IDENTIFYING SECURITY PROPERTIES OF SYSTEMS FROM APPLICATION CRASH TRAFFIC
First Claim
1. A method of monitoring electronic traffic on a network for undesired states of computing devices connected to the network comprising:
in a web traffic log, reviewing HTTP traffic;
if the HTTP traffic is error reporting traffic wherein the error reporting traffic comprises event logs destined for an error reporting service, storing the error reporting traffic in a memory;
reviewing the error reporting traffic stored in the memory for a reportable error wherein the reportable error comprises at least one selected from a group comprising:
an application or module is not updated;
an unauthorized application was being used;
malware is identified;
an intrusion attempt has occurred;
an unknown vulnerability is present; and
a known exploit has occurred; and
if the reportable error is found, issuing an alert that the reportable error was located.
Abstract
Most machines in an organization's computer network connect to the Internet and create web traffic logs, which allow HTTP traffic to be analyzed in a simple, centralized way. The web traffic logs may contain error reports, and error reports contain significant information that can be used to detect network security problems. By reviewing the error reports, significant information about a network and its security can be found, as common sources of network security weakness may be watched for in the error reports.
20 Claims
1. A method of monitoring electronic traffic on a network for undesired states of computing devices connected to the network (independent claim, set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 18.
16. A computer storage medium comprising computer executable instructions for physically configuring a processor to perform a method of monitoring electronic traffic on a network for undesired states of computing devices connected to the network, the computer executable instructions comprising instructions for:
in a web traffic log, reviewing HTTP traffic;
if the HTTP traffic is error reporting traffic wherein the error reporting traffic comprises event logs destined for an error reporting service, storing the error reporting traffic in a memory;
reviewing the error reporting traffic stored in the memory for a reportable error wherein the reportable error comprises at least one selected from a group comprising:
an application or module is not updated, wherein determining whether the application or module is not updated comprises comparing a version of a crashed application or module to a most recent module;
an unauthorized application was being used, wherein determining that the unauthorized application was being used comprises comparing an application name in the error reporting traffic to a list of the unauthorized applications;
malware is identified, wherein the malware is detected by determining that a binary name comprises a zeroed out name or that a binary file date stamp in the error reporting traffic is prior to the application named in the error reporting traffic;
an intrusion attempt has occurred, wherein detecting the intrusion attempt comprises reviewing the error reporting traffic to determine if a digital defense application was triggered and is listed in the error reporting traffic, or determining that a crash offset in the error reporting traffic matches a listed crash offset related to the intrusion attempt;
an unknown vulnerability is present, wherein the unknown vulnerability may be indicated by locating a fully patched application that has a known attack offset string; and
a known exploit has occurred; and
if the reportable error is found, issuing an alert that the reportable error was located.
Dependent claim: 17.
19. A computer system comprising a processor physically configured according to computer executable instructions, a memory for sustaining the computer executable instructions and an input/output circuit, the computer executable instructions comprising computer executable instructions for physically configuring a processor to perform a method of monitoring electronic traffic on a network for undesired states of computing devices connected to the network, the computer executable instructions comprising instructions for:
in a web traffic log, reviewing HTTP traffic;
if the HTTP traffic is error reporting traffic wherein the error reporting traffic comprises event logs destined for an error reporting service, storing the error reporting traffic in a memory;
reviewing the error reporting traffic stored in the memory for a reportable error wherein the reportable error comprises at least one selected from a group comprising:
an application or module is not updated, wherein determining whether the application or module is not updated comprises comparing a version of a crashed application or module to a most recent module;
an unauthorized application was being used, wherein determining that the unauthorized application was being used comprises comparing an application name in the error reporting traffic to a list of the unauthorized applications;
malware is identified, wherein the malware is detected by determining that a binary name comprises a zeroed out name or that a binary file date stamp in the error reporting traffic is prior to the application named in the error reporting traffic;
an intrusion attempt has occurred, wherein detecting the intrusion attempt comprises reviewing the error reporting traffic to determine if a digital defense application was triggered and is listed in the error reporting traffic, or determining that a crash offset in the error reporting traffic matches a listed crash offset related to the intrusion attempt;
an unknown vulnerability is present, wherein the unknown vulnerability may be indicated by locating a fully patched application that has a known attack offset string; and
a known exploit has occurred; and
if the reportable error is found, issuing an alert that the reportable error was located.
Dependent claim: 20.
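The detection pipeline that claims 1, 16 and 19 describe, written out as an added example; this is not code from the patent or from any product that practises it. It filters a web traffic log down to requests bound for an error reporting service, stores those reports, and applies the six reportable-error checks. The proxy log layout, the error reporting hostnames, the report field names (app, appver, appts, mod, modts, offset), the reference tables, and the rule used to tell a "known exploit" from an "unknown vulnerability" (same attack offset, unpatched versus fully patched application) are all assumptions made for the example; the log lines are constructed.

```python
"""Scan web proxy logs for crash reports that indicate security problems (example, not the patent's code)."""
import re
from urllib.parse import urlparse, parse_qs

# Hosts treated as error reporting services (assumed names, not real endpoints).
ERROR_REPORTING_HOSTS = {"watson.example.test", "crashreports.example.test"}

# Reference data the analyst maintains (constructed for this example).
LATEST_VERSIONS = {"wordproc.exe": (12, 0, 5), "browser.exe": (91, 0, 2)}
UNAUTHORIZED_APPS = {"p2pclient.exe", "cracktool.exe"}
DEFENSE_MODULES = {"edrhook.dll", "antiexploit.dll"}
# (application, crash offset) pairs previously seen in exploitation attempts.
ATTACK_OFFSETS = {("browser.exe", "0x0004f3a2"), ("wordproc.exe", "0x0001c0de")}

# Constructed proxy log lines in an assumed "time client method url status" layout.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 GET http://intranet.example.test/home 200
10:00:02 10.1.1.5 POST http://watson.example.test/report?app=wordproc.exe&appver=12.0.1&appts=1700000000&mod=wordproc.exe&modts=1700000000&offset=0x00012345 200
10:00:03 10.1.1.7 POST http://watson.example.test/report?app=p2pclient.exe&appver=1.0&appts=1700000000&mod=p2pclient.exe&modts=1700000000&offset=0x00000010 200
10:00:04 10.1.1.8 POST http://crashreports.example.test/report?app=browser.exe&appver=91.0.2&appts=1700000000&mod=00000000&modts=1600000000&offset=0x00000042 200
10:00:05 10.1.1.9 POST http://watson.example.test/report?app=browser.exe&appver=91.0.1&appts=1700000000&mod=edrhook.dll&modts=1700000000&offset=0x0004f3a2 200
10:00:06 10.1.1.10 POST http://watson.example.test/report?app=wordproc.exe&appver=12.0.5&appts=1700000000&mod=wordproc.exe&modts=1700000000&offset=0x0001c0de 200
"""

LOG_RE = re.compile(r"^(?P<time>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def version_tuple(v):
    """'12.0.1' -> (12, 0, 1); non-numeric parts become 0 so comparisons never raise."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_report(url):
    """Return the crash report fields if `url` is error reporting traffic, else None."""
    u = urlparse(url)
    if u.hostname not in ERROR_REPORTING_HOSTS:
        return None
    fields = {k: v[0].lower() for k, v in parse_qs(u.query).items()}
    for required in ("app", "appver", "mod", "offset"):
        if required not in fields:
            return None
    return fields


def check_report(r):
    """Apply the reportable-error rules to one parsed report; return a list of alert strings."""
    alerts = []
    app, offset, mod = r["app"], r["offset"], r["mod"]
    latest = LATEST_VERSIONS.get(app)
    fully_patched = latest is not None and version_tuple(r["appver"]) >= latest

    # 1. Not updated: the crashed version is older than the most recent one we know of.
    if latest is not None and version_tuple(r["appver"]) < latest:
        alerts.append(f"not-updated: {app} {r['appver']} < {'.'.join(map(str, latest))}")
    # 2. Unauthorized application: the crashing application name is on the deny list.
    if app in UNAUTHORIZED_APPS:
        alerts.append(f"unauthorized-app: {app}")
    # 3. Malware indicators: zeroed-out binary name, or a binary date stamp older than the application.
    zeroed = mod != "" and set(mod) <= {"0"}
    mod_older = (r.get("modts", "").isdigit() and r.get("appts", "").isdigit()
                 and int(r["modts"]) < int(r["appts"]))
    if zeroed or mod_older:
        alerts.append(f"malware-indicator: module={mod!r} zeroed={zeroed} older_than_app={mod_older}")
    # 4. Intrusion attempt: a defensive module is in the crash, or the offset is a listed attack offset.
    offset_hit = (app, offset) in ATTACK_OFFSETS
    if mod in DEFENSE_MODULES or offset_hit:
        alerts.append(f"intrusion-attempt: app={app} module={mod} offset={offset}")
    # 5/6. Assumption: a known attack offset on a fully patched app points at an unknown
    #      vulnerability; the same offset on an unpatched app is a known exploit.
    if offset_hit and fully_patched:
        alerts.append(f"unknown-vulnerability: fully patched {app} crashed at known attack offset {offset}")
    elif offset_hit:
        alerts.append(f"known-exploit: {app} {r['appver']} crashed at {offset}")
    return alerts


def scan_log(text):
    """Review each HTTP log line, store only error reporting traffic, then run the checks."""
    stored = []  # the "memory" of the claim: error reporting traffic held for review
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        report = parse_report(m.group("url"))
        if report is not None:
            stored.append((m.group("client"), report))
    findings = []
    for client, report in stored:
        for alert in check_report(report):
            findings.append((client, alert))
    return findings


if __name__ == "__main__":
    for client, alert in scan_log(SAMPLE_LOG):
        print(client, alert)
```

Running it against the constructed log yields one alert each for the outdated, unauthorized and zeroed-module reports, three for the host whose EDR hook crashed at a listed attack offset on an unpatched browser, and two for the fully patched word processor crashing at a known attack offset. The heuristics are deliberately simple matches against analyst-maintained tables, which is also their weakness: the offset and version tables have to be kept current, and a single crash is a signal to investigate, not a conviction.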