Threat protection network
Abstract
Threat protection networks are described. Embodiments of a threat protection network in accordance with the invention use expert systems to determine the nature of potential threats to a remote computer. In several embodiments, a secure peer-to-peer network is used to rapidly distribute information concerning the nature of the potential threat through the threat protection network. One embodiment of the invention includes at least one client computer connected to a network, a server that stores threat definition data and is connected to the network, and an expert system in communication with the server. In addition, the client computer is configured to refer potential threats to the server; the server is configured to refer to the expert system any potential threat forwarded by a client computer that is not identified in the threat definition data; and the expert system is configured to determine whether the potential threat is an actual threat by exposing at least one test computer to the potential threat and observing the behavior of the test computer.
22 Claims

1. A threat protection network for detecting and analyzing suspicious files in real-time, comprising:
at least one client computer connected to a network;
a server that stores threat definition data and is connected to the network;
an expert system in communication with the server;
at least one test computer connected to the expert system;
wherein the client computer is configured to identify a suspicious file on the client computer;
wherein the client computer is configured to automatically notify the server of the suspicious file;
wherein the server is configured to send the suspicious file to the expert system;
wherein the expert system is configured to determine whether the suspicious file is an actual threat by exposing the at least one test computer to the suspicious file and analyzing the behavior of the suspicious file on the at least one test computer; and
wherein the expert system is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file by preventing any data from being sent to the network during the analysis of the behavior of the suspicious file on the at least one test computer.
Dependent claims: 2, 3, 4, 5, 7, 8, 9, 10, 11, 12, 14, 15, 16.

6. A threat protection network for detecting and analyzing suspicious files in real-time, comprising:
at least one client computer connected to a network;
a server that stores threat definition data and is connected to the network;
an expert system in communication with the server;
at least one test computer connected to the expert system;
wherein the client computer is configured to identify a suspicious file on the client computer;
wherein the client computer is configured to automatically notify the server of the suspicious file;
wherein the server is configured to send the suspicious file to the expert system;
wherein the expert system is configured to determine whether the suspicious file is an actual threat by exposing the at least one test computer to the suspicious file and analyzing the behavior of the suspicious file on the at least one test computer;
wherein the expert system is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file;
wherein the server is configured to update the threat definition data based upon determinations made by the expert system;
wherein the server and client computers form a secure distribution network; and
wherein the updated threat definition data is distributed to client computers via the secure distribution network.

13. A threat protection network for detecting and analyzing suspicious files in real-time, comprising:
at least one client computer connected to a network;
a server that stores threat definition data and is connected to the network;
an expert system in communication with the server; and
at least one test computer connected to the expert system;
wherein the client computer is configured to identify a suspicious file on the client computer;
wherein the client computer is configured to automatically notify the server of the suspicious file;
wherein the server is configured to send the suspicious file to the expert system;
wherein the expert system is configured to determine whether the suspicious file is an actual threat by exposing the at least one test computer to the suspicious file and analyzing the behavior of the suspicious file on the at least one test computer;
wherein the expert system is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file; and
wherein the expert system is configured to refer the suspicious file to an operator in circumstances where the expert system is incapable of conclusively determining the nature of the suspicious file.

17. A threat identification system configured to evaluate suspicious files discovered on a remote computer system, comprising:
an expert system installed on a host computer; and
at least one test computer connected to the host computer;
wherein the expert system is configured to receive a suspicious file from a server via a network;
wherein the expert system is configured to expose the at least one test computer to the suspicious file;
wherein the expert system is configured to analyze the behavior of the suspicious file on the at least one test computer;
wherein the expert system is configured to determine a score based upon the analyzed behavior and a set of predetermined criteria; and
wherein the expert system is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file.
Dependent claims: 18, 19, 20, 21, 22.
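The analysis flow the claims describe (isolate the test computer before exposure, observe the file's behavior, score it against predetermined criteria, and refer inconclusive cases to an operator) modeled as a small simulation. This is an added illustration, not code from the patent; the criteria weights, thresholds, guard class and behavior trace are all constructed assumptions.

```python
from typing import Dict, List

# Constructed scoring criteria (hypothetical weights, not taken from the patent).
CRITERIA: Dict[str, int] = {
    "writes_autorun_key": 40,
    "modifies_system_binary": 50,
    "opens_outbound_socket": 30,
}
THREAT_THRESHOLD = 70   # score >= this: actual threat
BENIGN_THRESHOLD = 20   # score <= this: benign; between the two: refer to an operator

class NetworkGuard:
    """Stands in for the isolation step: once isolated, outbound sends are dropped and logged."""
    def __init__(self) -> None:
        self.isolated = False
        self.blocked: List[str] = []
    def isolate(self) -> None:
        self.isolated = True
    def send(self, dest: str) -> bool:
        if self.isolated:
            self.blocked.append(dest)
            return False
        return True

def analyze(events: List[dict], guard: NetworkGuard) -> dict:
    """Expose the simulated test computer to a behavior trace and score it against CRITERIA."""
    if not guard.isolated:               # isolation must precede exposure
        raise RuntimeError("test computer not isolated from the network")
    score = 0
    for ev in events:
        score += CRITERIA.get(ev["action"], 0)
        if ev["action"] == "opens_outbound_socket":
            guard.send(ev["dest"])      # attempt is logged by the guard, never delivered
    if score >= THREAT_THRESHOLD:
        label = "threat"
    elif score <= BENIGN_THRESHOLD:
        label = "benign"
    else:
        label = "refer_to_operator"     # inconclusive: hand to a human analyst
    return {"score": score, "classification": label, "blocked_sends": list(guard.blocked)}

# Constructed behavior trace standing in for what was observed on the test computer.
SAMPLE_EVENTS = [
    {"action": "writes_autorun_key"},
    {"action": "opens_outbound_socket", "dest": "198.51.100.7:443"},  # RFC 5737 test address
    {"action": "reads_own_config"},                                   # unknown action scores 0
]
```

Calling `analyze(SAMPLE_EVENTS, guard)` on a guard that was never isolated raises instead of running, which is the ordering the claims make mandatory.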