Threat protection network

US 7,836,506 B2
Filed: 09/22/2005
Issued: 11/16/2010
Est. Priority Date: 09/22/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A threat protection network for detecting and analyzing suspicious files in real-time, comprising:

at least one client computer connected to a network;

a server that stores threat definition data and is connected to the network;

an expert system in communication with the server;

at least one test computer connected to the expert system;

wherein the client computer is configured to identify a suspicious file on the client computer;

wherein the client computer is configured to automatically notify the server of the suspicious file;

wherein the server is configured to send the suspicious file to the expert system;

wherein the expert system is configured to determine whether the suspicious file is an actual threat by exposing the at least one test computer to the suspicious file and analyzing the behavior of the suspicious file on the at least one test computer; and

wherein the expert system is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file by preventing any data from being sent to the network during the analysis of the behavior of the suspicious file on the at least one test computer.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat protection networks are described. Embodiments of threat protection network in accordance with the invention use expert systems to determine the nature of potential threats to a remote computer. In several embodiments, a secure peer-to-peer network is used to rapidly distribute information concerning the nature of the potential threat through the threat protection network. One embodiment of the invention includes at least one client computer connected to a network, a server that stores threat definition data and is connected to the network, an expert system in communication with the server. In addition, the client computer is configured to refer potential threats to the server, the server is configured to refer to the expert system any potential threat forwarded by a client computer that is not identified in the threat definition data and the expert system is configured to determine whether the potential threat is an actual threat by exposing at least one test computer to the potential threat and observing the behavior of the test computer.

110 Citations

View as Search Results

22 Claims

1. A threat protection network for detecting and analyzing suspicious files in real-time, comprising:
- at least one client computer connected to a network;
  
  a server that stores threat definition data and is connected to the network;
  
  an expert system in communication with the server;
  
  at least one test computer connected to the expert system;
  
  wherein the client computer is configured to identify a suspicious file on the client computer;
  
  wherein the client computer is configured to automatically notify the server of the suspicious file;
  
  wherein the server is configured to send the suspicious file to the expert system;
  
  wherein the expert system is configured to determine whether the suspicious file is an actual threat by exposing the at least one test computer to the suspicious file and analyzing the behavior of the suspicious file on the at least one test computer; and
  
  wherein the expert system is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file by preventing any data from being sent to the network during the analysis of the behavior of the suspicious file on the at least one test computer.
- View Dependent Claims (2, 3, 4, 5, 7, 8, 9, 10, 11, 12, 14, 15, 16)
- - 2. The threat protection network of claim 1, wherein the client is configured to generate a signature for the suspicious file.
  - 3. The threat protection network of claim 2, wherein the signature includes two or more check sums generated using the suspicious file.
  - 4. The threat protection network of claim 1, wherein the server is configured to update the threat definition data based upon determinations made by the expert system.
  - 5. The threat protection network of claim 4, wherein the server is configured to notify clients that updated threat definition data is available.
  - 7. The threat protection network of claim 1, wherein the server is configured to:
    - receive a signature of the suspicious file from the client computer;
      
      compare the signature with threat definition data comprising signatures of known threat files;
      
      compare the signature with data comprising signatures of suspicious files reported from other client computers; and
      
      if the signature is not found in the signatures of suspicious files reported from other client computers;
      
      request a copy of the suspicious file; and
      
      receive the suspicious file.
  - 8. The threat protection network of claim 1:
    - wherein the at least one test computer includes multiple test computers;
      
      wherein at least two of the test computers use different operating systems.
  - 9. The threat protection network of claim 8, wherein at least two of the test computers use different versions of the same operating system.
  - 10. The threat protection network of claim 1, wherein the expert system is configured to assign a score to a potential threat.
  - 11. The threat protection network of claim 10, wherein a score above a first threshold is indicative of an actual threat.
  - 12. The threat protection network of claim 1, wherein the determination of whether the suspicious file is an actual threat by the expert system is automatic.
  - 14. The computer of claim 2, wherein:
    - the identified file includes a header; and
      
      the signature includes a checksum generated using at least one bit from the file header.
  - 15. The computer of claim 2, wherein:
    - the identified file includes a header and a body; and
      
      the signature includes a checksum generated using at least one bit from a location within the file body.
  - 16. The computer of claim 2, wherein:
    - the client computer is configured to compare the signature to;
      
      a first set of previously generated signatures to determine whether the source is safe; and
      
      a second set of previously generated signatures to determine whether the source is a threat; and
      
      the client computer is configured to obtain updated threat definition data via a secure distribution network.

6. A threat protection network for detecting and analyzing suspicious files in real-time, comprising:
- at least one client computer connected to a network;
  
  a server that stores threat definition data and is connected to the network;
  
  an expert system in communication with the server;
  
  at least one test computer connected to the expert system;
  
  wherein the client computer is configured to identify a suspicious file on the client computer;
  
  wherein the client computer is configured to automatically notify the server of the suspicious file;
  
  wherein the server is configured to send the suspicious file to the expert system;
  
  wherein the expert system is configured to determine whether the suspicious file is an actual threat by exposing the at least one test computer to the suspicious file and analyzing the behavior of the suspicious file on the at least one test computer;
  
  wherein the expert system is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file;
  
  wherein the server is configured to update the threat definition data based upon determinations made by the expert system;
  
  wherein the server and client computers form a secure distribution network; and
  
  wherein the updated threat definition data is distributed to client computers via the secure distribution network.

13. A threat protection network for detecting and analyzing suspicious files in real-time, comprising:
- at least one client computer connected to a network;
  
  a server that stores threat definition data and is connected to the network;
  
  an expert system in communication with the server; and
  
  at least one test computer connected to the expert system;
  
  wherein the client computer is configured to identify a suspicious file on the client computer;
  
  wherein the client computer is configured to automatically notify the server of the suspicious file;
  
  wherein the server is configured to send the suspicious file to the expert system;
  
  wherein the expert system is configured to determine whether the suspicious file is an actual threat by exposing the at least one test computer to the suspicious file and analyzing the behavior of the suspicious file on the at least one test computer;
  
  wherein the expert system is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file; and
  
  wherein the expert system is configured to refer the suspicious file to an operator in circumstances where the expert system is incapable of conclusively determining the nature of the suspicious file.

17. A threat identification system configured to evaluate suspicious files discovered on a remote computer system, comprising:
- an expert system installed on a host computer; and
  
  at least one test computer connected to the host computer;
  
  wherein the expert system is configured to receive a suspicious file from a server via a network;
  
  wherein the expert system is configured to expose the at least one test computer to the suspicious file;
  
  wherein the expert system is configured to analyze the behavior of the suspicious file on the at least one test computer;
  
  wherein the expert system is configured to determine a score based upon the analyzed behavior and a set of predetermined criteria; and
  
  wherein the expert system is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The threat identification system of claim 17, wherein the expert system determines whether the suspicious file is an actual threat based upon the score.
  - 19. The threat identification system of claim 17, wherein the expert system is configured to determine that:
    - a score above a first threshold constitutes a threat; and
      
      a score below a second threshold constitutes no threat.
  - 20. The threat identification system of claim 19, wherein the first threshold and second threshold have the same value.
  - 21. The threat identification system of claim 17, wherein at least two of the test computers use different operating systems.
  - 22. The threat identification system of claim 17, wherein at least two of the test computers use different versions of the same operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberDefender Corp.
Original Assignee
CyberDefender Corp.
Inventors
Liu, Bing
Primary Examiner(s)
ZIA, SYED

Application Number

US11/234,531
Publication Number

US 20060075504A1
Time in Patent Office

1,881 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 11/2294   by remote test

G06F 21/1077   Recurrent authorisation

G06F 21/568   eliminating virus, restorin...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0428   wherein the data content is...

H04L 63/102   Entity profiles

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

H04L 67/104   Peer-to-peer [P2P] networks

H04L 67/1057   involving pre-assessment of...

H04L 67/1063   Discovery through centralis...

H04L 67/1072   Discovery involving ranked ...

H04L 67/108   characterised by resources ...

H04L 69/329   in the application layer [O...

Threat protection network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

110 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Threat protection network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links