Methods and apparatus providing recovery from computer and network security attacks

US 7,607,041 B2
Filed: 05/01/2006
Issued: 10/20/2009
Est. Priority Date: 12/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating a secondary stack containing execution information of at least one function operating on a computer system by inserting a notifying identifier in the at least one function, where the notifying identifier provides execution information associated with the at least one function to the secondary stack;

receiving execution information from the notifying identifier that the at least one function has begun execution at an entry point in the at least one function, where receiving execution information comprises capturing the execution information from the at least one function and storing the execution information from the at least one function, where the execution information includes a state of at least one register associated with the computer system, a hash of a current state of a primary stack, or a return address associated with the at least one function providing thenotifying identifier;

and, after the secondary stack has been created;

receiving an attack notification of an attack on the computer system;

determining a safe recovery point in the secondary stack at which a recovery from the attack is possible; and

recovering an exploited process using information located at the safe recovery point in the secondary stack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system creates a secondary stack containing execution information of at least one function operating on the computer system, and receives an attack notification of an attack on the computer system. The system determines a point in the secondary stack at which a recovery from the attack is possible. In one embodiment, the system then generates a signature of the attack based on the execution information contained within the secondary stack.

94 Citations

View as Search Results

14 Claims

1. A method, comprising:
- creating a secondary stack containing execution information of at least one function operating on a computer system by inserting a notifying identifier in the at least one function, where the notifying identifier provides execution information associated with the at least one function to the secondary stack;
  
  receiving execution information from the notifying identifier that the at least one function has begun execution at an entry point in the at least one function, where receiving execution information comprises capturing the execution information from the at least one function and storing the execution information from the at least one function, where the execution information includes a state of at least one register associated with the computer system, a hash of a current state of a primary stack, or a return address associated with the at least one function providing thenotifying identifier;
  
  and, after the secondary stack has been created;
  
  receiving an attack notification of an attack on the computer system;
  
  determining a safe recovery point in the secondary stack at which a recovery from the attack is possible; and
  
  recovering an exploited process using information located at the safe recovery point in the secondary stack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 12)
- - 2. The method of claim 1 comprising:
    - generating a signature of the attack based on the execution information contained within the secondary stack.
  - 3. The method of claim 1 where receiving execution information from the notifying identifier that the at least one function has begun execution at an entry point in the at least one function comprises:
    - pushing the execution information onto the secondary stack.
  - 4. The method of claim 1 wherein creating a secondary stack containing execution information of at least one function operating on the computer system comprises:
    - receiving function notification that the at least one function has completed execution at an exit point in the at least one function; and
      
      popping the execution information from the secondary stack, the execution information pushed onto the secondary stack upon initiating execution of the at least one function.
  - 5. The method of claim 1 wherein determining a point in the secondary stack at which a recovery from the attack is possible comprises:
    - traversing the secondary stack to retrieve the execution information contained within the secondary stack.
  - 6. The method of claim 5 wherein traversing the secondary stack to retrieve the execution information contained within the secondary stack comprises:
    - identifying the secondary stack contains corrupted function information; and
      
      determining a safe entry point in the secondary stack at which to begin execution of a second function, the second function not associated with the corrupted information contained within the secondary stack.
  - 7. The method of claim 5 wherein traversing the secondary stack to retrieve the execution information contained within the secondary stack comprises:
    - utilizing the execution information to determine a safe entry point in the secondary stack at which to begin execution of the at least one function.
  - 8. The method of claim 1 wherein generating a signature of the attack based on the execution information contained within the secondary stack comprises:
    - identifying the attack occurred during execution of the at least one function;
      
      obtaining execution information to be used to generate the signature; and
      
      generating a signature of the attack, the signature of the attack identifying the at least one function as the origin of the attack.
  - 12. The computerized device of claim 1 wherein when the computerized device performs the operation of determining a point in the secondary stack at which a recovery from the attack is possible, the computerized device is capable of performing the operation of:
    - traversing the secondary stack to retrieve the execution information contained within the secondary stack.

9. A computerized device comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  wherein the memory is encoded with an exploited process recovery application that when executed on the processor is capable of recovering an exploited process on the computerized device by performing the operations of;
  
  creating a secondary stack containing execution information of at least one function operating on the computer system by inserting a notifying identifier in the at least one function, where the notifying identifier provides execution information associated with the at least one function to the secondary stack;
  
  receiving execution information from the notifying identifier that the at least one function has begun execution at an entry point in the at least one function, where receiving execution information comprises capturing the execution information from the at least one function and storing the execution information from the at least one function, where the execution information includes a state of at least one register associated with the computer system, a hash of a current state of a primary stack, or a return address associated with the at least one function providing the notifying identifier; and
  
  , after the secondary stack has been created;
  
  the computer system;
  
  receiving an attack notification of an attack on the computer system;
  
  determining a safe recovery point in the secondary stack at which a recovery from the attack is possible; and
  
  recovering an exploited process using information located at the safe recovery point in the secondary stack.
- View Dependent Claims (10, 11)
- - 10. The computerized device of claim 9 wherein when the computerized device performs the operation of receiving execution information from the notifying identifier that the at least one function has begun execution at an entry point in the at least one function, the computerized device is capable of performing the operation of:
    - pushing the execution information onto the secondary stack.
  - 11. The computerized device of claim 9 wherein when the computerized device performs the operation of creating a secondary stack containing execution information of at least one function operating on the computer system, the computerized device is capable of performing the operations of:
    - receiving function notification that the at least one function has completed execution at an exit point in the at least one function; and
      
      popping the execution information from the secondary stack, the execution information pushed onto the secondary stack upon initiating execution of the at least one function.

13. A computer readable medium encoded with computer programming logic that when executed on a process in a computerized device recovers an exploited process, the medium comprising:
- instructions for creating a secondary stack containing execution information of at least one function operating on the computer system;
  
  instructions for receiving an attack notification of an attack on the computer system;
  
  instructions for determining a point in the secondary stack at which a recovery from the attack is possible.

14. A computerized device comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  wherein the memory is encoded with a exploited process recovery application that when executed on the processor configures the computerized device with a means for recovering an exploited process, the means including;
  
  means for creating a secondary stack containing execution information of at least one function operating on the computer system by inserting a notifying identifier in the at least one function, where the notifying identifier provides execution information associated with the at least one function to the secondary stack;
  
  receiving execution information from the notifying identifier that the at least one function has begun execution at an entry point in the at least one function, where receiving execution information comprises capturing the execution information from the at least one function and storing the execution information from the at least one function, where the execution information includes a state of at least one register associated with the computer system, a hash of a current state of a primary stack, or a return address associated with the at least one function providing the notifying identifier;
  
  means for receiving an attack notification of an attack on the computer system after the secondary stack has been created;
  
  means for determining a safe recovery point in the secondary stack at which a recovery from the attack is possible; and
  
  means for recovering an exploited process using information located at the safe recovery point in the secondary stack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ruchansky, Boris, Zawadowskiy, Andrew, Kraemer, Jeffrey A.
Primary Examiner(s)
Baderman; Scott T
Assistant Examiner(s)
PATEL, JIGAR P

Application Number

US11/414,810
Publication Number

US 20070174912A1
Time in Patent Office

1,268 Days
Field of Search

714/15
US Class Current

714/15
CPC Class Codes

G06F 11/3466 Performance evaluation by t...

G06F 21/552 involving long-term monitor...

Methods and apparatus providing recovery from computer and network security attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

94 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus providing recovery from computer and network security attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links