Using behavior blocking mobility tokens to facilitate distributed worm detection

US 7,690,034 B1
Filed: 09/10/2004
Issued: 03/30/2010
Est. Priority Date: 09/10/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method for tracking movement of suspicious files within a network, the method comprising the steps of:

detecting at a source computer a process on the source computer writing a file to a folder at a target computer;

determining at the source computer a suspicion level associated with the process;

writing by the source computer a first behavior blocking mobility token containing at least the suspicion level associated with the process to the same folder at the target computer;

subsequent to writing the file and the first behavior blocking mobility token to the same folder at the target computer, determining by the source computer whether the process comprises malicious code; and

writing by the source computer a second behavior blocking mobility token to the target computer, the second behavior blocking mobility token informing the target computer whether the process that wrote the file comprises malicious code.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Behavior blocking mobility token managers track movement of suspicious files within a network. A behavior blocking mobility token manager on a source computer detects an attempt by a process on the source computer to write a file to a target computer. The behavior blocking mobility token manager determines a suspicion level associated with the process, and writes a behavior blocking mobility token containing at least the suspicion level associated with the process to the target computer. A behavior blocking mobility token manager on the target computer detects that a behavior blocking mobility token is being written to the target computer. The behavior blocking mobility token manager reads the behavior blocking mobility token, and determines a suspicion level of the file associated with the behavior blocking mobility token, responsive to contents of the behavior blocking mobility token.

126 Citations

34 Claims

1. A computer implemented method for tracking movement of suspicious files within a network, the method comprising the steps of:
- detecting at a source computer a process on the source computer writing a file to a folder at a target computer;
  
  determining at the source computer a suspicion level associated with the process;
  
  writing by the source computer a first behavior blocking mobility token containing at least the suspicion level associated with the process to the same folder at the target computer;
  
  subsequent to writing the file and the first behavior blocking mobility token to the same folder at the target computer, determining by the source computer whether the process comprises malicious code; and
  
  writing by the source computer a second behavior blocking mobility token to the target computer, the second behavior blocking mobility token informing the target computer whether the process that wrote the file comprises malicious code.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein:
    - the first behavior blocking mobility token contains at least one datum concerning the source computer from a group of data consisting of;
      
      an IP address;
      
      a computer name; and
      
      a primary domain controller name.
  - 3. The method of claim 1 wherein:
    - the first behavior blocking mobility token contains at least one datum concerning the process from a group of data consisting of;
      
      a name;
      
      security information;
      
      additional associated suspiciousness information;
      
      an installation time;
      
      an installation source;
      
      data contained in a behavior blocking mobility token associated with the process;
      
      a digital signature;
      
      a version number;
      
      a last modification date; and
      
      a last modification time.
  - 4. The method of claim 1 further comprising:
    - writing at least one instruction directed to the target computer in the first behavior blocking mobility token.
  - 5. The method of claim 1 further comprising:
    - writing at least one rule directed to the target computer in the first behavior blocking mobility token.
  - 6. The method of claim 1 wherein the second behavior blocking mobility token is written to the target computer through a named pipe.

7. A computer implemented method for tracking movement of suspicious files within a network, the method comprising the steps of:
- detecting a file being written to a folder at a target computer by a source computer;
  
  detecting that a first behavior blocking mobility token associated with the file is being written to the same folder at the target computer by the source computer;
  
  reading the first behavior blocking mobility token;
  
  determining a suspicion level of the file associated with the first behavior blocking mobility token, responsive to contents of the behavior blocking mobility token; and
  
  subsequent to detecting the file and the first behavior blocking mobility token being written to the same folder at the target computer, detecting a second behavior blocking mobility token being written to the target computer, the second behavior blocking mobility token indicating whether the file was written to the target computer by malicious code on the source computer, wherein the source computer determines whether the file was written to the target computer by malicious code and writes the second behavior blocking mobility token to the target computer.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The method of claim 7 further comprising:
    - reading at least one instruction from the source computer in the first behavior blocking mobility token; and
      
      executing the at least one instruction.
  - 9. The method of claim 7 further comprising:
    - reading at least one rule from the source computer in the first behavior blocking mobility token; and
      
      processing the file associated with the first behavior blocking mobility token responsive to the at least one rule.
  - 10. The method of claim 7 further comprising:
    - processing the file associated with the first behavior blocking mobility token responsive to at least one rule originating at the target computer.
  - 11. The method of claim 7 further comprising:
    - in response to at least the suspicion level, treating the file associated with the first behavior blocking mobility token as being suspicious.
  - 12. The method of claim 7 further comprising:
    - in response to at least the suspicion level, rejecting the file associated with the first behavior blocking mobility token.
  - 13. The method of claim 7 further comprising:
    - responsive to the second behavior mobility token indicating that the file was written to the target computer by malicious code, treating the associated file as malicious code.
  - 14. The method of claim 7 wherein the second behavior mobility token is written to the target computer through a named pipe.
  - 15. The method of claim 7 further comprising:
    - responsive to the second behavior mobility token indicating that the file was written to the target computer by legitimate code, treating the associated file as legitimate code.
  - 16. The method of claim 7 further comprising:
    - responsive to not receiving communication from the source computer for a specified period of time, raising the suspicion level of the associated file.

17. A computer readable storage medium containing an executable computer program product for tracking movement of suspicious files within a network, the computer program product comprising:
- program code for detecting at a source computer a process on the source computer writing a file to a folder at a target computer;
  
  program code for determining at the source computer a suspicion level associated with the process;
  
  program code for writing by the source computer a first behavior blocking mobility token containing at least the suspicion level associated with the process to the same folder at the target computer;
  
  program code for determining by the source computer whether the process comprises malicious code subsequent to writing the file and the first behavior blocking mobility token to the same folder at the target computer; and
  
  program code for writing by the source computer a second behavior blocking mobility token to the target computer, the second behavior blocking mobility token informing the target computer whether the process that wrote the file comprises malicious code.
- View Dependent Claims (18, 19)
- - 18. The computer program product of claim 17 further comprising:
    - program code for writing at least one instruction directed to the target computer in the first behavior blocking mobility token.
  - 19. The computer program product of claim 17 further comprising:
    - program code for writing at least one rule directed to the target computer in the first behavior blocking mobility token.

20. A computer readable storage medium containing an executable computer program product for tracking movement of suspicious files within a network, the computer program product comprising:
- program code for detecting a file being written to a folder at a target computer by a source computer;
  
  program code for detecting that a first behavior blocking mobility token associated with the file is being written to the same folder at the target computer by the source computer;
  
  program code for reading the first behavior blocking mobility token;
  
  program code for determining a suspicion level of the file associated with the first behavior blocking mobility token, responsive to contents of the behavior blocking mobility token; and
  
  program code for detecting a second behavior blocking mobility token being written to the target computer subsequent to detecting the file and the first behavior blocking mobility token being written to the same folder at the target computer, the second behavior blocking mobility token indicating whether the file was written to the target computer by malicious code on the source computer, wherein the source computer determines whether the file was written to the target computer by malicious code and writes the second behavior blocking mobility token to the target computer.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The computer program product of claim 20 further comprising:
    - program code for reading at least one instruction from the source computer in the first behavior blocking mobility token; and
      
      program code for executing the at least one instruction.
  - 22. The computer program product of claim 20 further comprising:
    - program code for reading at least one rule from the source computer in the first behavior blocking mobility token; and
      
      program code for processing the file associated with the first behavior blocking mobility token responsive to the at least one rule.
  - 23. The computer program product of claim 20 further comprising:
    - program code for processing the file associated with the behavior blocking mobility token responsive to at least one rule originating at the target computer.
  - 24. The computer program product of claim 20 further comprising:
    - responsive to the second behavior mobility token indicating that the file was written to the target computer by malicious code, treating the associated file as malicious code.
  - 25. The computer program product of claim 20 further comprising:
    - responsive to the second behavior mobility token indicating that the file was written to the target computer by legitimate code, program code for treating the associated file as legitimate code.

26. A computer system having a computer-readable storage medium having executable computer program instructions embodied therein for tracking movement of suspicious files within a network, the computer system computer program instructions comprising:
- a software portion configured to detect at a source computer a process on the source computer writing a file to a folder at a target computer;
  
  a software portion configured to determine at the source computer a suspicion level associated with the process;
  
  a software portion configured to write by the source computer a first behavior blocking mobility token containing at least the suspicion level associated with the process to the same folder at the target computer;
  
  a software portion configured to determine by the source computer whether the process comprises malicious code subsequent to writing the file and the first behavior blocking mobility token to the same folder at the target computer; and
  
  a software portion configured to write by the source computer a second behavior blocking mobility token to the target computer, the second behavior blocking mobility token informing the target computer whether the process that wrote the file comprises malicious code.
- View Dependent Claims (27, 28)
- - 27. The computer system of claim 26 further comprising:
    - a software portion configured to write at least one instruction directed to the target computer in the first behavior blocking mobility token.
  - 28. The computer system of claim 26 further comprising:
    - a software portion configured to write at least one rule directed to the target computer in the first behavior blocking mobility token.

29. A computer system having a computer-readable storage medium having executable computer program instructions embodied therein for tracking movement of suspicious files within a network, the computer program instructions comprising:
- a software portion configured to detect a file being written to a folder at a target computer by a source computer;
  
  a software portion configured to detect that a first behavior blocking mobility token associated with the file is being written to the same folder at the target computer by the source computer;
  
  a software portion configured to read the first behavior blocking mobility token;
  
  a software portion configured to determine a suspicion level of the file associated with the first behavior blocking mobility token, responsive to contents of the behavior blocking mobility token; and
  
  a software portion configured to detect a second behavior blocking mobility token being written to the target computer subsequent to detecting the file and the first behavior blocking mobility token being written to the same folder at the target computer, the second behavior blocking mobility token indicating whether the file was written to the target computer by malicious code on the source computer, wherein the source computer determines whether the file was written to the target computer by malicious code and writes the second behavior blocking mobility token to the target computer.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The computer system of claim 29 further comprising:
    - a software portion configured to read at least one instruction from the source computer in the first behavior blocking mobility token; and
      
      a software portion configured to execute the at least one instruction.
  - 31. The computer system of claim 29 further comprising:
    - a software portion configured to read at least one rule from the source computer in the first behavior blocking mobility token; and
      
      a software portion configured to process the file associated with the first behavior blocking mobility token responsive to the at least one rule.
  - 32. The computer system of claim 29 further comprising:
    - a software portion configured to process the file associated with the first behavior blocking mobility token responsive to at least one rule originating at the target computer.
  - 33. The computer system of claim 29 further comprising:
    - responsive to the second behavior mobility token indicating that the file was written to the target computer by malicious code, a software portion configured to treat the associated file as malicious code.
  - 34. The computer system of claim 29 further comprising:
    - responsive to the second behavior mobility token indicating that the file was written to the target computer by legitimate code, a software portion configured to treat the associated file as legitimate code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sallam, Ahmed
Primary Examiner(s)
COLIN, CARL G

Application Number

US10/938,047
Time in Patent Office

2,027 Days
Field of Search

726/22, 726/23, 726/24, 726/25
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Using behavior blocking mobility tokens to facilitate distributed worm detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Using behavior blocking mobility tokens to facilitate distributed worm detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links