System and Method for Classification of Unwanted or Malicious Software Through the Identification of Encrypted Data Communication

US 20100154032A1
Filed: 12/12/2008
Published: 06/17/2010
Est. Priority Date: 12/12/2008
Status: Active Grant

First Claim

Patent Images

1. A method for identifying malware or unauthorized software communications implemented within a computer infrastructure, the method comprising:

detecting an encrypted communication;

determining identification data for the encrypted communication;

comparing the detected encrypted communication to at least one of;

a list of applications authorized for encrypted communications using the identification data; and

a list of authorized destinations of encrypted communications using the identification data;

identifying the detected encrypted communication as an unauthorized encrypted communication in response to a determination that at least one of;

the detected encrypted communication is from an unauthorized application, which is not on the list of applications authorized for encrypted communications, based on the comparing; and

the detected encrypted communication is to an unauthorized destination, which is not on the list of authorized destinations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for identifying malware or unauthorized software communications implemented within a computer infrastructure, the method including detecting an encrypted communication and determining identification data for the encrypted communication. Additionally, the method includes comparing the detected encrypted communication to at least one of a list of applications authorized for encrypted communications using the identification data and a list of authorized destinations of encrypted communications using the identification data. Furthermore, the method includes identifying the detected encrypted communication as an unauthorized encrypted communication in response to a determination that at least one of the detected encrypted communication is from an unauthorized application, which is not on the list of applications authorized for encrypted communications, based on the comparing and the detected encrypted communication is to an unauthorized destination, which is not on the list of authorized destinations.

167 Citations

20 Claims

1. A method for identifying malware or unauthorized software communications implemented within a computer infrastructure, the method comprising:
- detecting an encrypted communication;
  
  determining identification data for the encrypted communication;
  
  comparing the detected encrypted communication to at least one of;
  
  a list of applications authorized for encrypted communications using the identification data; and
  
  a list of authorized destinations of encrypted communications using the identification data;
  
  identifying the detected encrypted communication as an unauthorized encrypted communication in response to a determination that at least one of;
  
  the detected encrypted communication is from an unauthorized application, which is not on the list of applications authorized for encrypted communications, based on the comparing; and
  
  the detected encrypted communication is to an unauthorized destination, which is not on the list of authorized destinations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising blocking the unauthorized encrypted communication.
  - 3. The method of claim 1, further comprising identifying the detected encrypted communication as an authorized encrypted communication when the detected encrypted communication is:
    - from an authorized application, which is on the list of applications authorized for encrypted communications based on the comparing; and
      
      to an authorized destination, which is on the list of authorized destinations for encrypted communications based on the comparing.
  - 4. The method of claim 3, further comprising allowing the authorized encrypted communication.
  - 5. The method of claim 1, further comprising receiving at least one of the list of applications authorized for encrypted communications and the list of authorized destinations.
  - 6. The method of claim 1, further comprising storing at least one of the list of applications authorized for encrypted communications and the list of authorized destinations in a database.
  - 7. The method of claim 1, further comprising:
    - determining that the detected encrypted communication is from an application on a trusted network; and
      
      adding the application to the list of applications authorized for encrypted communications.
  - 8. The method of claim 1, further comprising associating the unauthorized encrypted communication with at least one of malware and an unauthorized software deployment.
  - 9. The method of claim 1, wherein at least one of the detecting, the comparing and the identifying is performed in real-time.
  - 10. The method of claim 1, further comprising:
    - providing the identification of the detected encrypted communication as an unauthorized encrypted communication to a user; and
      
      receiving an instruction from the user to one of;
      
      add the unauthorized application from which the detected encrypted communication was sent to the list of applications authorized for encrypted communications and allow the detected encrypted communication; and
      
      block the unauthorized encrypted communication.
  - 11. The method of claim 10, wherein the user is at least one of:
    - a desktop user;
      
      a network administrator; and
      
      a system administrator.
  - 12. The method of claim 1, wherein the detecting the encrypted communication comprises:
    - observing one or more packets on a network; and
      
      utilizing one or more mathematical and analytical methodologies to identify the one or more packets on the network as the encrypted communication.
  - 13. The method of claim 1, wherein the identification data for the encrypted communication comprises at least one of:
    - a source;
      
      a destination;
      
      a source port number;
      
      a destination port number;
      
      an encryption type; and
      
      a destination host.
  - 14. The method of claim 1, wherein a service provider at least one of creates, maintains, deploys and supports the computer infrastructure.
  - 15. The method of claim 1, wherein steps of claim 1 are provided by a service provider on a subscription, advertising, and/or fee basis.

16. A computer system for identifying malware or unauthorized software communications, the system comprising:
- a storage, a memory and a central processing unit;
  
  first program instructions to detect an encrypted communication;
  
  second program instructions to determine identification data for the encrypted communication;
  
  third program instructions to compare the encrypted communication to at least one of a list of applications authorized for encrypted communications and a list of authorized destinations of encrypted communications using the identification data;
  
  fourth program instructions to identify the encrypted communication as an unauthorized encrypted communication in response to a determination that the encrypted communication is at least one of;
  
  from an unauthorized application, which is not on the list of applications authorized for encrypted communications, based on the comparing the encrypted communication to the list of applications authorized for encrypted communications;
  
  to an unauthorized destination, which is not on the list of authorized destinations for encrypted communications, based on the comparing the encrypted communication to the list of authorized destinations of encrypted communications,wherein the first, second, third and fourth program instructions are stored in the storage for execution by the central processing unit via the memory.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, further comprising fifth program instructions to block the unauthorized encrypted communication, wherein the fifth program instructions are stored in the storage for execution by the central processing unit via the memory.
  - 18. The system of claim 16, further comprising sixth program instructions to:
    - identify the encrypted communication as an authorized encrypted communication when the encrypted communication is from an authorized application, which is on the list of applications authorized for encrypted communications based on the comparing the encrypted communication to the list of applications authorized for encrypted communications; and
      
      allow the authorized encrypted communication,wherein the sixth program instructions are stored in the storage for execution by the central processing unit via the memory.
  - 19. The system of claim 16, further comprising seventh program instructions to receive the list of applications authorized for encrypted communications and store the list of applications authorized for encrypted communications in a database,wherein the seventh program instructions are stored in the storage for execution by the central processing unit via the memory.

20. A computer program product comprising a computer usable storage medium having readable program code embodied in the storage medium, the computer program product includes at least one component operable to:
- receive at least one of a list of applications authorized for encrypted communications and a list of authorized destinations of encrypted communications;
  
  detect an encrypted communication;
  
  determine identification data for the encrypted communication;
  
  compare the detected encrypted communication to at least one of the list of applications authorized for encrypted communications and the list of authorized destinations of encrypted communications using the identification data;
  
  identify the detected encrypted communication as an unauthorized encrypted communication and block the detected encrypted communication in response to a determination that the detected encrypted communication is at least one of;
  
  from an unauthorized application, which is not on the list of applications authorized for encrypted communications, based on the comparing; and
  
  to an unauthorized destination, which is not on the list of authorized destinations for encrypted communications; and
  
  identify the detected encrypted communication as an authorized encrypted communication and allow the detected encrypted communication in response to a determination that the detected encrypted communication is;
  
  from an authorized application, which is on the list of applications authorized for encrypted communications, based on the comparing; and
  
  to an authorized destination, which is on the list of authorized destinations of encrypted communications, based on the comparing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
OLLMANN, Gunter D.

Granted Patent

US 8,549,625 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/606   by securing the transmissio...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

H04L 2463/144   Detection or countermeasure...

H04L 63/0428   wherein the data content is...

H04L 63/101   Access control lists [ACL]

H04L 63/145   the attack involving the pr...

System and Method for Classification of Unwanted or Malicious Software Through the Identification of Encrypted Data Communication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

167 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Classification of Unwanted or Malicious Software Through the Identification of Encrypted Data Communication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

167 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links