Methods and apparatus providing computer and network security for polymorphic attacks

US 20070143848A1
Filed: 05/01/2006
Published: 06/21/2007
Est. Priority Date: 12/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method of providing computer security on a computer system, the method comprising:

detecting an attack on the computer system;

identifying the attack as polymorphic, capable of modifying itself such that at least a portion of the attack is different from at least one previous instance of the attack, the modification of the attack utilized to defeat detection of the attack; and

adjusting access to an interface to prevent further damage caused to the computer system by the attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system detects an attack on the computer system. The system identifies the attack as polymorphic, capable of modifying itself for every instance of execution of the attack. The modification of the attack is utilized to defeat detection of the attack. In one embodiment, the system determines generation of an effective signature of the attack has failed. The signature is utilized to prevent execution of the attack. The system then adjusts access to an interface to prevent further damage caused to the computer system by the attack.

90 Citations

View as Search Results

20 Claims

1. A method of providing computer security on a computer system, the method comprising:
- detecting an attack on the computer system;
  
  identifying the attack as polymorphic, capable of modifying itself such that at least a portion of the attack is different from at least one previous instance of the attack, the modification of the attack utilized to defeat detection of the attack; and
  
  adjusting access to an interface to prevent further damage caused to the computer system by the attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 18)
- - 2. The method of claim 1 comprising:
    - determining generation of an effective signature has failed, the signature utilized to prevent execution of the attack.
  - 3. The method of claim 1 wherein detecting an attack on the computer system comprises:
    - providing at least one control point in the computer system, the at least one control point used to filter data associated with an execution of the attack.
  - 4. The method of claim 3 comprising:
    - receiving notification from the at least one control point that an attack has been identified on the interface.
  - 5. The method of claim 1 wherein detecting an attack on the computer system comprises:
    - determining that the attack causes a failure of at least one component of the computer system.
  - 6. The method of claim 1 wherein detecting an attack on the computer system comprises:
    - determining the attack contains an exploit code executable on the computer system.
  - 7. The method of claim 1 wherein detecting an attack on the computer system comprises:
    - using a type of policy violation resulting from the attack to identify the attack as a denial of service attack
  - 8. The method of claim 1 wherein identifying the attack as polymorphic, capable of modifying itself such that at least a portion of the attack is different from at least one previous instance of the attack, the modification of the attack utilized to defeat detection of the attack comprises:
    - identifying the attack as a possible first time instance of the attack;
      
      distinguishing the attack from a first time instance of the attack; and
      
      determining the attack contains random data not associated with identifiable previously known attack data.
  - 9. The method of claim 2 wherein determining generation of an effective signature has failed, the signature utilized to prevent execution of the attack comprises:
    - attempting to identify a signature associated with the attack, the signature to be used;
      
      i) to prevent future attacks on the computer system; and
      
      ii) to associate a current attack with at least one previous attack in an effort to identify the signature associated with this attack; and
      
      determining the attempt to generate an effective signature has failed.
  - 10. The method of claim 1 wherein adjusting access to an interface to prevent further damage caused to the computer system by the attack comprises:
    - disabling an interface to prevent access to that interface by the attack.
  - 11. The method of claim 10 wherein disabling an interface to prevent access to that interface by the attack comprises:
    - disabling the interface for a predetermined period of time.
  - 12. The method of claim 1 wherein adjusting access to an interface to prevent further damage caused to the computer system by the attack comprises:
    - filtering access to the interface to prevent successful launching of subsequent attempts of the attack.
  - 18. The apparatus of claim 12 wherein when the event correlation engine adjusts access to an interface to prevent further damage caused to the computer system by the attack, the event correlation engine disables an interface to prevent access to that interface by the attack.

13. A computer apparatus comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface; and
  
  wherein the memory is encoded with an application providing handling of a polymorphic attack that, when performed on the processor, provides a process for processing information, the process causing the computer apparatus to perform the operations of;
  
  providing an event correlation engine in communication with an application file interceptor; and
  
  wherein said event correlation engine detects an attack on the computer system, and wherein the attack is identified as a polymorphic attack by said event correlation engine, the polymorphic attack capable of modifying itself such that at least a portion of the attack is different from at least one previous instance of the attack, and wherein said event correlation engine adjusts access to an interface to prevent further damage caused to the computer system by the attack.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The apparatus of claim 13 wherein the event correlation engine determines generation of an effective signature has failed, the signature utilized to prevent execution of the attack.
  - 15. The apparatus of claim 13 wherein when the event correlation engine detects an attack on the computer system, the event correlation engine provides at least one control point in the computer system, the at least one control point used to filter data associated with an execution of the attack.
  - 16. The apparatus of claim 13 wherein when the event correlation engine detects an attack on the computer system, the event correlation engine uses a type of policy violation resulting from the attack to identify the attack as a denial of service attack.
  - 17. The apparatus of claim 14 wherein when the event correlation engine determines generation of an effective signature of the attack has failed, the signature utilized to prevent execution of the attack, the event correlation engine attempts to identify a signature associated with the attack, the signature to be used to prevent future attacks on the computer system, and ii) to associate a current attack with at least one previous attack in an effort to identify the signature associated with this attack, and wherein the event correlation engine and wherein the event correlation engine determines the attempt to generate an effective signature has failed.

19. A computer readable medium encoded with computer programming logic that when executed on a process in a computerized device provides computer security, the medium comprising:
- instructions for detecting an attack on the computer system;
  
  instructions for identifying the attack as polymorphic, capable of modifying itself for every instance of execution of the attack, the modification of the attack utilized to defeat detection of the attack;
  
  instructions for determining generation of an effective signature of the attack has failed, the signature utilized to prevent execution of the attack; and
  
  instructions for adjusting access to an interface to prevent further damage caused to the computer system by the attack.

20. A computerized device comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  wherein the memory is encoded with a polymorphic attack handling application that when executed on the processor configures the computerized device with a means for handling a polymorphic attack, the means including;
  
  means for detecting an attack on the computer system;
  
  means for identifying the attack as polymorphic, capable of modifying itself such that at least a portion of the attack is different from at least one previous instance of the attack, the modification of the attack utilized to defeat detection of the attack; and
  
  means for adjusting access to an interface to prevent further damage caused to the computer system by the attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Zawadowskiy, Andrew, Kraemer, Jeffrey

Granted Patent

US 8,413,245 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

Methods and apparatus providing computer and network security for polymorphic attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

90 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus providing computer and network security for polymorphic attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links