Methods and apparatus providing computer and network security utilizing probabilistic signature generation

US 20070256127A1
Filed: 08/04/2006
Published: 11/01/2007
Est. Priority Date: 12/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method of providing computer security in a computer networking environment including at least one computer system, the method comprising:

receiving information from at least one security interceptor associated with at least one computer system, the information identifying details associated with a traffic flow in a computer system of the computer networking environment;

determining a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information, the probabilistic link determined by attack information associated with previous attacks; and

based on the information provided by the at least one security interceptor, generating a signature utilized to prevent a similar attack on the computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system receives information from at least one security interceptor associated with at least one computer system. The information identifies details associated with a traffic flow in a computer system of the computer networking environment. The system determines a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information. The probabilistic link is determined by attack information associated with previous attacks. Based on the information provided by the at least one security interceptor, the system generates a signature utilized to prevent a similar attack on the computer system.

Citations

20 Claims

1. A method of providing computer security in a computer networking environment including at least one computer system, the method comprising:
- receiving information from at least one security interceptor associated with at least one computer system, the information identifying details associated with a traffic flow in a computer system of the computer networking environment;
  
  determining a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information, the probabilistic link determined by attack information associated with previous attacks; and
  
  based on the information provided by the at least one security interceptor, generating a signature utilized to prevent a similar attack on the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 further comprising:
    - inserting at least one security interceptor in the computer system, the at least one security interceptor providing information associated with the computer system.
  - 3. The method of claim 1 wherein receiving information from at least one security interceptor associated with at least one computer system comprises:
    - receiving information from the at least one security interceptor monitoring at least one of;
      
      i) a system call;
      
      ii) a buffer overflow;
      
      iii) an instance of downloaded content;
      
      iv) an instance of CPU utilization;
      
      v) at least one network connection;
      
      vi) a process exception;
      
      vii) a system configuration modification;
      
      viii) an instance of a new software program installation;
      
      ix) an instance of a new service installation;
      
      x) a first time instance of a application invocation;
      
      xi) an instance of mobile code execution;
      
      xii) an instance of at least one root-kit detection; and
      
      xiii) an instance of memory utilization.
  - 4. The method of claim 2 further comprising:
    - using the at least one security interceptor to filter data processing in the computer system.
  - 5. The method of claim 2 further comprising:
    - controlling a behavior of at least one application on the computer system by the at least one security interceptor.
  - 6. The method of claim 1 wherein receiving information from at least one security interceptor associated with at least one computer system comprises:
    - receiving notification that at least one event has occurred on the computer system;
      
      receiving information associated with the at least one event that occurred on the computer system;
      
      mapping the information associated with the at least one event to at least one data entry point on the computer system; and
      
      identifying that the at least one event is specific to the at least one data entry point on the computer system.
  - 7. The method of claim 6 wherein receiving information associated with the at least one event that occurred on the computer system comprises:
    - detecting the at least one event is associated with a set of events, the at least one event occurring generally at a same time as the set of events
  - 8. The method of claim 7 wherein detecting the at least one event is associated with a set of events comprises:
    - identifying the at least one event is related to the set of events, the at least one event having a link to the set of events.
  - 9. The method of claim 7 wherein detecting the at least one event is associated with a set of events comprises:
    - identifying the at least one event is not related to the set of events despite having occurred generally at a same time as the set of events.
  - 10. The method of claim 7 wherein detecting the at least one event is associated with a set of events comprises:
    - observing an order of the set of events, the order including a placement of the at least one event within the order of the set of events.
  - 11. The method of claim 1 wherein determining a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information comprises:
    - associating the probability to a configurable limit, the configurable limit defining a threshold beyond which an attack is assumed to be in progress.
  - 12. The method of claim 11 wherein associating the probability to a configurable limit comprises:
    - initializing the configurable limit of the probability of an attack.
  - 13. The method of claim 11 wherein associating the probability to a configurable limit comprises:
    - defining the configurable limit of the probability of an attack as a range of configurable limits.
  - 14. The method of claim 1 wherein determining a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information comprises:
    - modifying the probability of an attack on the computer system based on the information provided by the at least one security interceptor.
  - 15. The method of claim 1 wherein based on the information provided by the at least one security interceptor, generating a signature utilized to prevent a similar attack on the computer system comprises:
    - probabilistically identifying a data packet responsible for the attack.
  - 16. The method of claim 1 wherein based on the information provided by the at least one security interceptor, generating a signature utilized to prevent a similar attack on the computer system comprises:
    - deducing a cause of the attack based on at least one tracked resource request.

17. A computer system comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface; and
  
  wherein the memory is encoded with an application providing generating a signature that, when performed on the processor, provides a process for processing information, the process causing the computer apparatus to perform the operations of;
  
  providing an event correlation engine in communication with an application file interceptor; and
  
  wherein said event correlation engine receives information from at least one security interceptor associated with at least one computer system, the information identifying details associated with a traffic flow in a computer system of the computer networking environment, and wherein said event correlation engine determines a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information, the probabilistic link determined by attack information associated with previous attacks, and wherein based on the information provided by the at least one security interceptor, said event correlation engine generates a signature utilized to prevent a similar attack on the computer system.
- View Dependent Claims (18)
- - 18. The computer system of claim 17 wherein when the event correlation engine determines a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information, the event correlation engine correlates the probability to a configurable limit.

19. A computer readable medium encoded with computer programming logic that when executed on a process in a computerized device provides computer security, the medium comprising:
- instructions for receiving information from at least one security interceptor associated with at least one computer system, the information identifying details associated with a traffic flow in a computer system of the computer networking environment;
  
  instructions for determining a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information, the probabilistic link determined by attack information associated with previous attacks; and
  
  based on the information provided by the at least one security interceptor, instructions for generating a signature utilized to prevent a similar attack on the computer system.

20. A computer system comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  wherein the memory is encoded with a probabilistic signature generation application that when executed on the processor configures the computerized device with a means for generating a signature, the means including;
  
  means for receiving information from at least one security interceptor associated with at least one computer system, the information identifying details associated with a traffic flow in a computer system of the computer networking environment;
  
  means for determining a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information, the probabilistic link determined by attack information associated with previous attacks; and
  
  based on the information provided by the at least one security interceptor, means for generating a signature utilized to prevent a similar attack on the computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Zawadowskiy, Andrew, Kraemer, Jeffrey A.

Granted Patent

US 9,286,469 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Methods and apparatus providing computer and network security utilizing probabilistic signature generation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus providing computer and network security utilizing probabilistic signature generation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links