Detection of Malicious Code Insertion in Trusted Environments

US 20150302198A1
Filed: 04/22/2014
Published: 10/22/2015
Est. Priority Date: 04/24/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of identifying malicious code insertion in trusted environments, the method comprising the steps of:

(a) connecting an analysis server to a computing device utilized by a software developer to develop at least a portion of a software program;

(b) collecting, via a plurality of sensor modules coupled to the analysis server, behavioral tracking data from the computing device, the behavioral tracking data indicating a software developer behavior during software development and including metadata indicating a development action, the development action caused by the software developer behavior;

(c) storing, in a database communicatively coupled to the analysis server, the behavioral tracking data;

(d) analyzing, via the analysis server, the software program for the presence of malicious code, the analysis including a comparison of the stored behavioral tracking data to a baseline behavior parameter stored in the database;

(e) flagging, via the analysis server, the development action where the analysis indicates malicious code insertion; and

(f) presenting, via a user interface communicatively coupled to the analysis server, an analysis report, the analysis report comprising an analyzing step result and a flagging step result.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and computer program products which facilitate detection of malicious code insertion by an insider during the software development lifecycle are disclosed Aspects focus on behavioral characteristics associated with the introduction of malcode during the software development process. Injection of malcode by an insider threat, and the malcode itself, may leave behind behavioral signatures in the source code repository and source code that can be detected by a multi-dimensional combination of sensors. By detecting the behavioral signatures of malcode within artifacts generated by the software development process, instances of malcode can be isolated and prevented before release.

Citations

20 Claims

1. A computer-implemented method of identifying malicious code insertion in trusted environments, the method comprising the steps of:
- (a) connecting an analysis server to a computing device utilized by a software developer to develop at least a portion of a software program;
  
  (b) collecting, via a plurality of sensor modules coupled to the analysis server, behavioral tracking data from the computing device, the behavioral tracking data indicating a software developer behavior during software development and including metadata indicating a development action, the development action caused by the software developer behavior;
  
  (c) storing, in a database communicatively coupled to the analysis server, the behavioral tracking data;
  
  (d) analyzing, via the analysis server, the software program for the presence of malicious code, the analysis including a comparison of the stored behavioral tracking data to a baseline behavior parameter stored in the database;
  
  (e) flagging, via the analysis server, the development action where the analysis indicates malicious code insertion; and
  
  (f) presenting, via a user interface communicatively coupled to the analysis server, an analysis report, the analysis report comprising an analyzing step result and a flagging step result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, analyzing step (d) further comprising:
    - performing a static code analysis of the software program;
      
      wherein the analysis indicates malicious code insertion when a behavioral anomaly and a static code analysis anomaly are detected.
  - 3. The method of claim 1, wherein the plurality of sensors are configured to collect behavioral tracking data related to at least one of:
    - coding behavior, testing behavior, build behavior, and work habits.
  - 4. The method of claim 1, wherein the development action is one of:
    - a coding action;
      
      a testing action;
      
      a build action; and
      
      a work action.
  - 5. The method of claim 1, wherein collecting step (b) occurs over time.
  - 6. The method of claim 2, wherein collecting step (b) occurs throughout a software development lifecycle.
  - 7. The method of claim 1, wherein the analysis indicates malicious code insertion based on collected behavioral tracking data from at least two of the plurality of sensors.
  - 8. The method of claim 1, further comprising the steps of:
    - (g) creating the baseline behavior parameter; and
      
      (h) storing the baseline behavior parameter in the database.
  - 9. The method of claim 8, wherein the baseline behavior parameter is created based on industry accepted software development processes.
  - 10. The method of claim 8, wherein the baseline behavior parameter is based on collected behavioral tracking data.
  - 11. The method of claim 8, wherein the baseline behavior parameter is based on collected behavioral tracking data from a plurality of software developers.

12. One or more computer storage media having stored thereon multiple instructions that facilitate the identification of malicious code insertions by, when executed by one or more processors of a computing device, causing the one or more processors to:
- (a) connect an analysis server to a computing device utilized by a software developer to develop at least a portion of a software program;
  
  (b) collect, via a plurality of sensor modules coupled to the analysis server, behavioral tracking data from the computing device, the behavioral tracking data indicating a software developer behavior during software development and including metadata indicating a development action, the development action caused by the software developer behavior;
  
  (c) store, in a database communicatively coupled to the analysis server, the behavioral tracking data;
  
  (d) analyze, via the analysis server, the software program for the presence of malicious code, the analysis including a comparison of the stored behavioral tracking data to a baseline behavior parameter stored in the database;
  
  (e) flag, via the analysis server, the development action where the analysis indicates malicious code insertion; and
  
  (f) present, via a user interface communicatively coupled to the analysis server, an analysis report, the analysis report comprising an analyzing step result and a flagging step result.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. One or more computer storage media as recited in claim 12, wherein the multiple instructions further cause one or more processors to:
    - (g) perform a static code analysis of the software program;
      
      wherein the analysis indicates malicious code insertion when a behavioral anomaly and a static code analysis anomaly are detected.
  - 14. One or more computer storage media as recited in claim 12, wherein the plurality of sensors are configured to collect behavioral tracking data related to at least one of:
    - coding behavior, testing behavior, build behavior, and work habits.
  - 15. One or more computer storage media as recited in claim 12, wherein the development action is one of:
    - a coding action;
      
      a testing action;
      
      a build action; and
      
      a work action.
  - 16. One or more computer storage media as recited in claim 12, wherein collection of behavioral tracking data from the computing device occurs over time.
  - 17. One or more computer storage media as recited in claim 12, wherein collection of behavioral tracking data from the computing device occurs throughout a software development lifecycle.
  - 18. One or more computer storage media as recited in claim 12, wherein the analysis indicates malicious code insertion based on collected behavioral tracking data from at least two of the plurality of sensors.
  - 19. One or more computer storage media as recited in claim 12, wherein the multiple instructions further cause one or more processors to:
    - (g) create the baseline behavior parameter; and
      
      (h) store the baseline behavior parameter in the database.
  - 20. One or more computer storage media as recited in claim 19, wherein the baseline behavior parameter is based on collected behavioral tracking data from a plurality of software developers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Coveros, Inc.
Original Assignee
Coveros, Inc.
Inventors
Payne, Jeffery, Fenner, Mark, Mills, Richard

Granted Patent

US 9,424,426 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/562 Static detection

Detection of Malicious Code Insertion in Trusted Environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of Malicious Code Insertion in Trusted Environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links