Methods and apparatus providing computer and network security for polymorphic attacks
Abstract
A system detects an attack on the computer system. The system identifies the attack as polymorphic, capable of modifying itself for every instance of execution of the attack. The modification of the attack is utilized to defeat detection of the attack. In one embodiment, the system determines generation of an effective signature of the attack has failed. The signature is utilized to prevent execution of the attack. The system then adjusts access to an interface to prevent further damage caused to the computer system by the attack.
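The abstract describes a four-step pipeline: detect the attack, recognise that successive instances differ from one another, determine that no effective signature can be generated from them, and then adjust access to the interface the attack arrives through. The following is an added illustration of that pipeline, not code from the patent or its assignee; the `InterceptedEvent` record, the protected paths, the three sample traffic sets and the rule that treats a signature as failed when the bytes common to all instances are shorter than `min_signature_len` are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed example: paths the (hypothetical) application file interceptor guards.
PROTECTED_PATHS = ("/srv/app/config.db", "/srv/app/keys/")


@dataclass
class InterceptedEvent:
    """One file operation reported by the application file interceptor (hypothetical record)."""
    interface: str   # entry point whose input led to the operation, e.g. "http_upload"
    target: str      # path the application tried to write
    payload: bytes   # input bytes correlated with the operation


def longest_common_substring(payloads: list[bytes]) -> bytes:
    """Longest byte sequence present in every payload (brute force; fine for a handful of samples)."""
    shortest = min(payloads, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in p for p in payloads):
                return candidate
    return b""


class EventCorrelationEngine:
    def __init__(self, min_signature_len: int = 4):
        self.min_signature_len = min_signature_len
        self.instances: dict[str, list[bytes]] = defaultdict(list)
        self.signatures: dict[str, bytes] = {}
        self.restricted_interfaces: set[str] = set()

    # Step 1: detecting an attack (behavioural rule: a write aimed at a protected path).
    def detect_attack(self, ev: InterceptedEvent) -> bool:
        return ev.target.startswith(PROTECTED_PATHS)

    # Step 2: identifying the attack as polymorphic (an instance differs from an earlier one).
    def is_polymorphic(self, interface: str) -> bool:
        seen = self.instances[interface]
        return any(p != seen[0] for p in seen[1:])

    # Step 3: signature generation; None means it failed (invariant part too short to be useful).
    def generate_signature(self, interface: str) -> Optional[bytes]:
        core = longest_common_substring(self.instances[interface])
        return core if len(core) >= self.min_signature_len else None

    # Step 4: adjusting access to the interface the attack keeps arriving through.
    def adjust_interface_access(self, interface: str) -> None:
        self.restricted_interfaces.add(interface)

    def handle(self, ev: InterceptedEvent) -> str:
        if ev.interface in self.restricted_interfaces:
            return "dropped_by_interface_policy"
        if not self.detect_attack(ev):
            return "allowed"
        self.instances[ev.interface].append(ev.payload)
        if not self.is_polymorphic(ev.interface):
            return "blocked_instance"       # exact-match blocking of this one instance suffices
        signature = self.generate_signature(ev.interface)
        if signature is not None:
            self.signatures[ev.interface] = signature
            return "signature_deployed"
        self.adjust_interface_access(ev.interface)
        return "interface_restricted"


def run_scenario(payloads: list[bytes], interface: str = "http_upload"):
    """Feed each payload through a fresh engine as a write to a protected path; return decisions and engine."""
    engine = EventCorrelationEngine()
    decisions = [engine.handle(InterceptedEvent(interface, "/srv/app/config.db", p)) for p in payloads]
    return decisions, engine


# Constructed sample traffic: three flavours of the same attack arriving on one interface.
STATIC = [b"\x7fSTATIC-TOKEN\x7f"] * 3
VARIANT_WITH_CORE = [b"Aq1INVARIANT-COREz9", b"Ht7INVARIANT-COREk2", b"Mw4INVARIANT-COREb5"]
FULLY_POLYMORPHIC = [b"\x7fZq3mVt0RxL\x7f", b"\x7fHa9kWcN2sE\x7f", b"\x7fUd6pJbK8yT\x7f"]

if __name__ == "__main__":
    for name, sample in [("static", STATIC), ("variant", VARIANT_WITH_CORE), ("polymorphic", FULLY_POLYMORPHIC)]:
        decisions, engine = run_scenario(sample)
        print(name, decisions, engine.signatures, engine.restricted_interfaces)
```

The three sample sets exercise the three outcomes the abstract distinguishes: identical instances are simply blocked one by one, instances that still share a usable invariant core get a signature, and instances whose only common bytes are a one-byte frame defeat signature generation, so the engine falls back to restricting the interface itself.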
20 Claims
1. A method of providing computer security on a computer system, the method comprising:
  detecting an attack on the computer system;
  identifying the attack as polymorphic, capable of modifying itself such that at least a portion of the attack is different from at least one previous instance of the attack, the modification of the attack utilized to defeat detection of the attack; and
  adjusting access to an interface to prevent further damage caused to the computer system by the attack.
  Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 18.
13. A computer apparatus comprising:
  a memory;
  a processor;
  a communications interface;
  an interconnection mechanism coupling the memory, the processor and the communications interface; and
  wherein the memory is encoded with an application providing handling of a polymorphic attack that, when performed on the processor, provides a process for processing information, the process causing the computer apparatus to perform the operations of:
  providing an event correlation engine in communication with an application file interceptor; and
  wherein said event correlation engine detects an attack on the computer system, and wherein the attack is identified as a polymorphic attack by said event correlation engine, the polymorphic attack capable of modifying itself such that at least a portion of the attack is different from at least one previous instance of the attack, and wherein said event correlation engine adjusts access to an interface to prevent further damage caused to the computer system by the attack.
  Dependent claims: 14, 15, 16, 17.
19. A computer readable medium encoded with computer programming logic that when executed on a process in a computerized device provides computer security, the medium comprising:
  instructions for detecting an attack on the computer system;
  instructions for identifying the attack as polymorphic, capable of modifying itself for every instance of execution of the attack, the modification of the attack utilized to defeat detection of the attack;
  instructions for determining generation of an effective signature of the attack has failed, the signature utilized to prevent execution of the attack; and
  instructions for adjusting access to an interface to prevent further damage caused to the computer system by the attack.
20. A computerized device comprising:
  a memory;
  a processor;
  a communications interface;
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  wherein the memory is encoded with a polymorphic attack handling application that when executed on the processor configures the computerized device with a means for handling a polymorphic attack, the means including:
  means for detecting an attack on the computer system;
  means for identifying the attack as polymorphic, capable of modifying itself such that at least a portion of the attack is different from at least one previous instance of the attack, the modification of the attack utilized to defeat detection of the attack; and
  means for adjusting access to an interface to prevent further damage caused to the computer system by the attack.