Centralized timed analysis in a network security system

US 20070028304A1
Filed: 07/29/2005
Published: 02/01/2007
Est. Priority Date: 07/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method for use with a server and a group of associated hosts, comprising:

storing in the server meta-information states relating to files seen on the hosts, the meta-information including a signature of the content of the files;

storing for each signature, an initial time;

at defined periods related to the initial time, performing at least one security analysis of the file, or analysis of the signature of the file contents; and

altering the file state and providing information related to the altered state to the hosts

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and social engineering attacks. The system can implement centralized policies that allow an administrator to approve, block, quarantine, or log file activities. The system stores meta-information for files relating to security and at defined times after a file or a file hash is first received, performs security related analyses from a central server. Analysis results are stored on the server, and the server can automatically change file meta-information. Changes in file meta-information are provided to hosts.

Citations

48 Claims

1. A method for use with a server and a group of associated hosts, comprising:
- storing in the server meta-information states relating to files seen on the hosts, the meta-information including a signature of the content of the files;
  
  storing for each signature, an initial time;
  
  at defined periods related to the initial time, performing at least one security analysis of the file, or analysis of the signature of the file contents; and
  
  altering the file state and providing information related to the altered state to the hosts
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 2. The method of claim 1, wherein the performing process includes performing one of an anti-virus scan and an anti-spyware scan.
  - 3. The method of claim 1, wherein the signature includes one or more cryptographic hashes of the contents, and the server stores a single copy of each file having a unique hash.
  - 4. The method of claim 1, further comprising storing a state indicating whether and with what conditions certain file operations can be performed by the hosts on the file, wherein the performing process includes checking one or more lists of signatures for which certain file operations have been approved or banned under certain conditions.
  - 5. The method of claim 1, wherein the defined periods related to the initial time are all files having a date the file or the signature was first seen by the hosts and/or the server within a defined range.
  - 6. The method of claim 1, further comprising storing a state indicating whether and with what conditions certain file operations can be performed by the hosts on the file, wherein the states include banning, allowing, or allowing further monitoring for certain file operations under certain conditions.
  - 7. The method of claim 6, wherein the further monitoring includes logging or providing a report.
  - 8. The method of claim 1, further comprising storing for each meta-information record on the server, additional records associated with each analysis.
  - 9. The method of claim 8, wherein the additional records include data relating to the actor performing the analysis, an analysis time, and an analysis result.
  - 10. The method of claim 9, wherein the additional records further include a recommended state, and an analysis result information string.
  - 11. The method of claim 1, further comprising generating syslog messages and/or statistics updates and/or alarms in response to the analyses.
  - 12. The method of claim 1, wherein the analyses cause one or more of content forwarding, meta-information forwarding, analysis forwarding, and a change in security rules.
  - 13. The method of claim 1, wherein the acts of claim 1 are performed as an outsourced service to another party'"'"'s host computers.
  - 14. The method of claim 13, wherein the server automatically notifies other network devices of changes to lists of files with certain actions that are set as banned or approved.
  - 15. The method of claim 13, wherein the service transfers recent meta-information to other servers and network devices based on age and analysis results.
  - 16. The method of claim 1, wherein the security analysis includes comparing recent analysis results with other servers'"'"' recent analysis results.
  - 17. The method of claim 1, wherein the security analysis includes user-defined content analysis.
  - 18. The method of claim 1, wherein the server has a set of multiple analyses performed at multiple times based on the initial time.
  - 19. The method of claim 18, wherein one of the multiple times is less than a day after the initial time, and another of the multiple times is more than a day after the initial time.
  - 20. The method of claim 18, wherein one of the multiple times is less than a day after the initial time, and another of the multiple times is more than a week after the initial time.
  - 21. The method of claim 1, wherein the initial time is related to the time when the file or the hash of the file content is first seen in the system by a host.
  - 22. The method of claim 1, wherein the initial time is related to the time when the file or the hash of the file content is first seen in the system by the server.
  - 23. The method of claim 1, wherein the server propagates to the hosts a set of policies, the server also providing information indicating which of the policies are to be implemented by the hosts and under which conditions.
  - 24. The method of claim 1, further comprising the host receiving a first file, extracting content of interest within the first file, repackaging the content of interest into a file of valid formatted type to produce a reduced file, and applying a hash to the reduced file.
  - 25. The method of claim 1, wherein the process of performing at least one security analysis of the file includes providing the file to another computer system and receiving analysis results therefrom.
  - 26. The method of claim 1, further comprising storing a state indicating whether and with what conditions certain file operations can be performed by the hosts on the file, the server propagating meta-information to hosts when there has been a change in the state.
  - 27. The method of claim 26, wherein the server propagates by posting the meta-information such that the meta-information is accessed and obtained by the hosts.
  - 28. The method of claim 1, wherein the server performs a hash of the contents and compares the hash to a hash performed by at least one of the hosts.
  - 29. The method of claim 28, wherein the server performs a plurality of hashes.
  - 30. The method of claim 1, wherein a host queries the server to determine if the server has meta-information for a particular file before uploading the signature and/or the file contents to the server.
  - 31. The method of claim 1, wherein the server queries a remote network device to determine if a signature or name corresponds to a white list of approved files.
  - 32. The method of claim 1, wherein the server queries a remote network device to determine if a signature or name corresponds to a black list of banned files.
  - 33. The method of claim 1, wherein the server queries a remote network device to determine if a signature or name corresponds to a pending list of new or unclassified files.
  - 34. The method of claim 1, wherein the server stores information which associates a file and signature with groups of other files and signatures.
  - 35. The method of claim 1, wherein the server stores information which associates a file and signature with statistics about information stored on other servers.
  - 36. The method of claim 1, wherein the signature includes one or more cryptographic hashes of the contents, and the server queries a remote network device to look up hashes against known product classification databases to identify related products and other files which correspond to the products associated with the file hash.
  - 37. The method of claim 1, wherein the server performs one or more of content querying, meta-information querying, analysis result querying, and security rule querying with the server querying another device on the network.

38. A computer system comprising:
- a server including a memory for storing security-related meta-information relating to files seen on hosts associated with the server, including for each file, a state indicating whether and with what conditions certain file operations can be performed on the file by the hosts;
  
  the server, at defined periods, causing at least one security analysis of the files, the defined periods based on the initial times when the files or signatures of the files have been received by the hosts and/or the server; and
  
  in response to at least some analyses, altering the state and providing information related to the altered state to the hosts.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 39. The system of claim 38, further comprising a group of hosts associated with the server.
  - 40. The system of claim 39, wherein the server stores a state indicating whether and with what conditions certain file operations can be performed by the hosts on the file, wherein the performing process includes checking one or more lists of files for which file operations have been approved or banned.
  - 41. The system of claim 38, wherein the server automatically notifies other network devices of changes to lists of actions that are set as banned or approved.
  - 42. The system of claim 39, wherein the service transfers recent meta-information to other servers and network devices based on age and analysis results.
  - 43. The system of claim 38, wherein the initial time is related to the time when the file or the hash of the file contents is first seen in the system by the server.
  - 44. The system of claim 39, wherein the server propagates to the hosts a set of policies, the server also providing information indicating which of the policies are to be implemented by the hosts and under what conditions.
  - 45. The system of claim 39, wherein the server stores states for files indicating whether and with what conditions certain file operations can be performed by the hosts on the file, the server propagating meta-information to hosts when there has been a change in the state.
  - 46. The system of claim 45, wherein the server propagates by posting the meta-information such that the meta-information is accessed and obtained by the hosts.
  - 47. The system of claim 39, wherein the signature includes one or more cryptographic hashes of the contents, and the server performs a hash of the contents and compares the hash to a hash performed by at least one of the hosts.
  - 48. The system of claim 47, wherein the server performs a plurality of hashes to obtain a signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Original Assignee
Bit 7, Inc. (Bb7 LLC)
Inventors
Brennan, Todd

Granted Patent

US 8,272,058 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/14   for detecting or protecting...

H04L 63/20   for managing network securi...

Centralized timed analysis in a network security system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Centralized timed analysis in a network security system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links