System and method for preventing detection of a selected process running on a computer

US 7,827,605 B2
Filed: 10/27/2008
Issued: 11/02/2010
Est. Priority Date: 07/14/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method for concealing from a user a monitoring process running on a computer, comprising:

receiving from a user a request to access a process file concerning a process running on a computer;

determining, using a processor of the computer, whether the process file relates to a monitoring process, wherein if a process file is related to the monitoring process the process file is associated with a process information pseudo file system and contains process information about the monitoring process usable to identify the existence of the monitoring process;

in the event that the process file does not relate to the monitoring process, providing the user with access to the process file; and

providing a log to a remote console using packets containing a hashed message authentication code via a connectionless protocol;

wherein in the event a packet is transmitted without the hashed message authentication code a message is received from the remote console indicating that a port used to transmit the packet is not in use.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for preventing detection of a monitoring process running on a computer. A request to access a process file concerning a process running on the computer is received from a user. It is determined whether the process file requested by the user relates to the selected process. If the requested process file does not relate to the selected process, the user is provided with access to the file.

168 Citations

19 Claims

1. A method for concealing from a user a monitoring process running on a computer, comprising:
- receiving from a user a request to access a process file concerning a process running on a computer;
  
  determining, using a processor of the computer, whether the process file relates to a monitoring process, wherein if a process file is related to the monitoring process the process file is associated with a process information pseudo file system and contains process information about the monitoring process usable to identify the existence of the monitoring process;
  
  in the event that the process file does not relate to the monitoring process, providing the user with access to the process file; and
  
  providing a log to a remote console using packets containing a hashed message authentication code via a connectionless protocol;
  
  wherein in the event a packet is transmitted without the hashed message authentication code a message is received from the remote console indicating that a port used to transmit the packet is not in use.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising denying access to the process file if the process file does relate to the monitoring process.
  - 3. The method of claim 1 further comprising providing to the user an indication that the process file does not exist if the process file does relate to the monitoring process.
  - 4. The method of claim 1 wherein an operating system of the computer is Solaris 7 and wherein the step of receiving comprises receiving all requests to access files within a /proc file system.
  - 5. The method of claim 1 wherein the monitoring process relates to monitoring an activity of the user with respect to the computer.
  - 6. The method of claim 1 further comprising using the monitoring process to monitor an interaction of the user with a deception environment.
  - 7. The method of claim 1 further comprising replacing one or more operating system functions in a system entry table with a new program configured to perform the step of receiving from the user a request to access a process file concerning a process running on the computer.
  - 8. The method of claim 1 further comprising replacing one or more operating system functions in a system entry table with a new program configured to provide in response to the request, in the event it is determined that the process file relates to the monitoring process, an indication that the process file does not exist.

9. A system for concealing from a user a monitoring process running on a computer, comprising:
- a computer configured to monitor an interaction of a user with a deception environment, receive from the user a request to access a process file concerning a process running on the computer, determine whether the process file relates to a monitoring process, in the event that the process file does not relate to the monitoring process, provide the user with access to the process file, and provide a log to a remote console over a port using packets containing a hashed message authentication code via a connectionless protocol;
  
  wherein in the event a packet is transmitted without the hashed message authentication code a message is received from the remote console indicating that a port used to transmit the packet is not in use; and
  
  wherein a determination of whether the process file is related to the monitoring process is based at least in part on whether the process file contains process information about the monitoring process usable to identify the existence of the monitoring process.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9 wherein the computer is further configured to deny access to the process file if the process file does relate to the monitoring process.
  - 11. The system of claim 9 wherein the computer is further configured to provide to the user an indication that the process file does not exist if the process file does relate to the monitoring process.
  - 12. The system of claim 9 wherein an operating system of the computer is Solaris 7 and the computer is configured to filter all requests to access process files within a /proc file system, including by allowing access to one or more process files not associated with the monitoring process and to deny access to one or more process files associated with the monitoring process.
  - 13. The system of claim 9 wherein the monitoring process is used to monitor an interaction of the user with a deception environment.

14. A computer program product for concealing from a user a selected process running on a computer, the computer program product being embodied in a computer readable storage medium comprising computer instructions for:
- monitoring an interaction of a user with a deception environment;
  
  receiving from the user a request to access a process file concerning a process running on the computer;
  
  determining whether the process file relates to a monitoring process, wherein if the process file is related to the monitoring process the process file is associated with a process information pseudo file system and contains process information about the monitoring process usable to identify the existence of the monitoring process;
  
  in the event that the process file does not relate to the monitoring process, providing the user with access to the process file; and
  
  providing a log to a remote console over a port using packets containing a hashed message authentication code via a connectionless protocol;
  
  wherein in the event a packet is transmitted without the hashed message authentication code a message is received from the remote console indicating that a port used to transmit the packet is not in use.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer program product of claim 14 further comprising computer instructions for denying access to the process file if the process file does relate to the monitoring process.
  - 16. The computer program product of claim 14 further comprising computer instructions for providing to the user an indication that the process file does not exist if the process file does relate to the monitoring process.
  - 17. The computer program product of claim 14 wherein an operating system of the computer is Solaris 7 and the step of receiving comprises receiving all requests to access files within a /proc file system.
  - 18. The computer program product of claim 14 further comprising computer instructions for replacing one or more operating system functions in a system entry table with a new program configured to perform the step of receiving from the user a request to access a process file concerning a process running on the computer.
  - 19. The computer program product of claim 14 further comprising computer instructions for replacing one or more operating system functions in a system entry table with a new program configured to provide in response to the request, in the event it is determined that the process file relates to the monitoring process, an indication that the process file does not exist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Lyle, Michael P., Ross, Robert F., Maricondo, James R.
Primary Examiner(s)
Colin; Carl

Application Number

US12/290,215
Publication Number

US 20090064331A1
Time in Patent Office

736 Days
Field of Search

726 22- 26, 726/16
US Class Current

726/16
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/55   Detecting local intrusion o...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/1491   using deception as counterm...

System and method for preventing detection of a selected process running on a computer

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

168 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for preventing detection of a selected process running on a computer

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

168 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links