Signature extraction system and method

US 7,392,543 B2
Filed: 06/30/2003
Issued: 06/24/2008
Est. Priority Date: 06/30/2003
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method comprising:

detecting an attack by malicious code on a first computer system;

extracting a malicious code signature from said malicious code comprising;

locating a caller'"'"'s address of said malicious code in a memory of said first computer system; and

extracting a specific number of bytes backwards from said caller'"'"'s address;

creating an extracted malicious code packet including said malicious code signature; and

sending said extracted malicious code packet from said first computer system to a second computer system.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

Host computer systems automatically detect malicious code. The host computer systems automatically generate and send malicious code packets of the malicious code to a local analysis center (LAC) computer system. Based on the received malicious code packets, the LAC computer system provides a signature update to a network intrusion detection system. Further, the LAC computer system also automatically sends malicious code signatures of the malicious code to a global analysis center. In this manner, the spread of the malicious code is rapidly detected and prevented.

Citations

31 Claims

1. A method comprising:
- detecting an attack by malicious code on a first computer system;
  
  extracting a malicious code signature from said malicious code comprising;
  
  locating a caller'"'"'s address of said malicious code in a memory of said first computer system; and
  
  extracting a specific number of bytes backwards from said caller'"'"'s address;
  
  creating an extracted malicious code packet including said malicious code signature; and
  
  sending said extracted malicious code packet from said first computer system to a second computer system.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein prior to said sending, said method further comprising determining that said extracted malicious code packet is a new extracted malicious code packet.
  - 3. The method of claim 1 wherein prior to said sending, said method further comprising determining that a maximum number of extracted malicious code packets have not been sent from said first computer system.
  - 4. The method of claim 1 wherein said extracted malicious code packet is sent from said first computer system to said second computer system on a secure channel.
  - 5. The method of claim 1 wherein the specific number of bytes is 32 bytes.

6. A method comprising:
- detecting an attack by malicious code on a first computer system;
  
  creating an extracted malicious code packet including parameters associated with said malicious code, said parameters being selected from the group consisting of a caller'"'"'s address of said malicious code in a memory of said first computer system, a name of a process in which said attack took place, ports connected to said process, service pack levels, operating system information, patch level information, and combinations thereof; and
  
  sending said extracted malicious code packet from said first computer system to a second computer system.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 7. The method of claim 6 wherein prior to said sending, said method further comprising determining, that said extracted malicious code packet is a new extracted malicious code packet.
  - 8. The method of claim 6 wherein prior to said sending, said method further comprising determining that a maximum number of extracted malicious code packets have not been sent from said first computer system.
  - 9. The method of claim 6 wherein said extracted malicious code packet is sent from said first computer system to said second computer system on a secure channel.
  - 10. The method of claim 6 further comprising determining whether said malicious code is sendable.
  - 11. The method of claim 10 wherein upon a determination that said malicious code is sendable, said method further comprising extracting said malicious code from a memory location.
  - 12. The method of claim 11 wherein said extracting comprises copying or cutting said malicious code from said memory location.
  - 13. The method of claim 11 further comprising appending said parameters to said malicious code after said extraction.
  - 14. The method of claim 10 wherein upon a determination that said malicious code is not sendable, said method further comprising extracting a snippet of said malicious code from a memory location.
  - 15. The method of claim 14 wherein said extracting comprises copying or cutting a portion of said malicious code from said memory location.
  - 16. The method of claim 14 further comprising appending said parameters to said snippet after said extraction.
  - 17. The method of claim 14 wherein said extracting a snippet comprises:
    - locating a caller'"'"'s address of said malicious code; and
      
      extracting a specific number of bytes above and below said caller'"'"'s address.
  - 18. The method of claim 17 wherein said extracting a specific number of bytes above and below said caller'"'"'s address comprises extracting 4 KB above said caller'"'"'s address and 4 KB below said caller'"'"'s address.
  - 19. The method of claim 10 wherein said malicious code is sendable if a size of said malicious code is 8 KB or less.

20. A method comprising:
- receiving an extracted malicious code packet from a first computer system with a second computer system, said first computer system being a host computer system and said second computer system being a local analysis center computer system; and
  
  determining whether an attack threshold has been exceeded based upon said extracted malicious code packet, wherein upon a determination that an attack threshold has been exceeded, said method further comprising delivering a signature update comprising a malicious code signature to an intrusion detection system.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The method of claim 20 further comprising determining that a maximum number of signature updates have not been sent prior to said delivering a signature update.
  - 22. The method of claim 20 further comprising creating said signature update.
  - 23. The method of claim 20 wherein said extracted malicious code packet includes a malicious code signature, and wherein upon a determination that said attack threshold has been exceeded, said method further comprising delivering said malicious code signature to a global analysis center.
  - 24. The method of claim 23 further comprising determining that a maximum number of malicious code signatures have not been sent prior to said delivering said malicious code signature.
  - 25. The method of claim 23 further comprising extracting said malicious code signature from said extracted malicious code packet.
  - 26. The method of claim 20 further comprising determining whether said extracted malicious code packet includes a malicious code signature, wherein upon a determination that said extracted malicious code packet does not include a malicious code signature, said method further comprising extracting a malicious code signature from said extracted malicious code packet.
  - 27. The method of claim 20 wherein upon a determination that said attack threshold has been exceeded, said method further comprising delivering said extracted malicious code packet to a global analysis center.
  - 28. The method of claim 27 further comprising determining that a maximum number of extracted malicious code packets have not been sent prior to said delivering said extracted malicious code packet.

29. A computer system comprising:
- a local analysis center signature extraction application for receiving an extracted malicious code packet from a first computer system with a second computer system, said first computer system being a host computer system and said second computer system being a local analysis center computer system; and
  
  said local analysis center signature extraction application further for determining whether an attack threshold has been exceeded based upon said extracted malicious code packet, wherein upon a determination that an attack threshold has been exceeded, said method further comprising delivering a signature update comprising a malicious code signature to an intrusion detection system.

30. A computer system comprising:
- an intrusion prevention application for detecting an attack by malicious code on a first computer system;
  
  a host signature extraction application for extracting a malicious code signature from said malicious code comprising;
  
  locating a caller'"'"'s address of said malicious code in a memory of said first computer system; and
  
  extracting a specific number of bytes backwards from said caller'"'"'s address;
  
  said host signature extraction application further for creating an extracted malicious code packet including said malicious code signature; and
  
  said host signature extraction application further for sending said extracted malicious code packet from said first computer system to a second computer system.

31. A computer system comprising:
- an intrusion prevention application for detecting an attack by malicious code on a first computer system;
  
  a host signature extraction application for creating an extracted malicious code packet including parameters associated with said malicious code, said parameters being selected from the group consisting of a caller'"'"'s address of said malicious code in a memory of said first computer system, a name of a process in which said attack took place, ports connected to said process, service pack levels, operating system information, patch level information, and combinations thereof; and
  
  said host signature extraction application further for sending said extracted malicious code packet from said first computer system to a second computer system.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter
Primary Examiner(s)
Baum; Kristine
Assistant Examiner(s)
Baum; Ronald

Application Number

US10/611,472
Publication Number

US 20050022018A1
Time in Patent Office

1,821 Days
Field of Search

726/26
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Signature extraction system and method

First Claim

2 Assignments

Litigations

1 Petition

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Signature extraction system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links