherein acting on the present confidence score comprises receiving a user decision related to the action.
  - 5. The computing device of claim 4, wherein the security engine is further operable for caching the user decision.
  - 6. The computing device of claim 1, wherein assigning a present confidence score to the action comprises using heuristics.
  - 7. The computing device of claim 1, wherein assigning a present confidence score to the action comprises:
    - identifying the executable object'"'"'s type;
      
      calculating a checksum for the object; and
      
      extracting object attributes.
  - 8. The computing device of claim 1, wherein assigning a present confidence score to the action comprises consulting a threat intelligence database.
  - 9. The computing device of claim 1, wherein assigning a present confidence score to the action comprises detecting an input/output request packet.
  - 10. The computing device of claim 1, wherein assigning a present confidence score comprises providing a self-approval.
  - 11. The computing device of claim 1, wherein acting on the present confidence score comprises detecting and avoiding false positives.
  - 12. The computing device of claim 11, wherein detecting and avoiding false positives comprises determining that the executable object has been pre-fetched, and allowing pre-fetch actions without requesting a user decision.

13. One or more non-transitory computer-readable mediums having stored thereon executable instructions operable for instructing a processor for:
- detecting that a graylist executable object has attempted to perform an action;
  
  intercepting the action;
  
  querying a confidence score cache for a cached confidence score for a combination of the executable object and the action;
  
  assigning a present confidence score to the action, the present confidence score for a combination of the executable object and the action, and accounting for the cached confidence score;
  
  acting on the present confidence score, comprising operating a machine learning algorithm configured to compare the present confidence score to confidence scores of one or more other objects previously authorized by a user, determining that the present confidence score equals or exceeds the confidence scores of the one or more other objects, and authorizing the action without asking for user verification; and
  
  caching the present confidence score to the confidence score cache.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The one or more non-transitory computer-readable mediums of claim 13, wherein the security engine is further operable for determining that the present confidence score is below a threshold and blocking the action.
  - 15. The one or more non-transitory computer-readable mediums of claim 13, wherein acting on the present confidence score comprises providing a warning to a user.
  - 16. The one or more non-transitory computer-readable mediums of claim 13, wherein acting on the present confidence score comprises receiving a user decision related to the action.
  - 17. The one or more non-transitory computer-readable mediums of claim 16, wherein the instructions are further operable for instructing the processor for caching the user decision.
  - 18. The one or more computer-readable mediums of claim 13, wherein assigning a present confidence score to the action comprises:
    - identifying the executable object'"'"'s type;
      
      calculating a checksum for the object; and
      
      extracting object attributes.
  - 19. The one or more computer-readable mediums of claim 13, wherein assigning a present confidence score to the action comprises detecting an input/output request packet.
  - 20. The one or more computer-readable mediums of claim 13, wherein acting on the present confidence score comprises detecting and avoiding false positives.
  - 21. The one or more computer-readable mediums of claim 20, wherein detecting and avoiding false positives comprises determining that the executable object has been pre-fetched, and allowing pre-fetch actions without requesting a user decision.

22. A method comprising:
- detecting that a graylist executable object has attempted to perform an action;
  
  intercepting the action;
  
  querying a confidence score cache for a cached confidence score for a combination of the executable object and the action;
  
  assigning a present confidence score to the action, the present confidence score for a combination of the executable object and the action, and accounting for the cached confidence score;
  
  acting on the present confidence score, comprising operating a machine learning algorithm configured to compare the present confidence score to confidence scores of one or more other objects previously authorized by a user, determining that the present confidence score equals or exceeds the confidence scores of the one or more other objects, and authorizing the action without asking for user verification; and
  
  caching the present confidence score to the confidence score cache.
- View Dependent Claims (23)
- - 23. The method of claim 22, wherein acting on the present confidence score comprises detecting and avoiding false positives.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Johri, Amritanshu, Singh, Balbir, Khurana, Jaskaran, Pandey, Ratnesh
Primary Examiner(s)
Dinh, Minh

Application Number

US14/495,692
Publication Number

US 20160088011A1
Time in Patent Office

1,420 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

Non-invasive whitelisting

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Non-invasive whitelisting

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links