Detection of Malicious Code Insertion in Trusted Environments
First Claim
1. A computer-implemented method of identifying malicious code insertion in trusted environments, the method comprising the steps of:
(a) connecting an analysis server to a computing device utilized by a software developer to develop at least a portion of a software program;
(b) collecting, via a plurality of sensor modules coupled to the analysis server, behavioral tracking data from the computing device, the behavioral tracking data indicating a software developer behavior during software development and including metadata indicating a development action, the development action caused by the software developer behavior;
(c) storing, in a database communicatively coupled to the analysis server, the behavioral tracking data;
(d) analyzing, via the analysis server, the software program for the presence of malicious code, the analysis including a comparison of the stored behavioral tracking data to a baseline behavior parameter stored in the database;
(e) flagging, via the analysis server, the development action where the analysis indicates malicious code insertion; and
(f) presenting, via a user interface communicatively coupled to the analysis server, an analysis report, the analysis report comprising an analyzing step result and a flagging step result.
Abstract
Methods and computer program products which facilitate detection of malicious code insertion by an insider during the software development lifecycle are disclosed. Aspects focus on behavioral characteristics associated with the introduction of malcode during the software development process. Injection of malcode by an insider threat, and the malcode itself, may leave behind behavioral signatures in the source code repository and source code that can be detected by a multi-dimensional combination of sensors. By detecting the behavioral signatures of malcode within artifacts generated by the software development process, instances of malcode can be isolated and prevented before release.
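As an added example (not code from the patent or its assignee), a toy version of the claimed pipeline: constructed sensor records of development actions, a per-developer baseline behavior parameter derived from the stored records, an analyzing step that compares each new action to that baseline, and a flagging step that requires more than one sensor to deviate before an action lands in the analysis report. The record fields, thresholds and sample values are assumptions.

```python
from statistics import mean, pstdev
# Constructed behavioral tracking data (not from any real repository): one
# record per development action, with the metadata a sensor module attaches.
HISTORY = [  # stored records used to derive the baseline behavior parameters
    {"dev": "alice", "action": "commit:101", "hour": 10, "lines": 40, "paths": ["src/"]},
    {"dev": "alice", "action": "commit:102", "hour": 11, "lines": 55, "paths": ["src/", "tests/"]},
    {"dev": "alice", "action": "commit:103", "hour": 14, "lines": 30, "paths": ["src/"]},
    {"dev": "alice", "action": "commit:104", "hour": 15, "lines": 48, "paths": ["tests/"]},
    {"dev": "alice", "action": "commit:105", "hour": 9, "lines": 36, "paths": ["src/"]},
]
INCOMING = [  # newly collected actions to analyze
    {"dev": "alice", "action": "commit:201", "hour": 13, "lines": 45, "paths": ["src/", "docs/"]},
    # large change, at 3 a.m., into a build directory this developer never touched
    {"dev": "alice", "action": "commit:202", "hour": 3, "lines": 410, "paths": ["build/", "src/"]},
]

def build_baseline(records):
    """Baseline behavior parameters per developer: change size, hours, paths."""
    baseline = {}
    for dev in {r["dev"] for r in records}:
        own = [r for r in records if r["dev"] == dev]
        sizes = [r["lines"] for r in own]
        hours = [r["hour"] for r in own]
        baseline[dev] = {"mean": mean(sizes), "sd": pstdev(sizes) or 1.0,
                         "hours": (min(hours), max(hours)),
                         "paths": {p for r in own for p in r["paths"]}}
    return baseline

def analyze(records, baseline, z_limit=3.0):
    """Compare each action with its developer's baseline; list the deviations."""
    findings = []
    for r in records:
        b, reasons = baseline[r["dev"]], []
        z = (r["lines"] - b["mean"]) / b["sd"]
        if z > z_limit:
            reasons.append(f"change size z={z:.1f} above {z_limit}")
        if not b["hours"][0] <= r["hour"] <= b["hours"][1]:
            reasons.append(f"hour {r['hour']} outside baseline hours {b['hours']}")
        if new := set(r["paths"]) - b["paths"]:
            reasons.append(f"first-ever edit to {sorted(new)}")
        findings.append({"action": r["action"], "reasons": reasons})
    return findings

def flag(findings, min_reasons=2):  # flag only when several sensors agree
    return [f["action"] for f in findings if len(f["reasons"]) >= min_reasons]

def report(records=INCOMING, history=HISTORY):
    """Analysis report: the analyzing step result plus the flagging step result."""
    findings = analyze(records, build_baseline(history))
    return {"analyzed": findings, "flagged": flag(findings)}
```

With the constructed data, commit:201 deviates on one sensor only (a new path) and is reported but not flagged, while commit:202 deviates on all three and is flagged.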
20 Claims
1. A computer-implemented method of identifying malicious code insertion in trusted environments, the method comprising the steps of:
(a) connecting an analysis server to a computing device utilized by a software developer to develop at least a portion of a software program;
(b) collecting, via a plurality of sensor modules coupled to the analysis server, behavioral tracking data from the computing device, the behavioral tracking data indicating a software developer behavior during software development and including metadata indicating a development action, the development action caused by the software developer behavior;
(c) storing, in a database communicatively coupled to the analysis server, the behavioral tracking data;
(d) analyzing, via the analysis server, the software program for the presence of malicious code, the analysis including a comparison of the stored behavioral tracking data to a baseline behavior parameter stored in the database;
(e) flagging, via the analysis server, the development action where the analysis indicates malicious code insertion; and
(f) presenting, via a user interface communicatively coupled to the analysis server, an analysis report, the analysis report comprising an analyzing step result and a flagging step result.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. One or more computer storage media having stored thereon multiple instructions that facilitate the identification of malicious code insertions by, when executed by one or more processors of a computing device, causing the one or more processors to:
(a) connect an analysis server to a computing device utilized by a software developer to develop at least a portion of a software program;
(b) collect, via a plurality of sensor modules coupled to the analysis server, behavioral tracking data from the computing device, the behavioral tracking data indicating a software developer behavior during software development and including metadata indicating a development action, the development action caused by the software developer behavior;
(c) store, in a database communicatively coupled to the analysis server, the behavioral tracking data;
(d) analyze, via the analysis server, the software program for the presence of malicious code, the analysis including a comparison of the stored behavioral tracking data to a baseline behavior parameter stored in the database;
(e) flag, via the analysis server, the development action where the analysis indicates malicious code insertion; and
(f) present, via a user interface communicatively coupled to the analysis server, an analysis report, the analysis report comprising an analyzing step result and a flagging step result.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20.