METHOD AND DEVICE FOR DETECTING AUTONOMOUS, SELF-PROPAGATING SOFTWARE

US 20170041329A1
Filed: 01/16/2015
Published: 02/09/2017
Est. Priority Date: 01/29/2014
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting autonomous, self-propagating malware in at least one first computer unit in a first network, wherein the first network (NET1) is coupled to a second network via a first link, the method comprising:

a) generating at least one first indicator which specifies a first behavior of the at least one first computer unit;

b) generating at least one second indicator which specifies a second behavior of at least one second computer unit in the second network;

c) conveying the at least one first indicator and the at least one second indicator to a correlation component;

d) generating at least one correlation result by correlating the at least one first indicator with the at least one second indicator; and

e) outputting an instruction signal if, during a comparison, a definable threshold value is exceeded by the at least one correlation result.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a device for detecting autonomous, self-propagating malicious software in at least one first computing unit in a first network, wherein the first network is coupled to a second network via a first link, having the following method steps: a) generating at least one first indicator which specifies a first behaviour of the at least one first computing unit; b) generating at least one second indicator which specifies a second behaviour of at least one second computing unit in the second network; c) transmitting the at least one first indicator and the at least one second indicator to a correlation component; d) generating at least one correlation result by correlating the at least one first indicator with the at least one second indicator; e) outputting an instruction signal if, when a comparison is made, a definable threshold value is exceeded by the correlation result, is provided.

Citations

14 Claims

1. A method for detecting autonomous, self-propagating malware in at least one first computer unit in a first network, wherein the first network (NET1) is coupled to a second network via a first link, the method comprising:
- a) generating at least one first indicator which specifies a first behavior of the at least one first computer unit;
  
  b) generating at least one second indicator which specifies a second behavior of at least one second computer unit in the second network;
  
  c) conveying the at least one first indicator and the at least one second indicator to a correlation component;
  
  d) generating at least one correlation result by correlating the at least one first indicator with the at least one second indicator; and
  
  e) outputting an instruction signal if, during a comparison, a definable threshold value is exceeded by the at least one correlation result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 13)
- - 2. The method as claimed in claim 1, wherein a system for monitoring and/or controlling technical processes of industrial installations is formed by the first network and an office communication network is formed by the second network.
  - 3. The method as claimed in claim 1, wherein the respective behavior with respect to at least one of the following information items of the at least one first computer unit and the at least one second computer unit is determined by the at least one first indicator and the at least one second indicator:
    - at least one file name on a storage medium;
      
      at least one name of a current or stopped process;
      
      at least one result of an intrusion detection system; and
      
      a characteristic of network traffic data within the first and second network.
  - 4. The method as claimed in claim 3, wherein the at least one first indicator and the at least one second indicator are determined in dependence on a change of the respective information.
  - 5. The method as claimed in claim 1, wherein the at least one first indicator and the at least one second indicator are generated at regular intervals.
  - 6. The method as claimed in claim 1, wherein a first type of behavior of the at least one first computer unit is indicated in a first time interval by the at least one first indicator and the first type of behavior of the at least one second computer unit is indicated in a second time interval by the at least one second indicator, the second time interval being arranged before the first time interval in time.
  - 7. The method as claimed in claim 1, wherein at least one of steps a), c), d), e) is performed only after at least one data word of the at least one second computer unit has been transmitted to the at least one first computer unit.
  - 13. The method as claimed in claim 4, wherein the at least one first indicator and the at least one second indicator are determined in dependence on a frequency of occurrence of the respective information.

8. A device for detecting autonomous, self-propagating malware in at least one first computer unit in a first network, wherein the first network is coupled to a second network via a first link and the second network is coupled to a public network via a second link, the device comprising:
- a) a first unit for generating at least one first indicator which specifies a first behavior of the at least one first computer unit;
  
  b) a second unit for generating at least one second indicator which specifies a second behavior of at least one second computer unit of the second network;
  
  c) a third unit for conveying the at least one first indicator and the at least one second indicator to a correlation component;
  
  d) a fourth unit for generating at least one correlation result by correlating the at least one first indicator with the at least one second indicator; and
  
  e) a fifth unit for outputting an instruction signal if, during a comparison, the at least one correlation result exceeds the a definable threshold value.
- View Dependent Claims (9, 10, 11, 12, 14)
- - 9. The device as claimed in claim 8, wherein the first unit and the second unit, for generating the at least one first indicator and the at least one second indicator, determine the respective behavior with respect to at least one of the following information items:
    - at least one file name on a storage medium;
      
      at least one name of a current or stopped process;
      
      at least one result of an intrusion detection system; and
      
      a characteristic of network traffic data within the first and second network.
  - 10. The device as claimed in claim 9, wherein the first unit and the second unit perform the generating of the at least one first indicator and the at least one second indicator in dependence on a change of the respective information.
  - 11. The device as claimed in claim 8, wherein the first unit and the second unit perform the generating of the at least one first indicator and the at least one second indicator at regular intervals.
  - 12. The device as claimed in claim 8, wherein a first type of behavior in a first time interval is indicated by the at least one first indicator and the first type of behavior in a second time interval is indicated by the at least one second indicator, the second time interval being arranged before the first time interval in time.
  - 14. The device as claimed in claim 9, wherein the first unit and the second unit perform the generating of the at least one first indicator and the at least one second indicator in dependence on a frequency of occurrence of the respective information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
GBEL, JAN GERRIT, PATZLAFF, HEIKO, ROTHMAIER, GERRIT

Application Number

US15/107,112
Publication Number

US 20170041329A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/18   using different networks or...

H04L 67/12   specially adapted for propr...

METHOD AND DEVICE FOR DETECTING AUTONOMOUS, SELF-PROPAGATING SOFTWARE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND DEVICE FOR DETECTING AUTONOMOUS, SELF-PROPAGATING SOFTWARE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links