SOFTWARE VULNERABILITY EXPLOITATION SHIELD

US 20070226797A1
Filed: 03/26/2007
Published: 09/27/2007
Est. Priority Date: 03/24/2006
Status: Active Grant

First Claim

Patent Images

1. At a computing system in a network computing environment, a method of minimizing the exploitation of vulnerabilities on software installed on the computing system by inspecting network traffic thereto and identifying the malicious code before it can be executed and/or installed, the method comprising:

monitoring, at a transport layer, incoming network traffic of a computing system using a security component installed thereon;

receiving as part of the network traffic a message at the transport layer identified as destined for the computing system;

comparing at least a portion of data included in the message received with exploit evidence used to identify malicious code, the exploit evidence provided to the security component by a security service that gathers information about the malicious code;

based on the comparison with the exploit evidence, identifying one or more rules that instruct the security component to perform one or more actions on the message received.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This paper describes a mechanism for minimizing the exploitation of vulnerabilities on software installed on a computing system. At a transport layer (e.g., transmission communication protocol (TCP) sockets layer), network traffic is monitored using a security component installed on a target computer. When a message destined for the computing system is received, data included in the message is compared with exploit evidence used to identify malicious code. The exploit evidence is provided to the security component by security service that gathers information about the malicious code. Based on the comparison of data in the message with the exploit evidence, rules are identified that instruct the security component to take an appropriate action on the message received.

66 Citations

View as Search Results

20 Claims

1. At a computing system in a network computing environment, a method of minimizing the exploitation of vulnerabilities on software installed on the computing system by inspecting network traffic thereto and identifying the malicious code before it can be executed and/or installed, the method comprising:
- monitoring, at a transport layer, incoming network traffic of a computing system using a security component installed thereon;
  
  receiving as part of the network traffic a message at the transport layer identified as destined for the computing system;
  
  comparing at least a portion of data included in the message received with exploit evidence used to identify malicious code, the exploit evidence provided to the security component by a security service that gathers information about the malicious code;
  
  based on the comparison with the exploit evidence, identifying one or more rules that instruct the security component to perform one or more actions on the message received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the transport layer is one or more of a TCP socket level.
  - 3. The method of claim 1, wherein the comparison identifies the at least a portion of data as corresponding to malicious code, and the one or more rules instruct the security component to do one or more of the following:
    - block the message received from entering the computing system;
      
      inform a user of the computing system about the correspondence of the message to the malicious code in order to allow the user to take appropriate action;
      
      ormodify the message in order to disable any harmful features of the malicious code.
  - 4. The method of claim 3, wherein the one or more rules allow other benign messages to pass to the computing system, while blocking the message received.
  - 5. The method of claim 3, wherein the one or more rules inform the user of the computing system about the correspondence of the message using a user interface and allowing the user to either accept or reject the message.
  - 6. The method of claim 1, wherein the exploit evidence includes a list of known electronic addresses associated with malicious code.
  - 7. The method of claim 6, wherein the electronic address list includes IP addresses or URLs for websites and wherein an IP address or a URL for a source of the message is compared to the list of known electronic address associated with malicious code.
  - 8. The method of claim 1, wherein the exploit evidence includes one or more signatures of the malicious code, which are unique data structures that represent the malicious code.
  - 9. The method of claim 1, further comprising:
    - receiving from the security service a command that indicates that exploit evidence used to identify malicious code should expire based on one or more events; and
      
      upon occurrence of the one or more events, taking action on the exploit evidence as defined by one or more rules.
  - 10. The method of claim 9, wherein the event is one or more of determining that a risk window has passed or that the malicious code is below some threat rating threshold, and wherein the action on the exploit evidence includes one or more of cancelling the comparing of the exploit evidence, deleting the exploit evidence from the security component, or temporarily pausing the comparing of the exploit evidence.

11. At a computing system in a network computing environment, a computer program product comprising a computer-readable storage medium having encoded thereon computer-readable instructions, the instructions, when executed in a computing environment, perform a method comprising:
- monitoring, at a transport layer, incoming network traffic of a computing system using a security component installed thereon;
  
  receiving as part of the network traffic a message at the transport layer identified as destined for the computing system;
  
  comparing at least a portion of data included in the message received with exploit evidence used to identify malicious code, the exploit evidence provided to the security component by a security service that gathers information about the malicious code;
  
  based on the comparison with the exploit evidence, identifying one or more rules that instruct the security component to perform one or more actions on the message received.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer program product of claim 11, wherein the transport layer is one or more of a TCP socket level.
  - 13. The computer program product of claim 11, wherein the comparison identifies the at least a portion of data as corresponding to malicious code, and the one or more rules instruct the security component to do one or more of the following:
    - block the message received from entering the computing system;
      
      inform a user of the computing system about the correspondence of the message to the malicious code in order to allow the user to take appropriate action;
      
      ormodify the message in order to disable any harmful features of the malicious code.
  - 14. The computer program product of claim 13, wherein the one or more rules allow other benign messages to pass to the computing system, while blocking the message received.
  - 15. The computer program product of claim 13, wherein the one or more rules inform the user of the computing system about the correspondence of the message using a user interface and allowing the user to either accept or reject the message.
  - 16. The computer program product of claim 11, wherein the exploit evidence includes a list of known electronic addresses associated with malicious code.
  - 17. The computer program product of claim 16, wherein the electronic address list includes IP addresses or URLs for websites and wherein an IP address or a URL for a source of the message is compared to the list of known electronic address associated with malicious code.
  - 18. The computer program product of claim 11, wherein the exploit evidence includes one or more signatures of the malicious code, which are unique data structures that represent the malicious code.
  - 19. The computer program product of claim 11, further comprising:
    - receiving from the security service a command that indicates that exploit evidence used to identify malicious code should expire based on one or more events; and
      
      upon occurrence of the one or more events, taking action on the exploit evidence as defined by one or more rules.
  - 20. The computer program product of claim 19, wherein the event is one or more of determining that a risk window has passed or that the malicious code is below some threat rating threshold, and wherein the action on the exploit evidence includes one or more of cancelling the comparing of the exploit evidence, deleting the exploit evidence from the security component, or temporarily pausing the comparing of the exploit evidence.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avast Software SRO (Gen Digital Inc.)
Original Assignee
Exploit Prevention Labs, Inc. (Gen Digital Inc.)
Inventors
Mosher, Gregory Andrew, Thompson, Roger John

Granted Patent

US 8,898,787 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/166   at the transport layer

SOFTWARE VULNERABILITY EXPLOITATION SHIELD

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SOFTWARE VULNERABILITY EXPLOITATION SHIELD

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links