Host-based detection and prevention of malicious code propagation
First Claim
1. A method comprising:
- stalling a request on a host computer system prior to sending the request to a target computer system;
determining whether the request is suspicious;
wherein upon a determination that the request is not suspicious, releasing the request; and
wherein upon a determination that the request is suspicious, adding a request entry to a request database, the request entry identifying the request,generating a counter value associated with the request entry,determining whether the counter value meets a counter value threshold, andwherein upon a determination that the counter value meets the counter value threshold, determining that malicious code activity is detected.
2 Assignments
0 Petitions
Accused Products
Abstract
Requests issuing on a host computer are intercepted and stalled prior to sending to target computer systems. The requests are analyzed to determine whether they are suspicious. Requests determined to be suspicious are added as request entries to a request database. Each time a request entry is added to the request database, a determination is made whether malicious code activity is detected on the host computer system. Upon a determination that malicious code activity is detected, a notification of the malicious code detection is generated and protective actions are implemented, such as terminating the request. Requests not determined to be suspicious or to indicate malicious code activity are released for sending to the target computer systems.
63 Citations
18 Claims
-
1. A method comprising:
-
stalling a request on a host computer system prior to sending the request to a target computer system; determining whether the request is suspicious; wherein upon a determination that the request is not suspicious, releasing the request; and wherein upon a determination that the request is suspicious, adding a request entry to a request database, the request entry identifying the request, generating a counter value associated with the request entry, determining whether the counter value meets a counter value threshold, and wherein upon a determination that the counter value meets the counter value threshold, determining that malicious code activity is detected. - View Dependent Claims (2)
-
-
3. A method comprising:
-
intercepting a request on a host computer system; stalling the request; determining whether the request is suspicious, wherein upon a determination that the request is suspicious, adding a request entry representative of the request to a request database, and determining whether malicious code activity is detected on the host computer system based upon the request entry; and wherein upon a determination that malicious code activity is detected on the host computer system, generating a notification that malicious code activity is detected on the host computer system, and implementing one or more protective actions. - View Dependent Claims (4, 5, 6, 7, 8, 9)
-
-
10. A method comprising:
-
intercepting a request on a host computer system; stalling the request; and determining whether the request is suspicious, wherein upon a determination that the request is suspicious, adding a request entry representative of the request to a request database, and determining whether malicious code activity is detected on the host computer system based upon the request entry, wherein the determining whether malicious code activity is detected on the host computer system based upon the request entry further comprises; generating a counter value associated with the request entry; and determining whether the counter value meets a counter value threshold, wherein upon a determination that the counter value does not meet the counter value threshold, determining that malicious code activity is not detected on the host computer system, and wherein upon a determination that the counter value meets the counter value threshold, determining that malicious code activity is detected on the host computer system.
-
-
11. A malicious code detection device comprising:
-
an intercept module, the intercept module for intercepting a request issuing on a host computer system prior to the sending of the request from the host computer system to a target computer system; an analyzer module coupled to the intercept module, the analyzer module for determining whether the request is suspicious utilizing at least a standards list, the analyzer module further for adding a request entry corresponding to the request to a request database when the request is determined as suspicious, the analyzer module further for determining whether malicious activity is detected on the host computer system based on whether a counter value associated with a request entry meets a counter value threshold; a request database coupled to the analyzer module, the request database including one or more request entries, each of the one or more request entries identifying a request determined to be suspicious; and a standards list coupled to the analyzer module, the standards list including selected standards for use in determining whether the request is suspicious. - View Dependent Claims (12, 13, 14, 15)
-
-
16. A computer program product comprising a computer-readable medium storing computer program code for a method comprising:
stalling a request on a host computer system prior to sending the request to a target computer system; determining whether the request is suspicious; wherein upon a determination that the request is not suspicious, releasing the request; and wherein upon a de termination that the request is suspicious, adding a request entry to a request database, the request entry identifying the request, generating a counter value associated with the request entry, determining whether the counter value meets a counter value threshold, and wherein upon a determination that the counter value meets the counter value threshold, determining that malicious code activity is detected. - View Dependent Claims (17)
-
18. A computer program product comprising a computer-readable medium storing computer program code for a method comprising:
-
intercepting a request on a host computer system; stalling the request; determining whether the request is suspicious, wherein upon a determination that the request is suspicious, adding a request entry representative of the request to a request database, and determining whether malicious code activity is detected on the host computer system based upon the request entry; and wherein upon a determination that malicious code activity is detected on the host computer system, generating a notification that malicious code activity is detected on the host computer system, and implementing one or more protective actions.
-
Specification