Method and system for protecting computer system from malicious software operation

US 20040225877A1
Filed: 03/03/2004
Published: 11/11/2004
Est. Priority Date: 05/09/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for protecting a computer from malicious software operation, comprising:

intercepting a system activity;

deriving a user initiation attribute indicating whether or not said system activity is being initiated by a user through at least one peripheral device connected to said computer;

taking a security action regarding said system activity based on information comprising said user initiation attribute;

wherein said system activity is a system operation to be carried out by the computer system on behalf of a software program.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for protecting a computer system from malicious software operations in real-time is disclosed. The security system combines system and user activity information to derive a user initiation attribute indicating whether or not a system operation is initiated by a computer user, and stop secrete malicious software operations that are not initiated by a computer user. The security system incorporates a plurality of attributes to support flexible security policy design, warn about potentially damaging operations by Trojan programs, and dynamically create security policies to allow trusted programs to perform trusted operations.

Citations

24 Claims

1. A method for protecting a computer from malicious software operation, comprising:
- intercepting a system activity;
  
  deriving a user initiation attribute indicating whether or not said system activity is being initiated by a user through at least one peripheral device connected to said computer;
  
  taking a security action regarding said system activity based on information comprising said user initiation attribute;
  
  wherein said system activity is a system operation to be carried out by the computer system on behalf of a software program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein said security action comprises any of the following actions:
    - passing through said system activity to be carried out by the operating system;
      
      stopping said system activity before being carried out by the operating system;
      
      popping up a window displaying a message and a plurality of optional actions to be chosen by a computer user, and taking the actions chosen by said computer user;
      
      logging a message in a file;
      
      displaying a message in a window;
      
      generating a sound beep in the computer;
      
      sending an email;
      
      sending a message to a server.
  - 3. The method of claim 2, wherein said system activity comprises any of the following operations:
    - requesting a network connection;
      
      accepting a network connection;
      
      sending data over a network connection;
      
      receiving data over a network connection. executing a command;
      
      executing a program;
      
      opening file;
      
      reading data from file;
      
      writing data to file;
      
      deleting file;
      
      renaming file;
      
      closing file;
      
      setting registry key;
  - 4. The method of claim 3, wherein said information comprising said user initiation attribute is a plurality of attributes comprising any of the following additional attributes:
    - command code representing the operation of said system activity;
      
      one or more identities of computer entities associated with said system activity;
      
      program identity uniquely identifying the software program associated with said system activity;
      
      software vendor identity uniquely identifying the vendor producing the software program associated with said system activity;
      
      whereby additional attributes allow flexible security policy design.
  - 5. The method of claim 1, wherein step of deriving a user initiation attribute further comprises a step of:
    - setting said user initiation attribute to false meaning said system activity not being initiated by a user if any of the following conditions is true;
      
      no user activity being detected in any of the user controlled peripheral devices connecting to said computer within a time window proceeding said system activity;
      
      the software program associated with said system activity having no user interface for receiving user activity;
      
      wherein said user activity is any of the following data;
      
      keystroke received from a keyboard connected to said computer;
      
      mouse click received from a mouse connected to said computer;
      
      mouse movement received from a mouse connected to said computer;
      
      screen touch received from a touch sensitive screen connected to said computer;
      
      voice command received from a microphone connected to said computer.
  - 6. The method of claim 1, wherein step of deriving a user initiation attribute further comprises steps of:
    - recording user activities generated in any of the user controlled peripheral devices connecting to said computer;
      
      determining association between said system activity and said user activities. wherein said user activities comprise any of the following data;
      
      keystroke received from a keyboard connected to said computer;
      
      mouse click received from a mouse connected to said computer;
      
      mouse movement received from a mouse connected to said computer;
      
      screen touch received from a touch sensitive screen connected to said computer;
      
      voice command received from a microphone connected to said computer.
  - 7. The method of claim 6, wherein step of determining association between said system activity and user activities further comprises steps of:
    - accounting user activities received by the software program associated with said system activity and occurred within a time window proceeding said system activity;
      
      setting said user initiation attribute to true meaning said system activity being initiated by a user if the amount of accounted user activities exceeds a threshold.
  - 8. The method of claim 4, wherein step of taking a security action regarding said system activity based on information of a plurality of attributes further comprises steps of:
    - searching for a security policy in a plurality of security policies matching said plurality of attributes, wherein each security policy comprises a plurality of attribute specifications and at least one security action, each said attribute specification specifying matching values for an attribute;
      
      taking security action specified by said security policy.
  - 9. The method of claim 8, wherein said plurality of security policies comprises a policy comprising:
    - attribute specifications comprising;
      
      user initiation attribute specification having value of false meaning not being initiated by a computer user;
      
      command code attribute specification comprising any of the following values;
      
      requesting a network connection;
      
      accepting a network connection;
      
      security action comprising;
      
      popping up window displaying a message and a plurality of optional actions comprising stopping activity and passing through activity to be chosen by a computer user.
  - 10. The method of claim 8, wherein said plurality of security policies comprises a policy comprising security action comprising:
    - popping up window displaying a message and comprising an option to grant the same operation by the same software program in the future;
      
      wherein said method further comprising a step of creating a new security policy granting said operation by said software program upon said option being chosen by the user.
  - 11. The method of claim 8, wherein said plurality of security policies are stored in any of the following locations:
    - said computer being protected by said method;
      
      a server connected through a network to said computer being protected by said method.
  - 12. The method of claim 8, wherein said plurality of security policies are comprised in an electronic document comprising a digital signature signed with an digital certificate, said method further comprises a step of:
    - verifying said digital signature using said digital certificate.

13. A system for protecting a computer from malicious software operation, comprising:
- a system activity intercept and control module for intercepting a system activity;
  
  a user association module for deriving a user initiation attribute indicating whether or not said system activity is being initiated by a computer user through at least one peripheral device connected to said computer;
  
  a policy execution module for taking a security action regarding said system activity based on information comprising said user initiation attribute;
  
  wherein said system activity is a system operation to be carried out by the computer system on behalf of a software program.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein said security action comprises any of the following actions:
    - passing through said system activity to be carried out by the operating system;
      
      stopping said system activity before being carried out by the operating system;
      
      popping up a window displaying a message and a plurality of optional actions to be chosen by a computer user, and taking the actions chosen by said computer user;
      
      logging a message in a file;
      
      displaying a message in a window;
      
      generating a sound beep in the computer;
      
      sending an email;
      
      sending a message to a server.
  - 15. The system of claim 14, wherein said system activity comprises any of the following operations:
    - requesting a network connection;
      
      accepting a network connection;
      
      sending data over a network connection;
      
      receiving data over a network connection. executing a command;
      
      executing a program;
      
      opening file;
      
      reading data from file;
      
      writing data to file;
      
      deleting file;
      
      renaming file;
      
      closing file;
      
      setting registry key;
  - 16. The system of claim 15, wherein in said policy execution module said information comprising said user initiation attribute is a plurality of attributes comprising any of the following additional attributes:
    - command code representing the operation of said system activity;
      
      one or more identities of computer entities associated with said system activity;
      
      program identity uniquely identifying the software program associated with said system activity;
      
      software vendor identity uniquely identifying the vendor producing the software program associated with said system activity;
      
      whereby additional attributes allow flexible security policy design.
  - 17. The system of claim 13, wherein said user association module for deriving a user initiation attribute is further configured to set said user initiation attribute to false meaning said system activity not being initiated by a computer user if any of the following conditions is true:
    - no user activity being detected in any of the user controlled peripheral devices connecting to said computer within a time window proceeding said system activity;
      
      the software program associated with said system activity having no user interface for receiving user activity;
      
      wherein said user activity is any of the following data;
      
      keystroke received from a keyboard connected to said computer;
      
      mouse click received from a mouse connected to said computer;
      
      mouse movement received from a mouse connected to said computer;
      
      screen touch received from a touch sensitive screen connected to said computer;
      
      voice command received from a microphone connected to said computer.
  - 18. The system of claim 13, wherein said user association module for deriving a user initiation attribute is further configured to perform the following functions:
    - recording user activities generated in any of the user controlled peripheral devices connecting to said computer;
      
      determining association between said system activity and said user activities. wherein said user activities comprise any of the following data;
      
      keystroke received from a keyboard connected to said computer;
      
      mouse click received from a mouse connected to said computer;
      
      mouse movement received from a mouse connected to said computer;
      
      screen touch received from a touch sensitive screen connected to said computer;
      
      voice command received from a microphone connected to said computer.
  - 19. The system of claim 18, wherein said user association module for deriving a user initiation attribute is further configured to perform the following functions:
    - accounting user activities received by the software program associated with said system activity and occurred within a time window proceeding said system activity;
      
      setting said user initiation attribute to true meaning said system activity is initiated by a computer user if the amount of accounted user activities exceeds a threshold.
  - 20. The system of claim 16, wherein said policy execution module is further configured to perform the following functions:
    - searching for a security policy in a plurality of security policies matching said plurality of attributes, wherein each security policy comprises a plurality of attribute specifications and at least one security action, each said attribute specification specifying matching values for an attribute;
      
      taking security action specified by said security policy.
  - 21. The system of claim 20, wherein said plurality of security policies comprises a policy comprising:
    - attribute specifications comprising;
      
      user initiation attribute specification having value of false meaning not being initiated by a computer user;
      
      command code attribute specification comprising any of the following values;
      
      requesting a network connection;
      
      accepting a network connection;
      
      security action comprising;
      
      popping up window displaying a message and a plurality of optional actions comprising stopping system activity and passing through system activity, wherein said optional actions can be chosen by a computer user.
  - 22. The system of claim 20, wherein said plurality of security policies comprises a policy comprising security action comprising:
    - popping up window displaying a message and comprising an option to grant the same operation by the same software program in the future;
      
      wherein said policy execution module is further configured to create a new security policy granting said operation by said software program upon said option being chosen by the user.
  - 23. The system of claim 20, wherein said plurality of security policies are stored in any of the following locations:
    - said computer being protected by said method;
      
      a server connected through a network to said computer being protected by said method.
  - 24. The system of claim 20, wherein said plurality of security policies are comprised in an electronic document comprising a digital signature signed with an digital certificate, said system further comprises a signature verification module being configured to verify said digital signature using said digital certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zezhen Huang
Original Assignee
Zezhen Huang
Inventors
Huang, Zezhen

Application Number

US10/792,506
Publication Number

US 20040225877A1
Time in Patent Office

Days
Field of Search
US Class Current

713/100
CPC Class Codes

G06F 21/552 involving long-term monitor...

Method and system for protecting computer system from malicious software operation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protecting computer system from malicious software operation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links