THREAT PROTECTION NETWORK

US 20110078795A1
Filed: 09/24/2010
Published: 03/31/2011
Est. Priority Date: 09/22/2004
Status: Abandoned Application

First Claim

Patent Images

1-40. -40. (canceled)

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat protection networks are described. Embodiments of threat protection network in accordance with the invention use expert systems to determine the nature of potential threats to a remote computer. In several embodiments, a secure peer-to-peer network is used to rapidly distribute information concerning the nature of the potential threat through the threat protection network. One embodiment of the invention includes at least one client computer connected to a network, a server that stores threat definition data and is connected to the network, an expert system in communication with the server. In addition, the client computer is configured to refer potential threats to the server, the server is configured to refer to the expert system any potential threat forwarded by a client computer that is not identified in the threat definition data and the expert system is configured to determine whether the potential threat is an actual threat by exposing at least one test computer to the potential threat and observing the behavior of the test computer.

Citations

71 Claims

1-40. -40. (canceled)

41. A threat protection network for detecting and analyzing suspicious files in real-time, comprising:
- at least one client computer connected to a network;
  
  a server that stores threat definition data and is connected to the network;
  
  an expert system in communication with the server;
  
  at least one test computer connected to the expert system;
  
  wherein the client computer is configured to identify a suspicious file on the client computer;
  
  wherein the client computer is configured to automatically notify the server of the suspicious file;
  
  wherein the server is configured to send the suspicious file to the expert system;
  
  wherein the expert system is configured to determine whether the suspicious file is an actual threat by exposing the at least one test computer to the suspicious file and analyzing the behavior of the suspicious file on the at least one test computer; and
  
  wherein the expert system or the server is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 49, 50, 51)
- - 42. The threat protection network of claim 41, wherein the client is configured to generate a signature for the suspicious file.
  - 43. The threat protection network of claim 42, wherein the signature includes two or more check sums generated using the suspicious file.
  - 44. The threat protection network of claim 41, wherein the server is configured to update the threat definition data based upon determinations made by the expert system.
  - 45. The threat protection network of claim 44, wherein the server is configured to notify clients that updated threat definition data is available.
  - 46. The threat protection network of claim 41, wherein the server is configured to:
    - receive a signature of the suspicious file from the client computer;
      
      compare the signature with threat definition data comprising signatures of known threat files;
      
      compare the signature with data comprising signatures of suspicious files reported from other client computers; and
      
      if the signature is not found in the signatures of suspicious files reported from other client computers;
      
      request a copy of the suspicious file; and
      
      receive the suspicious file.
  - 47. The threat protection network of claim 41:
    - wherein the at least one test computer includes multiple test computers;
      
      wherein at least two of the test computers use different operating systems.
  - 49. The threat protection network of claim 41, wherein the expert system is configured to assign a score to a potential threat.
  - 50. The threat protection network of claim 49, wherein a score above a first threshold is indicative of an actual threat.
  - 51. The threat protection network of claim 41, wherein the determination of whether the suspicious file is an actual threat by the expert system is automatic.

48. The threat protection network of claim 48, wherein at least two of the test computers use different versions of the same operating system.

52. A method for responding in real-time to requests for analysis of suspicious files, the method comprising:
- receiving, at a server, a signature of a suspicious file from a client computer;
  
  comparing, at the server, the signature with threat definition data comprising signatures of known threat files;
  
  comparing, at the server, the signature with signatures of suspicious files reported from other client computers; and
  
  sending information to the client computer indicative of whether the suspicious file is safe or is a threat.
- View Dependent Claims (53, 54, 55, 56, 57, 58)
- - 53. The method of claim 52, further comprising:
    - receiving a request from the client computer for updated threat definition data;
      
      providing a list identifying a number of client computers on which the updated threat definition data is stored; and
      
      adding the client computer to the list.
  - 54. The method of claim 53, wherein the adding the client computer to the list comprises adding the client computer to the list and removing another client computer from the list.
  - 55. The method of claim 54, further comprising:
    - providing, upon request, information indicative of a validity of the updated threat definition data.
  - 56. The method of claim 55, further comprising determining the validity of the updated threat definition data by applying a predetermined algorithm to the threat definition data.
  - 57. The method of claim 52, further comprising providing the updated threat definition data to a requesting client computer.
  - 58. The method of claim 52, further comprising receiving, from the client computer, a copy of the suspicious file for analysis.

59. A threat identification system configured to evaluate suspicious files discovered on a remote computer system, comprising:
- an expert system installed on a host computer;
  
  at least one test computer connected to the host computer;
  
  wherein the expert system is configured to receive a suspicious file;
  
  wherein the expert system is configured to expose the at least one test computer to the suspicious file;
  
  wherein the expert system is configured to analyze the behavior of the suspicious file on the at least one test computer; and
  
  wherein the expert system is configured to determine a score based upon the analyzed behavior and a set of predetermined criteria.
- View Dependent Claims (60, 61, 62, 63, 64)
- - 60. The threat identification system of claim 59, wherein the expert system determines whether the suspicious file is an actual threat based upon the score.
  - 61. The threat identification system of claim 59, wherein the expert system is configured to determine that:
    - a score above a first threshold constitutes a threat; and
      
      a score below a second threshold constitutes no threat.
  - 62. The threat identification system of claim 61, wherein the first threshold and second threshold have the same value.
  - 63. The threat identification system of claim 59, wherein at least two of the test computers use different operating systems.
  - 64. The threat identification system of claim 59, wherein at least two of the test computers use different versions of the same operating system.

65. A method for generating requests for real-time analysis of suspicious files, the method comprising:
- detecting, at a client computer, a suspicious event;
  
  identifying, at the client computer, a file having caused the suspicious event;
  
  generating, at the client computer, a signature for the file having caused the suspicious event;
  
  comparing, at the client computer, the signature with threat definition data comprising signatures of known threat files; and
  
  if the signature was not found in the threat definition data;
  
  sending, to a server, the signature for analysis; and
  
  receiving a result of the analysis from the server.
- View Dependent Claims (66, 67, 68, 69, 70, 71)
- - 66. The method of claim 65, further comprising:
    - if the result indicate that the server found the signature within an updated threat definition data stored at the server;
      
      requesting a list of other client computers having the updated threat definition data; and
      
      requesting the updated threat definition data from a client computer on the list.
  - 67. The method of claim 65, further comprising:
    - requesting, at the server, a copy of the file having caused the suspicious event; and
      
      forwarding, from the server, the file having caused the suspicious event to an expert system for analysis;
      
      isolating the expert system from the server;
      
      allowing, on at least one test computer coupled to the expert system, the file having caused the suspicious event to run;
      
      analyzing, at the expert system, the behavior of the at least one test computer; and
      
      reporting the results of the analysis by the expert system.
  - 68. The method of claim 65, wherein:
    - the file having caused the suspicious event includes a header; and
      
      the signature includes a checksum generated using at least one bit from the file header.
  - 69. The method of claim 65, wherein:
    - the file having caused the suspicious event includes a header and a body; and
      
      the signature includes a checksum generated using at least one bit from a location within the file body.
  - 70. The method of claim 65, further comprising:
    - obtaining, at the client computer, updated threat definition data via a secure peer-to-peer network.
  - 71. The method of claim 65, further comprising:
    - providing, at the client computer, the threat definition data to peer computers upon request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberDefender Corp.
Original Assignee
CyberDefender Corp.
Inventors
Liu, Bing

Application Number

US12/890,552
Publication Number

US 20110078795A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 11/2294   by remote test

G06F 21/1077   Recurrent authorisation

G06F 21/568   eliminating virus, restorin...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0428   wherein the data content is...

H04L 63/102   Entity profiles

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

H04L 67/104   Peer-to-peer [P2P] networks

H04L 67/1057   involving pre-assessment of...

H04L 67/1063   Discovery through centralis...

H04L 67/1072   Discovery involving ranked ...

H04L 67/108   characterised by resources ...

H04L 69/329   in the application layer [O...

THREAT PROTECTION NETWORK

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

71 Claims

Specification

Solutions

Use Cases

Quick Links

THREAT PROTECTION NETWORK

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

71 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links