Intrustion protection system utilizing layers

US 20050257265A1
Filed: 03/16/2005
Published: 11/17/2005
Est. Priority Date: 06/11/2003
Status: Active Grant

First Claim

Patent Images

1. An Intrusion Protected Layered System for isolating intrusive attacks on a computing system in isolation layers, those attacks including modifications to at least files on the computing system, comprising:

a computing system, said computing system capable of executing processes;

at least one storage device;

at least one file system located to said storage devices; and

computer executable instructions stored to said storage devices, said instructions executable by said computing system to perform the functions of;

(i) identifying running processes, said identifying optionally occurring at the the processes are initiated, (ii) assigning processes categorizations of trust, the categorizations of trust providing at least one “

suspicious”

categorization for processes at a level of suspicion sufficient to isolate write requests and at least one other categorization for other processes permitted to write to a file system or other storage container, (iii) operating at least one isolation layer capable of containing file objects, (iv) assigning an isolation layer to each process categorized under a “

suspicious”

categorization, (v) for processes categorized under a “

suspicious”

categorization, directing write requests into the isolation layer assigned for those processes, (vi) for processes not categorized under a “

suspicious”

categorization, permitting write requests to be written to a file system or other storage container rather than an isolation layer, and (vii) providing access to file objects located in isolation layers, the access being provided to at least the processes assigned to each corresponding isolation layer.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The inventions relate generally to protection of computing systems by isolating intrusive attacks into layers, those layers containing at least file objects and being accessible to applications, those layers further maintaining potentially intrusive file objects separately from regular file system objects such that the regular objects are protected and undisturbed. Also disclosed herein are computing systems which use layers and/or isolation layers, and various systems and methods for using those systems. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims.

150 Citations

20 Claims

1. An Intrusion Protected Layered System for isolating intrusive attacks on a computing system in isolation layers, those attacks including modifications to at least files on the computing system, comprising:
- a computing system, said computing system capable of executing processes;
  
  at least one storage device;
  
  at least one file system located to said storage devices; and
  
  computer executable instructions stored to said storage devices, said instructions executable by said computing system to perform the functions of;
  
  (i) identifying running processes, said identifying optionally occurring at the the processes are initiated, (ii) assigning processes categorizations of trust, the categorizations of trust providing at least one “
  
  suspicious”
  
  categorization for processes at a level of suspicion sufficient to isolate write requests and at least one other categorization for other processes permitted to write to a file system or other storage container, (iii) operating at least one isolation layer capable of containing file objects, (iv) assigning an isolation layer to each process categorized under a “
  
  suspicious”
  
  categorization, (v) for processes categorized under a “
  
  suspicious”
  
  categorization, directing write requests into the isolation layer assigned for those processes, (vi) for processes not categorized under a “
  
  suspicious”
  
  categorization, permitting write requests to be written to a file system or other storage container rather than an isolation layer, and (vii) providing access to file objects located in isolation layers, the access being provided to at least the processes assigned to each corresponding isolation layer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. An Intrusion Protected Layered System according to claim 1, further comprising a database containing process identity information and trust level information, and further whereby for processes identified from said database those processes are assigned trust categorizations from said database.
  - 3. An Intrusion Protected Layered System according to claim 2, further comprising network resources, and whereby said instructions are further executable by said computing system to perform the functions of:
    - (viii) accessing, by way of said network resources, an external database of process identity information.
  - 4. An Intrusion Protected Layered System according to claim 3, whereby if the access of an external database fails, a user query is produced requesting instructions as to the assignment of a categorization of trust.
  - 5. An Intrusion Protected Layered System according to claim 3, whereby if the access of an external database fails, a default assignment of trust categorization is made.
  - 6. An Intrusion Protected Layered System according to claim 2, wherein said database indicates at least one process identity is to be assigned a non-suspicious category of trust.
  - 7. An Intrusion Protected Layered System according to claim 2, wherein said database indicates at least one process identity is to be assigned a suspicious category of trust.
  - 8. An Intrusion Protected Layered System according to claim 2, wherein said database contains process fingerprints, and whereby said system utilizes a fingerprint algorithm to identify processes.
  - 9. An Intrusion Protected Layered System according to claim 1, wherein said system restricts access to file objects located in isolation layers to processes having an assignment to those particular layers.
  - 10. An Intrusion Protected Layered System according to claim 1, wherein said system permits access to file objects located in isolation layers to processes generally.
  - 11. An Intrusion Protected Layered System according to claim 1, wherein said system requires an authentication step before a non-suspicous characterization of a process.
  - 12. An Intrusion Protected Layered System according to claim 1, wherein spawned processes are assigned a trust characterization of processes from which they were spawned.
  - 13. An Intrusion Protected Layered System according to claim 1, wherein characterizations of trust are assigned by application type.
  - 14. An Intrusion Protected Layered System according to claim 1, wherein said system is integrated with a system management tool.

15. An Intrusion Protected Layered System for isolating intrusive attacks on a computing system in isolation layers, those attacks including modifications to at least files on the computing system, comprising:
- a computing system, said computing system capable of executing processes;
  
  at least one storage device;
  
  a database containing process identity information and trust level information;
  
  at least one file system located to said storage devices; and
  
  computer executable instructions stored to said storage devices, said instructions executable by said computing system to perform the functions of;
  
  (i) identifying running processes, said identifying optionally occurring at the the processes are initiated, (ii) assigning processes categorizations of trust, the assignment utilizing the trust level information contained in said database, the categorizations of trust providing at least one “
  
  suspicious”
  
  categorization for processes at a level of suspicion sufficient to isolate write requests and at least one other categorization for other processes permitted to write to a file system or other storage container, (iii) operating at least one isolation layer capable of containing file objects, (iv) assigning an isolation layer to each process categorized under a “
  
  suspicious”
  
  categorization, (v) for processes categorized under a “
  
  suspicious”
  
  categorization, directing write requests into the isolation layer assigned for those processes, (vi) for processes not categorized under a “
  
  suspicious”
  
  categorization, permitting write requests to be written to a file system or other storage container rather than an isolation layer, and (vii) providing access to file objects located in isolation layers, the access being provided to at least the processes assigned to each corresponding isolation layer.
- View Dependent Claims (16, 17, 18, 19)
- - 16. An Intrusion Protected Layered System according to claim 15, further comprising network resources, and whereby said instructions are further executable by said computing system to perform the functions of:
    - (viii) accessing, by way of said network resources, an external database of process identity information.
  - 17. An Intrusion Protected Layered System according to claim 15, wherein said database contains process fingerprints, and whereby said system utilizes a fingerprint algorithm to identify processes.
  - 18. An Intrusion Protected Layered System according to claim 15, wherein spawned processes are assigned a trust characterization of processes from which they were spawned.
  - 19. An Intrusion Protected Layered System according to claim 15, wherein characterizations of trust are assigned by application type.

20. An Intrusion Protected Layered System for isolating intrusive attacks on a computing system in isolation layers, those attacks including modifications to at least files on the computing system, comprising:
- a computing system, said computing system capable of executing processes;
  
  at least one storage device;
  
  a database containing process identity information and trust level information, wherein the process identity information includes executable file fingerprints;
  
  at least one file system located to said storage devices; and
  
  computer executable instructions stored to said storage devices, said instructions executable by said computing system to perform the functions of;
  
  (i) identifying running processes, said identifying optionally occurring at the the processes are initiated, (ii) assigning processes categorizations of trust, the assignment utilizing the trust level information contained in said database, the categorizations of trust providing at least one “
  
  suspicious”
  
  categorization for processes at a level of suspicion sufficient to isolate write requests and at least one other categorization for other processes permitted to write to a file system or other storage container, (iii) operating at least one isolation layer capable of containing file objects, (iv) assigning an isolation layer to each process categorized under a “
  
  suspicious”
  
  categorization, (v) for processes categorized under a “
  
  suspicious”
  
  categorization, directing write requests into the isolation layer assigned for those processes, (vi) for processes not categorized under a “
  
  suspicious”
  
  categorization, permitting write requests to be written to a file system or other storage container rather than an isolation layer, and (vii) providing access to file objects located in isolation layers, the access being provided to at least the processes assigned to each corresponding isolation layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sainsbury, Michael E., Cook, Randall R., Kinghorn, Dwain A.

Granted Patent

US 7,512,977 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1441   Countermeasures against mal...

H04L 63/16   Implementing security featu...

Intrustion protection system utilizing layers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

150 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Intrustion protection system utilizing layers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links