Methodology, system, computer readable medium, and product providing a security software suite for handling operating system exploitations
5 Assignments
0 Petitions
Abstract
Various embodiments are provided relating to security of a computer, namely, a security software product, a computer-readable medium, a computerized method, and a computer security system. Illustrative is one embodiment of a security software product for use on a host computer to monitor for, and respond to, activity corresponding to a rootkit exploitation which renders the host computer's operating system insecure. The security software product comprises computer readable media having a suite of interfaced software components, such as loadable kernel modules. An exploitation detection component detects the activity corresponding to the rootkit exploitation. A forensics data collection component collects forensics data characteristic of the rootkit exploitation so that it may be transferred to a removable storage device. An OS restoration component restores the operating system to a secure condition in response to detection of the exploit.
45 Claims
1. A computer security system, comprising:
(a) a non-volatile memory;
(b) a volatile memory; and
(c) a processor programmed to:
(1) detect exploitation of a computer operating system which is of a type that renders the computer insecure; and
(2) initiate a response to detection of said exploitation, which response entails at least one of:
(i) collecting forensics data characteristic of the exploitation; and
(ii) restoring the operating system to a pre-exploitation condition.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computer security system according to claim 10 wherein said response entails restoring said operating system to a pre-exploitation condition by removing any hidden kernel modules, removing any hidden system call patches, terminating any hidden processes, and removing any hidden files which have been detected.
11. A computer security system, comprising:
(a) removable storage means;
(b) non-volatile memory;
(c) volatile memory; and
(d) processing means programmed for:
(1) detecting exploitation of a computer operating system which is of a type that renders the computer insecure; and
(2) initiating a response to detection of said exploitation, which response entails at least one of:
(i) collecting forensics data characteristic of the exploitation whereby it is stored on the removable media means; and
(ii) restoring the operating system to a pre-exploitation condition.
Dependent claims: 12, 13, 14, 15
16. A computer-readable medium for use with a computer and having executable instructions for performing a method comprising:
(a) detecting exploitation of an operating system which renders a computer insecure; and
(b) initiating a response to detection of said exploitation, said response entailing at least one of:
(1) enabling transfer of data characteristic of the exploitation onto a removable storage device; and
(2) restoring the operating system to a pre-exploitation condition.
Dependent claims: 17, 18, 19, 20, 21, 22, 23
24. A computer-readable medium for use with a host computer that includes an associated operating system, non-volatile memory, and volatile memory, said computer-readable medium having executable instructions for performing a method comprising:
detecting an occurrence of exploitation to the operating system which renders the host computer insecure;
collecting, from said volatile memory, forensics data that is characteristic of the exploitation;
transferring said forensics data onto a removable storage device in a manner which preserves integrity of other data residing in said non-volatile memory; and
restoring the operating system to a pre-exploit condition.
Dependent claims: 25, 26, 27, 28, 29, 30
31. A security software product for use on a host computer to monitor for, and respond to, activity corresponding to a rootkit exploitation which renders the host computer's operating system (OS) insecure, said security software product comprising:
(a) computer readable media having a suite of integrated software components adapted to interface with one another, said software components including:
(1) an exploitation detection component having executable instructions for detecting the activity corresponding to said rootkit exploitation;
(2) a forensics data collection component interfaced with said exploitation detection component for collecting forensics data characteristic of said rootkit exploitation so that said forensics data may be transferred to a removable storage device; and
(3) an OS restoration component interfaced with said exploitation detection component for restoring said operating system to a secure condition in response to detection of said activity.
Dependent claims: 32, 33, 34, 35, 36, 39
37. A security software product for use on a host computer running a Linux operating system to monitor for, and respond to, activity corresponding to a rootkit exploitation which renders the host computer insecure, said security software product comprising:
(a) a computer readable medium having a plurality of integrated software components adapted to interface with one another, said software components including:
(1) a first loadable kernel module having associated first executable instructions for detecting an occurrence of said rootkit exploitation;
(2) a second loadable kernel module interfaced with said first kernel module, and having associated second executable instructions for collecting forensics data characteristic of said rootkit exploitation and for enabling said forensics data to be transferred for storage onto a removable storage device; and
(3) a third loadable kernel module interfaced with said first kernel module, and having associated third executable instructions for restoring said operating system to a secure condition in response to detection of said rootkit exploitation by said first kernel module.
Dependent claims: 38
40. A computerized method, comprising:
(a) monitoring activity within a computer operating system in order to detect occurrence of an exploitation which renders the computer insecure, and thereafter performing at least one of:
(1) collecting forensics data characteristic of the exploitation in a manner which preserves integrity of characteristic information stored in both non-volatile and volatile memory resources of the computer; and
(2) restoring the operating system to a pre-exploitation condition.
Dependent claims: 41, 42, 43, 44, 45