ATTACK-RESISTANT VERIFICATION OF AUTO-GENERATED ANTI-MALWARE SIGNATURES
First Claim
1. A system, comprising:
a processor;
a memory; and
an intrusion prevention application, which, when executed by the processor is configured to verify anti-malware signatures by performing an operation, comprising:
detecting a first attack on a server application executing on the system,
determining a candidate payload being processed by the server application contemporaneous to the detected attack,
generating a provisional signature corresponding to the first attack,
upon determining a first payload addressed to the server application matches the provisional signature, monitoring the effects of the first payload when processed by the server application, and
upon determining that processing the first payload results in a second attack on the server application, increasing a confidence metric associated with the provisional signature.
Abstract
Techniques are disclosed for verifying whether payload signatures correspond to a vulnerability or exploit. Generally, a security system may be configured to detect an attack on a server while the server is processing a payload. The security system generates (or obtains) a provisional signature corresponding to the vulnerability. For example, a provisional signature may be generated for a vulnerability from a group of payloads determined to correspond to that vulnerability. The effects of subsequent payloads which match the provisional signature may be monitored. If the effects of a payload duplicate the attack symptoms, a confidence metric for the provisional signature may be increased. Once the confidence metric exceeds a predetermined threshold, the provisional signature may be made active and used to block traffic from reaching an intended destination.
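The lifecycle the abstract describes, written out as an added Python illustration (not code from the patent or any product): a provisional signature is derived from the candidate payloads, payloads that match it are still forwarded but watched, each one that reproduces the attack raises the confidence metric, and at the threshold the signature becomes active and blocks. The signature extractor (longest common substring), the toy server that reports attack symptoms when a field exceeds 8 bytes, and the threshold of 2 are assumptions made for the demo.

```python
from dataclasses import dataclass

ACTIVATION_THRESHOLD = 2  # assumed; the page leaves the threshold value unspecified

@dataclass
class ProvisionalSignature:
    pattern: bytes        # byte substring shared by the candidate payloads
    confidence: int = 0   # raised each time a matching payload re-triggers the attack
    active: bool = False  # once active, matching payloads are blocked outright

def longest_common_substring(payloads):
    # Assumed extraction step: longest byte string shared by every candidate payload.
    base = min(payloads, key=len)
    for size in range(len(base), 0, -1):
        for start in range(len(base) - size + 1):
            cand = base[start:start + size]
            if all(cand in p for p in payloads):
                return cand
    return b""

def toy_server(payload: bytes) -> bool:
    # Constructed server stand-in: True = attack symptoms seen (name field over 8 bytes).
    fields = dict(f.split(b"=", 1) for f in payload.split(b"&") if b"=" in f)
    return len(fields.get(b"name", b"")) > 8

class SignatureVerifier:
    """Provisional-signature lifecycle from the abstract: generate, monitor
    matching payloads, raise confidence on a repeat attack, activate at threshold."""
    def __init__(self, server):
        self.server = server  # callable: payload -> True if an attack is detected
        self.signatures = []

    def on_attack(self, candidate_payloads):
        sig = ProvisionalSignature(longest_common_substring(candidate_payloads))
        self.signatures.append(sig)
        return sig

    def inspect(self, payload: bytes) -> str:
        """Returns 'blocked', 'attack' or 'ok' for one payload addressed to the server."""
        for sig in self.signatures:
            if not sig.pattern or sig.pattern not in payload:  # empty pattern never matches
                continue
            if sig.active:
                return "blocked"  # active signature: payload never reaches the server
            if self.server(payload):  # provisional: forward, but watch for a second attack
                sig.confidence += 1
                sig.active = sig.confidence >= ACTIVATION_THRESHOLD
                return "attack"
            return "ok"
        return "attack" if self.server(payload) else "ok"
```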
21 Claims
1. A system, comprising:
a processor;
a memory; and
an intrusion prevention application, which, when executed by the processor is configured to verify anti-malware signatures by performing an operation, comprising:
detecting a first attack on a server application executing on the system,
determining a candidate payload being processed by the server application contemporaneous to the detected attack,
generating a provisional signature corresponding to the first attack,
upon determining a first payload addressed to the server application matches the provisional signature, monitoring the effects of the first payload when processed by the server application, and
upon determining that processing the first payload results in a second attack on the server application, increasing a confidence metric associated with the provisional signature.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)

10. A method to generate and verify anti-malware signatures, comprising:
detecting a first attack on a server application on a host system, wherein the host system executes an intrusion prevention application and the server application;
determining a candidate payload being processed by the server application contemporaneous to the detected attack;
generating a provisional signature corresponding to the first attack;
upon determining a first payload intended for the server application matches the provisional signature, monitoring the effects of the first payload when processed by the server application; and
upon determining that processing the first payload results in a second attack on the server application, increasing a confidence metric associated with the provisional signature.
(Dependent claims: 11, 12, 13, 14, 15, 16)

17. A computer-readable storage-medium containing a program which, when executed, performs an operation to generate and verify anti-malware signatures, the operation comprising:
detecting a first attack on a server application on a host system, wherein the host system executes an intrusion prevention application and the server application;
determining a candidate payload being processed by the server application contemporaneous to the detected attack;
generating a provisional signature corresponding to the first attack;
assigning a confidence metric to the provisional signature;
upon determining a first payload intended for the server application matches the provisional signature, monitoring the effects of the first payload when processed by the server application; and
upon determining that processing the first payload results in a second attack on the server application, increasing a confidence metric associated with the provisional signature.
(Dependent claims: 18, 19, 20, 21)
Specification