Behavior-based host-based intrusion prevention system

US 20040143749A1
Filed: 01/16/2003
Published: 07/22/2004
Est. Priority Date: 01/16/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method of protecting a system from unauthorized use comprising:

decomposing processes running on a system into a plurality of process sets, wherein each process set has a corresponding behavior control description; and

controlling access to system resources by each process based on a behavior control description for the process set to which the process belongs.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of protecting a system from attack that includes monitoring processes running on a system, identifying behavior of the processes and attributes of the processes, grouping the processes into process sets based on commonality of attributes, and generating behavior control descriptions for each process set.

329 Citations

36 Claims

1. A method of protecting a system from unauthorized use comprising:
- decomposing processes running on a system into a plurality of process sets, wherein each process set has a corresponding behavior control description; and
  
  controlling access to system resources by each process based on a behavior control description for the process set to which the process belongs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein each process is a thread.
  - 3. The method of claim 1, wherein each process is an application.
  - 4. The method of claim 1, wherein the behavior control description includes at least one grant access/deny access rule based on any one of:
    - process parentage, pathname, file owner, file system type, encryption presence, object type, connection direction, protocol, port, and remote address.
  - 5. The method of claim 1, wherein the behavior control description is based on a single action by the process.
  - 6. The method of claim 1, wherein the behavior control description is based on a sequence of actions by the process.
  - 7. The method of claim 1, wherein the controlling step includes any one of:
    - accessing resources on another server, using a network socket, reading a file, and writing to a file.
  - 8. The method of claim 1, wherein modifying a behavior control description for one process set does not affect other behavior control descriptions for other process sets.

9. A method of protecting a system from unauthorized use comprising:
- identifying processes running on a system, wherein each process has an independent behavior control description; and
  
  controlling access to system resources by each process based on the behavior control description for the process.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, wherein the independent behavior control description includes at least one grant access/deny access rule based on any one of:
    - process parentage, pathname, file owner, file system type, encryption presence, object type, connection direction, protocol, port, and remote address.
  - 11. The method of claim 9, wherein the independent behavior control description is based on a single action by the process.
  - 12. The method of claim 9, wherein the independent behavior control description is based on a sequence of actions by the process.
  - 13. The method of claim 9, wherein the controlling step includes any one of:
    - accessing resources on another server, using a network socket, reading a file, and writing to a file.
  - 14. The method of claim 9, wherein modifying a behavior control description for one process set does not affect other behavior control descriptions for other process sets.

15. A method of protecting a system from attack comprising:
- monitoring processes running on a system;
  
  identifying behavior of the processes and attributes of the processes;
  
  grouping the processes into process sets based on commonality of attributes; and
  
  generating behavior control descriptions for each process set.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein each behavior control description includes at least one grant access/deny access rule based on any one of:
    - process parentage, pathname, file owner, file system type, encryption presence, object type, connection direction, protocol, port, and remote address.
  - 17. The method of claim 15, wherein each behavior control description is based on a single action by the process.
  - 18. The method of claim 15, wherein each behavior control description is based on a sequence of actions by the process.
  - 19. The method of claim 15, wherein modifying a behavior control description for one process set does not affect other behavior control descriptions for other process sets.

20. A system for protecting a system from unauthorized use comprising:
- means for decomposing processes running on a system into a plurality of process sets, wherein each process set has a corresponding behavior control description; and
  
  means for controlling access to system resources by each process based on a behavior control description for the process set to which the process belongs.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The system of claim 20, wherein each process is a thread.
  - 22. The system of claim 20, wherein each process is an application.
  - 23. The system of claim 20, wherein the behavior control description includes at least one grant access/deny access rule based on any one of:
    - process parentage, pathname, file owner, file system type, encryption presence, object type, connection direction, protocol, port, and remote address.
  - 24. The system of claim 20, wherein each behavior control description is based on a single action by the process.
  - 25. The system of claim 20, wherein each behavior control description is based on a sequence of actions by the process.
  - 26. The system of claim 20, wherein each controlling step includes any one of:
    - accessing resources on another server, using a network socket, reading a file, and writing to a file.
  - 27. The system of claim 20, wherein modifying a behavior control description for one process set does not affect other behavior control descriptions for other process sets.

28. A system for protecting a system from unauthorized use comprising:
- means for identifying processes running on a system, wherein each process has an independent behavior control description; and
  
  means for controlling access to system resources by each process based on the behavior control description for the process.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The system of claim 28, wherein the independent behavior control description includes at least one grant access/deny access rule based on any one of:
    - process parentage, pathname, file owner, file system type, encryption presence, object type, connection direction, protocol, port, and remote address.
  - 30. The system of claim 28, wherein the independent behavior control description is based on a single action by the process.
  - 31. The system of claim 28, wherein the independent behavior control description is based on a sequence of actions by the process.
  - 32. The system of claim 28, wherein modifying a behavior control description for one process set does not affect other behavior control descriptions for other process sets.

33. A system for protecting a system from attack comprising:
- means for monitoring processes running on a system;
  
  means for identifying behavior of the processes and attributes of the processes;
  
  means for grouping the processes into process sets based on commonality of attributes; and
  
  means for generating behavior control descriptions for each process set.

34. A computer program product for protecting a system from unauthorized use, the computer program product comprising a computer useable medium having computer program logic recorded thereon for controlling a processor, the computer program logic comprising:
- means for enabling a processor to decompose processes running on a system into a plurality of process sets, wherein each process set has a corresponding behavior control description; and
  
  means for enabling a processor to control access to system resources by each process based on a behavior control description for the process set to which the process belongs.

35. A system for protecting a system from unauthorized use comprising:
- means for enabling a processor to identify processes running on a system, wherein each process has an independent behavior control description; and
  
  means for enabling a processor to control access to system resources by each process based on the behavior control description for the process.

36. A system for protecting a system from attack comprising:
- means for enabling a processor to monitor processes running on a system;
  
  means for enabling a processor to identify behavior of the processes and attributes of the processes;
  
  means for enabling a processor to group the processes into process sets based on commonality of attributes; and
  
  means for enabling a processor to generate behavior control descriptions for each process set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Platform Logic (NortonLifeLock Inc.)
Inventors
Tajalli, Homayoon, Fraser, Timothy J., Graham, Jeffrey J.

Application Number

US10/345,137
Publication Number

US 20040143749A1
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/316 by observing the pattern of...

G06F 21/566 Dynamic detection, i.e. det...

Behavior-based host-based intrusion prevention system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

329 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Behavior-based host-based intrusion prevention system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

329 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links