THREAT PROTECTION NETWORK
Abstract
Threat protection networks are described. Embodiments of threat protection network in accordance with the invention use expert systems to determine the nature of potential threats to a remote computer. In several embodiments, a secure peer-to-peer network is used to rapidly distribute information concerning the nature of the potential threat through the threat protection network. One embodiment of the invention includes at least one client computer connected to a network, a server that stores threat definition data and is connected to the network, an expert system in communication with the server. In addition, the client computer is configured to refer potential threats to the server, the server is configured to refer to the expert system any potential threat forwarded by a client computer that is not identified in the threat definition data and the expert system is configured to determine whether the potential threat is an actual threat by exposing at least one test computer to the potential threat and observing the behavior of the test computer.
-
71 Claims
-
1-40. (canceled)
-
41. A threat protection network for detecting and analyzing suspicious files in real-time, comprising:

    at least one client computer connected to a network;
    a server that stores threat definition data and is connected to the network;
    an expert system in communication with the server;
    at least one test computer connected to the expert system;
    wherein the client computer is configured to identify a suspicious file on the client computer;
    wherein the client computer is configured to automatically notify the server of the suspicious file;
    wherein the server is configured to send the suspicious file to the expert system;
    wherein the expert system is configured to determine whether the suspicious file is an actual threat by exposing the at least one test computer to the suspicious file and analyzing the behavior of the suspicious file on the at least one test computer; and
    wherein the expert system or the server is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file.

    Dependent claims: 42, 43, 44, 45, 46, 47, 49, 50, 51.
-
-
48. The threat protection network of claim 48, wherein at least two of the test computers use different versions of the same operating system.
-
52. A method for responding in real-time to requests for analysis of suspicious files, the method comprising:

    receiving, at a server, a signature of a suspicious file from a client computer;
    comparing, at the server, the signature with threat definition data comprising signatures of known threat files;
    comparing, at the server, the signature with signatures of suspicious files reported from other client computers; and
    sending information to the client computer indicative of whether the suspicious file is safe or is a threat.

    Dependent claims: 53, 54, 55, 56, 57, 58.
-
-
59. A threat identification system configured to evaluate suspicious files discovered on a remote computer system, comprising:

    an expert system installed on a host computer;
    at least one test computer connected to the host computer;
    wherein the expert system is configured to receive a suspicious file;
    wherein the expert system is configured to expose the at least one test computer to the suspicious file;
    wherein the expert system is configured to analyze the behavior of the suspicious file on the at least one test computer; and
    wherein the expert system is configured to determine a score based upon the analyzed behavior and a set of predetermined criteria.

    Dependent claims: 60, 61, 62, 63, 64.
-
-
65. A method for generating requests for real-time analysis of suspicious files, the method comprising:

    detecting, at a client computer, a suspicious event;
    identifying, at the client computer, a file having caused the suspicious event;
    generating, at the client computer, a signature for the file having caused the suspicious event;
    comparing, at the client computer, the signature with threat definition data comprising signatures of known threat files; and,
    if the signature was not found in the threat definition data:
        sending, to a server, the signature for analysis; and
        receiving a result of the analysis from the server.

    Dependent claims: 66, 67, 68, 69, 70, 71.
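The client-side request of claim 65, the server-side lookup of claim 52 and the behaviour scoring of claim 59 together describe one round trip: hash the file locally, consult local threat definitions, escalate an unknown signature to the server, have the server compare it against known-threat signatures and against signatures already reported by other clients, and finally score what the sample did on an isolated test computer against fixed criteria. The following Python model of that round trip is an added illustration and is not code from the patent or its assignee; the class and function names, the SHA-256 choice of signature, the weighted behaviour criteria, the report threshold and every sample file and behaviour list are constructed assumptions. The sandbox step itself is represented only by a list of already-observed behaviours, since the patent describes it functionally rather than by mechanism.

```python
"""Model of the client/server/expert-system exchange in claims 52, 59 and 65.

Added example, not the patent's own code. Every identifier, weight and
sample value below is an assumption made for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def file_signature(data: bytes) -> str:
    """Claim 65: generate a signature for the file that caused the event.

    Assumed: the signature is a SHA-256 digest of the file contents.
    """
    return hashlib.sha256(data).hexdigest()


@dataclass
class ThreatServer:
    """Claim 52: server holding threat definition data and client reports."""

    # threat definition data: signatures of known threat files
    known_threats: set[str] = field(default_factory=set)
    # signatures reported by client computers: signature -> reporting client ids
    reported: dict[str, set[str]] = field(default_factory=dict)
    # assumed: independent reports needed before a file is escalated
    report_threshold: int = 2

    def lookup(self, client_id: str, signature: str) -> str:
        """Compare the signature with known threats, then with other reports."""
        if signature in self.known_threats:
            return "threat"
        reporters = self.reported.setdefault(signature, set())
        reporters.add(client_id)
        if len(reporters) >= self.report_threshold:
            # Seen on several clients; the page's flow would now hand the
            # file to the expert system for sandbox analysis (claim 41).
            return "suspicious"
        return "unknown"


def client_check(local_defs: set[str], server: ThreatServer,
                 client_id: str, data: bytes) -> str:
    """Claim 65 from the client's side.

    Local threat definition data answers first; only an unmatched signature
    is sent to the server, and the server's result is returned as-is.
    """
    sig = file_signature(data)
    if sig in local_defs:
        return "threat"
    return server.lookup(client_id, sig)


# Claim 59: predetermined criteria for scoring observed behaviour.
# Assumed weights and threshold, chosen only to make the example concrete.
CRITERIA: dict[str, int] = {
    "writes_autorun_key": 40,
    "modifies_system_binary": 50,
    "opens_outbound_connection": 20,
    "reads_user_documents": 10,
}
THREAT_THRESHOLD = 50


def score_behaviour(observed: list[str]) -> tuple[int, str]:
    """Sum the weights of behaviours seen on the test computer.

    Unknown behaviour names contribute nothing; the verdict is "threat" once
    the score reaches the assumed threshold.
    """
    score = sum(CRITERIA.get(behaviour, 0) for behaviour in observed)
    return score, ("threat" if score >= THREAT_THRESHOLD else "safe")


def run_demo() -> dict[str, object]:
    """Walk one constructed scenario through all three stages."""
    # Constructed sample files; the contents are placeholders, not malware.
    local_defs = {file_signature(b"constructed: locally known bad file")}
    server = ThreatServer(
        known_threats={file_signature(b"constructed: server known bad file")})
    new_sample = b"constructed: never seen before"

    results = {
        "local_hit": client_check(local_defs, server, "client-1",
                                  b"constructed: locally known bad file"),
        "server_hit": client_check(local_defs, server, "client-1",
                                   b"constructed: server known bad file"),
        "first_report": client_check(local_defs, server, "client-1", new_sample),
        "second_report": client_check(local_defs, server, "client-2", new_sample),
        # Constructed sandbox observations for the escalated sample.
        "sandbox": score_behaviour(["writes_autorun_key",
                                    "opens_outbound_connection"]),
    }
    return results


if __name__ == "__main__":
    for stage, outcome in run_demo().items():
        print(f"{stage}: {outcome}")
```

The point of keeping the three stages in separate functions is that each maps to one independent claim: a client that never sends file contents, only a signature; a server whose second comparison is against peers' reports rather than a fixed list; and a scorer that never touches the network. A production implementation would add the isolation step of claim 41 before the sandbox runs and would treat the "suspicious" result as a referral, not a verdict.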
-
Specification