Protection of computer resources
First Claim
1. A method for providing security to a computer system, the method comprising:
monitoring occurrence of events associated with the computer system;
in response to detecting occurrence of a given event in the computer system, initiating execution of an audit rule associated with the given event to provide notification that a corresponding protection policy associated with the given event should be currently operating to protect the computer system;
evaluating whether the corresponding protection policy is currently operating in the computer system; and
in response to identifying that the corresponding protection policy should be but is not currently operating in the computer system, initiating application of a security measure to protect the computer system;
wherein the monitoring includes initiating execution of an audit policy and a corresponding set of rules in the computer system that, when executed in the computer system, selectively provide notification of which of multiple types of protection policies should be currently activated in the computer system to protect the computer system against known computer attacking software in response to detecting activities in the computer system that are indicative of the known computer attacking software.
Abstract
In one embodiment, local software code present in a computer system enables real-time detection of whether the computer system is properly protected against malicious attacks from harmful software. For example, software code such as one or more agents executing in the computer system support real-time protection validation based upon detection of the behavior of the computer system (as opposed to mere detection of the presence of resources or applications in the computer system). In response to detecting that the computer system or an application accesses or provides a particular type of resource and should be protected via one or more appropriate protection policies, if the computer system is not already protected, an agent of the computer system can provide immediate remediation (e.g., a security measure) to temporarily protect the computer system until the appropriate protection policy can be activated to protect the computer system against malicious software threats.
255 Citations
21 Claims
1. (Claim 1 as set out under First Claim above.) Dependent claims: 2 through 12.
13. A method comprising:
based on a real-time detection of specific behavior in a computer system that should be protected against a possible presence of known computer attacking software, initiating execution of an audit policy rule that, when executed in the computer system, provides notification that a particular type of protection policy of multiple types of protection policies should be currently activated in the computer system to protect the computer system;
accessing a repository of information to identify and evaluate whether the particular protection policy is currently protecting the computer system; and
in response to identifying that the corresponding protection policy should be but is not currently protecting the computer system, automatically implementing a security measure that, when executed, at least temporarily limits further activities associated with the computer system to protect the computer system from the known computer attacking software.
Dependent claims: 14, 15.
16. A computer system comprising:
one or more processors;
a memory unit that stores instructions associated with code executed by the processor; and
an interconnect coupling the one or more processors and the memory unit, enabling the computer system to execute the code;
wherein the code, when executed by the computer system, causes the computer system to perform:
monitoring occurrence of events associated with the computer system;
in response to detecting occurrence of a given event in the computer system, initiating execution of an instruction associated with the given event to provide notification that a corresponding protection policy associated with the given event should be currently operating to protect the computer system;
evaluating whether the corresponding protection policy is currently operating in the computer system; and
in response to identifying that the corresponding protection policy should be but is not currently operating in the computer system, initiating application of a security measure to protect the computer system;
wherein the monitoring includes initiating execution of an audit policy and a corresponding set of rules in the computer system that, when executed in the computer system, selectively provide notification of which of multiple types of protection policies should be currently activated in the computer system to protect the computer system against known computer attacking software in response to detecting activities in the computer system that are indicative of the known computer attacking software.
Dependent claims: 17 through 21.
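The workflow the independent claims and the abstract describe (monitor events, fire an audit rule naming the protection policy that should be operating, consult a repository of policy state, and apply a temporary security measure when the policy is missing until it is activated) as a small added illustration in Python. This is not the patent's or any assignee's code; the class names (ProtectionAgent, PolicyRepository, AuditRule), the policy names, the event stream and the "suspend the offending process" measure are all constructed assumptions chosen to make the control flow concrete.

```python
"""Behaviour-triggered protection validation, modelled on the claimed
workflow. All names, policies and events are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    kind: str      # observed behaviour, e.g. "net_listen", "process_start"
    process: str   # process that exhibited the behaviour
    detail: str    # port, path or other context


@dataclass(frozen=True)
class AuditRule:
    """One rule of the audit policy: when an event matches, the named
    protection policy should currently be operating on the host."""
    name: str
    matches: Callable[[Event], bool]
    required_policy: str


@dataclass
class Remediation:
    process: str
    policy: str
    measure: str
    lifted: bool = False


class PolicyRepository:
    """Repository of information recording which protection policies are
    active. Unknown policies are treated as inactive (fail closed)."""

    def __init__(self, active: Dict[str, bool]) -> None:
        self._active = dict(active)

    def is_active(self, policy: str) -> bool:
        return self._active.get(policy, False)

    def activate(self, policy: str) -> None:
        self._active[policy] = True


class ProtectionAgent:
    """Local agent: runs the audit rules on each event, checks the repository
    and applies a temporary measure when a required policy is not running."""

    def __init__(self, rules: List[AuditRule], repo: PolicyRepository) -> None:
        self.rules = rules
        self.repo = repo
        self.remediations: List[Remediation] = []

    def on_event(self, event: Event) -> List[Remediation]:
        applied: List[Remediation] = []
        for rule in self.rules:
            if not rule.matches(event):
                continue
            # Audit rule fired: rule.required_policy should be operating now.
            if self.repo.is_active(rule.required_policy):
                continue
            # Do not stack a second measure on the same process/policy pair.
            if any(r.process == event.process and r.policy == rule.required_policy
                   and not r.lifted for r in self.remediations):
                continue
            # Policy should be but is not operating: limit further activity of
            # the offending process until the proper policy is activated.
            rem = Remediation(event.process, rule.required_policy,
                              measure=f"suspend:{event.process}")
            self.remediations.append(rem)
            applied.append(rem)
        return applied

    def policy_activated(self, policy: str) -> int:
        """Record that the policy is now running and lift the temporary
        measures that were standing in for it; returns how many were lifted."""
        self.repo.activate(policy)
        lifted = 0
        for rem in self.remediations:
            if rem.policy == policy and not rem.lifted:
                rem.lifted = True
                lifted += 1
        return lifted

    def pending(self) -> List[Remediation]:
        return [r for r in self.remediations if not r.lifted]


# Constructed audit policy: each rule maps a behaviour to the policy it needs.
AUDIT_POLICY = [
    AuditRule("listener-needs-firewall",
              lambda e: e.kind == "net_listen", "host_firewall"),
    AuditRule("exec-from-tmp-needs-realtime-av",
              lambda e: e.kind == "process_start" and e.detail.startswith("/tmp/"),
              "realtime_antimalware"),
]

# Constructed event stream; the "dropper" events stand in for behaviour that
# is indicative of known attacking software (executing out of a temp dir).
EVENTS = [
    Event("process_start", "updater", "/usr/bin/updater"),
    Event("net_listen", "httpd", "8080"),
    Event("process_start", "dropper", "/tmp/stage1"),
    Event("process_start", "dropper", "/tmp/stage2"),
    Event("net_listen", "dropper", "4444"),
]


def run_demo() -> Dict[str, object]:
    repo = PolicyRepository({"host_firewall": True, "realtime_antimalware": False})
    agent = ProtectionAgent(AUDIT_POLICY, repo)
    applied: List[Tuple[str, str, str]] = []
    for ev in EVENTS:
        applied += [(r.process, r.policy, r.measure) for r in agent.on_event(ev)]
    pending_before = len(agent.pending())
    lifted = agent.policy_activated("realtime_antimalware")
    return {"applied": applied, "pending_before": pending_before,
            "lifted": lifted, "pending_after": len(agent.pending())}


if __name__ == "__main__":
    print(run_demo())
```

Two design points match the claim language rather than a simple presence check: the agent reacts to what the host is doing (a process starting from a temporary directory), not to whether an anti-malware package happens to be installed, and the measure it applies is explicitly temporary, recorded so it can be lifted once the repository reports the proper policy as active.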
Specification