Method and computer program product for identifying or managing vulnerabilities within a data processing network

US 20090019547A1
Filed: 07/31/2008
Published: 01/15/2009
Est. Priority Date: 12/12/2003
Status: Active Grant

First Claim

Patent Images

1-29. -29. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods, apparatus and computer programs for identifying vulnerabilities to viruses of hacking. Hash values are computed and stored for resources stored on systems within a network. If a first resource or a collection of resources (such as files comprising an operating system, Web Browser or mail server) is associated with a vulnerability, hash values for the first resource or collection of resources are compared with the stored hash values to identify systems which have the vulnerability. Messages may be sent to the people responsible for the vulnerable systems, or the vulnerability may be removed by automatic downloading of patches or service packs.

Citations

47 Claims

1-29. -29. (canceled)

30. A method comprising:
- computing a set of first hash values derived from and representing a plurality of replicas of a resource, wherein the replicas of the resource are stored on respective data processing systems within a network;
  
  storing the computed set of first hash values;
  
  after computing and storing the set of first hash values, computing second hash values for the replicas of the resource, wherein the computing of the second hash values;
  
  at a central server within the network, automatically comparing the first and second hash values to find new hash values changed between computing the first hash values and computing the second hash values;
  
  statistically observing a creation pattern of the new hash values to evaluate the likelihood of a virus infection; and
  
  taking a selected action in response to determining a high likelihood of a virus infection from the statistical observation.
- View Dependent Claims (31, 32, 33, 34)
- - 31. The method of claim 30, further comprising detecting a new hash value creation pattern in which a large number of replicas of the resource have remained unchanged for a long period and are then suddenly changed.
  - 32. The method of claim 30, further comprising, responsive to statistically observing the creation pattern of the new hash values, determining which replicas of the resource need a virus scan.
  - 33. The method of claim 30, further comprising:
    - distributing a set of decoy files over multiple machines;
      
      computing and monitoring hash values for the set of decoy files; and
      
      in response to detecting a change in a decoy file, generating an alert.
  - 34. The method of claim 33 further comprising, in response to detecting the change in the decoy file, isolating a selected machine containing the changed decoy file from the network.

35. A computer program product including at least one tangible, computer readable medium, said at least one computer readable medium having instructions stored thereon for execution by at least one computer system, wherein the instructions, when executed by the at least one computer system, cause the at least one computer system to implement a method comprising the steps of:
- computing a set of first hash values derived from and representing a plurality of replicas of a resource, wherein the replicas of the resource are stored on respective data processing systems within a network;
  
  storing the computed set of first hash values;
  
  after computing and storing the set of first hash values, computing second hash values for the replicas of the resource, wherein the computing of the second hash values;
  
  at a central server within the network, automatically comparing the first and second hash values to find new hash values changed between computing the first hash values and computing the second hash values;
  
  statistically observing a creation pattern of the new hash values to evaluate the likelihood of a virus infection; and
  
  taking a selected action in response to determining a high likelihood of a virus infection from the statistical observation.
- View Dependent Claims (36, 37, 38, 39)
- - 36. The computer program product of claim 35, wherein the method further comprises detecting a new hash value creation pattern in which a large number of replicas of the resource have remained unchanged for a long period and are then suddenly changed.
  - 37. The computer program product of claim 35, wherein the method further comprises, responsive to statistically observing the creation pattern of the new hash values, determining which replicas of the resource need a virus scan.
  - 38. The computer program product of claim 35, wherein said at least one computer readable medium further includes instructions stored thereon for execution by the at least one computer system for:
    - distributing a set of decoy files over multiple machines;
      
      computing and monitoring hash values for the set of decoy files; and
      
      in response to detecting a change in a decoy file, generating an alert.
  - 39. The computer program product of claim 35, wherein said at least one computer readable medium further includes instructions stored thereon for execution by the at least one computer system for, in response to detecting the change in the decoy file, isolating a selected machine containing the changed decoy file from the network.

40. A method comprising the steps of:
- updating, at successive update times, virus definitions for scanning resources stored on a data processing system;
  
  scanning the stored resources for viruses in first and second scanning instances responsive to the virus definitions updated at respective first and second ones of the update times;
  
  computing hash values for the resources at the first and second update times;
  
  for a selected one or more of the resources, calculating a value indicative of how long the respective resource has remained unchanged between earliest and latest clear virus scans of the selected one or more of the resources;
  
  for the selected one or more of the resources, comparing the calculated value to a pre-selected reference value, the pre-selected reference value having been selected at least partially based on an expected time that a target virus may exist but remain undetected;
  
  prioritizing virus scanning of the selected one or more of the resources based at least partially on the result of comparing the calculated value to the pre-selected reference value;
  
  updating the virus definitions at a next update time;
  
  scanning at least one high-priority resource for viruses in a next scanning instance responsive to the virus definitions updated at the next time; and
  
  after scanning the at least one high-priority resource, deferring virus scanning of at least one low-priority resource until a period of low system activity.
- View Dependent Claims (41, 42, 43, 46, 47)
- - 41. The method of claim 40, further comprising excluding at least one low-priority resource from scanning by classifying it a safe.
  - 42. The method of claim 40, further comprising detecting the period of low system activity with an inactivity timer.
  - 43. The method of claim 40, wherein prioritizing virus scanning of the selected one or more of the resources is further based at least partially on whether hash values for the selected one or more of the resources are equal for the earliest and latest clear virus scans.
  - 46. The computer program product of claim 43, wherein the method further comprises detecting the period of low system activity with an inactivity timer.
  - 47. The computer program product of claim 43, wherein prioritizing virus scanning of the selected one or more of the resources is further based at least partially on whether hash values for the selected one or more of the resources are equal for the earliest and latest clear virus scans.

44. A computer program product including at least one tangible, computer readable medium, said at least one computer readable medium having instructions stored thereon for execution by at least one computer system, wherein the instructions, when executed by the at least one computer system, cause the at least one computer system to implement a method comprising the steps of:
- updating, at successive update times, virus definitions for resources stored on a data processing system;
  
  scanning the stored resources for viruses in first and second scanning instances responsive to the virus definitions updated at respective first and second ones of the update times;
  
  computing hash values for the resources at the first and second update times;
  
  for a selected one or more of the resources, calculating a value indicative of how long the respective resource has remained unchanged between earliest and latest clear virus scans of the selected one or more of the resources;
  
  for the selected one or more of the resources, comparing the calculated value to a pre-selected reference value, the pre-selected reference value having been selected at least partially based on an expected time that a target virus may exist but remain undetected;
  
  prioritizing virus scanning of the selected one or more of the resources based at least partially on the result of comparing the calculated value to the pre-selected reference value;
  
  updating the virus definitions at a next update time;
  
  scanning at least one high-priority resource for viruses in a next scanning instance responsive to the virus definitions updated at the next time; and
  
  after scanning at least one high-priority resource, deferring virus scanning of at least one low-priority resource until a period of low system activity.
- View Dependent Claims (45)
- - 45. The computer program product of claim 44, wherein the method further comprises excluding at least one low-priority resource from scanning by classifying it a safe.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Aswathanarayana, Tejasvi, Palliyil, Sudarshan, Venkateshamurthy, Shivakumara

Granted Patent

US 7,752,669 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6272   by registering files or doc...

G06F 21/645   using a third party

G06F 2221/033   Test or assess software

H04L 63/123   received data contents, e.g...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Method and computer program product for identifying or managing vulnerabilities within a data processing network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Method and computer program product for identifying or managing vulnerabilities within a data processing network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links