Apparatus and method for blocking zombie behavior process

US 20120174221A1
Filed: 08/09/2011
Published: 07/05/2012
Est. Priority Date: 01/04/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus for blocking a zombie behavior process performed in a computer connected to a network, the zombie behavior process being generated in the computer, and attacking external computers, comprising:

a security policy storage configured to store zombie-behavior-type-specific traffic characteristics and security policies;

a traffic monitor configured to monitor traffic generated on the computer and detect abnormal traffic exceeding a predetermined reference value;

a process and traffic analyzer configured to find an abnormal process causing the abnormal traffic, and detect a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of the zombie-behavior-type-specific traffic characteristics stored in the security policy storage; and

a process handler configured to handle the process whose zombie behavior type has been detected according to a security policy defined for the detected zombie behavior type.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are an apparatus and method for blocking a zombie behavior process. The apparatus includes a security policy storage configured to store zombie-behavior-type-specific traffic characteristics and security policies, a traffic monitor configured to monitor traffic generated on the computer and detect abnormal traffic exceeding a predetermined reference value, a process and traffic analyzer configured to find an abnormal process causing the abnormal traffic and detect a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of the zombie-behavior-type-specific traffic characteristics stored in the security policy storage, and a process handler configured to handle the process whose zombie behavior type has been detected according to a security policy defined for the detected zombie behavior type. Also, the apparatus according to another aspect includes a system process monitor and handler configured to detect whether or not a file associated with a system process is modified and block the system process.

Citations

15 Claims

1. An apparatus for blocking a zombie behavior process performed in a computer connected to a network, the zombie behavior process being generated in the computer, and attacking external computers, comprising:
- a security policy storage configured to store zombie-behavior-type-specific traffic characteristics and security policies;
  
  a traffic monitor configured to monitor traffic generated on the computer and detect abnormal traffic exceeding a predetermined reference value;
  
  a process and traffic analyzer configured to find an abnormal process causing the abnormal traffic, and detect a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of the zombie-behavior-type-specific traffic characteristics stored in the security policy storage; and
  
  a process handler configured to handle the process whose zombie behavior type has been detected according to a security policy defined for the detected zombie behavior type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the apparatus is disposed in a network driver stage of the computer connected to the network.
  - 3. The apparatus of claim 1, wherein the zombie behavior type includes at least one of a distributed denial of service (DDoS) attack, Internet protocol (IP) scanning, port scanning, and a spoofing attack.
  - 4. The apparatus of claim 1, wherein the zombie behavior type includes other types, andwhen the zombie behavior type of the abnormal process has not been detected, a security policy defined for the other types is applied to the abnormal process.
  - 5. The apparatus of claim 1, wherein the zombie-behavior-type-specific traffic characteristics stored in the security policy storage include zombie-behavior-type-specific traffic threshold values and allowed traffic threshold value exceeding times.
  - 6. The apparatus of claim 5, wherein the process and traffic analyzer detects the zombie behavior type associated with the abnormal process by searching for a zombie behavior type corresponding to a characteristic of the abnormal traffic caused by the abnormal process on the basis of the zombie-behavior-type-specific traffic threshold values stored in the security policy storage, and determining that the abnormal process is associated with the searched zombie behavior type when the abnormal traffic caused by the abnormal process continues for more than an allowed traffic threshold value exceeding time corresponding to the searched zombie behavior type.
  - 7. The apparatus of claim 1, wherein the predetermined reference value is defined in the security policy storage.
  - 8. The apparatus of claim 1, further comprising a new zombie behavior type storage,wherein, when the zombie behavior type associated with the abnormal process has not been detected, the process and traffic analyzer stores a characteristic of the abnormal traffic caused by the abnormal process in the new zombie behavior type storage.
  - 9. The apparatus of claim 1, further comprising an event log storage configured to store an event occurring in association with the abnormal process.
  - 10. The apparatus of claim 1, wherein the zombie-behavior-type-specific traffic characteristics and security policies are distributed and updated through an enterprise security management (ESM) server.

11. A method of blocking a zombie behavior process generated in a computer connected to a network and attacking an external computer, the method being performed in a network driver stage of the computer and comprising:
- monitoring traffic generated on the computer to detect abnormal traffic exceeding a predetermined reference value;
  
  finding an abnormal process causing the abnormal traffic, and finding a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of zombie-behavior-type-specific traffic characteristics stored in a security policy storage;
  
  when the zombie behavior type of the abnormal process has been found, handling the abnormal process according to a security policy for the zombie behavior type defined in the security policy storage;
  
  when the zombie behavior type having a characteristic of the abnormal traffic caused by the abnormal process has not been found, handling the abnormal process according to a security policy for other types defined in the security policy storage; and
  
  storing the characteristic of the traffic caused by the process whose zombie behavior type has not been found in a new zombie behavior type storage.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, wherein the zombie-behavior-type-specific traffic characteristics stored in the security policy storage include zombie-behavior-type-specific traffic threshold values and allowed traffic threshold value exceeding times, andfinding the zombie behavior type associated with the abnormal process includes searching for a zombie behavior type corresponding to the characteristic of the abnormal traffic caused by the abnormal process on the basis of the zombie-behavior-type-specific traffic threshold values stored in the security policy storage, and determining that the process is associated with the searched zombie behavior type when the abnormal traffic caused by the abnormal process continues for more than an allowed traffic threshold value exceeding time corresponding to the searched zombie behavior type.
  - 13. The method of claim 11, further comprising storing an event log generated in association with the abnormal process,wherein the zombie-behavior-type-specific traffic characteristics and security policies are distributed and updated through an enterprise security management (ESM) server, and the event log and the characteristic of the traffic caused by the abnormal process stored in the new zombie behavior type storage are transmitted to the ESM server.

14. An apparatus for blocking a zombie behavior process performed in a computer connected to a network, the zombie behavior process being generated in the computer and attacking external computers, the apparatus comprising:
- a system process reference list storage configured to store reference information about system processes used by an operating system of the computer;
  
  a system process monitor configured to analyze a system process under execution in the computer, and sub-processes and files associated with the process on the basis of the reference information about the system processes, and determine the system process as a modified process when the system process, the sub-processes, and the files are different from the reference information; and
  
  a modified-process handler configured to handle the modified process, the associated sub-processes, and the associated files according to a security policy when the system process monitor detects the modified process.
- View Dependent Claims (15)
- - 15. The apparatus of claim 14, wherein extensions of the files associated with the system process are at least one of DLL, SYS and EXE, andthe modification may include change of the files associated with the system process and addition of a file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NPCore, Inc.
Original Assignee
NPCore, Inc.
Inventors
Han, Seung Chul

Granted Patent

US 9,060,016 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Apparatus and method for blocking zombie behavior process

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for blocking zombie behavior process

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links