Methods and apparatus providing recovery from computer and network security attacks
Abstract
A system creates a secondary stack containing execution information of at least one function operating on the computer system, and receives an attack notification of an attack on the computer system. The system determines a point in the secondary stack at which a recovery from the attack is possible. In one embodiment, the system then generates a signature of the attack based on the execution information contained within the secondary stack.
94 Citations
14 Claims
1. A method, comprising:
creating a secondary stack containing execution information of at least one function operating on a computer system by inserting a notifying identifier in the at least one function, where the notifying identifier provides execution information associated with the at least one function to the secondary stack;
receiving execution information from the notifying identifier that the at least one function has begun execution at an entry point in the at least one function, where receiving execution information comprises capturing the execution information from the at least one function and storing the execution information from the at least one function, where the execution information includes a state of at least one register associated with the computer system, a hash of a current state of a primary stack, or a return address associated with the at least one function providing the notifying identifier;
and, after the secondary stack has been created:
receiving an attack notification of an attack on the computer system;
determining a safe recovery point in the secondary stack at which a recovery from the attack is possible; and
recovering an exploited process using information located at the safe recovery point in the secondary stack.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 12)
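To make the scheme in the abstract and claim 1 concrete, here is an added, constructed model in C (not the patent's own implementation). The primary stack is modelled as a byte array that grows downward; each instrumented function entry (the "notifying identifier") pushes a record onto a secondary stack holding simulated register contents, a simulated return address and an FNV-1a hash of the primary stack as it looked on entry. When an attack notification arrives, the safe recovery point is the most recent record whose primary-stack snapshot still hashes to the stored value, and recovery restores the primary stack pointer and registers from that record. The register layout, the hash choice, the function names and the 24-byte overrun in `run_scenario` are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a primary/secondary stack pair; not the patent's code. */
#define PRIMARY_SIZE 256
#define MAX_RECORDS 16

struct regs { uint64_t r0, r1; };   /* assumed: two general-purpose registers */

struct record {                      /* one entry pushed by a notifying identifier */
    const char *func;
    size_t sp_at_entry;              /* primary stack pointer when the function began */
    uint64_t primary_hash;           /* hash of primary[sp_at_entry .. PRIMARY_SIZE) */
    struct regs saved_regs;
    uintptr_t return_address;        /* simulated, constructed value */
};

static uint8_t primary[PRIMARY_SIZE];           /* primary stack, grows downward */
static size_t primary_sp = PRIMARY_SIZE;
static struct record secondary[MAX_RECORDS];    /* secondary stack */
static size_t secondary_top = 0;

/* FNV-1a over the in-use part of the primary stack (assumed hash choice). */
static uint64_t hash_primary(size_t sp)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = sp; i < PRIMARY_SIZE; i++) {
        h ^= primary[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Entry hook: capture and store the execution information of the function. */
static void notify_entry(const char *func, struct regs r, uintptr_t ret)
{
    if (secondary_top >= MAX_RECORDS) return;
    struct record *rec = &secondary[secondary_top++];
    rec->func = func;
    rec->sp_at_entry = primary_sp;
    rec->primary_hash = hash_primary(primary_sp);
    rec->saved_regs = r;
    rec->return_address = ret;
}

static void notify_exit(void) { if (secondary_top > 0) secondary_top--; }

/* Simulate a callee reserving (and later releasing) locals on the primary stack. */
static uint8_t *alloc_locals(size_t n, uint8_t fill)
{
    primary_sp -= n;
    memset(&primary[primary_sp], fill, n);
    return &primary[primary_sp];
}
static void free_locals(size_t n) { primary_sp += n; }

/* Most recent record whose snapshot of the primary stack is still intact; -1 if none. */
int find_safe_recovery_point(void)
{
    for (int i = (int)secondary_top - 1; i >= 0; i--)
        if (hash_primary(secondary[i].sp_at_entry) == secondary[i].primary_hash)
            return i;
    return -1;
}

/* Restore the state recorded at the safe point and discard the frames above it. */
int recover(int idx, struct regs *out)
{
    if (idx < 0 || (size_t)idx >= secondary_top) return 0;
    primary_sp = secondary[idx].sp_at_entry;
    *out = secondary[idx].saved_regs;
    secondary_top = (size_t)idx;
    return 1;
}

size_t primary_sp_now(void) { return primary_sp; }
size_t secondary_depth(void) { return secondary_top; }

/* Scenario: main_loop -> parse_request -> copy_field; copy_field overruns its
   8-byte buffer by 16 bytes into parse_request's locals. Returns the index of
   the record recovery resumed from, or -1. */
int run_scenario(struct regs *restored)
{
    memset(primary, 0, sizeof primary);
    primary_sp = PRIMARY_SIZE;
    secondary_top = 0;

    notify_entry("main_loop", (struct regs){1, 1}, 0x1000);
    alloc_locals(16, 0x11);
    notify_entry("log_line", (struct regs){9, 9}, 0x0900);   /* benign call */
    alloc_locals(8, 0x99);
    free_locals(8);
    notify_exit();
    notify_entry("parse_request", (struct regs){2, 2}, 0x2000);
    alloc_locals(32, 0x22);
    notify_entry("copy_field", (struct regs){3, 3}, 0x3000);
    uint8_t *buf = alloc_locals(8, 0x33);
    memset(buf, 0x41, 24);          /* simulated overflow within the model array */

    /* attack notification arrives: locate a safe point and recover */
    int idx = find_safe_recovery_point();
    return recover(idx, restored) ? idx : -1;
}

int main(void)
{
    struct regs r;
    int idx = run_scenario(&r);
    if (idx < 0) { puts("no safe recovery point"); return 1; }
    printf("recovered at record %d, sp=%zu, r0=%llu\n",
           idx, primary_sp_now(), (unsigned long long)r.r0);
    return 0;
}
```

In the scenario the `copy_field` record fails its hash check because the overrun changed bytes inside its snapshot, while the `parse_request` record (whose snapshot covers only `main_loop`'s locals) still verifies, so recovery resumes from the entry state of `parse_request`. A record whose hash no longer matches is exactly the evidence the abstract's signature-generation step could draw on.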
9. A computerized device comprising:
a memory; a processor; a communications interface; an interconnection mechanism coupling the memory, the processor and the communications interface; wherein the memory is encoded with an exploited process recovery application that when executed on the processor is capable of recovering an exploited process on the computerized device by performing the operations of:
creating a secondary stack containing execution information of at least one function operating on the computer system by inserting a notifying identifier in the at least one function, where the notifying identifier provides execution information associated with the at least one function to the secondary stack;
receiving execution information from the notifying identifier that the at least one function has begun execution at an entry point in the at least one function, where receiving execution information comprises capturing the execution information from the at least one function and storing the execution information from the at least one function, where the execution information includes a state of at least one register associated with the computer system, a hash of a current state of a primary stack, or a return address associated with the at least one function providing the notifying identifier;
and, after the secondary stack has been created:
receiving an attack notification of an attack on the computer system;
determining a safe recovery point in the secondary stack at which a recovery from the attack is possible; and
recovering an exploited process using information located at the safe recovery point in the secondary stack.
(Dependent claims: 10, 11)
13. A computer readable medium encoded with computer programming logic that when executed on a process in a computerized device recovers an exploited process, the medium comprising:
instructions for creating a secondary stack containing execution information of at least one function operating on the computer system;
instructions for receiving an attack notification of an attack on the computer system;
instructions for determining a point in the secondary stack at which a recovery from the attack is possible.
14. A computerized device comprising:
a memory; a processor; a communications interface; an interconnection mechanism coupling the memory, the processor and the communications interface; wherein the memory is encoded with an exploited process recovery application that when executed on the processor configures the computerized device with a means for recovering an exploited process, the means including:
means for creating a secondary stack containing execution information of at least one function operating on the computer system by inserting a notifying identifier in the at least one function, where the notifying identifier provides execution information associated with the at least one function to the secondary stack;
receiving execution information from the notifying identifier that the at least one function has begun execution at an entry point in the at least one function, where receiving execution information comprises capturing the execution information from the at least one function and storing the execution information from the at least one function, where the execution information includes a state of at least one register associated with the computer system, a hash of a current state of a primary stack, or a return address associated with the at least one function providing the notifying identifier;
means for receiving an attack notification of an attack on the computer system after the secondary stack has been created;
means for determining a safe recovery point in the secondary stack at which a recovery from the attack is possible; and
means for recovering an exploited process using information located at the safe recovery point in the secondary stack.