Signature extraction system and method

US 20050022018A1
Filed: 06/30/2003
Published: 01/27/2005
Est. Priority Date: 06/30/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting an attack by malicious code on a first computer system;

extracting a malicious code signature from said malicious code;

creating an extracted malicious code packet including said malicious code signature; and

sending said extracted malicious code packet from said first computer system to a second computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Host computer systems automatically detect malicious code. The host computer systems automatically generate and send malicious code packets of the malicious code to a local analysis center (LAC) computer system. Based on the received malicious code packets, the LAC computer system provides a signature update to a network intrusion detection system. Further, the LAC computer system also automatically sends malicious code signatures of the malicious code to a global analysis center. In this manner, the spread of the malicious code is rapidly detected and prevented.

Citations

29 Claims

1. A method comprising:
- detecting an attack by malicious code on a first computer system;
  
  extracting a malicious code signature from said malicious code;
  
  creating an extracted malicious code packet including said malicious code signature; and
  
  sending said extracted malicious code packet from said first computer system to a second computer system.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein prior to said sending, said method further comprising determining that said extracted malicious code packet is a new extracted malicious code packet.
  - 3. The method of claim 1 wherein prior to said sending, said method further comprising determining that a maximum number of extracted malicious code packets have not been sent from said first computer system.
  - 4. The method of claim 1 wherein said extracted malicious code packet is sent from said first computer system to said second computer system on a secure channel.

5. A method comprising:
- detecting an attack by malicious code on a first computer system;
  
  creating an extracted malicious code packet including parameters associated with said malicious code; and
  
  sending said extracted malicious code packet from said first computer system to a second computer system.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. The method of claim 5 wherein prior to said sending, said method further comprising determining that said extracted malicious code packet is a new extracted malicious code packet.
  - 7. The method of claim 5 wherein prior to said sending, said method further comprising determining that a maximum number of extracted malicious code packets have not been sent from said first computer system.
  - 8. The method of claim 5 wherein said extracted malicious code packet is sent from said first computer system to said second computer system on a secure channel.
  - 9. The method of claim 5 further comprising determining whether said malicious code is sendable.
  - 10. The method of claim 9 wherein upon a determination that said malicious code is sendable, said method further comprising extracting said malicious code from a memory location.
  - 11. The method of claim 10 wherein said extracting comprises copying or cutting said malicious code from said memory location.
  - 12. The method of claim 10 further comprising appending said parameters to said malicious code after said extraction.
  - 13. The method of claim 9 wherein upon a determination that said malicious code is not sendable, said method further comprising extracting a snippet of said malicious code from a memory location.
  - 14. The method of claim 13 wherein said extracting comprises copying or cutting a portion of said malicious code from said memory location.
  - 15. The method of claim 13 further comprising appending said parameters to said snippet after said extraction.

16. A method comprising:
- receiving an extracted malicious code packet from a first computer system with a second computer system; and
  
  determining whether an attack threshold has been exceeded based upon said extracted malicious code packet.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The method of claim 16 wherein upon a determination that an attack threshold has been exceeded, said method further comprising delivering a signature update comprising a malicious code signature.
  - 18. The method of claim 17 wherein said signature update is delivered to an intrusion detection system.
  - 19. The method of claim 17 further comprising determining that a maximum number of signature updates have not been sent prior to said delivering a signature update.
  - 20. The method of claim 17 further comprising creating said signature update.
  - 21. The method of claim 16 wherein said extracted malicious code packet includes a malicious code signature, and wherein upon a determination that said attack threshold has been exceeded, said method further comprising delivering said malicious code signature to a global analysis center.
  - 22. The method of claim 21 further comprising determining that a maximum number of malicious code signatures have not been sent prior to said delivering said malicious code signature.
  - 23. The method of claim 21 further comprising extracting said malicious code signature from said extracted malicious code packet.
  - 24. The method of claim 16 further comprising determining whether said extracted malicious code packet includes a malicious code signature, wherein upon a determination that said extracted malicious code packet does not include a malicious code signature, said method further comprising extracting a malicious code signature from said extracted malicious code packet.
  - 25. The method of claim 16 wherein upon a determination that said attack threshold has been exceeded, said method further comprising delivering said extracted malicious code packet to a global analysis center.
  - 26. The method of claim 25 further comprising determining that a maximum number of extracted malicious code packets have not been sent prior to said delivering said extracted malicious code packet.

27. A computer system comprising:
- an intrusion prevention application for detecting an attack by malicious code on a first computer system;
  
  a host signature extraction application for extracting a malicious code signature from said malicious code;
  
  said host signature extraction application further for creating an extracted malicious code packet including said malicious code signature; and
  
  said host signature extraction application further for sending said extracted malicious code packet from said first computer system to a second computer system.

28. A computer system comprising:
- an intrusion prevention application for detecting an attack by malicious code on a first computer system;
  
  a host signature extraction application for creating an extracted malicious code packet including parameters associated with said malicious code; and
  
  said host signature extraction application further for sending said extracted malicious code packet from said first computer system to a second computer system.

29. A computer system comprising:
- a local analysis center signature extraction application for receiving an extracted malicious code packet from a first computer system with a second computer system; and
  
  said local analysis center signature extraction application further for determining whether an attack threshold has been exceeded based upon said extracted malicious code packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter

Granted Patent

US 7,392,543 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Signature extraction system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Signature extraction system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links