HOST INTRUSION PREVENTION SYSTEM USING SOFTWARE AND USER BEHAVIOR ANALYSIS

US 20110023115A1
Filed: 03/31/2010
Published: 01/27/2011
Est. Priority Date: 07/21/2009
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:

A) monitoring a user interaction with a computer, during a usage session, for an indication of a user behavior, wherein the indication of the user behavior is a result of comparing the user interaction with a predetermined behavior, referred to as a behavioral gene, where the gene is stored for reference in a database;

B) monitoring a computer code process executing during the usage session for an indication of a code operation, wherein the indication of the code operation is a result of comparing an operation with a predetermined code behavior, referred to as a code gene, where the code gene is stored for reference in a database;

C) performing step B) a number of times to collect a plurality of code operation indications;

D) comparing a combination of the user behavior and the plurality of code operation indications to a predetermined collection of user behavior-code operation indications, referred to as a phenotype, which comprises a grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and

E) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the phenotype.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for threat detection using a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, software application, operating system, graphic user interface, or some other component or client of a computer network, and performing an action to protect the computer network based at least in part on the user interaction and a computer code process executing during or in association with a computer usage session.

350 Citations

69 Claims

1. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
- A) monitoring a user interaction with a computer, during a usage session, for an indication of a user behavior, wherein the indication of the user behavior is a result of comparing the user interaction with a predetermined behavior, referred to as a behavioral gene, where the gene is stored for reference in a database;
  
  B) monitoring a computer code process executing during the usage session for an indication of a code operation, wherein the indication of the code operation is a result of comparing an operation with a predetermined code behavior, referred to as a code gene, where the code gene is stored for reference in a database;
  
  C) performing step B) a number of times to collect a plurality of code operation indications;
  
  D) comparing a combination of the user behavior and the plurality of code operation indications to a predetermined collection of user behavior-code operation indications, referred to as a phenotype, which comprises a grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and
  
  E) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the phenotype.
- View Dependent Claims (2, 3, 4, 5, 6, 9, 13, 29, 30, 38, 39, 42, 43, 53, 62, 63)
- - 2. The computer program product of claim 1, wherein the step of causing an action based on the prediction includes, at least in part, creating an audit record.
  - 3. The computer program product of claim 2, wherein the creation of the audit record includes updating a log file.
  - 4. The computer program product of claim 1, wherein the step of causing an action based on the prediction includes, at least in part, forcing the usage session to occur within a restricted operating environment.
  - 5. The computer program product of claim 4, wherein the restricted operating environment is a sandbox.
  - 6. The computer program product of claim 1, wherein the step of causing an action based on the prediction includes, at least in part, at least one of preventing a process that would cause a computer system failure, preventing a process that would cause a device failure, preventing a process that would cause a network states failure, reverting a computer software state back to a prior state that is known to be acceptable, device status change, and a change in the status of a peripheral.
  - 9. The computer program product of claim 1, wherein the step of causing an action based on the prediction includes, at least in part, isolating, via quarantine, the computer on which the user interaction occurs and limiting network access to or from the computer.
  - 13. The computer program product of claim 1, wherein the user interaction with a computer is at least one of executing a link, executing an Internet link, executing an Intranet link, downloading content item from a server, forwarding an URL, forwarding an email, opening an application, closing an application, updating an application, patching an application, bookmarking website, placing a VoIP call, adding an item to shopping cart, entering financial data, making a purchase, using a webcam, creation of an application macro, creation of an application shortcut, a novel keystroke combination, accessing computer remotely, submitting password, a change in the status of a peripheral device or software application, a network route changes, a firewall enable, a firewall disable, a change in a firewall status, a DNS change, a bridging of two previously unconnected networks.
  - 29. The computer program product of claim 1, wherein the user interaction with a computer is an inactivity indicator.
  - 30. The computer program product of claim 29, wherein the inactivity indicator is activation of at least one of a screen saver and a hibernation process.
  - 38. The computer program product of claim 1, wherein the user interaction with a computer is a temporal indicator.
  - 39. The computer program product of claim 38, wherein the temporal indicator is at least one of a time amount spent on a page, a time amount spent in an application, and a time amount spent between a first user action and a second user action.
  - 42. The computer program product of claim 1, wherein the user interaction with a computer is a change in a network behavior.
  - 43. The computer program product of claim 42, wherein the change in the network behavior is at least one of a VPN enable, a VPN disable, a VPN start, and a VPN end.
  - 53. The computer program product of claim 1, wherein the user interaction with a computer occurs at least in part on at least one of a keyboard, a mouse, a display device, a biometric reader, a camera, a storage device, a scanning device, a printer, a telecommunication component.
  - 62. The computer program product of claim 1, wherein the indication of a code operation is an automatic code behavior.
  - 63. The computer program product of claim 62, wherein the automatic code behavior is at least one of a system startup, a login, a scheduled job process, a system service, and a remotely executed example.

7-8. -8. (canceled)

10-12. -12. (canceled)

14-28. -28. (canceled)

31-37. -37. (canceled)

40-41. -41. (canceled)

44-52. -52. (canceled)

54-61. -61. (canceled)

64-67. -67. (canceled)

68. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
- A) monitoring a user interaction with a computer, during a usage session, for an indication of a user behavior, wherein the indication of the user behavior is a result of comparing the user interaction with a predetermined behavior, referred to as a behavioral gene, where the gene is stored for reference in a database;
  
  B) monitoring a computer code process executing during the usage session, for an indication of a code operation, wherein the indication of the code operation is a result of comparing an operation with a predetermined code behavior, referred to as a code gene, where the code gene is stored for reference in a database;
  
  C) performing step A) a number of times to collect a plurality of user behavior indications;
  
  D) comparing a combination of the code operation indication and the plurality of user behavior indications to a predetermined collection of code operation-user behavior indications, referred to as a phenotype, which comprises a grouping of specific code and behavioral genes that are typically present in a type of malicious usage session with a computer; and
  
  E) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the phenotype.

69. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
- A) monitoring a user interaction with a computer, during a usage session, for an indication of a user behavior, wherein the indication of the user behavior is a result of comparing the user interaction with a predetermined behavior, referred to as a behavioral gene, where the gene is stored for reference in a database;
  
  B) storing the indication of a user behavior with computer code relating to the user interaction with the computer during the usage session;
  
  C) monitoring the stored computer code relating to the user interaction with the computer during the usage session for an indication of a code operation, wherein the indication of the code operation is a result of comparing an operation with a predetermined code behavior, referred to as a code gene, where the code gene is stored for reference in a database;
  
  D) performing step C) a number of times to collect a plurality of code operation indications;
  
  E) comparing a combination of the user behavior and the plurality of code operation indications to a predetermined collection of user behavior-code operation indications, referred to as a phenotype, which comprises a grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and
  
  F) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the phenotype.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Wright, Clifford C.

Granted Patent

US 8,607,340 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/552 involving long-term monitor...

HOST INTRUSION PREVENTION SYSTEM USING SOFTWARE AND USER BEHAVIOR ANALYSIS

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

350 Citations

69 Claims

Specification

Solutions

Use Cases

Quick Links

HOST INTRUSION PREVENTION SYSTEM USING SOFTWARE AND USER BEHAVIOR ANALYSIS

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

350 Citations

69 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links