Host-based detection and prevention of malicious code propagation

US 7,325,185 B1
Filed: 08/04/2003
Issued: 01/29/2008
Est. Priority Date: 08/04/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

stalling a request on a host computer system prior to sending the request to a target computer system;

determining whether the request is suspicious;

wherein upon a determination that the request is not suspicious, releasing the request; and

wherein upon a determination that the request is suspicious, adding a request entry to a request database, the request entry identifying the request,generating a counter value associated with the request entry,determining whether the counter value meets a counter value threshold, andwherein upon a determination that the counter value meets the counter value threshold, determining that malicious code activity is detected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Requests issuing on a host computer are intercepted and stalled prior to sending to target computer systems. The requests are analyzed to determine whether they are suspicious. Requests determined to be suspicious are added as request entries to a request database. Each time a request entry is added to the request database, a determination is made whether malicious code activity is detected on the host computer system. Upon a determination that malicious code activity is detected, a notification of the malicious code detection is generated and protective actions are implemented, such as terminating the request. Requests not determined to be suspicious or to indicate malicious code activity are released for sending to the target computer systems.

63 Citations

View as Search Results

18 Claims

1. A method comprising:
- stalling a request on a host computer system prior to sending the request to a target computer system;
  
  determining whether the request is suspicious;
  
  wherein upon a determination that the request is not suspicious, releasing the request; and
  
  wherein upon a determination that the request is suspicious, adding a request entry to a request database, the request entry identifying the request,generating a counter value associated with the request entry,determining whether the counter value meets a counter value threshold, andwherein upon a determination that the counter value meets the counter value threshold, determining that malicious code activity is detected.
- View Dependent Claims (2)
- - 2. The method of claim 1, further comprising:
    - wherein upon a determination that malicious code activity is detected, generating a notification that malicious code activity is detected; and
      
      implementing one or more protective actions.

3. A method comprising:
- intercepting a request on a host computer system;
  
  stalling the request;
  
  determining whether the request is suspicious,wherein upon a determination that the request is suspicious, adding a request entry representative of the request to a request database, anddetermining whether malicious code activity is detected on the host computer system based upon the request entry; and
  
  wherein upon a determination that malicious code activity is detected on the host computer system, generating a notification that malicious code activity is detected on the host computer system, andimplementing one or more protective actions.
- View Dependent Claims (4, 5, 6, 7, 8, 9)
- - 4. The method of claim 3, further comprising:
    - wherein upon a determination that the request is not suspicious, releasing the request.
  - 5. The method of claim 3, further comprising:
    - wherein upon a determination that malicious code activity is not detected on the host computer system, releasing the request.
  - 6. The method of claim 3, wherein the implementing one or more protective actions comprises:
    - terminating the request.
  - 7. The method of claim 3, wherein the request is an HTTP GET request.
  - 8. The method of claim 3, wherein the intercepting a request on a host computer system utilizes a local proxy mechanism.
  - 9. The method of claim 3, wherein the intercepting a request on a host computer system occurs at the application level.

10. A method comprising:
- intercepting a request on a host computer system;
  
  stalling the request; and
  
  determining whether the request is suspicious,wherein upon a determination that the request is suspicious, adding a request entry representative of the request to a request database, anddetermining whether malicious code activity is detected on the host computer system based upon the request entry,wherein the determining whether malicious code activity is detected on the host computer system based upon the request entry further comprises;
  
  generating a counter value associated with the request entry; and
  
  determining whether the counter value meets a counter value threshold,wherein upon a determination that the counter value does not meet the counter value threshold, determining that malicious code activity is not detected on the host computer system, andwherein upon a determination that the counter value meets the counter value threshold, determining that malicious code activity is detected on the host computer system.

11. A malicious code detection device comprising:
- an intercept module, the intercept module for intercepting a request issuing on a host computer system prior to the sending of the request from the host computer system to a target computer system;
  
  an analyzer module coupled to the intercept module, the analyzer module for determining whether the request is suspicious utilizing at least a standards list, the analyzer module further for adding a request entry corresponding to the request to a request database when the request is determined as suspicious, the analyzer module further for determining whether malicious activity is detected on the host computer system based on whether a counter value associated with a request entry meets a counter value threshold;
  
  a request database coupled to the analyzer module, the request database including one or more request entries, each of the one or more request entries identifying a request determined to be suspicious; and
  
  a standards list coupled to the analyzer module, the standards list including selected standards for use in determining whether the request is suspicious.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The malicious code detection device of claim 11, further comprising:
    - an inclusion profile list coupled to the analyzer module.
  - 13. The malicious code detection device of claim 11, further comprising:
    - an exclusion profile list coupled to the analyzer module.
  - 14. The malicious code detection device of claim 11, further comprising a memory area coupled to the intercept module and the analyzer module.
  - 15. The malicious code detection device of claim 11, wherein the intercept module includes an interception mechanism for intercepting a request.

16. A computer program product comprising a computer-readable medium storing computer program code for a method comprising:
- stalling a request on a host computer system prior to sending the request to a target computer system;
  
  determining whether the request is suspicious;
  
  wherein upon a determination that the request is not suspicious, releasing the request; and
  
  wherein upon a de termination that the request is suspicious, adding a request entry to a request database, the request entry identifying the request,generating a counter value associated with the request entry,determining whether the counter value meets a counter value threshold, andwherein upon a determination that the counter value meets the counter value threshold, determining that malicious code activity is detected.
- View Dependent Claims (17)
- - 17. The computer program product of claim 16, the method further comprising:
    - wherein upon a determination that malicious code activity is detected, generating a notification that malicious code activity is detected; and
      
      implementing one or more protective actions.

18. A computer program product comprising a computer-readable medium storing computer program code for a method comprising:
- intercepting a request on a host computer system;
  
  stalling the request;
  
  determining whether the request is suspicious,wherein upon a determination that the request is suspicious, adding a request entry representative of the request to a request database, anddetermining whether malicious code activity is detected on the host computer system based upon the request entry; and
  
  wherein upon a determination that malicious code activity is detected on the host computer system, generating a notification that malicious code activity is detected on the host computer system, andimplementing one or more protective actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter
Primary Examiner(s)
Lamarre; Guy
Assistant Examiner(s)
Alphonse; Fritz

Application Number

US10/633,907
Time in Patent Office

1,639 Days
Field of Search

714/799, 714/38, 713/188, 713/200, 726/22, 726/24, 709/232
US Class Current

714/799
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

H04L 63/1416 Event detection, e.g. attac...

Host-based detection and prevention of malicious code propagation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Host-based detection and prevention of malicious code propagation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links