Using behavior blocking mobility tokens to facilitate distributed worm detection
First Claim
1. A computer implemented method for tracking movement of suspicious files within a network, the method comprising the steps of:
- detecting at a source computer a process on the source computer writing a file to a folder at a target computer;
- determining at the source computer a suspicion level associated with the process;
- writing by the source computer a first behavior blocking mobility token containing at least the suspicion level associated with the process to the same folder at the target computer;
- subsequent to writing the file and the first behavior blocking mobility token to the same folder at the target computer, determining by the source computer whether the process comprises malicious code; and
- writing by the source computer a second behavior blocking mobility token to the target computer, the second behavior blocking mobility token informing the target computer whether the process that wrote the file comprises malicious code.
Abstract
Behavior blocking mobility token managers track movement of suspicious files within a network. A behavior blocking mobility token manager on a source computer detects an attempt by a process on the source computer to write a file to a target computer. The behavior blocking mobility token manager determines a suspicion level associated with the process, and writes a behavior blocking mobility token containing at least the suspicion level associated with the process to the target computer. A behavior blocking mobility token manager on the target computer detects that a behavior blocking mobility token is being written to the target computer. The behavior blocking mobility token manager reads the behavior blocking mobility token, and determines a suspicion level of the file associated with the behavior blocking mobility token, responsive to contents of the behavior blocking mobility token.
126 Citations
34 Claims
1. A computer implemented method for tracking movement of suspicious files within a network, the method comprising the steps of:
- detecting at a source computer a process on the source computer writing a file to a folder at a target computer;
- determining at the source computer a suspicion level associated with the process;
- writing by the source computer a first behavior blocking mobility token containing at least the suspicion level associated with the process to the same folder at the target computer;
- subsequent to writing the file and the first behavior blocking mobility token to the same folder at the target computer, determining by the source computer whether the process comprises malicious code; and
- writing by the source computer a second behavior blocking mobility token to the target computer, the second behavior blocking mobility token informing the target computer whether the process that wrote the file comprises malicious code.

Dependent claims: 2, 3, 4, 5, 6

7. A computer implemented method for tracking movement of suspicious files within a network, the method comprising the steps of:
- detecting a file being written to a folder at a target computer by a source computer;
- detecting that a first behavior blocking mobility token associated with the file is being written to the same folder at the target computer by the source computer;
- reading the first behavior blocking mobility token;
- determining a suspicion level of the file associated with the first behavior blocking mobility token, responsive to contents of the behavior blocking mobility token; and
- subsequent to detecting the file and the first behavior blocking mobility token being written to the same folder at the target computer, detecting a second behavior blocking mobility token being written to the target computer, the second behavior blocking mobility token indicating whether the file was written to the target computer by malicious code on the source computer, wherein the source computer determines whether the file was written to the target computer by malicious code and writes the second behavior blocking mobility token to the target computer.

Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16

17. A computer readable storage medium containing an executable computer program product for tracking movement of suspicious files within a network, the computer program product comprising:
- program code for detecting at a source computer a process on the source computer writing a file to a folder at a target computer;
- program code for determining at the source computer a suspicion level associated with the process;
- program code for writing by the source computer a first behavior blocking mobility token containing at least the suspicion level associated with the process to the same folder at the target computer;
- program code for determining by the source computer whether the process comprises malicious code subsequent to writing the file and the first behavior blocking mobility token to the same folder at the target computer; and
- program code for writing by the source computer a second behavior blocking mobility token to the target computer, the second behavior blocking mobility token informing the target computer whether the process that wrote the file comprises malicious code.

Dependent claims: 18, 19

20. A computer readable storage medium containing an executable computer program product for tracking movement of suspicious files within a network, the computer program product comprising:
- program code for detecting a file being written to a folder at a target computer by a source computer;
- program code for detecting that a first behavior blocking mobility token associated with the file is being written to the same folder at the target computer by the source computer;
- program code for reading the first behavior blocking mobility token;
- program code for determining a suspicion level of the file associated with the first behavior blocking mobility token, responsive to contents of the behavior blocking mobility token; and
- program code for detecting a second behavior blocking mobility token being written to the target computer subsequent to detecting the file and the first behavior blocking mobility token being written to the same folder at the target computer, the second behavior blocking mobility token indicating whether the file was written to the target computer by malicious code on the source computer, wherein the source computer determines whether the file was written to the target computer by malicious code and writes the second behavior blocking mobility token to the target computer.

Dependent claims: 21, 22, 23, 24, 25

26. A computer system having a computer-readable storage medium having executable computer program instructions embodied therein for tracking movement of suspicious files within a network, the computer system computer program instructions comprising:
- a software portion configured to detect at a source computer a process on the source computer writing a file to a folder at a target computer;
- a software portion configured to determine at the source computer a suspicion level associated with the process;
- a software portion configured to write by the source computer a first behavior blocking mobility token containing at least the suspicion level associated with the process to the same folder at the target computer;
- a software portion configured to determine by the source computer whether the process comprises malicious code subsequent to writing the file and the first behavior blocking mobility token to the same folder at the target computer; and
- a software portion configured to write by the source computer a second behavior blocking mobility token to the target computer, the second behavior blocking mobility token informing the target computer whether the process that wrote the file comprises malicious code.

Dependent claims: 27, 28

29. A computer system having a computer-readable storage medium having executable computer program instructions embodied therein for tracking movement of suspicious files within a network, the computer program instructions comprising:
- a software portion configured to detect a file being written to a folder at a target computer by a source computer;
- a software portion configured to detect that a first behavior blocking mobility token associated with the file is being written to the same folder at the target computer by the source computer;
- a software portion configured to read the first behavior blocking mobility token;
- a software portion configured to determine a suspicion level of the file associated with the first behavior blocking mobility token, responsive to contents of the behavior blocking mobility token; and
- a software portion configured to detect a second behavior blocking mobility token being written to the target computer subsequent to detecting the file and the first behavior blocking mobility token being written to the same folder at the target computer, the second behavior blocking mobility token indicating whether the file was written to the target computer by malicious code on the source computer, wherein the source computer determines whether the file was written to the target computer by malicious code and writes the second behavior blocking mobility token to the target computer.

Dependent claims: 30, 31, 32, 33, 34
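The abstract and the independent claims above describe one exchange from two sides: the source-side manager writes the file plus a first token carrying the writing process's suspicion level, and later a second token carrying its malicious/benign verdict; the target-side manager reads whatever tokens arrive next to the file and decides how to treat it. The following is an added example, not code from the patent or its assignee, that simulates that exchange end to end in a shared folder. The JSON token layout, the `.bbmt` file-name convention, the behavior weights in `SUSPICION_RULES`, the `hold_threshold` and the scenario data are all constructed for illustration; the patent specifies none of them.

```python
"""Simulation of the two-token mobility exchange (added example, constructed
token format and heuristics; not the patent's own implementation)."""
import json
import tempfile
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Optional

TOKEN_SUFFIX = ".bbmt"  # constructed naming convention for token files

# Constructed behavior-blocking heuristics and weights. A real product would
# score the writing process with its own behavior-blocking engine.
SUSPICION_RULES = {
    "writes_to_many_hosts": 40,
    "modifies_autorun": 30,
    "no_user_interaction": 20,
    "unsigned_binary": 10,
}


def suspicion_level(observed_behaviors) -> int:
    """Score the writing process 0..100 from the behaviors observed so far."""
    return min(100, sum(SUSPICION_RULES.get(b, 0) for b in observed_behaviors))


@dataclass
class MobilityToken:
    kind: str            # "initial" (first token) or "verdict" (second token)
    file_name: str       # the file this token accompanies
    source_host: str
    process_name: str
    suspicion: int       # suspicion level of the writing process
    malicious: Optional[bool] = None   # set only on the verdict token

    def to_json(self) -> str:
        return json.dumps(asdict(self))

    @staticmethod
    def from_json(text: str) -> "MobilityToken":
        return MobilityToken(**json.loads(text))


def token_path(folder: Path, file_name: str, kind: str) -> Path:
    """Both tokens sit in the same folder as the file, under distinct names."""
    return folder / f"{file_name}.{kind}{TOKEN_SUFFIX}"


class SourceTokenManager:
    """Manager on the source computer (the side of claims 1, 17 and 26)."""

    def __init__(self, host: str):
        self.host = host

    def on_remote_write(self, process_name, behaviors, file_name, data, target_folder):
        """A local process writes a file into a folder on the target: write the
        file, then the first token with the current suspicion level beside it."""
        folder = Path(target_folder)
        (folder / file_name).write_bytes(data)
        tok = MobilityToken("initial", file_name, self.host, process_name,
                            suspicion_level(behaviors))
        token_path(folder, file_name, "initial").write_text(tok.to_json())
        return tok

    def on_verdict(self, process_name, file_name, malicious, target_folder):
        """Later, once the source has decided whether the process is malicious,
        write the second token carrying that verdict into the same folder."""
        tok = MobilityToken("verdict", file_name, self.host, process_name,
                            100 if malicious else 0, malicious=malicious)
        token_path(Path(target_folder), file_name, "verdict").write_text(tok.to_json())
        return tok


class TargetTokenManager:
    """Manager on the target computer (the side of claims 7, 20 and 29)."""

    def __init__(self, hold_threshold: int = 50):
        self.hold_threshold = hold_threshold
        self.records = {}   # file_name -> {"suspicion": int, "status": str}

    def scan_folder(self, folder):
        """Process every token in the folder; names sort 'initial' before 'verdict'."""
        for path in sorted(Path(folder).iterdir()):
            if path.name.endswith(TOKEN_SUFFIX):
                self.on_token(path)
        return self.records

    def on_token(self, path: Path):
        tok = MobilityToken.from_json(path.read_text())
        rec = self.records.setdefault(tok.file_name, {"suspicion": 0, "status": "unknown"})
        if tok.kind == "initial":
            # First token: the file inherits the process's suspicion level and is
            # held (not executed) above the threshold until a verdict arrives.
            rec["suspicion"] = tok.suspicion
            rec["status"] = "held" if tok.suspicion >= self.hold_threshold else "allowed"
        elif tok.kind == "verdict":
            # Second token: the source's verdict overrides the provisional score.
            rec["suspicion"] = tok.suspicion
            rec["status"] = "quarantined" if tok.malicious else "allowed"
        return rec


def run_scenario(shared_folder):
    """Constructed scenario: a worm-like process drops payload.exe and a benign
    installer drops setup.msi; the source later reaches a verdict on the first."""
    folder = Path(shared_folder)
    src = SourceTokenManager("host-a")
    src.on_remote_write("wormlike.exe", ["writes_to_many_hosts", "no_user_interaction"],
                        "payload.exe", b"MZ-constructed", folder)
    src.on_remote_write("installer.exe", ["unsigned_binary"],
                        "setup.msi", b"MSI-constructed", folder)
    tgt = TargetTokenManager()
    first_pass = {k: dict(v) for k, v in tgt.scan_folder(folder).items()}
    src.on_verdict("wormlike.exe", "payload.exe", True, folder)
    second_pass = {k: dict(v) for k, v in tgt.scan_folder(folder).items()}
    return first_pass, second_pass


def demo():
    """Run the scenario in a throwaway directory and return both passes."""
    with tempfile.TemporaryDirectory() as d:
        return run_scenario(d)


if __name__ == "__main__":
    print(demo())
```

The point the target side illustrates is that the first token lets the receiving host act before the source has finished its analysis (hold the file at a high provisional score, allow it at a low one), while the second token lets it finalize that decision without re-analysing the file itself; the target trusts the token because the source wrote it into the same folder alongside the file.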
Specification