Automated immune response for a computer
Abstract
Systems, methodologies, media, and other embodiments associated with making an automated immune response on a computer that may be infected with a malicious software like a virus are described. One exemplary system embodiment includes a behavior logic that facilitates identifying that a computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software. The exemplary system embodiment may also include an immune response logic that is configured to facilitate identifying a process and/or program related to the behavior. The immune response logic may be configured to automatically make an immune response with respect to the process and/or program.
20 Claims
1. A system operably connectable to a computer, the system comprising:
a behavior logic configured to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software; and
an immune response logic configured to identify a process that is related to the behavior and that is executing on the computer, the immune response logic also being configured to automatically make an immune response with respect to the process, the behavior logic and the immune response logic being configured to operate substantially in parallel with each other and with an operating system executing on the computer.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A system operably connectable to a computer, the system comprising:
a behavior logic configured to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software; and
an immune response logic configured to identify a process that is related to the behavior and that is executing on the computer, the immune response logic also being configured to automatically make an immune response with respect to the process, the immune response being one of, generating a process purging signal, quarantining the executing process, deleting the executing process, modifying the executing process, adjusting a scheduling priority for the executing process, and de-activating the executing process, the immune response logic being configured to identify that the computer is exhibiting the behavior by identifying that a request to connect to a remote host has been made, by identifying the remote host to which the request applies, and by identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer, the immune response logic also being configured to identify a program from which the executing process is descended and to make a program immune response with respect to the program, the program immune response being one of, generating a program purging signal, quarantining the program, deleting the program, renaming the program, modifying the program, changing a permission for the program, and moving the program, the immune response logic also being configured to identify one or more second processes descended from the program and to automatically make an immune response with respect to the one or more second processes, the behavior logic and the immune response logic being configured to operate substantially in parallel with each other and with an operating system executing on the computer, the behavior logic being configured to selectively delay the request to connect to the remote host based, at least in part, on whether the remote host is a member of a set of remote hosts with which the computer has communicated within a pre-defined, configurable period of time and to selectively increase a time period by which the request to connect is delayed based, at least in part, on the rate at which attempts to connect to remote hosts are being made by processes executing on the computer.
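The delay and response behavior recited in claim 12 can be sketched as a simulation. This is an added example, not code from the patent or its assignee; the class and function names, the thresholds, the linear delay scaling, and the process table are all assumptions, and delays and responses are returned as decisions rather than applied to a live system.

```python
from collections import deque

class ConnectionThrottle:
    """Simulated claim-12 style throttle; all names and thresholds are hypothetical."""

    def __init__(self, recent_window=60.0, rate_window=10.0, base_delay=1.0, rate_limit=5):
        self.recent_window = recent_window  # "pre-defined, configurable period of time"
        self.rate_window = rate_window      # span over which the attempt rate is measured
        self.base_delay = base_delay        # delay for a single unfamiliar host
        self.rate_limit = rate_limit        # attempts per rate_window that trigger a response
        self.last_contact = {}              # host -> time of last request
        self.attempts = deque()             # (time, pid) of requests to unfamiliar hosts

    def request(self, pid, host, now):
        """Return (delay_seconds, flagged_pid_or_None) for one connect request."""
        seen = self.last_contact.get(host)
        self.last_contact[host] = now
        if seen is not None and now - seen <= self.recent_window:
            return 0.0, None                # recently contacted host: no delay
        self.attempts.append((now, pid))
        while self.attempts and now - self.attempts[0][0] > self.rate_window:
            self.attempts.popleft()         # forget attempts outside the rate window
        rate = len(self.attempts)
        delay = self.base_delay * rate      # delay grows with the attempt rate
        if rate > self.rate_limit:
            counts = {}
            for _, p in self.attempts:
                counts[p] = counts.get(p, 0) + 1
            return delay, max(counts, key=counts.get)  # process driving the rate
        return delay, None

def immune_response(flagged_pid, process_table):
    """Map a flagged process to its program and every process descended from it."""
    program = process_table[flagged_pid]
    siblings = sorted(p for p, prog in process_table.items() if prog == program)
    return {"program": program, "quarantine_program": True, "suspend_pids": siblings}

def run_demo():
    # Constructed process table and traffic: pid 101 browses, pid 202 contacts many new hosts.
    table = {101: "/usr/bin/browser", 202: "/tmp/dropper", 203: "/tmp/dropper"}
    throttle = ConnectionThrottle()
    log = [throttle.request(101, "intranet.example", t) for t in (0.0, 1.0, 2.0)]
    for i in range(8):
        log.append(throttle.request(202, f"198.51.100.{i}", 3.0 + 0.1 * i))
    flagged = next(pid for _, pid in log if pid is not None)
    return log, immune_response(flagged, table)
```

Repeat requests to a recently contacted host pass with zero delay, while the burst of requests to new hosts sees a growing delay and, once the rate limit is exceeded, yields a response covering the program and both processes descended from it.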
13. A computer-executable method, comprising:
collecting from an operating computer a set of electronic data that describes an operating behavior of the computer;
comparing the operating behavior to a non-infected behavior of the computer; and
selectively automatically taking a counter-infection action based, at least in part, on determining that the operating behavior deviates by more than a pre-determined, configurable amount from the non-infected behavior, the counter-infection action being directed towards at least one executable that is at least partly responsible for the operating behavior deviating by more than the pre-determined, configurable amount.
Dependent claims: 14, 15, 16, 17, 18, 19
20. A system, comprising:
means for determining that a computer may be infected with a virus without analyzing a virus signature;
means for identifying an executable running on the computer that may be affected by the virus;
means for identifying a non-executing program residing on the computer, the executable being derived from the non-executing program; and
means for automatically manipulating the executable and the non-executing program based, at least in part, on determining that the computer may be infected by a virus.
Specification