IDENTIFYING SECURITY PROPERTIES OF SYSTEMS FROM APPLICATION CRASH TRAFFIC

US 20100306847A1
Filed: 05/26/2009
Published: 12/02/2010
Est. Priority Date: 05/26/2009
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring electronic traffic on a network for undesired states of computing devices connected to the network comprising:

in a web traffic log, reviewing HTTP traffic;

if the HTTP traffic is error reporting traffic wherein the error reporting traffic comprises event logs destined for an error reporting service, storing the error reporting traffic in a memory;

reviewing the error reporting traffic stored in the memory for a reportable error wherein the reportable error comprises at least one selected from a group comprising;

an application or module is not updated;

an unauthorized application was being used;

malware is identified;

an intrusion attempt has occurred;

an unknown vulnerability is present; and

a known exploit has occurred; and

if the reportable error is found, issuing an alert that the reportable error was located.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Most machines in an organization'"'"'s computer network connect to the Internet and create web traffic logs which allow analysis of HTTP traffic in a simple, centralized way. The web traffic logs may contain error reports and error reports contain significant information that can be used to detect network security. By reviewing the error reports, significant information about a network and its security can be found as common sources of network security weakness may be watched for in the error reports.

Citations

20 Claims

1. A method of monitoring electronic traffic on a network for undesired states of computing devices connected to the network comprising:
- in a web traffic log, reviewing HTTP traffic;
  
  if the HTTP traffic is error reporting traffic wherein the error reporting traffic comprises event logs destined for an error reporting service, storing the error reporting traffic in a memory;
  
  reviewing the error reporting traffic stored in the memory for a reportable error wherein the reportable error comprises at least one selected from a group comprising;
  
  an application or module is not updated;
  
  an unauthorized application was being used;
  
  malware is identified;
  
  an intrusion attempt has occurred;
  
  an unknown vulnerability is present; and
  
  a known exploit has occurred; and
  
  if the reportable error is found, issuing an alert that the reportable error was located.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 18)
- - 2. The method of claim 1, wherein determining that the unauthorized application was being used comprises comparing an application name in the error reporting traffic to a list of the unauthorized applications.
  - 3. The method of claim 2, wherein the list of unauthorized applications is created by a user.
  - 4. The method of claim 1, wherein the malware is detected by determining that a binary name comprises a zeroed out name.
  - 5. The method of claim 1, wherein the malware is detected by determining that a binary file date stamp in the error reporting traffic that is prior to the application named in the error reporting traffic.
  - 6. The method of claim 1, wherein detecting the intrusion attempt comprises reviewing the error reporting traffic to determine is a digital defense application was triggered and is listed in the error reporting traffic.
  - 7. The method of claim 1, wherein detecting the intrusion attempt comprises determining that a crash offset in the error reporting traffic matches a listed crash offset related to the intrusion attempt.
  - 8. The method of claim 1, wherein determining whether the application or module is not updated comprises comparing a version of a crashed application or module to a most recent module.
  - 9. The method of claim 1, further comprising using an anti-virus signature to identify the malware.
  - 10. The method of claim 1, further comprising accessing application vendors for version update information.
  - 11. The method of claim 1, further comprising adapting detection of the intrusion attempt to reflect updated intrusion attempts.
  - 12. The method of claim 1, further comprising permitting an administrator to create modify an unauthorized application list.
  - 13. The method of claim 1, wherein the unknown vulnerability may be indicated by locating a fully patched application that has a known attach offset string.
  - 14. The method of claim 1, further comprising analyzing web traffic logs to determine if proprietary applications are listed as causing crashes in the web traffic logs and if the proprietary applications are listed, adding the proprietary application to the reportable error list.
  - 15. The method of claim 1, further comprising analyzing the web traffic logs to determine an inventory of the applications operating and a frequency that the applications crash.
  - 18. The method of claim 1, further comprising:
    - analyzing the web traffic logs to determine an inventory of the applications operating and a frequency that the applications crash;
      
      using an anti-virus signature to identify the malware;
      
      accessing application vendors for version update information; and
      
      adapting detection of the intrusion attempt to reflect updated intrusion attempts.

16. A computer storage medium comprising computer executable instructions for physically configuring a processor to perform a method of monitoring electronic traffic on a network for undesired states of computing devices connected to the network, the computer executable instructions comprising instructions for:
- in a web traffic log, reviewing HTTP traffic;
  
  if the HTTP traffic is error reporting traffic wherein the error reporting traffic comprises event logs destined for an error reporting service, storing the error reporting traffic in a memory;
  
  reviewing the error reporting traffic stored in the memory for a reportable error wherein the reportable error comprises at least one selected from a group comprising;
  
  an application or module is not updated wherein determining whether the application or module is not updated comprises comparing a version of a crashed application or module to a most recent module;
  
  an unauthorized application was being used wherein determining that the unauthorized application was being used comprises comparing an application name in the error reporting traffic to a list of the unauthorized applications;
  
  malware is identified wherein the malware is detected by determining that a binary name comprises a zeroed out name or that a binary file date stamp in the error reporting traffic that is prior to the application named in the error reporting traffic;
  
  an intrusion attempt has occurred wherein detecting the intrusion attempt comprises reviewing the error reporting traffic to determine is a digital defense application was triggered and is listed in the error reporting traffic or determining that a crash offset in the error reporting traffic matches a listed crash offset related to the intrusion attempt;
  
  an unknown vulnerability is present wherein the unknown vulnerability may be indicated by locating a fully patched application that has a known attach offset string; and
  
  a known exploit has occurred; and
  
  if the reportable error is found, issuing an alert that the reportable error was located.
- View Dependent Claims (17)
- - 17. The computer storage medium of claim 16, further comprising computer executable instructions for analyzing web traffic logs to determine if proprietary applications are listed as causing crashes in the web traffic logs and if the proprietary applications are listed, adding the proprietary application to the reportable error list.

19. A computer system comprising a processor physically configured according to computer executable instructions, a memory for sustaining the computer executable instructions and an input/output circuit, the computer executable instructions comprising computer executable instructions for physically configuring a processor to perform a method of monitoring electronic traffic on a network for undesired states of computing devices connected to the network, the computer executable instructions comprising instructions for:
- in a web traffic log, reviewing HTTP traffic;
  
  if the HTTP traffic is error reporting traffic wherein the error reporting traffic comprises event logs destined for an error reporting service, storing the error reporting traffic in a memory;
  
  reviewing the error reporting traffic stored in the memory for a reportable error wherein the reportable error comprises at least one selected from a group comprising;
  
  an application or module is not updated wherein determining whether the application or module is not updated comprises comparing a version of a crashed application or module to a most recent module;
  
  an unauthorized application was being used wherein determining that the unauthorized application was being used comprises comparing an application name in the error reporting traffic to a list of the unauthorized applications;
  
  malware is identified wherein the malware is detected by determining that a binary name comprises a zeroed out name or that a binary file date stamp in the error reporting traffic that is prior to the application named in the error reporting traffic;
  
  an intrusion attempt has occurred wherein detecting the intrusion attempt comprises reviewing the error reporting traffic to determine is a digital defense application was triggered and is listed in the error reporting traffic or determining that a crash offset in the error reporting traffic matches a listed crash offset related to the intrusion attempt;
  
  an unknown vulnerability is present wherein the unknown vulnerability may be indicated by locating a fully patched application that has a known attach offset string; and
  
  a known exploit has occurred; and
  
  if the reportable error is found, issuing an alert that the reportable error was located.
- View Dependent Claims (20)
- - 20. The computer system of claim 19, further comprising computer executable instructions for analyzing web traffic logs to determine if proprietary applications are listed as causing crashes in the web traffic logs and if the proprietary applications are listed, adding the proprietary application to the reportable error list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Canavor, Darren, Bucher, Matthew, Miller, Matthew Ryan, Lambert, John Joseph

Granted Patent

US 9,871,811 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1425   Traffic logging, e.g. anoma...

IDENTIFYING SECURITY PROPERTIES OF SYSTEMS FROM APPLICATION CRASH TRAFFIC

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING SECURITY PROPERTIES OF SYSTEMS FROM APPLICATION CRASH TRAFFIC

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links