System and method of enforcing executable code identity verification over the network

US 20030177394A1
Filed: 12/26/2002
Published: 09/18/2003
Est. Priority Date: 12/26/2001
Status: Active Grant

First Claim

Patent Images

1. A process for monitoring and analyzing executable computer code comprising the steps of:

providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures;

detecting an event on a client computer by said monitoring application;

identifying an executable code triggering the event and associated with an event;

creating a unique signature of a said executable code with said monitoring application on said client computer;

receiving in said central computer said unique signature;

comparing said unique signature with said plurality of executable code identity signatures in said database;

forwarding to said central computer for investigation said executable code when said unique signature is absent from plurality of executable code identity signatures; and

investigating the identity and intent of the said executable code if it is unknown transmitting from the said central computer to said client computer at least one item selected from the group consisting of;

a message and a command to the a monitoring application on a said client computer to perform a respective action.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for identity verification of executable code includes a central computer that is in communication with a computer network. The central computer includes a database that is adapted to store and analyze a plurality of executable code signatures, including signatures of malicious, legitimate, those executable codes identity of which is being investigated and those that have not been received for an investigation. The client computer has monitoring software that is adapted to monitor potentially dangerous events, such as an attempt to send or receive data over the network, receiving an e-mail, creation of a new process and likes. Any executable code on the client'"'"'s computer in the current system is assumed to be potentially dangerous unless its identity and intent has been determined. In operation, unique signatures that relate to potentially dangerous executable codes are received by the central computer. Upon receipt, the unique signatures are compared with the plurality of executable code signatures in the database. Any executable code signatures of which are not already in the database are forwarded to the central computer for investigation. Once a determination is made regarding the status of the unique executable code (i.e., is it legitimate or malicious) the central computer transmits a command regarding the disposition of the respective executable code.

162 Citations

42 Claims

1. A process for monitoring and analyzing executable computer code comprising the steps of:
- providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures;
  
  detecting an event on a client computer by said monitoring application;
  
  identifying an executable code triggering the event and associated with an event;
  
  creating a unique signature of a said executable code with said monitoring application on said client computer;
  
  receiving in said central computer said unique signature;
  
  comparing said unique signature with said plurality of executable code identity signatures in said database;
  
  forwarding to said central computer for investigation said executable code when said unique signature is absent from plurality of executable code identity signatures; and
  
  investigating the identity and intent of the said executable code if it is unknown transmitting from the said central computer to said client computer at least one item selected from the group consisting of;
  
  a message and a command to the a monitoring application on a said client computer to perform a respective action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 35)
- - 2. The process of claim 1, wherein said computer network comprises a wide area network.
  - 3. The process of claim 1, wherein said computer network comprises a local area network.
  - 4. The process of claim 1, further comprising a client computer in communication with said central computer through said computer network.
  - 5. The process of claim 1, wherein client computer forwards to the central computer a file containing said executable code or participating in generation of said executable code.
  - 6. The process of claim 1 wherein said monitoring application is adapted to identify said executable code in a stream of data being received/send over the network.
  - 7. The process of claim 1 wherein said monitoring application is also a firewall.
  - 8. The process of claim 1 wherein said monitoring application is also an antivirus.
  - 9. The process of claim 1, wherein said executable code is disabled during investigation.
  - 10. The process of claim 1, wherein said executable code is allowed to operate during investigation.
  - 11. The process of claim 9 wherein the user of the client computer overrides the disablement of said executable code.
  - 12. The process of claim 1 further comprising the step of storing within said database usage history data of said client computer.
  - 13. The process of claim 12 wherein usage history data comprises signatures of executable code previously found on said client computer and previously verified signatures.
  - 14. The process of claim 12 wherein said client computer receives from the central computer said usage history data prior the working session and said usage history data is stored it in a local database.
  - 15. The process of claim 14, wherein said local database is preferably stored in random access memory.
  - 16. The process of claim 14 wherein said unique signature of said executable code active in said event is compared to said usage history data in the said local database.
  - 17. The process of claim 16 wherein a match between said unique signature and a datum within said usage history data precludes forwarding of said unique signature to said central computer.
  - 18. The process of claim 14 further comprising the step of comparing of a status of usage history data signature within said local database is with a central database status for said usage history data signature.
  - 19. The process of claim 18 wherein said central database status controls relative to said status of usage history data signature within said local database.
  - 20. The process of claim 18 wherein said status of usage history data signature within said local database controls relative to said central database status.
  - 21. The process of claim 1 wherein said message transmitted is a warning when said unique signature matches a dangerous member of said plurality of executable code identity signatures.
  - 22. The process of claim 1, further comprising the step of adding said unique signature to said plurality of executable code identity signatures.
  - 23. The process of claim 1, wherein each signature of said plurality of executable code signatures in said database is comprised of:
    - signatures related to legitimate executable code, signatures related to malicious executable code, signatures related to potentially dangerous executable code, signatures related to executable codes identities and intent of which are being investigated and signatures relating to mass mailing executable code.
  - 24. The process of claim 1 wherein a plurality of executable codes are active in said event.
  - 25. The process of claim 24 wherein said executable code and plurality of executable codes are simultaneously identified.
  - 26. The process of claim 1 wherein a said respective action is termination of the process corresponding to or triggering the said event.
  - 27. The process of claim 1 wherein a said respective action is a termination of a thread.
  - 28. The process of claim 1 wherein a respective action is removing said executable code active with said event.
  - 29. The process of claim 1 wherein investigation of said executable code comprises the step of analyzing said executable code with a presumed manufacturer.
  - 35. The process of claim 14 wherein said database comprises usage history data of said client computer.

30. A process for monitoring and analyzing computer executable code comprising the steps of:
- providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures;
  
  detecting an event on a client computer by said monitoring application;
  
  identifying an executable code associated with an event or triggering the even;
  
  creating a unique signature of a said executable code with said monitoring application on said client computer;
  
  receiving in said central computer a unique signature associated with an executable code;
  
  comparing said unique signature with said plurality of executable code signatures in said database;
  
  matching said unique signature to a malicious executable computer file signature from said plurality of file signatures; and
  
  transmitting an message and command to monitoring application regarding said executable code.
- View Dependent Claims (31, 32, 33, 34, 36, 37)
- - 31. The process of claim 30, wherein said computer network comprises a wide area network.
  - 32. The process of claim 30, wherein said computer network comprises a local area network.
  - 33. The process of claim 30, further comprising a client computer in communication with said central computer through said computer network.
  - 34. The process of claim 30, wherein said client computer further comprises a monitoring application, said monitoring application being adapted to identify executable code within a data stream received over the network.
  - 36. The process of claim 30 further comprising the step of noticing a second client computer having a usage history datum within said database corresponding to said suspect signature matched said malicious executable computer code signature.
  - 37. The system of claim 30 wherein each signature of said plurality of identity signatures in said database is selected from a group consisting of:
    - signatures related to legitimate executable code, signatures related to malicious executable code, signatures related to potentially dangerous executable code, and signatures relating to mass mailing executable code.

38. A process for monitoring and analyzing an executable code comprising the steps of:
- providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures;
  
  providing a client computer in communication with said central computer through said computer network;
  
  detecting an event on a client computer by said monitoring application;
  
  identifying an executable code associated with an event or triggering the event;
  
  creating a unique signature of a said executable code with said monitoring application on said client computer;
  
  receiving in said server a unique signature transmitted from said client computer;
  
  investigating said unique signature to determine if it is related to a malicious executable computer code; and
  
  transmitting from said central computer a message and a respective command concerning said unique signature to said client computer.
- View Dependent Claims (39, 40, 41, 42)
- - 39. The process of claim 38, wherein said computer network comprises a wide area network.
  - 40. The process of claim 38, wherein said computer network comprises a local area network.
  - 41. The process of claim 38, further comprising a client computer in communication with said central computer through said computer network.
  - 42. The process of claim 38, wherein said client computer further comprises a monitoring application, said monitoring application being adapted to identify and forward to the central computer a file containing said executable code or participating in creating said of executable code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Dmitri Dozortsev
Inventors
Dozortsev, Dmitri

Granted Patent

US 6,944,772 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

System and method of enforcing executable code identity verification over the network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

162 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of enforcing executable code identity verification over the network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

162 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links