Method and system for detecting blocking and removing spyware

US 7,636,943 B2
Filed: 06/13/2005
Issued: 12/22/2009
Est. Priority Date: 06/13/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting spyware activity in a system including a user'"'"'s computer connected to gateway server via a local area network (LAN), the method comprising:

monitoring, by the gateway server connected to the user'"'"'s computer via the LAN, outgoing communication data sent from the user'"'"'s computer to the Internet via the gateway server;

searching, by the gateway server for at least one bait keyword within said communication data; and

indicating, by the gateway server, spyware activity in the user'"'"'s computer by presence of at least one of said bait keyword within said communication data; and

in response to said indicated spyware activity, automatically blocking, by the gateway server, said outgoing communication data by preventing a forwarding of said outgoing data sent by spyware of the indicated activity to its destination.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, the present invention is directed to a method for detecting spyware activity, the method comprises the steps of: monitoring outgoing communication data sent from a user'"'"'s computer; searching for predefined keywords within the communication data; indicating spyware activity in the user'"'"'s computer by presence of at least one of the predefined keywords within the communication data, the keywords are selected from a group comprising: a signature of the spyware, personal information of the user, an addressee to where the communication data is sent. The method may further comprise: upon detecting a spyware activity in the user'"'"'s computer, blocking communication from the computer. The method may further comprise removing the spyware. The blocking can be carried out at the user'"'"'s computer, at the gateway to which the user'"'"'s computer is connected, etc.

Citations

18 Claims

1. A method for detecting spyware activity in a system including a user'"'"'s computer connected to gateway server via a local area network (LAN), the method comprising:
- monitoring, by the gateway server connected to the user'"'"'s computer via the LAN, outgoing communication data sent from the user'"'"'s computer to the Internet via the gateway server;
  
  searching, by the gateway server for at least one bait keyword within said communication data; and
  
  indicating, by the gateway server, spyware activity in the user'"'"'s computer by presence of at least one of said bait keyword within said communication data; and
  
  in response to said indicated spyware activity, automatically blocking, by the gateway server, said outgoing communication data by preventing a forwarding of said outgoing data sent by spyware of the indicated activity to its destination.
- View Dependent Claims (2, 3, 4)
- - 2. A method according to claim 1, further comprising the step of removing said spyware from said user'"'"'s computer.
  - 3. The system of claim 1 wherein the keyword searching includes searching for at least one predefined keyword.
  - 4. The method of claim 1 wherein:
    - i) the keyword searching by the gateway server includes searching for a presence of at least one internal IP address; and
      
      ii) the blocking is done in accordance with the detecting, by the gateway server, of the presence of the at least one internal IP address.

5. A system for detecting spyware activity, the system comprising:
- means for monitoring outgoing communication data sent from a user'"'"'s computer to the Internet via a gateway server, said monitoring means being located at said gateway server;
  
  means for searching at least one bait keyword within said communication data;
  
  means for indicating spyware activity in said user'"'"'s computer by presence of at least one of said bait keyword within said communication data, andat least one of;
  
  i) blocking means for blocking communication from said computer upon detecting a spyware activity in said user'"'"'s computer by preventing forwarding of said communication data to a destination thereof andii) removing means for removing said spyware upon detecting said spyware activity in said user'"'"'s computer.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. A system according to claim 5, wherein said means for blocking is operative to prevent forwarding data sent from said spyware to a destination thereof.
  - 7. The system of claim 5 wherein the system comprises the blocking means.
  - 8. The system of claim 5 wherein the system comprises the removing means.
  - 9. The system of claim 5 wherein said means for searching is configured to search for at least one predefined keyword.
  - 10. The system of claim 5 wherein said means for searching is configured to search for at least one internal IP address.

11. A method for detecting spyware activity in a system including a user'"'"'s computer connected to a gateway sewer via a local area network (LAN), the method comprising:
- monitoring, by the gateway server, ongoing communication data sent from the user'"'"'s computer to the Internet via the gateway server;
  
  searching, by the gateway server for at least one bait keyword within said communication data; and
  
  in response to a presence of at least one said bait keyword within said communication data as determined by said searching, automatically removing spyware by the gateway server from the user'"'"'s computer.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 wherein the keyword searching includes searching for at least one predefined keyword.
  - 13. The method of claim 11 wherein:
    - i) the keyword searching by the gateway server includes searching for a presence of at least one internal IP address; and
      
      ii) the spyware removing is done in accordance with the detecting, by the gateway server, of the presence of the at least one internal IP address.
  - 14. A method according to claim 11, wherein said removing said spyware is carried out by the steps of:
    - identifying the spyware;
      
      deleting the processes of said spyware; and
      
      removing registry entries used by said spyware.
  - 15. A method according to claim 14, wherein said removing of said spyware further comprises:
    - removing the files of said spyware fromthe user'"'"'s computer.

16. A method for detecting spyware activity in a system including a user'"'"'s computer connected to gateway server via a local area network (LAN), the method comprising:
- monitoring, by the gateway server connected to the user'"'"'s computer via the LAN, outgoing communication data sent from the user'"'"'s computer to the Internet via the gateway server;
  
  searching, by the gateway server for at least one keyword, other than a resource identifier, within a packet header identifier field of said communication data; and
  
  indicating, by the gateway server, spyware activity in the user'"'"'s computer by presence of at least one of said keyword within said packet header identifier field of said communication data; and
  
  in response to said indicated spyware activity, automatically blocking, by the gateway server, said outgoing communication data by preventing a forwarding of said outgoing data sent by spyware of the indicated activity to its destination.

17. A system for detecting spyware activity, the system comprising:
- means for monitoring outgoing communication data sent from a user s computer to the Internet via a gateway server, said monitoring means being located at said gateway server;
  
  means for searching at least one keyword, other than a resource identifier, within a packet header identifier field of said communication data;
  
  means for indicating spyware activity in said user'"'"'s computer by presence of at least one of said keyword within saidpacket header identifier field of said communication data, and at least one of;
  
  i) blocking means for blocking communication from said computer upon detecting a spyware activity in said user'"'"'s computer by preventing forwarding of said communication data to a destination thereof andii) removing means for removing said spyware upon detecting said spyware activity in said user'"'"'s computer.

18. A method for detecting spyware activity in a system including a user'"'"'s computer connected to a gateway server via a local area network (LAN), the method comprising:
- monitoring, by the gateway server, ongoing communication data sent from the user'"'"'s computer to the Internet via the gateway server;
  
  searching, by the gateway server for at least one keyword, other than a resource identifier, within a packet header identifier field of said communication data; and
  
  in response to a presence of at least one said keyword within said packet header identifier field of said communication data as determined by said searching, automatically removing spyware by the gateway server from the user'"'"'s computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SafeNet Data Security (Israel) Ltd. (Thales SA)
Original Assignee
Aladdin Knowledge Systems Limited (Thales SA)
Inventors
Gruper, Shimon, Margalit, Yanki, Margalit, Dany
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US11/150,172
Publication Number

US 20060282890A1
Time in Patent Office

1,653 Days
Field of Search

726/23, 726/24, 726/25, 726/22
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Method and system for detecting blocking and removing spyware

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting blocking and removing spyware

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links