Method, system and computer program product for detecting at least one of security threats and undesirable computer files
Abstract
Method, system and computer program product for detecting at least one of security threats and undesirable computer files are provided. A first method includes receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process. The computer processes are implemented on one or more computers. The method further includes monitoring the data stream to detect a security threat based on a whitelist having entries which contain metadata. The whitelist describes legitimate application layer messages based on a set of heuristics. The method still further includes generating a signal if a security threat is detected. A second method includes comparing a set of computer files with a whitelist which characterizes all legitimate computer files. The whitelist contains one or more entries. Each of the entries describe a plurality of legitimate computer files.
50 Claims

1. A method of detecting security threats in a computer network, the method comprising:
receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process wherein the computer processes are implemented on one or more computers;
monitoring the data stream to detect a security threat based on a whitelist having entries which contain metadata, the whitelist describing legitimate application layer messages based on a set of heuristics; and
generating a signal if a security threat is detected.

2. The method as claimed in claim 1, further comprising generating and adding new metadata to the whitelist.

3. The method as claimed in claim 1, wherein the metadata contains alert filters that specify sets of alerts to match.

4. The method as claimed in claim 1, wherein the messages include HTTP messages.

5. The method as claimed in claim 1, wherein substantially all of the computer processes are implemented inside the network.

6. The method as claimed in claim 1, wherein at least one of the second computer processes is implemented outside of the network.

7. The method as claimed in claim 3, wherein the whitelist entries associate the alerts with particular applications, wherein all of the entries for a particular application comprise an application profile for the particular application, and wherein each application profile comprises one or more alert filters.

8. The method as claimed in claim 3, wherein one of the alerts is a formatting alert.

9. The method as claimed in claim 8, wherein the formatting alert is an unknown user agent alert.

10. The method as claimed in claim 8, wherein the formatting alert is an unknown header field alert.

11. The method as claimed in claim 8, wherein the formatting alert is a bad header format alert.

12. The method as claimed in claim 3, wherein one of the alerts is a timing alert.

13. The method as claimed in claim 12, wherein the timing alert is a delay time alert.

14. The method as claimed in claim 12, wherein the timing alert is a regularity alert.

15. The method as claimed in claim 12, wherein the timing alert is a time of day alert.

16. The method as claimed in claim 3, wherein one of the alerts is a bandwidth alert.

17. The method as claimed in claim 3, wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application.

18. The method as claimed in claim 1, wherein the whitelist comprises a mapping from the metadata to legitimate applications.
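Claims 3 through 18 describe the mechanics: a set of heuristics turns each outbound message into formatting, timing or bandwidth alerts; a whitelist entry has a matching section and an action that binds the alerts it matches to one application; and all entries for an application together form its application profile. The following Python is an added example written for this page, not the patent's own code or any implementation it describes; the known user-agent and header lists, the thresholds, the application names, the hosts and the sample messages are all assumptions made up for the illustration.

```python
"""Constructed illustration of claims 1-18 (not the patent's code): heuristics turn outbound
HTTP messages into alerts, application profiles in a whitelist attribute alerts to legitimate
applications, and any alert no entry matches becomes a signal."""
from datetime import datetime, timedelta
from fnmatch import fnmatch
from typing import Dict, List, NamedTuple, Tuple

KNOWN_USER_AGENTS = {"Mozilla/5.0", "Corp-Updater/2.1", "Backup-Agent/1.0"}  # assumed
KNOWN_HEADERS = {"host", "user-agent", "accept", "content-type", "content-length"}
MAX_MESSAGE_BYTES = 4096   # bandwidth heuristic (assumed threshold)
MIN_DELAY_SECONDS = 30     # delay-time heuristic (assumed threshold)
WORK_HOURS = range(7, 20)  # time-of-day heuristic: 07:00-19:59 (assumed)

class Alert(NamedTuple):
    kind: str   # unknown_user_agent, unknown_header_field, bad_header_format,
    value: str  # delay_time, regularity, time_of_day or bandwidth;
    host: str   # value is the metadata the whitelist matches against

class Message(NamedTuple):
    ts: datetime
    raw: bytes  # the captured outbound HTTP request

def parse_headers(raw: bytes) -> Tuple[Dict[str, str], List[str]]:
    """Return (header map, malformed header lines) for one request."""
    headers, bad = {}, []
    for line in raw.decode("ascii", errors="replace").split("\r\n")[1:]:
        if line == "":
            break                         # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip() and " " not in name.strip():
            headers[name.strip().lower()] = value.strip()
        else:
            bad.append(line)              # no colon, or spaces in the field name
    return headers, bad

def generate_alerts(messages: List[Message]) -> List[Alert]:
    """Run the formatting, bandwidth and timing heuristics over the stream in time order."""
    alerts: List[Alert] = []
    seen: Dict[str, List[datetime]] = {}  # per-host timestamps for the timing alerts
    for m in sorted(messages, key=lambda x: x.ts):
        headers, bad = parse_headers(m.raw)
        host, ua = headers.get("host", "?"), headers.get("user-agent", "")
        if ua not in KNOWN_USER_AGENTS:
            alerts.append(Alert("unknown_user_agent", ua, host))
        alerts += [Alert("unknown_header_field", h, host) for h in headers if h not in KNOWN_HEADERS]
        alerts += [Alert("bad_header_format", line, host) for line in bad]
        if len(m.raw) > MAX_MESSAGE_BYTES:
            alerts.append(Alert("bandwidth", str(len(m.raw)), host))
        if m.ts.hour not in WORK_HOURS:
            alerts.append(Alert("time_of_day", m.ts.strftime("%H:%M"), host))
        ts = seen.setdefault(host, [])
        ts.append(m.ts)
        if len(ts) >= 2:
            d2 = (ts[-1] - ts[-2]).total_seconds()
            if d2 < MIN_DELAY_SECONDS:
                alerts.append(Alert("delay_time", f"{d2:.0f}s", host))
            if len(ts) >= 3:
                d1 = (ts[-2] - ts[-3]).total_seconds()
                if d1 > 0 and abs(d1 - d2) <= 0.05 * d1:  # near-constant period
                    alerts.append(Alert("regularity", f"{d2:.0f}s", host))
    return alerts

class Entry(NamedTuple):
    """Matching section (alert kind plus globs over value and host) and action (application)."""
    application: str
    kind: str
    value_glob: str = "*"
    host_glob: str = "*"
    def matches(self, a: Alert) -> bool:
        return a.kind == self.kind and fnmatch(a.value, self.value_glob) and fnmatch(a.host, self.host_glob)

WHITELIST = [  # assumed profiles; all entries naming one application form its profile
    Entry("Corp-Updater", "unknown_header_field", "x-update-channel", "updates.example.com"),
    Entry("Corp-Updater", "regularity", "*", "updates.example.com"),
    Entry("Corp-Updater", "time_of_day", "*", "updates.example.com"),
    Entry("Backup-Agent", "bandwidth", "*", "backup.example.com"),
    Entry("Backup-Agent", "time_of_day", "*", "backup.example.com"),
]

def monitor(messages: List[Message]) -> Tuple[Dict[str, List[Alert]], List[Alert]]:
    """Attribute every alert to a whitelisted application, or signal it."""
    attributed: Dict[str, List[Alert]] = {}
    signals: List[Alert] = []
    for a in generate_alerts(messages):
        entry = next((e for e in WHITELIST if e.matches(a)), None)
        if entry is None:
            signals.append(a)             # no legitimate application explains it
        else:
            attributed.setdefault(entry.application, []).append(a)
    return attributed, signals

def request(host: str, ua: str, *extra: str, body: bytes = b"") -> bytes:
    head = ["POST /ping HTTP/1.1", f"Host: {host}", f"User-Agent: {ua}", "Accept: */*", *extra, "", ""]
    return "\r\n".join(head).encode() + body   # constructed outbound request

def sample_stream() -> List[Message]:
    """Constructed traffic: nightly updater, a browser, a large backup upload, a 5-second beacon."""
    t = datetime(2024, 1, 1, 3, 0)
    return ([Message(t + timedelta(minutes=5 * i), request("updates.example.com", "Corp-Updater/2.1", "X-Update-Channel: stable")) for i in range(3)]
            + [Message(t + timedelta(hours=7, minutes=15), request("www.example.com", "Mozilla/5.0"))]
            + [Message(t + timedelta(hours=19), request("backup.example.com", "Backup-Agent/1.0", body=b"x" * 5000))]
            + [Message(t + timedelta(hours=7, minutes=20, seconds=5 * i), request("203.0.113.7", "agent", "X-Id: abc", "malformed header")) for i in range(3)])
```

Calling `monitor(sample_stream())` attributes the updater's extra header, night-time and regular-interval alerts and the backup agent's bandwidth and night-time alerts to their profiles, while every alert raised by the 5-second beacon to 203.0.113.7 (unknown user agent, unknown header field, bad header format, delay time, regularity) matches no entry and comes back as a signal. The point worth keeping in mind is that an alert is metadata, not a verdict: the same regularity alert is expected from the updater and suspicious from anything else, which is why the whitelist maps alerts to applications instead of suppressing an alert kind globally. An entry with `value_glob` and `host_glob` both left at `"*"` would do exactly that suppression, so entries should be scoped as tightly as the application's real behaviour allows.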

19. A method of detecting undesirable computer files, the method comprising:
comparing a set of computer files with a whitelist which characterizes all legitimate computer files wherein the whitelist contains one or more entries, each of the entries describing a plurality of legitimate computer files.

20. The method as claimed in claim 19, further comprising generating a signal if one or more of the set of computer files are not on the whitelist.

21. The method as claimed in claim 19, wherein each of the entries of the whitelist contains metadata that matches a set of files using a formatting filter.

22. The method as claimed in claim 19, wherein the whitelist contains application profiles that contain the one or more entries.

23. The method as claimed in claim 19, wherein each of the entries describes a plurality of legitimate computer files that can be read, written or executed by an application or operating system.

24. The method as claimed in claim 19, wherein each of the computer files is a data file.
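Claims 19 through 24 carry the same idea over to files: each whitelist entry describes many files at once through a formatting filter, entries are grouped into application profiles, and a file that no entry describes produces a signal. The following Python is an added example written for this page, not the patent's code; the profiles, paths, magic values, size bounds and sample files are constructed for the illustration, and the three-part filter (path glob, leading bytes, size bound) is one plausible reading of "formatting filter", not a definition the page gives.

```python
"""Constructed illustration of claims 19-24 (not the patent's code): whitelist entries,
grouped into application profiles, each describe many legitimate files through a
formatting filter; files no entry describes are signalled."""
import os
from fnmatch import fnmatch
from typing import Dict, List, NamedTuple, Optional, Tuple

class FileInfo(NamedTuple):
    path: str
    head: bytes  # leading bytes of the file, i.e. its format signature
    size: int

class FileEntry(NamedTuple):
    """Formatting filter: a file is described when it satisfies every constraint."""
    path_glob: str
    magic: bytes = b""              # required leading bytes; b"" accepts any format
    max_size: Optional[int] = None  # upper size bound; None means unbounded

    def describes(self, f: FileInfo) -> bool:
        return (fnmatch(f.path, self.path_glob) and f.head.startswith(self.magic)
                and (self.max_size is None or f.size <= self.max_size))

class Profile(NamedTuple):
    application: str
    entries: List[FileEntry]

WHITELIST = [  # assumed profiles; paths and bounds are made up
    Profile("ImageViewer", [FileEntry("/opt/viewer/assets/*.png", b"\x89PNG\r\n\x1a\n", 2_000_000),
                            FileEntry("/opt/viewer/assets/*.jpg", b"\xff\xd8\xff", 5_000_000)]),
    Profile("ConfigDaemon", [FileEntry("/etc/daemon/*.conf", b"", 65_536)]),
]

def check_files(files: List[FileInfo]) -> Tuple[Dict[str, List[FileInfo]], List[FileInfo]]:
    """Attribute each file to the application whose profile describes it, else signal it."""
    attributed: Dict[str, List[FileInfo]] = {}
    signals: List[FileInfo] = []
    for f in files:
        owner = next((p.application for p in WHITELIST if any(e.describes(f) for e in p.entries)), None)
        if owner is None:
            signals.append(f)
        else:
            attributed.setdefault(owner, []).append(f)
    return attributed, signals

def from_disk(path: str) -> FileInfo:
    """Read the signature and size of a real file (the sample below is constructed instead)."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return FileInfo(path, head, os.path.getsize(path))

SAMPLE_FILES = [  # constructed file set
    FileInfo("/opt/viewer/assets/logo.png", b"\x89PNG\r\n\x1a\n\x00\x00", 48_120),
    FileInfo("/opt/viewer/assets/photo.jpg", b"\xff\xd8\xff\xe0\x00\x10", 1_203_441),
    FileInfo("/etc/daemon/main.conf", b"# main config\n", 812),
    FileInfo("/opt/viewer/assets/banner.png", b"MZ\x90\x00\x03\x00", 74_240),         # executable signature under a .png name
    FileInfo("/opt/viewer/assets/huge.png", b"\x89PNG\r\n\x1a\n\x00\x00", 9_000_000),  # exceeds the entry's size bound
    FileInfo("/tmp/notes.txt", b"todo", 40),                                            # no profile covers /tmp
]
```

`check_files(SAMPLE_FILES)` attributes logo.png, photo.jpg and main.conf to their applications and signals the other three: a file under a .png name whose leading bytes are an executable header, a genuine PNG over the entry's size bound, and a file in a location no profile covers. Combining path, signature and size in one entry is what lets a single entry stand for a plurality of files without trusting the file name alone; `from_disk` shows how such records would be built from real files when the check runs against a live file system.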

25. A system for detecting security threats in a computer network, the system comprising:
means for receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process wherein the computer processes are implemented on one or more computers;
means for monitoring the data stream to detect a security threat based on a whitelist having entries which contain metadata, the whitelist describing legitimate application layer messages based on a set of heuristics; and
means for generating a signal if a security threat is detected.

26. The system as claimed in claim 25, further comprising means for generating and adding new metadata to the whitelist.

27. The system as claimed in claim 25, wherein the metadata contains alert filters that specify sets of alerts to match.

28. The system as claimed in claim 25, wherein the messages include HTTP messages.

29. The system as claimed in claim 25, wherein substantially all of the computer processes are implemented inside the network.

30. The system as claimed in claim 25, wherein at least one of the second computer processes is implemented outside of the network.

31. The system as claimed in claim 27, wherein the whitelist entries associate the alerts with particular applications, wherein all of the entries for a particular application comprise an application profile for the particular application, and wherein each application profile comprises one or more alert filters.

32. The system as claimed in claim 27, wherein one of the alerts is a formatting alert.

33. The system as claimed in claim 32, wherein the formatting alert is an unknown user agent alert.

34. The system as claimed in claim 32, wherein the formatting alert is an unknown header field alert.

35. The system as claimed in claim 32, wherein the formatting alert is a bad header format alert.

36. The system as claimed in claim 27, wherein one of the alerts is a timing alert.

37. The system as claimed in claim 36, wherein the timing alert is a delay time alert.

38. The system as claimed in claim 36, wherein the timing alert is a regularity alert.

39. The system as claimed in claim 36, wherein the timing alert is a time of day alert.

40. The system as claimed in claim 27, wherein one of the alerts is a bandwidth alert.

41. The system as claimed in claim 27, wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application.

42. The system as claimed in claim 25, wherein the whitelist comprises a mapping from the metadata to legitimate applications.

43. A system for detecting undesirable computer files, the system comprising:
a processor operable to execute computer program instructions;
a memory operable to store computer program instructions accessible by the processor; and
computer program instructions stored in the memory to perform the step of:
comparing a set of computer files with a whitelist which characterizes all legitimate computer files wherein the whitelist contains one or more entries, each of the entries describing a plurality of legitimate computer files.

44. The system as claimed in claim 43, further comprising means for generating a signal if one or more of the set of computer files are not on the whitelist.

45. The system as claimed in claim 43, wherein each of the entries of the whitelist contains metadata that matches a set of files using a formatting filter.

46. The system as claimed in claim 43, wherein the whitelist contains application profiles that contain the one or more entries.

47. The system as claimed in claim 43, wherein each of the entries describes a plurality of legitimate computer files that can be read, written or executed by an application or operating system.

48. The system as claimed in claim 43, wherein each of the computer files is a data file.

49. A computer program product for detecting security threats in a computer network, the product comprising:
a computer readable medium; and
computer program instructions recorded on the medium and executable by a processor for performing the steps of:
receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process wherein the computer processes are implemented on one or more computers;
monitoring the data stream to detect a security threat based on a whitelist having entries which contain metadata, the whitelist describing legitimate application layer messages based on a set of heuristics; and
generating a signal if a security threat is detected.

50. A computer program product for detecting undesirable computer files, the product comprising:
a computer readable medium; and
computer program instructions recorded on the medium and executable by a processor for performing the step of:
comparing a set of computer files with a whitelist which characterizes all legitimate computer files wherein the whitelist contains one or more entries, each of the entries describing a plurality of legitimate computer files.

Specification