Method, system and computer program product for detecting at least one of security threats and undesirable computer files

US 20090158430A1
Filed: 12/18/2008
Published: 06/18/2009
Est. Priority Date: 10/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting security threats in a computer network, the method comprising:

receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process wherein the computer processes are implemented on one or more computers;

monitoring the data stream to detect a security threat based on a whitelist having entries which contains metadata, the whitelist describing legitimate application layer messages based on a set of heuristics; and

generating a signal if a security threat is detected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method, system and computer program product for detecting at least one of security threats and undesirable computer files are provided. A first method includes receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process. The computer processes are implemented on one or more computers. The method further includes monitoring the data stream to detect a security threat based on a whitelist having entries which contain metadata. The whitelist describes legitimate application layer messages based on a set of heuristics. The method still further includes generating a signal if a security threat is detected. A second method includes comparing a set of computer files with a whitelist which characterizes all legitimate computer files. The whitelist contains one or more entries. Each of the entries describe a plurality of legitimate computer files.

Citations

50 Claims

1. A method of detecting security threats in a computer network, the method comprising:
- receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process wherein the computer processes are implemented on one or more computers;
  
  monitoring the data stream to detect a security threat based on a whitelist having entries which contains metadata, the whitelist describing legitimate application layer messages based on a set of heuristics; and
  
  generating a signal if a security threat is detected.

2. The method as claimed in claim 1 further comprising generating and adding new metadata to the whitelist.

3. The method as claimed in claim 1, wherein the metadata contains alert filters that specify sets of alerts to match.

4. The method as claimed in claim 1, wherein the messages include HTTP messages.

5. The method as claimed in claim 1, wherein substantially all of the computer processes are implemented inside the network.

6. The method as claimed in claim 1, wherein at least one of the second computer processes is implemented outside of the network.

7. The method as claimed in claim 3, and wherein the whitelist entries which associate the alerts with particular applications and wherein all of the entries for a particular application comprise an application profile for the particular application and wherein each application profile comprises one or more alert filters.

8. The method as claimed in claim 3, wherein one of the alerts is a formatting alert.

9. The method as claimed in claim 8, wherein the formatting alert is an unknown user agent alert.

10. The method as claimed in claim 8, wherein the formatting alert is an unknown header field alert.

11. The method as claimed in claim 8, wherein the formatting alert is a bad header format alert.

12. The method as claimed in claim 3, wherein one of the alerts is a timing alert.

13. The method as claimed in claim 12, wherein the timing alert is a delay time alert.

14. The method as claimed in claim 12, wherein the timing alert is a regularity alert.

15. The method as claimed in claim 12, wherein the timing alert is a time of day alert.

16. The method as claimed in claim 3, wherein one of the alerts is a bandwidth alert.

17. The method as claimed in claim 3, wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application.

18. The method as claimed in claim 1, wherein the whitelist comprises a mapping from the metadata to legitimate applications.

19. A method of detecting undesirable computer files, the method comprising:
- comparing a set of computer files with a whitelist which characterizes all legitimate computer files wherein the whitelist contains one or more entries, each of the entries describing a plurality of legitimate computer files.

20. The method as claimed in claim 19, further comprising generating a signal if one or more of the set of computer files are not on the whitelist.

21. The method as claimed in claim 19, wherein each of the entries of the whitelist contains metadata that matches a set of files using a formatting filter.

22. The method as claimed in claim 19, wherein the whitelist contains application profiles that contain the one or more entries.

23. The method as claimed in claim 19, wherein each of the entries describes a plurality of legitimate computer files that can be read, written or executed by an application or operating system.

24. The method as claimed in claim 19, wherein each of the computer files is a data file.

25. A system for detecting security threats in a computer network, the system comprising:
- means for receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process wherein the computer processes are implemented on one or more computers;
  
  means for monitoring the data stream to detect a security threat based on a whitelist having entries which contains metadata, the whitelist describing legitimate application layer messages based on a set of heuristics; and
  
  means for generating a signal if a security threat is detected.

26. The system as claimed in claim 25 further comprising means for generating and adding new metadata to the whitelist.

27. The system as claimed in claim 25, wherein the metadata contains alert filters that specify sets of alerts to match.

28. The system as claimed in claim 25, wherein the messages include HTTP messages.

29. The system as claimed in claim 25, wherein substantially all of the computer processes are implemented inside the network.

30. The system as claimed in claim 25, wherein at least one of the second computer processes is implemented outside of the network.

31. The system as claimed in claim 27, and wherein the whitelist entries which associate the alerts with particular applications and wherein all of the entries for a particular application comprise an application profile for the particular application and wherein each application profile comprises one or more alert filters.

32. The system as claimed in claim 27, wherein one of the alerts is a formatting alert.

33. The system as claimed in claim 32, wherein the formatting alert is an unknown user agent alert.

34. The system as claimed in claim 32, wherein the formatting alert is an unknown header field alert.

35. The system as claimed in claim 32, wherein the formatting alert is a bad header format alert.

36. The system as claimed in claim 27, wherein one of the alerts is a timing alert.

37. The system as claimed in claim 36, wherein the timing alert is a delay time alert.

38. The system as claimed in claim 36, wherein the timing alert is a regularity alert.

39. The system as claimed in claim 36, wherein the timing alert is a time of day alert.

40. The system as claimed in claim 27, wherein one of the alerts is a bandwidth alert.

41. The system as claimed in claim 27, wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application.

42. The system as claimed in claim 25, wherein the whitelist comprises a mapping from the metadata to legitimate applications.

43. A system for detecting undesirable computer files, the system comprising:
- a processor operable to execute computer program instructions;
  
  a memory operable to store computer program instructions accessible by the processor; and
  
  computer program instructions stored in the memory to perform the step of;
  
  comparing a set of computer files with a whitelist which characterizes all legitimate computer files wherein the whitelist contains one or more entries, each of the entries describing a plurality of legitimate computer files.

44. The system as claimed in claim 43, further comprising means for generating a signal if one or more of the set of computer files are not on the whitelist.

45. The system as claimed in claim 43, wherein each of the entries of the whitelist contains metadata that matches a set of files using a formatting filter.

46. The system as claimed in claim 43, wherein the whitelist contains application profiles that contain the one or more entries.

47. The system as claimed in claim 43, wherein each of the entries describes a plurality of legitimate computer files that can be read, written or executed by an application or operating system.

48. The system as claimed in claim 43, wherein each of the computer files is a data file.

49. A computer program product for detecting security threats in a computer network, the product comprising:
- a computer readable medium; and
  
  computer program instructions recorded on the medium and executable by a processor for performing the steps of;
  
  receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process wherein the computer processes are implemented on one or more computers;
  
  monitoring the data stream to detect a security threat based on a whitelist having entries which contains metadata, the whitelist describing legitimate application layer messages based on a set of heuristics; and
  
  generating a signal if a security threat is detected.

50. A computer program product for detecting undesirable computer files, the product comprising:
- a computer readable medium; and
  
  computer program instructions recorded on the medium and executable by a processor for performing the step of;
  
  comparing a set of computer files with a whitelist which characterizes all legitimate computer files wherein the whitelist contains one or more entries, each of the entries describing a plurality of legitimate computer files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
David R. Syrowik
Original Assignee
David R. Syrowik
Inventors
Borders, Kevin R.

Granted Patent

US 9,055,093 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

Method, system and computer program product for detecting at least one of security threats and undesirable computer files

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Method, system and computer program product for detecting at least one of security threats and undesirable computer files

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links