Proactively protecting computers in a networking environment from malware

US 20060259967A1
Filed: 05/13/2005
Published: 11/16/2006
Est. Priority Date: 05/13/2005
Status: Abandoned Application

First Claim

Patent Images

1. In a computer networking environment that includes a plurality of event detection systems and an event evaluation computer communicatively connected to the event detection systems, a method of proactively protecting computers and resources in the networking environment from malware, the method comprising:

(a) using the event detection systems to observe suspicious events that are potentially indicative of malware;

(b) determining whether the suspicious events observed satisfy a threshold indicative of malware; and

(c) if the suspicious events observed satisfy the threshold indicative of malware, implementing a restrictive security policy on the networking environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with the present invention, a system, method, and computer-readable medium for sharing information between computers, computing devices, and computing systems in a networking environment to determine whether a network is under attack by malware is provided. In instances when the network is under attack, one or more restrictive security policies that protect computers and/or resources available from the network are implemented.

Citations

20 Claims

1. In a computer networking environment that includes a plurality of event detection systems and an event evaluation computer communicatively connected to the event detection systems, a method of proactively protecting computers and resources in the networking environment from malware, the method comprising:
- (a) using the event detection systems to observe suspicious events that are potentially indicative of malware;
  
  (b) determining whether the suspicious events observed satisfy a threshold indicative of malware; and
  
  (c) if the suspicious events observed satisfy the threshold indicative of malware, implementing a restrictive security policy on the networking environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method as recited in claim 1, wherein the restrictive nature of the security policy is configured to be in proportion to the probability that the suspicious events observed are characteristic of malware.
  - 3. The method as recited in claim 1, wherein data that describes the suspicious events is used to identify the restrictive security policy that will be implemented.
  - 4. The method as recited in claim 3, wherein data that describes the suspicious event is reported to the event evaluation computer by an event detection system that issues an application programming interface call to a software component maintained by the event evaluation computer.
  - 5. The method as recited in claim 3, wherein data that describes the suspicious event is obtained from a data store maintained by an event detection system.
  - 6. The method as recited in claim 1, wherein:
    - (a) the event detection systems are maintained by a trusted entity that detects malware infections on computers connected to the Internet; and
      
      (b) if the trusted entity determines that a malware is spreading over the Internet, implementation of the restrictive security policy is initiated by a malware alert generated by the trusted entity.
  - 7. The method as recited in claim 1, wherein the networking environment is a server-based network in which the event evaluation computer maintains a server-client relationship with other computers, computing devices, or computing systems in the networking environment.
  - 8. The method as recited in claim 1, wherein the networking environment is a peer-to-peer network in which the event evaluation computer maintains a peer-based relationship with other computers, computing devices, or computing systems in the networking environment.
  - 9. The method as recited in claim 1, wherein determining whether the suspicious events observed satisfy a threshold indicative of malware includes:
    - (a) assigning a value to each suspicious event observed based on the probability the suspicious event is characteristic of malware; and
      
      (b) generating a weighted summation of the values assigned to the suspicious events observed.
  - 10. The method as recited in claim 1, wherein determining whether the suspicious events observed satisfy a threshold indicative of malware includes:
    - (a) identifying patterns of events that occur when a network is infected with or under attack by malware; and
      
      (b) comparing the suspicious events observed to the patterns of events that are known to occur or indicate a change to normal events when a network is infected with or under attack by malware.
  - 11. The method as recited in claim 1, wherein the restrictive security policy limits access to a resource on the network.
  - 12. The method as recited in claim 1, wherein the restrictive security policy limits the ability of computers in the network to communicate over the network.
  - 13. The method as recited in claim 12, wherein the limits placed on computers imposed by the restrictive security policy include:
    - (a) blocking network traffic on specific communication ports;
      
      (b) blocking communications involving certain network-based applications;
      
      (c) blocking access to hardware and software components on the computer; and
      
      (d) blocking network traffic involving specific addresses.
  - 14. The method as recited in claim 1, wherein the event detection systems monitor network traffic, e-mail correspondence, computer resource usage, and events generated from application programs or an operating system.

15. A software system that proactively protects a network from malware, the software system comprising:
- (a) an evaluation component for determining whether suspicious events observed in the network are indicative of malware;
  
  (b) a plurality of event detection systems operative to observe suspicious events that occur in the network;
  
  (c) a collection module that collects data that describes the suspicious events observed by the event detection systems; and
  
  (d) a policy implementor operative to implement a restrictive security policy when the evaluation component determines that the suspicious events observed are indicative of malware.
- View Dependent Claims (16, 17, 18)
- - 16. The software system as recited in claim 15, further comprising an administrative interface for obtaining data from an administrative entity that defines the restrictive security policy that will be implemented.
  - 17. The software system as recited in claim 15, wherein the evaluation component is further configured to set a security level that is based on the probability that the suspicious events or a pattern of events observed are indicative of malware.
  - 18. The software system as recited in claim 17, wherein the restrictive nature of the security policy implemented by the policy implementor is based on the security level set by the evaluation component.

19. A computer-readable medium bearing computer-executable instructions that, when executed on a computer in a networking environment that is communicatively connected to a plurality of event detection systems, causes the computer to:
- (a) use the event detection systems to observe suspicious events or a pattern of events that are potentially indicative of malware;
  
  (b) determine whether the suspicious events or a pattern of events observed satisfy a threshold indicative of malware; and
  
  (c) if the suspicious events or a pattern of events observed satisfy a threshold, implement a restrictive security policy on the networking environment.
- View Dependent Claims (20)
- - 20. The computer readable medium as recited in claim 19, wherein the computer is further configured to:
    - (a) assign a value to each suspicious event or pattern of events observed based on the probability the suspicious event is characteristic of malware; and
      
      (b) generate a weighted summation of the values assigned to the suspicious events observed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dadhia, Rajesh K., Bahl, Pradeep, Kramer, Michael, Costea, Mihai, Thomas, Anil Francis

Application Number

US11/129,695
Publication Number

US 20060259967A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/145 the attack involving the pr...

H04L 63/20 for managing network securi...

Proactively protecting computers in a networking environment from malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Proactively protecting computers in a networking environment from malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links