Protection of computer resources

US 7,832,008 B1
Filed: 10/11/2006
Issued: 11/09/2010
Est. Priority Date: 10/11/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing security to a computer system, the method comprising:

monitoring occurrence of events associated with the computer system;

in response to detecting occurrence of a given event in the computer system, initiating execution of an audit rule associated with the given event to provide notification that a corresponding protection policy associated with the given event should be currently operating to protect the computer system;

evaluating whether the corresponding protection policy is currently operating in the computer system; and

in response to identifying that the corresponding protection policy should be but is not currently operating in the computer system, initiating application of a security measure to protect the computer system;

wherein the monitoring includes initiating execution of an audit policy and a corresponding set of rules in the computer system that, when executed in the computer system, selectively provide notification of which of multiple types of protection policies should be currently activated in the computer system to protect the computer system against known computer attacking software in response to detecting activities in the computer system that are indicative of the known computer attacking software.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, local software code present in a computer system enables real-time detection of whether the computer system is properly protected against malicious attacks from harmful software. For example, software code such as one or more agents executing in the computer system support real-time protection validation based upon detection of the behavior of the computer system (as opposed to mere detection of the presence of resources or applications in the computer system). In response to detecting that the computer system or an application accesses or provides a particular type of resource and should be protected via one or more appropriate protection policies, if the computer system is not already protected, an agent of the computer system can provide immediate remediation (e.g., a security measure) to temporarily protect the computer system until the appropriate protection policy can be activated to protect the computer system against malicious software threats.

255 Citations

21 Claims

1. A method for providing security to a computer system, the method comprising:
- monitoring occurrence of events associated with the computer system;
  
  in response to detecting occurrence of a given event in the computer system, initiating execution of an audit rule associated with the given event to provide notification that a corresponding protection policy associated with the given event should be currently operating to protect the computer system;
  
  evaluating whether the corresponding protection policy is currently operating in the computer system; and
  
  in response to identifying that the corresponding protection policy should be but is not currently operating in the computer system, initiating application of a security measure to protect the computer system;
  
  wherein the monitoring includes initiating execution of an audit policy and a corresponding set of rules in the computer system that, when executed in the computer system, selectively provide notification of which of multiple types of protection policies should be currently activated in the computer system to protect the computer system against known computer attacking software in response to detecting activities in the computer system that are indicative of the known computer attacking software.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as in claim 1, wherein evaluating whether the corresponding protection policy associated with the given event is currently operating in the computer system includes:
    - accessing a repository of information to identify whether the corresponding protection policy, if currently operating to protect the computer system, has initiated execution of a rule that modifies contents of the repository to provide notification that the corresponding protection policy is currently operating to protect the computer system.
  - 3. A method as in claim 1, wherein initiating application of the security measure to protect the computer system includes initiating activation of the corresponding protection policy, if not already activated, to protect the computer system against a set of harmful events known to inhibit proper operation of the computer system.
  - 4. A method as in claim 1 further comprising:
    - initiating execution of a first type of protection policy to protect the computer system against a respective set of computer attacking software known to attack a first type of computer functionality associated with the computer system; and
      
      initiating execution of a second type of protection policy to protect the computer system against a respective set of computer attacking software known to attack a second type of computer functionality associated with the computer system; and
      
      wherein initiating application of the security measure to protect the computer system includes initiating execution of a third type of protection policy to protect the computer system against a respective set of computer attacking software known to attack a third type of computer functionality associated with the computer system.
  - 5. A method as in claim 1, wherein monitoring occurrence of events associated with the computer system includes monitoring respective actions associated with the computer system.
  - 6. A method as in claim 1, wherein monitoring occurrence of events associated with the computer system includes monitoring access to respective resources associated with the computer system.
  - 7. A method as in claim 1, wherein initiating application of a security measure to protect the computer system includes automatically implementing a containment policy to limit further activities related to the given event.
  - 8. A method as in claim 1, wherein initiating application of a security measure to protect the computer system includes automatically implementing a containment policy that, when executed, prevents the computer system from executing potentially malicious software in connection with the given event.
  - 9. A method as in claim 1, wherein initiating application of a security measure to protect the computer system includes initiating transmission of a signal over a respective network connection to notify a central management console that the computer system is not protected against executing potentially malicious software in connection with the given event.
  - 10. A method as in claim 9 further comprising:
    - receiving a response over the network from the central management console to implement the corresponding protection policy at the computer system to protect the computer system against malicious computer software known to corrupt at least certain functionality associated with the computer system.
  - 11. A method as in claim 1, wherein initiating operation of the audit rule i) occurs in response to detecting pre-defined behavior associated with the computer system and ii) results in setting a flag indicating a resource type associated with the given event that should be protected in the computer system.
  - 12. A method as in claim 11 further comprising:
    - after evaluating whether the corresponding protection policy is currently operating in the computer system to protect the resource type associated with the given event, resetting the flag; and
      
      repeating steps of setting the flag, evaluating a current protection policy implemented in the computer system, and resetting the flag for future detected events to ensure real-time protection of resources in the computer system.

13. A method comprising:
- based on a real-time detection of specific behavior in a computer system that should be protected against a possible presence of known computer attacking software, initiate execution of an audit policy rule that, when executed in the computer system, provides notification that a particular type of protection policy of multiple types of protection policies should be currently activated in the computer system to protect the computer system;
  
  accessing a repository of information to identify and evaluate whether the particular protection policy is currently protecting the computer system; and
  
  in response to identifying that the corresponding protection policy should be but is not currently protecting the computer system, automatically implementing a security measure that, when executed, at least temporarily limits further activities associated with the computer system to protect the computer system from the known computer attacking software.
- View Dependent Claims (14, 15)
- - 14. A method as in claim 13 further comprising:
    - initiating transmission of a signal over a respective network connection to notify a central management console that the behavior associated with the computer system warrants that the computer system be protected against the possible presence of the known computer attacking software.
  - 15. A method as in claim 13 further comprising:
    - receiving a response over a network from a protection policy management source to implement the particular type of protection policy in the computer system to protect the computer system against the known computer attacking software.

16. A computer system comprising:
- one or more processors;
  
  a memory unit that stores instructions associated with code executed by the processor; and
  
  an interconnect coupling the one or more processors and the memory unit, enabling the computer system to execute the code;
  
  wherein the code, when executed by the computer system, causes the computer system to perform;
  
  monitoring occurrence of events associated with the computer system;
  
  in response to detecting occurrence of a given event in the computer system, initiating execution of an instruction associated with the given event to provide notification that a corresponding protection policy associated with the given event should be currently operating to protect the computer system;
  
  evaluating whether the corresponding protection policy is currently operating in the computer system; and
  
  in response to identifying that the corresponding protection policy should be but is not currently operating in the computer system, initiating application of a security measure to protect the computer systemwherein the monitoring includes initiating execution of an audit policy and a corresponding set of rules in the computer system that, when executed in the computer system, selectively provide notification of which of multiple types of protection policies should be currently activated in the computer system to protect the computer system against known computer attacking software in response to detecting activities in the computer system that are indicative of the known computer attacking software.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. A computer system as in claim 16, wherein the code, when executed by the computer system, further causes the computer system to perform:
    - identifying a security measure for protecting the computer system if the corresponding protection policy is not currently activated in the computer system to protect the computer system against malware potentially associated with the specific event.
  - 18. A computer system as in claim 16, wherein the code, when executed by the computer system, further causes the computer system to perform:
    - initiating application of a security measure to protect the computer system and initiate transmission of a message over a respective network connection to notify a central management console that the computer system is not protected against executing potentially malicious software in connection with the specific event.
  - 19. A computer system as in claim 18, wherein the code, when executed by the computer system, further causes the computer system to perform:
    - receiving a response over the network from the central management console to implement the corresponding protection policy at the computer system to protect the computer system against malicious computer software known to corrupt at least certain functionality associated with the computer system.
  - 20. A computer system as in claim 16, wherein the code, when executed by the computer system, further causes the computer system to perform:
    - operating security validation protection in real-time based on detection of pre-defined types of behavior and provide immediate remediation based on execution of a remediation policy residing in the computer system.
  - 21. A computer system as in claim 16, wherein the code, when executed by the computer system, further causes the computer system to perform:
    - providing notification of which types of resources in the computer system are currently protected; and
      
      identifying whether the corresponding protection policy is currently operating based on the notification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kraemer, Jeffrey A.
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
Fields; Courtney D

Application Number

US11/546,650
Time in Patent Office

1,490 Days
Field of Search

726/22, 726/1, 726/23, 726/26, 709/223, 709/224
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Protection of computer resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

255 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Protection of computer resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

255 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links