Detection and blocking of malicious code

US 7,472,418 B1
Filed: 08/18/2003
Issued: 12/30/2008
Est. Priority Date: 08/18/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting inbound traffic on a host computer system;

copying the inbound traffic to an inbound traffic memory area, the copying the inbound traffic generating copied inbound traffic;

releasing the inbound traffic;

intercepting outbound traffic on the host computer system;

buffering the outbound traffic in an outbound traffic memory area, the buffering the outbound traffic generating buffered outbound traffic;

comparing at least a portion of outbound traffic on the host computer system to at least a portion of inbound traffic on the host computer system, wherein the inbound traffic is received on the host computer system from a source external to the host computer system, and wherein the outbound traffic is generated on the host computer system for transmission from the host computer system to a destination external to the host computer system, and further wherein the at least a portion of the outbound traffic is subsequent in time to the at least a portion of the inbound traffic;

determining if malicious code is detected on the host computer system based on the comparing;

when malicious code is detected, providing a notification of the malicious code detection; and

if malicious code is not detected, releasing the buffered outbound traffic.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Inbound and outbound traffic on a computer system are intercepted and compared to determine if the presence of malicious code is indicated. Outbound traffic that is sufficiently similar to recently received inbound traffic is indicative of the presence of malicious code. In some embodiments, if the presence of malicious code is indicated, the user, as well as other individuals or systems, are notified of the detection. In some embodiments, if desired, protective actions are initiated to hinder or block the propagation of the malicious code from the host computer system to other computer systems, as well as to remove or inactivate the malicious code on the host computer system.

49 Citations

View as Search Results

17 Claims

1. A method comprising:
- intercepting inbound traffic on a host computer system;
  
  copying the inbound traffic to an inbound traffic memory area, the copying the inbound traffic generating copied inbound traffic;
  
  releasing the inbound traffic;
  
  intercepting outbound traffic on the host computer system;
  
  buffering the outbound traffic in an outbound traffic memory area, the buffering the outbound traffic generating buffered outbound traffic;
  
  comparing at least a portion of outbound traffic on the host computer system to at least a portion of inbound traffic on the host computer system, wherein the inbound traffic is received on the host computer system from a source external to the host computer system, and wherein the outbound traffic is generated on the host computer system for transmission from the host computer system to a destination external to the host computer system, and further wherein the at least a portion of the outbound traffic is subsequent in time to the at least a portion of the inbound traffic;
  
  determining if malicious code is detected on the host computer system based on the comparing;
  
  when malicious code is detected, providing a notification of the malicious code detection; and
  
  if malicious code is not detected, releasing the buffered outbound traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the comparing is performed using a similarity comparison technique.
  - 3. The method of claim 1, wherein the inbound traffic is received at the host computer system from a source port,and wherein the outbound traffic is for sending to a destination port,and further wherein the source port and the destination port are the same port.
  - 4. The method of claim 1, wherein the inbound traffic is received on the host computer system from a source port,and wherein the outbound traffic is for sending to a destination port,and further wherein the source port and the destination port are different ports.
  - 5. The method of claim 1, further comprising:
    - implementing protective actions.
  - 6. The method of claim 1, wherein the comparing comprises:
    - comparing at least a portion of the copied inbound traffic with at least a portion of the buffered outbound traffic.
  - 7. The method of claim 1, further comprising:
    - prior to the buffering the outbound traffic, if the outbound traffic correlates to a prior name resolution lookup performed on the host computer system, releasing the outbound traffic.
  - 8. The method of claim 1, wherein the inbound traffic is copied to the inbound traffic memory area on a per port basis,and wherein the outbound traffic is buffered to the outbound traffic memory area on a per destination port basis.

9. A method comprising:
- intercepting inbound traffic on a host computer system, wherein the inbound traffic is received on the host computer system from a source external to the host computer system;
  
  copying the inbound traffic to an inbound traffic memory area, the copying the inbound traffic generating copied inbound traffic;
  
  releasing the inbound traffic;
  
  intercepting outbound traffic on the host computer system wherein the outbound traffic is generated on the host computer system for transmission from the host computer system to a destination external to the host computer system;
  
  buffering the outbound traffic in an outbound traffic memory area, the buffering the outbound traffic generating buffered outbound traffic;
  
  comparing at least a portion of the copied inbound traffic with at least a portion of the buffered outbound traffic;
  
  determining if malicious code is detected on the host computer system based on the comparing;
  
  if malicious code is detected, providing a notification of the malicious code detection; and
  
  if malicious code is not detected, releasing the at least a portion of the buffered outbound traffic.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, wherein the comparing is performed using a similarity comparison technique.
  - 11. The method of claim 9, wherein the at least a portion of the buffered outbound traffic is subsequent in time to the at least a portion of the copied inbound traffic.
  - 12. The method of claim 9, further comprising:
    - prior to buffering the outbound traffic, if the outbound traffic correlates to a prior name resolution lookup performed on the host computer system, releasing the outbound traffic.
  - 13. The method of claim 9, wherein the inbound traffic is copied to the inbound traffic memory area on a per port basis,and wherein the outbound traffic is buffered in the outbound traffic memory area on a per destination port basis.
  - 14. The method of claim 9, further comprising:
    - wherein if malicious code is detected, implementing protective actions.

15. A computer-program product comprising a computer readable medium configured to store computer program code comprising:
- a detection application for intercepting inbound traffic on a host computer system;
  
  the detection application further for copying the inbound traffic to an inbound traffic memory area, the copying the inbound traffic generating copied inbound traffic;
  
  the detection application further for releasing the inbound traffic;
  
  the detection application further for intercepting outbound traffic on the host computer system;
  
  the detection application further for buffering the outbound traffic in an outbound traffic memory area, the buffering the outbound traffic generating buffered outbound traffic;
  
  the detection application further for comparing at least a portion of outbound traffic on the host computer system to at least a portion of inbound traffic on the host computer system, wherein the inbound traffic is received on the host computer system from a source external to the host computer system, and wherein the outbound traffic is generated on the host computer system for transmission from the host computer system to a destination external to the host computer system, and further wherein the at least a portion of the outbound traffic is subsequent in time to the at least a portion of the inbound traffic;
  
  the detection application further for determining if malicious code is detected on the host computer system based on the comparing;
  
  when malicious code is detected, the detection application further for providing a notification of the malicious code detection; and
  
  when malicious code is not detected, the detection application further for releasing the buffered outbound traffic.
- View Dependent Claims (16, 17)
- - 16. The computer-program product of claim 15, the computer readable medium configured to store computer program code further comprising:
    - wherein the comparing is performed using a similarity comparison technique.
  - 17. The computer-program product of claim 15, the computer readable medium configured to store computer program code further comprising:
    - wherein if malicious code is detected, the detection application further for implementing protective actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E., McCorkendale, Bruce
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Khoshnoodi; Nadia

Application Number

US10/643,564
Time in Patent Office

1,961 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1425   Traffic logging, e.g. anoma...

Detection and blocking of malicious code

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and blocking of malicious code

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links