Detection and blocking of malicious code
Abstract
Inbound and outbound traffic on a computer system are intercepted and compared to determine whether the presence of malicious code is indicated. Outbound traffic that is sufficiently similar to recently received inbound traffic indicates the presence of malicious code, such as self-propagating code that re-sends the payload that infected the host. In some embodiments, when malicious code is indicated, the user, and optionally other individuals or systems, is notified of the detection. In some embodiments, protective actions are also initiated to hinder or block propagation of the malicious code from the host computer system to other computer systems, and to remove or inactivate the malicious code on the host computer system.
49 Citations
17 Claims
1. A method comprising:
intercepting inbound traffic on a host computer system;
copying the inbound traffic to an inbound traffic memory area, the copying the inbound traffic generating copied inbound traffic;
releasing the inbound traffic;
intercepting outbound traffic on the host computer system;
buffering the outbound traffic in an outbound traffic memory area, the buffering the outbound traffic generating buffered outbound traffic;
comparing at least a portion of outbound traffic on the host computer system to at least a portion of inbound traffic on the host computer system, wherein the inbound traffic is received on the host computer system from a source external to the host computer system, and wherein the outbound traffic is generated on the host computer system for transmission from the host computer system to a destination external to the host computer system, and further wherein the at least a portion of the outbound traffic is subsequent in time to the at least a portion of the inbound traffic;
determining if malicious code is detected on the host computer system based on the comparing;
when malicious code is detected, providing a notification of the malicious code detection; and
if malicious code is not detected, releasing the buffered outbound traffic.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A method comprising:
intercepting inbound traffic on a host computer system, wherein the inbound traffic is received on the host computer system from a source external to the host computer system;
copying the inbound traffic to an inbound traffic memory area, the copying the inbound traffic generating copied inbound traffic;
releasing the inbound traffic;
intercepting outbound traffic on the host computer system wherein the outbound traffic is generated on the host computer system for transmission from the host computer system to a destination external to the host computer system;
buffering the outbound traffic in an outbound traffic memory area, the buffering the outbound traffic generating buffered outbound traffic;
comparing at least a portion of the copied inbound traffic with at least a portion of the buffered outbound traffic;
determining if malicious code is detected on the host computer system based on the comparing;
if malicious code is detected, providing a notification of the malicious code detection; and
if malicious code is not detected, releasing the at least a portion of the buffered outbound traffic.
Dependent claims: 10, 11, 12, 13, 14

15. A computer-program product comprising a computer readable medium configured to store computer program code comprising:
a detection application for intercepting inbound traffic on a host computer system;
the detection application further for copying the inbound traffic to an inbound traffic memory area, the copying the inbound traffic generating copied inbound traffic;
the detection application further for releasing the inbound traffic;
the detection application further for intercepting outbound traffic on the host computer system;
the detection application further for buffering the outbound traffic in an outbound traffic memory area, the buffering the outbound traffic generating buffered outbound traffic;
the detection application further for comparing at least a portion of outbound traffic on the host computer system to at least a portion of inbound traffic on the host computer system, wherein the inbound traffic is received on the host computer system from a source external to the host computer system, and wherein the outbound traffic is generated on the host computer system for transmission from the host computer system to a destination external to the host computer system, and further wherein the at least a portion of the outbound traffic is subsequent in time to the at least a portion of the inbound traffic;
the detection application further for determining if malicious code is detected on the host computer system based on the comparing;
when malicious code is detected, the detection application further for providing a notification of the malicious code detection; and
when malicious code is not detected, the detection application further for releasing the buffered outbound traffic.
Dependent claims: 16, 17
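As an added example (not code from the patent or its assignee), the following Python sketch implements the comparison that the abstract and the independent claims describe: each inbound payload is copied (here as a set of byte shingles) and released unchanged, each outbound payload is held, and an outbound payload whose 8-byte shingles mostly recur in inbound traffic received within the last few minutes is kept held and reported, while anything else is released. The shingle length, the 0.6 similarity threshold, the 64-byte minimum payload length, the five-minute expiry window and the sample traffic are all assumptions of this example, not values taken from the patent.

```python
"""Added example (not the patent's own code): a host-side detector that flags
outbound traffic which largely repeats recently received inbound traffic."""
import time
from collections import deque
from typing import Deque, List, Optional, Set, Tuple

NGRAM = 8               # byte-shingle length used for similarity (assumed value)
MIN_LEN = 64            # shorter payloads match by chance too easily (assumed value)
THRESHOLD = 0.6         # share of outbound shingles that must recur from inbound (assumed)
WINDOW_SECONDS = 300.0  # how long copied inbound traffic stays comparable (assumed)


def shingles(data: bytes, n: int = NGRAM) -> Set[bytes]:
    """Every n-byte window of the payload: an order-insensitive fingerprint."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def containment(outbound: bytes, inbound_shingles: Set[bytes]) -> float:
    """Fraction of the outbound payload's shingles that also occur in recent inbound."""
    out = shingles(outbound)
    if not out:
        return 0.0
    return len(out & inbound_shingles) / len(out)


class EchoDetector:
    def __init__(self, threshold: float = THRESHOLD, window: float = WINDOW_SECONDS,
                 clock=time.monotonic) -> None:
        self.threshold = threshold
        self.window = window
        self.clock = clock
        # "inbound traffic memory area": (arrival time, shingle set) per copied payload
        self.inbound: Deque[Tuple[float, Set[bytes]]] = deque()
        # "outbound traffic memory area": payloads held back because they were flagged
        self.held: List[Tuple[str, bytes]] = []
        self.alerts: List[dict] = []

    def _expire(self) -> None:
        now = self.clock()
        while self.inbound and now - self.inbound[0][0] > self.window:
            self.inbound.popleft()

    def on_inbound(self, data: bytes) -> bytes:
        """Copy what is needed for later comparison, then release the original unchanged."""
        self._expire()
        if len(data) >= MIN_LEN:
            self.inbound.append((self.clock(), shingles(data)))
        return data

    def on_outbound(self, data: bytes, dst: str) -> Tuple[str, Optional[bytes]]:
        """Hold the outbound payload, compare it with the copied inbound traffic, then
        either release it ("released", data) or keep it held and alert ("blocked", None)."""
        self._expire()
        if len(data) < MIN_LEN:
            return ("released", data)
        recent: Set[bytes] = set()
        for _, s in self.inbound:
            recent |= s
        score = containment(data, recent)
        if score >= self.threshold:
            self.held.append((dst, data))
            self.alerts.append({"dst": dst, "score": round(score, 3), "length": len(data)})
            return ("blocked", None)
        return ("released", data)


# Constructed sample traffic for the demo (not taken from the patent).
BLOB = bytes((i * 73 + 29) & 0xFF for i in range(160))   # non-repeating filler bytes
INBOUND_EXPLOIT = b"GET /index.html?" + BLOB + b" HTTP/1.0\r\n\r\n"
OUTBOUND_ECHO = b"GET /index.html?" + BLOB + b" HTTP/1.0\r\nHost: 10.0.0.7\r\n\r\n"
OUTBOUND_NORMAL = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 64\r\n\r\n"
                   b"<html><body><p>Welcome to the intranet portal.</p></body></html>")


def demo() -> dict:
    """Run the sample payloads through one detector and return the verdicts."""
    det = EchoDetector()
    det.on_inbound(INBOUND_EXPLOIT)
    normal, _ = det.on_outbound(OUTBOUND_NORMAL, "10.0.0.5")
    echo, _ = det.on_outbound(OUTBOUND_ECHO, "10.0.0.7")
    return {"normal": normal, "echo": echo, "alerts": len(det.alerts)}


if __name__ == "__main__":
    print(demo())
```

Containment (the share of the outbound payload's shingles that recur in inbound traffic) is used rather than a symmetric similarity because a propagating payload is usually wrapped in a larger outbound message with new headers; the added Host header in the sample is the typical case. The obvious false-positive source is any legitimate relay (a proxy, a mail forwarder, a file-sharing client) that re-sends what it received, which is why the threshold, the destination and the time window matter in practice, and why the claims hold the outbound traffic for a decision rather than dropping it outright.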