Automated immune response for a computer

US 20060294590A1
Filed: 06/27/2005
Published: 12/28/2006
Est. Priority Date: 06/27/2005
Status: Active Grant

First Claim

Patent Images

1. A system operably connectable to a computer, the system comprising:

a behavior logic configured to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software; and

an immune response logic configured to identify a process that is related to the behavior and that is executing on the computer, the immune response logic also being configured to automatically make an immune response with respect to the process, the behavior logic and the immune response logic being configured to operate substantially in parallel with each other and with an operating system executing on the computer.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methodologies, media, and other embodiments associated with making an automated immune response on a computer that may be infected with a malicious software like a virus are described. One exemplary system embodiment includes a behavior logic that facilitates identifying that a computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software. The exemplary system embodiment may also include an immune response logic that is configured to facilitate identifying a process and/or program related to the behavior. The immune response logic may be configured to automatically make an immune response with respect to the process and/or program.

Citations

20 Claims

1. A system operably connectable to a computer, the system comprising:
- a behavior logic configured to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software; and
  
  an immune response logic configured to identify a process that is related to the behavior and that is executing on the computer, the immune response logic also being configured to automatically make an immune response with respect to the process, the behavior logic and the immune response logic being configured to operate substantially in parallel with each other and with an operating system executing on the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, the immune response logic being configured to identify that the computer is exhibiting the behavior by identifying that a request to connect to a remote host has been made, by identifying the remote host to which the request applies, and by identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer.
  - 3. The system of claim 2, the behavior logic being configured to selectively delay the request to connect to the remote host based, at least in part, on whether the remote host is a member of a set of remote hosts with which the computer has communicated within a pre-defined, configurable period of time and to selectively increase a time period by which the request to connect is delayed based, at least in part, on the rate at which attempts to connect to remote hosts are being made by processes executing on the computer.
  - 4. The system of claim 2, where identifying the process that is related to the behavior includes identifying an executing process that initiated the request to connect.
  - 5. The system of claim 4, where identifying the executing process includes determining a relationship between an executable and a local communications socket port to which the executable attempts to bind.
  - 6. The system of claim 4, the immune response being one of, generating a process purging signal, quarantining the executing process, deleting the executing process, modifying the executing process, adjusting a scheduling priority for the executing process, and de-activating the executing process.
  - 7. The system of claim 4, the immune response logic being configured to identify a program from which the executing process is descended and to make a program immune response with respect to the program.
  - 8. The system of claim 7, the program immune response being one of, generating a program purging signal, quarantining the program, deleting the program, renaming the program, modifying the program, changing a permission for the program, and moving the program.
  - 9. The system of claim 7, the immune response logic being configured to identify one or more second processes descended from the program and to automatically make an immune response with respect to the one or more second processes.
  - 10. The system of claim 1, including a probability logic configured to assign a weighted probability to a process that has made a connection request to a remote host, the weighted probability describing a likelihood that the process is associated with a malicious software, the probability logic also being configured to establish a rank for the process relative to other processes with respect to a likelihood that the process is associated with a malicious software.
  - 11. The system of claim 10, the immune response logic being configured to automatically make an immune response based, at least in part, on the weighted probability and the rank for the process, to identify a program from which the process is descended and to take a program immune response action with respect to the program, and to identify one or more second processes that are descendants of the program and to make an immune response with respect to the second processes.

12. A system operably connectable to a computer, the system comprising:
- a behavior logic configured to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software; and
  
  an immune response logic configured to identify a process that is related to the behavior and that is executing on the computer, the immune response logic also being configured to automatically make an immune response with respect to the process, the immune response being one of, generating a process purging signal, quarantining the executing process, deleting the executing process, modifying the executing process, adjusting a scheduling priority for the executing process, and de-activating the executing process, the immune response logic being configured to identify that the computer is exhibiting the behavior by identifying that a request to connect to a remote host has been made, by identifying the remote host to which the request applies, and by identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer, the immune response logic also being configured to identify a program from which the executing process is descended and to make a program immune response with respect to the program, the program immune response being one of, generating a program purging signal, quarantining the program, deleting the program, renaming the program, modifying the program, changing a permission for the program, and moving the program, the immune response logic also being configured to identify one or more second processes descended from the program and to automatically make an immune response with respect to the one or more second processes, the behavior logic and the immune response logic being configured to operate substantially in parallel with each other and with an operating system executing on the computer, the behavior logic being configured to selectively delay the request to connect to the remote host based, at least in part, on whether the remote host is a member of a set of remote hosts with which the computer has communicated within a pre-defined, configurable period of time and to selectively increase a time period by which the request to connect is delayed based, at least in part, on the rate at which attempts to connect to remote hosts are being made by processes executing on the computer.

13. A computer-executable method, comprising:
- collecting from an operating computer a set of electronic data that describes an operating behavior of the computer;
  
  comparing the operating behavior to a non-infected behavior of the computer; and
  
  selectively automatically taking a counter-infection action based, at least in part, on determining that the operating behavior deviates by more than a pre-determined, configurable amount from the non-infected behavior, the counter-infection action being directed towards at least one executable that is at least partly responsible for the operating behavior deviating by more than the pre-determined, configurable amount.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, the operating behavior being related to a number of connection requests being made to remote hosts by executables running on the computer and an identity of the remote hosts for which the connection requests are intended.
  - 15. The method of claim 14, the counter-infection action comprising:
    - identifying an executable responsible for making a connection request; and
      
      automatically performing one or more of, terminating the executable, delaying the executable, destroying the executable, modifying the executable, changing a scheduling priority for the executable, and quarantining the executable.
  - 16. The method of claim 15, the counter-infection action comprising:
    - identifying a non-executing program from which the executable is descended, and automatically performing one or more of, destroying the non-executing program, modifying the non-executing program, relocating the non-executing program, renaming the non-executing program, changing an operating attribute of the non-executing program, and preventing additional executables from being descended from the non-executing program.
  - 17. The method of claim 16, where the counter-infection action to be taken is determined by a configuration option accessible to a user.
  - 18. The method of claim 15, where a process and a program file can be designated by a user to be exempt from experiencing a counter-infection action.
  - 19. The method of claim 13, the method being implemented as a set of processor executable instructions stored on a computer-readable medium.

20. A system, comprising:
- means for determining that a computer may be infected with a virus without analyzing a virus signature;
  
  means for identifying an executable running on the computer that may be affected by the virus;
  
  means for identifying a non-executing program residing on the computer, the executable being derived from the non-executing program; and
  
  means for automatically manipulating the executable and the non-executing program based, at least in part, on determining that the computer may be infected by a virus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Cureington, James Anthony, Enstone, Mark Richard

Granted Patent

US 7,877,803 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

H04L 63/1425   Traffic logging, e.g. anoma...

Automated immune response for a computer

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated immune response for a computer

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links