Signature extraction system and method
Abstract
Host computer systems automatically detect malicious code. The host computer systems automatically generate and send malicious code packets of the malicious code to a local analysis center (LAC) computer system. Based on the received malicious code packets, the LAC computer system provides a signature update to a network intrusion detection system. Further, the LAC computer system also automatically sends malicious code signatures of the malicious code to a global analysis center. In this manner, the spread of the malicious code is rapidly detected and prevented.
31 Claims
1. A method comprising:

detecting an attack by malicious code on a first computer system;
extracting a malicious code signature from said malicious code, comprising:
    locating a caller's address of said malicious code in a memory of said first computer system; and
    extracting a specific number of bytes backwards from said caller's address;
creating an extracted malicious code packet including said malicious code signature; and
sending said extracted malicious code packet from said first computer system to a second computer system.

(Dependent claims: 2, 3, 4, 5)
6. A method comprising:

detecting an attack by malicious code on a first computer system;
creating an extracted malicious code packet including parameters associated with said malicious code, said parameters being selected from the group consisting of:
    a caller's address of said malicious code in a memory of said first computer system,
    a name of a process in which said attack took place,
    ports connected to said process,
    service pack levels,
    operating system information,
    patch level information,
    and combinations thereof; and
sending said extracted malicious code packet from said first computer system to a second computer system.

(Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
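The host-side steps of claims 1 and 6, as an added example written for this page rather than code from the patent or its assignee: an intrusion prevention hook records the caller's (return) address of the malicious code, a fixed number of bytes immediately before that address is taken as the signature, and the signature is packaged with the claim 6 parameters for transmission. The memory image, the signature length, the packet field names and the JSON wire format are all assumptions; the transport is a callable so the example runs offline.

```python
import json
from dataclasses import dataclass, asdict

# Assumption: the "specific number of bytes" is a tunable constant.
SIGNATURE_LEN = 16

# Constructed process-memory image (not a real payload): a region mapped at
# PAGE_BASE made of 0x90 padding, 0x40 distinctive bytes standing in for the
# injected code, then more padding.
PAGE_BASE = 0x00410000
_PADDING = bytes([0x90]) * 0x100
_INJECTED = bytes(range(0x20, 0x60))
MEMORY = _PADDING + _INJECTED + _PADDING


def extract_signature(memory, base, caller_addr, length=SIGNATURE_LEN):
    """Claim 1: take `length` bytes backwards from the caller's address.

    The caller's address is the return address recorded when the malicious
    code called into a hooked function, so the bytes immediately before it
    are the code that ran: the window is [caller_addr - length, caller_addr).
    The window is clamped at the start of the region, so the result may be
    shorter than `length`; an address outside the region is rejected.
    """
    end = base + len(memory)
    if not (base < caller_addr <= end):
        raise ValueError(f"caller's address {caller_addr:#x} not in ({base:#x}, {end:#x}]")
    start = max(base, caller_addr - length)
    return memory[start - base:caller_addr - base]


@dataclass
class ExtractedMaliciousCodePacket:
    """Claim 6 parameters plus the claim 1 signature (field names assumed)."""
    host_id: str
    caller_address: int
    signature_hex: str
    process_name: str
    ports: list
    os_info: str
    service_pack: str
    patch_level: str

    def to_bytes(self):
        # Wire format is an assumption: one JSON object per packet.
        return json.dumps(asdict(self), sort_keys=True).encode()


def build_packet(host_id, memory, base, caller_addr, process_name, ports,
                 os_info, service_pack, patch_level, length=SIGNATURE_LEN):
    """Extract the signature and assemble the packet sent to the second system."""
    sig = extract_signature(memory, base, caller_addr, length)
    return ExtractedMaliciousCodePacket(
        host_id=host_id,
        caller_address=caller_addr,
        signature_hex=sig.hex(),
        process_name=process_name,
        ports=sorted(ports),
        os_info=os_info,
        service_pack=service_pack,
        patch_level=patch_level,
    )


def send_packet(packet, transport):
    """Hand the serialized packet to `transport` (e.g. a TLS socket's sendall);
    returns the number of bytes handed over."""
    data = packet.to_bytes()
    transport(data)
    return len(data)


if __name__ == "__main__":
    outbox = []
    # The hook observed a return address 0x30 bytes into the injected region.
    pkt = build_packet("host-a", MEMORY, PAGE_BASE, PAGE_BASE + 0x130,
                       process_name="svc.exe", ports=[443, 80],
                       os_info="windows-x86", service_pack="SP1",
                       patch_level="patch-level-1")
    print("signature:", pkt.signature_hex)
    print("sent bytes:", send_packet(pkt, outbox.append))
```

The clamp matters in practice: if the caller's address lies within `SIGNATURE_LEN` bytes of the start of the mapping, a naive `memory[addr - length:addr]` would silently read the wrong region (or wrap in a language without bounds checks), so the function shortens the window instead and rejects addresses outside the mapping outright.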
20. A method comprising:

receiving an extracted malicious code packet from a first computer system with a second computer system, said first computer system being a host computer system and said second computer system being a local analysis center computer system; and
determining whether an attack threshold has been exceeded based upon said extracted malicious code packet,
wherein upon a determination that an attack threshold has been exceeded, said method further comprises delivering a signature update comprising a malicious code signature to an intrusion detection system.

(Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28)
29. A computer system comprising:

a local analysis center signature extraction application for receiving an extracted malicious code packet from a first computer system with a second computer system, said first computer system being a host computer system and said second computer system being a local analysis center computer system; and
said local analysis center signature extraction application further for determining whether an attack threshold has been exceeded based upon said extracted malicious code packet,
wherein upon a determination that an attack threshold has been exceeded, said method further comprising delivering a signature update comprising a malicious code signature to an intrusion detection system.
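The local analysis center side of claims 20 and 29, as an added example written for this page rather than the patent's or any vendor's code: the LAC receives the host packets, counts reports per extracted signature, and once the attack threshold is exceeded delivers a signature update to the intrusion detection system. How the threshold is counted is not specified by the claims; this example counts distinct reporting hosts inside a sliding time window (so one host re-reporting the same event cannot trigger a push), renders the update as a Snort-style content rule for illustration, and pushes each signature at most once. The packet fields, the sid range and the delivery callable are assumptions.

```python
from collections import defaultdict

# Constructed signature for the sample packets; matches nothing real.
SAMPLE_SIGNATURE = bytes(range(0x40, 0x50)).hex()


def sample_packet(host_id, signature_hex=SAMPLE_SIGNATURE, ports=(445,)):
    """Constructed host packet carrying the fields the LAC reads (assumed names)."""
    return {"host_id": host_id, "signature_hex": signature_hex,
            "ports": list(ports), "process_name": "svc.exe"}


def signature_update(signature_hex, ports, sid):
    """Render the extracted bytes as a Snort-style content rule.

    Illustrative format only: a real deployment would use the IDS's own
    update channel. A single reported port is used as the destination port;
    otherwise the rule matches any port.
    """
    port = ports[0] if len(ports) == 1 else "any"
    content = " ".join(signature_hex[i:i + 2] for i in range(0, len(signature_hex), 2))
    return (f'alert tcp any any -> any {port} '
            f'(msg:"LAC extracted malicious code signature"; '
            f'content:"|{content}|"; sid:{sid}; rev:1;)')


class LocalAnalysisCenter:
    """Claims 20/29: receive packets, check the attack threshold per signature,
    and deliver a signature update to the IDS once it is exceeded."""

    def __init__(self, attack_threshold, window_seconds, deliver, first_sid=1000001):
        self.threshold = attack_threshold      # distinct hosts that must exceed this
        self.window = window_seconds           # evidence older than this is dropped
        self.deliver = deliver                 # callable that pushes the rule to the IDS
        self._events = defaultdict(list)       # signature_hex -> [(time, host_id), ...]
        self._pushed = {}                      # signature_hex -> sid already delivered
        self._next_sid = first_sid             # local rules conventionally start at 1000000

    def receive(self, packet, now):
        """Record one packet; return the delivered rule, or None if no push happened."""
        sig = packet["signature_hex"]
        recent = [(t, h) for t, h in self._events[sig] if now - t <= self.window]
        recent.append((now, packet["host_id"]))
        self._events[sig] = recent
        if sig in self._pushed:
            return None                        # already delivered; do not spam the IDS
        # Assumption: "attack threshold exceeded" means strictly more distinct
        # reporting hosts than the threshold within the window.
        distinct_hosts = {h for _, h in recent}
        if len(distinct_hosts) <= self.threshold:
            return None
        sid = self._next_sid
        self._next_sid += 1
        rule = signature_update(sig, packet["ports"], sid)
        self._pushed[sig] = sid
        self.deliver(rule)
        return rule


if __name__ == "__main__":
    delivered = []
    lac = LocalAnalysisCenter(attack_threshold=2, window_seconds=600, deliver=delivered.append)
    for t, host in enumerate(["host-a", "host-a", "host-b", "host-c"]):
        result = lac.receive(sample_packet(host), now=t)
        print(f"t={t} {host}: {'pushed ' + result if result else 'no update'}")
```

Two failure modes are handled deliberately: without the distinct-host rule a single compromised or misconfigured host could force a rule onto the network IDS by repeating one report, and without the time window a signature reported once a month would eventually cross the threshold on stale evidence.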
30. A computer system comprising:

an intrusion prevention application for detecting an attack by malicious code on a first computer system;
a host signature extraction application for extracting a malicious code signature from said malicious code, comprising:
    locating a caller's address of said malicious code in a memory of said first computer system; and
    extracting a specific number of bytes backwards from said caller's address;
said host signature extraction application further for creating an extracted malicious code packet including said malicious code signature; and
said host signature extraction application further for sending said extracted malicious code packet from said first computer system to a second computer system.
31. A computer system comprising:

an intrusion prevention application for detecting an attack by malicious code on a first computer system;
a host signature extraction application for creating an extracted malicious code packet including parameters associated with said malicious code, said parameters being selected from the group consisting of:
    a caller's address of said malicious code in a memory of said first computer system,
    a name of a process in which said attack took place,
    ports connected to said process,
    service pack levels,
    operating system information,
    patch level information,
    and combinations thereof; and
said host signature extraction application further for sending said extracted malicious code packet from said first computer system to a second computer system.