Apparatus, and system for determining and cautioning users of Internet connected clients of potentially malicious software and method for operating such

US 20120272319A1
Filed: 04/21/2011
Published: 10/25/2012
Est. Priority Date: 04/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method for operating a customer data collection and protection apparatus which has a processor configured by a software product comprises at least two of the following steps:

transmitting backfeeds to a central server about traffic to or attempts to connect with uncategorized targets;

receiving a directory from the central server containing at least one identifier of at least one suspicious, malicious, or infectious target and appropriate actions; and

presenting end users with at least one warning of possible infection, malicious code, or suspicious behavior and controls for a malware cleanup tool, wherein a target is one of an IP address and a Uniform Resource Identifier (URI) for a real or fictitious host.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system at a central server and at a plurality of web filters is installed to observe traffic and to protect users from attempting connection to suspicious, malicious, and/or infectious targets. Targets are defined as Uniform Resource Identifiers (URI) and Internet Protocol (IP) addresses. Traffic is collected, analyzed, and reported for further analysis. Behavior is analyzed for each client attempting a connection to an uncategorized target. IP addresses and URIs are evaluated toward placement in either a Trusted target store or an Anomalous target store. The accumulated content of Anomalous target store is provided back to the Network Service Subscriber Clients. Warnings and tools are presented when appropriate.

23 Citations

View as Search Results

20 Claims

1. A method for operating a customer data collection and protection apparatus which has a processor configured by a software product comprises at least two of the following steps:
- transmitting backfeeds to a central server about traffic to or attempts to connect with uncategorized targets;
  
  receiving a directory from the central server containing at least one identifier of at least one suspicious, malicious, or infectious target and appropriate actions; and
  
  presenting end users with at least one warning of possible infection, malicious code, or suspicious behavior and controls for a malware cleanup tool, wherein a target is one of an IP address and a Uniform Resource Identifier (URI) for a real or fictitious host.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 further comprises the step:
    - detecting a system visiting or attempting to connect to at least one suspicious, malicious, and/or infectious target based on identifiers received from the central server.
  - 3. The method of claim 1 further comprises the step:
    - observing, measuring, and recording meta data on traffic at a web filter which requests for an IP address for an uncategorized target or attempts to connect to an uncategorized target, wherein meta data includes how many sources per destination and the volume of activity per time unit.

4. A method for operation of a central server which has a processor configured by a software product to detect and distribute identifiers of suspicious, infectious, and malicious targets comprises at least two of the following steps:
- receiving backfeeds from a plurality of web filter apparatus about traffic to or attempts to connect with uncategorized targets;
  
  applying rules and patterns to identify a target as at least one of suspicious, malicious, or infectious; and
  
  provisioning a plurality of web filters with an update having at least one identifier of a suspicious, malicious, or infectious target, a warning, and a malware cleanup tool.
- View Dependent Claims (5, 6)
- - 5. The method of claim 4 further comprises the step:
    - packaging identifiers of a plurality of suspicious, malicious, and/or infectious targets into an update also containing warnings and malware cleanup tools.
  - 6. The method of claim 4 further comprises the step:
    - detecting a suspicious target by traffic patterns at one web filter compared to traffic patterns at other web filters.

7. An apparatus comprising a network link circuit, a processor, data storage device, and non-transitory computer readable media having instructions to configure the processorto observe traffic requesting resolution of an uncategorized URI or having a destination of an uncategorized IP address, andto receive and store an update to a list of uncategorized IP addresses and uncategorized URIs which are observed with traffic that suggests suspicious, malicious or infectious behavior.
- View Dependent Claims (8, 9)
- - 8. The apparatus of claim 7 further comprising:
    - a circuit to transmit to a central server a report on traffic patterns to uncategorized targets; and
      
      a circuit to detect a dns request to resolve or a transmission to a target on a list of suspicious, malicious, or infectious targets.
  - 9. The apparatus of claim 7 further comprising a circuit to present users with a warning on the uncategorized status of the target.

10. An apparatus comprising a network link circuit, a processor, data storage device, and non-transitory computer readable media having instructions to configure the processor to receive and store a report of an anomalous target and analyze said anomalous target to determine a caveat if appropriate.
- View Dependent Claims (11, 12)
- - 11. The apparatus of claim 10 distribute a list of anomalous targets and provide a link to a caveat if appropriate.
  - 12. The apparatus of claim 10 further comprising a store of warnings to be transmitted to a client which requests resolution of or transmission to a target determined to be suspicious, malicious, or infectious.

13. An apparatus comprising a network link circuit, a processor, data storage device, and non-transitory computer readable media having instructions to configure the processorto receive reports of uncategorized targets and determine when a domain name system request or reverse domain name system request on the target is or is not successful.
- View Dependent Claims (14, 15)
- - 14. The apparatus of claim 13 further comprisinga circuit to detect if malicious code is operating on or is distributed from an uncategorized target.
  - 15. The apparatus of claim 13 further comprisinga circuit to detect if a traffic pattern suggests that an uncategorized target is under attack.

16. a system comprising a network, attached computer systems, and software to provision:
- a plurality of customer data collection and protection apparatuses configured to observe requests and traffic having targets which are not categorized targets communicatively coupled to a central server, andthe central server, configured to receive reports on uncategorized targets, analyze traffic to and concerning said uncategorized targets, and distribute updates to said customer data collection and protection apparatuses.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16 wherein said customer data collection and protection apparatus comprises:
    - a local store of categorized targets, wherein targets comprise actual Internet Protocol address and/or Uniform Resource Identifiers and strings which are formatted as Internet Protocol (IP) addresses and/or Uniform Resource Identifiers (URI); and
      
      a circuit to report domain name system requests to resolve URI which are not found in the local store of categorized targets and a circuit to report IP application traffic which has as a destination IP addresses which are not found in the local store of categorized targets.
  - 18. The system of claim 16 wherein said customer data collection and protection apparatus comprises:
    - a circuit to receive and store an updated list of suspicious, malicious, or infectious targets, anda circuit to present a warning to the operator of a client apparatus which has requested from or transmitted to one of the targets on said list.
  - 19. The system of claim 16 wherein said central server comprises:
    - a receiver circuit to receive reports on traffic to or requesting resolution of targets not categorized, wherein targets comprise actual Internet Protocol address and/or Uniform Resource Identifiers and strings which are formatted as Internet Protocol (IP) addresses and/or Uniform Resource Identifiers (URI); and
      
      an analysis circuit to determine that traffic patterns suggest suspicious, malicious, or infectious behavior on the part of a sender.
  - 20. The system of claim 16 wherein said central server comprises:
    - an update packaging circuit to assemble a list of targets which are the subject or destination of traffic patterns which suggest suspicious, malicious, or infectious behavior, andan update distribution circuit which transmits to or responds to requests from a plurality of customer data collection and protection apparatuses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Group
Inventors
SHI, FLEMING, DRAKO, DEAN

Granted Patent

US 8,726,384 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 67/535 Tracking the activity of th...

Apparatus, and system for determining and cautioning users of Internet connected clients of potentially malicious software and method for operating such

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, and system for determining and cautioning users of Internet connected clients of potentially malicious software and method for operating such

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links