Threat protection network

US 20060075504A1
Filed: 09/22/2005
Published: 04/06/2006
Est. Priority Date: 09/22/2004
Status: Active Grant

First Claim

Patent Images

1. A threat protection network for detecting potential threats, comprising:

at least one client computer connected to a network;

a server that stores threat definition data and is connected to the network;

an expert system in communication with the server;

wherein the client computer is configured to refer potential threats to the server;

wherein the server is configured to refer to the expert system any potential threat forwarded by a client computer that is not identified in the threat definition data;

wherein the expert system is configured to determine whether the potential threat is an actual threat by exposing at least one test computer to the potential threat and observing the behavior of the test computer.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat protection networks are described. Embodiments of threat protection network in accordance with the invention use expert systems to determine the nature of potential threats to a remote computer. In several embodiments, a secure peer-to-peer network is used to rapidly distribute information concerning the nature of the potential threat through the threat protection network. One embodiment of the invention includes at least one client computer connected to a network, a server that stores threat definition data and is connected to the network, an expert system in communication with the server. In addition, the client computer is configured to refer potential threats to the server, the server is configured to refer to the expert system any potential threat forwarded by a client computer that is not identified in the threat definition data and the expert system is configured to determine whether the potential threat is an actual threat by exposing at least one test computer to the potential threat and observing the behavior of the test computer.

177 Citations

View as Search Results

33 Claims

1. A threat protection network for detecting potential threats, comprising:
- at least one client computer connected to a network;
  
  a server that stores threat definition data and is connected to the network;
  
  an expert system in communication with the server;
  
  wherein the client computer is configured to refer potential threats to the server;
  
  wherein the server is configured to refer to the expert system any potential threat forwarded by a client computer that is not identified in the threat definition data;
  
  wherein the expert system is configured to determine whether the potential threat is an actual threat by exposing at least one test computer to the potential threat and observing the behavior of the test computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The threat protection network of claim 1, wherein the client is configured to generate a signature for each potential threat.
  - 3. The threat protection network of claim 2, wherein the signature includes two or more check sums generated using a file associated with the potential threat.
  - 4. The threat protection network of claim 1, wherein the server is configured to update the threat definition data based upon determinations made by the expert system.
  - 5. The threat protection network of claim 4, wherein the server is configured to notify clients that updated threat definition data is available.
  - 6. The threat protection network of claim 4, wherein:
    - the server and client computers form a secure peer-to-peer network; and
      
      the updated threat definition data is distributed to client computers via the secure peer-to-peer network.
  - 7. The threat protection network of claim 1, wherein the expert system includes multiple test computers.
  - 8. The threat protection network of claim 7, wherein at least two of the test computers use different operating systems.
  - 9. The threat protection network of claim 8, wherein at least two of the test computers use different versions of the same operating system.
  - 10. The threat protection network of claim 1, wherein the expert system is configured to assign a score to a potential threat based upon predetermined criteria.
  - 11. The threat protection network of claim 1, wherein the predetermined criteria are chosen such that an actual threat is likely to obtain a score above a first threshold.
  - 12. The threat protection network of claim 1, wherein the determination of whether a potential threat is an actual threat by the expert system is automatic.
  - 13. The threat protection network of claim 1, wherein the expert system is configured to refer potential threats to an operator in circumstances where the expert system is incapable of conclusively determining the nature of the potential threat.
  - 14. The threat protection network of claim 1, wherein the expert system is configured to isolate itself prior to exposing the test computer to the potential threat.

15. A computer, comprising:
- client software installed upon the computer;
  
  wherein the client software is configured to monitor for predetermined behavior;
  
  wherein the client software is configured to identify a source associated with the behavior;
  
  wherein the client software is configured to generate a signature identifying the source; and
  
  wherein the signature includes at least two independent pieces of information generated using the source.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer of claim 15, wherein:
    - the identified source is a file that includes a header; and
      
      the signature includes a checksum generated using at least one bit from the file header.
  - 17. The computer of claim 15, wherein:
    - the identified source is a file that includes a header and a body; and
      
      the signature includes a checksum generated using at least one bit from a location within the file body.
  - 18. The computer of claim 15, wherein:
    - the client software is configured to compare the signature to threat definition data; and
      
      the client software is configured to obtain updated threat definition data via a secure peer-to-peer network.
  - 19. The computer of claim 15, further comprising:
    - threat definition data stored on the computer;
      
      wherein the client software is configured to provide the threat definition data to peer computers upon request.

20. A server, comprising:
- threat definition data stored on the server;
  
  a list stored on the server; and
  
  verification information stored on the server;
  
  wherein the list identifies a number of peer computers on which the threat definition data is also stored; and
  
  wherein the verification information can be generated by applying a predetermined algorithm to the threat definition data.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The server of claim 20, wherein:
    - the server is configured to provide the list to a requesting computer upon request; and
      
      the server is configured to add the identity of the requesting computer to the list.
  - 22. The server of claim 21, wherein the server is configured to remove a peer computer from the list as part of the addition of the requesting computer to the list.
  - 23. The server of claim 22, wherein the server is configured to provide the verification information to requesting computer.
  - 24. The server of claim 20, wherein the server is configured to provide the threat definition data to a requesting computer.
  - 25. The server of claim 20, wherein the server is configured to generate the verification data by applying the predetermined algorithm to the threat definition data.

26. A threat identification system configured to evaluate potential threats to a remote computer system, comprising:
- an expert system installed on a host computer;
  
  at least one test computer connected to the host computer;
  
  wherein the expert system is configured to expose the test computer to the potential threat;
  
  wherein the expert system is configured to observe the behavior of the test computer;
  
  wherein the expert system determines a score based upon the observed behavior and a set of predetermined criteria.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33)
- - 27. The threat identification system of claim 26, wherein the expert system determines whether the potential threat is an actual threat based upon the score.
  - 28. The threat identification system of claim 26, wherein the expert system is configured to determine that:
    - a score above a first threshold constitutes a threat; and
      
      a score below a second threshold constitutes no threat.
  - 29. The threat identification system of claim 28, wherein the first threshold and second threshold have the same value.
  - 30. The threat identification system of claim 28, wherein the expert system is configured to refer potential threats to an operator that are assigned a score below the first threshold and above the second threshold.
  - 31. The threat identification system of claim 26, wherein at least two of the test computers use different operating systems.
  - 32. The threat identification system of claim 26, wherein at least two of the test computers use different versions of the same operating system.
  - 33. The threat identification system of claim 26, wherein the test computer is configured to operate in a simulated Internet environment during any exposure to a potential threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberDefender Corp.
Original Assignee
CyberDefender Corp.
Inventors
Liu, Bing

Granted Patent

US 7,836,506 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 11/2294   by remote test

G06F 21/1077   Recurrent authorisation

G06F 21/568   eliminating virus, restorin...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0428   wherein the data content is...

H04L 63/102   Entity profiles

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

H04L 67/104   Peer-to-peer [P2P] networks

H04L 67/1057   involving pre-assessment of...

H04L 67/1063   Discovery through centralis...

H04L 67/1072   Discovery involving ranked ...

H04L 67/108   characterised by resources ...

H04L 69/329   in the application layer [O...

Threat protection network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

177 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Threat protection network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

177 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links