VULNERABILITY DETECTION BASED ON AGGREGATED PRIMITIVES

US 20100263049A1
Filed: 04/14/2009
Published: 10/14/2010
Est. Priority Date: 04/14/2009
Status: Active Grant

First Claim

Patent Images

1. A vulnerability detection system comprising:

an interface configured to receive a plurality of data transmissions at a computer;

a translation module configured to identify at least one primitive associated with each of the data transmissions;

an aggregation module configured to aggregate each of the data transmissions, including aggregating the at least one primitive associated with each of the data transmissions;

an analysis module configured to generate an analysis output identifying a match between the aggregated primitives and a policy; and

an enforcement module configured to generate a security alert based on the analysis output.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer-readable media are disclosed for detecting vulnerabilities based on aggregated primitives. A particular method includes receiving a plurality of data transmissions. At least one of the data transmissions includes a protocol anomaly that is not indicative of a security threat. The method includes identifying a plurality of primitives associated with the data transmissions. The primitives are aggregated, and an attack condition is identified based on the aggregated primitives. A security alert is generated based on the identified attack condition.

Citations

20 Claims

1. A vulnerability detection system comprising:
- an interface configured to receive a plurality of data transmissions at a computer;
  
  a translation module configured to identify at least one primitive associated with each of the data transmissions;
  
  an aggregation module configured to aggregate each of the data transmissions, including aggregating the at least one primitive associated with each of the data transmissions;
  
  an analysis module configured to generate an analysis output identifying a match between the aggregated primitives and a policy; and
  
  an enforcement module configured to generate a security alert based on the analysis output.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the interface is a network interface.
  - 3. The system of claim 2, wherein the network interface is located at an intermediary device.
  - 4. The system of claim 3, wherein the security alert is sent to the intermediary device.
  - 5. The system of claim 1, wherein the analysis module is located at or coupled to an intrusion prevention system or an intrusion detection system.
  - 6. The system of claim 1, wherein the plurality of data transmissions and the at least one primitive associated with each of the data transmissions are stored at a data store, and wherein the aggregation module is further configured to retrieve the plurality of data transmissions and the at least one primitive associated with each of the data transmissions from the data store.
  - 7. The system of claim 1, wherein the policy is retrieved from a policy database, wherein the policy is expressed in a meta language, and wherein the policy is a rule based policy that does not include information defining a known malware, a known security exploit, or a known vulnerable data structure.
  - 8. The system of claim 7, wherein the meta language includes an extensible markup language (XML), a binary representation, a generic application level protocol analyzer language (GAPAL), or any combination thereof.

9. A method comprising:
- receiving a plurality of data transmissions, at least one of the data transmissions including a protocol anomaly that is not individually indicative of a security threat;
  
  identifying a plurality of primitives associated with the data transmissions;
  
  aggregating the plurality of primitives;
  
  identifying an attack condition based on the aggregated primitives; and
  
  generating a security alert based on the identified attack condition.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein the protocol anomaly includes a data structure overflow, a missing expected data structure, an invalid data value, an improper sequence of numbers, an out of order message, a name mismatch, or any combination thereof.
  - 11. The method of claim 9, wherein the plurality of primitives includes a low-level language primitive or a high-level typed primitive.
  - 12. The method of claim 9, wherein the attack condition is identified further based on a match between the aggregated primitives and a policy, wherein the policy does not rely upon information defining a known malware, a known security exploit, or a known vulnerable data structure.
  - 13. The method of claim 9, further comprising determining an identity of a specific source of one or more of the plurality of data transmissions.
  - 14. The method of claim 13, wherein identifying the attack condition includes calculating a frequency of anomalous data transmissions from the specific source and determining that the frequency is greater than an allowed anomalous data transmission frequency threshold.
  - 15. The method of claim 9, wherein generating the security alert includes generating an event of an event-based alert system or generating a synchronous security notification.

16. A computer-readable storage medium comprising instructions, that when executed by a computer, cause the computer to:
- receive a plurality of anomalous data transmissions, wherein each of the anomalous data transmissions does not individually trigger a security response;
  
  identify one or more primitives associated with each of the anomalous data transmissions;
  
  aggregate the one or more primitives associated with each of the anomalous data transmissions;
  
  identify an attack condition based on the aggregated primitives; and
  
  trigger an action based on the identified attack condition.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-readable storage medium of claim 16, wherein the aggregated primitives include a first primitive of a first primitive data type and a second primitive of a second primitive data type, wherein the second primitive data type is different from the first primitive data type.
  - 18. The computer-readable storage medium of claim 16, wherein the action occurs at an intrusion detection system associated with the computer or at an intrusion prevention system associated with the computer.
  - 19. The computer-readable storage medium of claim 16, wherein the action includes a behavior change of an application at the computer.
  - 20. The computer-readable storage medium of claim 16, wherein the action includes blocking subsequent data transmissions from one or more sources of the plurality of anomalous data transmissions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Nice, Nir, Cross, David B.

Granted Patent

US 9,231,964 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1416 Event detection, e.g. attac...

VULNERABILITY DETECTION BASED ON AGGREGATED PRIMITIVES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

VULNERABILITY DETECTION BASED ON AGGREGATED PRIMITIVES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links