Automated immune response for a computer
Abstract
Systems, methodologies, media, and other embodiments associated with making an automated immune response on a computer that may be infected with a malicious software like a virus are described. One exemplary system embodiment includes a behavior logic that facilitates identifying that a computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software. The exemplary system embodiment may also include an immune response logic that is configured to facilitate identifying a process and/or program related to the behavior. The immune response logic may be configured to automatically make an immune response with respect to the process and/or program.
28 Claims
1. A system operably connectable to a computer, the system comprising:
- a behavior logic stored on a computer-readable recording medium, configured to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software; and
- an immune response logic stored on a computer-readable recording medium, configured to identify that a request to connect to a remote host has been made, identify the remote host to which the request applies, identify a rate at which attempts to connect to remote hosts are being made by processes executing on the computer to identify that the computer is exhibiting the behavior, identify a process that is related to the behavior and that is executing on the computer, the immune response logic also being configured to automatically make an immune response with respect to the process,
- the behavior logic and the immune response logic being configured to operate substantially in parallel with each other and with an operating system executing on the computer.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A system operably connectable to a computer, the system comprising:
- a behavior logic stored on a computer-readable recording medium, configured to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software; and
- an immune response logic stored on a computer-readable recording medium, configured to identify a process that is related to the behavior and that is executing on the computer,
- the immune response logic also being configured to automatically make an immune response with respect to the process, the immune response being one of, generating a process purging signal, quarantining the executing process, deleting the executing process, modifying the executing process, adjusting a scheduling priority for the executing process, and de-activating the executing process,
- the immune response logic being configured to identify that the computer is exhibiting the behavior by identifying that a request to connect to a remote host has been made, by identifying the remote host to which the request applies, and by identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer,
- the immune response logic also being configured to identify a program from which the executing process is descended and to make a program immune response with respect to the program, the program immune response being one of, generating a program purging signal, quarantining the program, deleting the program, renaming the program, modifying the program, changing a permission for the program, and moving the program,
- the immune response logic also being configured to identify one or more second processes descended from the program and to automatically make an immune response with respect to the one or more second processes,
- the behavior logic and the immune response logic being configured to operate substantially in parallel with each other and with an operating system executing on the computer,
- the behavior logic being configured to selectively delay the request to connect to the remote host based, at least in part, on whether the remote host is a member of a set of remote hosts with which the computer has communicated within a pre-defined, configurable period of time and to selectively increase a time period by which the request to connect is delayed based, at least in part, on the rate at which attempts to connect to remote hosts are being made by processes executing on the computer.
12. A computer-readable recording medium storing processor executable instructions operable to perform a computer-executable method, the computer-executable method comprising:
- identifying that a request to connect to a remote host has been made;
- identifying the remote host to which the request applies;
- identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer;
- comparing the rate to a non-infected behavior of the computer; and
- selectively automatically taking a counter-infection action based, at least in part, on determining that the operating behavior deviates by more than a pre-determined, configurable amount from the non-infected behavior, the counter-infection action being directed towards at least one executable that is at least partly responsible for the operating behavior deviating by more than the pre-determined, configurable amount.
Dependent claims: 13, 14, 15, 16, 17
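The selective delay recited in claim 11 and the baseline comparison recited in claim 12, sketched as an added example that is not code from the patent. The class name, thresholds, per-process rate attribution and response labels are assumptions, and the delay is returned to the caller rather than enforced.

```python
from collections import defaultdict, deque

class ConnectionThrottle:
    """Delay connects to unfamiliar hosts; flag a process whose new-host rate is abnormal."""

    def __init__(self, recent_window=60.0, rate_window=1.0,
                 baseline_rate=1.0, deviation=5.0, base_delay=0.5):
        self.recent_window = recent_window  # seconds a contacted host stays "familiar"
        self.rate_window = rate_window      # seconds over which the rate is measured
        self.baseline_rate = baseline_rate  # assumed non-infected new-host rate (per second)
        self.deviation = deviation          # configurable allowed excess over the baseline
        self.base_delay = base_delay        # seconds of delay at or below the baseline
        self.recent = {}                    # host -> time of last contact
        self.attempts = defaultdict(deque)  # pid -> times of recent new-host attempts

    def request(self, pid, host, now):
        """Return (delay_seconds, response) for one connect request."""
        self.recent = {h: t for h, t in self.recent.items()
                       if now - t <= self.recent_window}
        if host in self.recent:             # familiar host: no delay
            self.recent[host] = now
            return 0.0, "allow"
        window = self.attempts[pid]
        window.append(now)
        while now - window[0] > self.rate_window:
            window.popleft()
        rate = len(window) / self.rate_window
        delay = self.base_delay * max(1.0, rate / self.baseline_rate)
        if rate - self.baseline_rate > self.deviation:
            return delay, "quarantine"      # respond against the responsible process
        self.recent[host] = now             # released after the delay, now familiar
        return delay, "delay"

# Constructed sample traffic: (time, pid, remote host).
EVENTS = [(0.0, 100, "mail.example"), (0.2, 100, "mail.example"),
          (3.0, 100, "news.example"), (3.5, 100, "mail.example")]
EVENTS += [(10.0 + 0.05 * i, 200, f"192.0.2.{i + 1}") for i in range(10)]

def replay(events):
    """Feed events through a fresh throttle; rows are (pid, host, delay, response)."""
    throttle = ConnectionThrottle()
    return [(pid, host) + throttle.request(pid, host, now)
            for now, pid, host in events]

if __name__ == "__main__":
    for row in replay(EVENTS):
        print(row)
```

Process 100 revisits a small set of hosts and is never delayed beyond the base value, while process 200 contacts ten new addresses in half a second, sees its delay grow with each attempt, and is flagged once its rate exceeds the baseline by more than the configured deviation.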
18. A system, comprising:
- means for identifying that a request to connect to a remote host has been made from a computer;
- means for identifying the remote host to which the request applies;
- means for identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer to identify that the computer may be infected with a virus;
- means for identifying an executable running on the computer that may be affected by the virus;
- means for identifying a non-executing program residing on the computer, the executable being derived from the non-executing program; and
- means for automatically manipulating the executable and the non-executing program based, at least in part, on determining that the computer may be infected by a virus,
- wherein at least one of the means for determining that the computer may be infected with the virus without analyzing the virus signature, means for identifying the executable running on the computer that may be affected by the virus, means for identifying the non-executing program residing on the computer, and the means for automatically manipulating the executable and the non-executing program includes a processor.
19. A method comprising:
- identifying that a request to connect to a remote host has been made from a computer;
- identifying the remote host to which the request applies;
- identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by malicious software;
- identifying a process that is related to the behavior and that is executing on the computer; and
- automatically making an immune response with respect to the process,
- wherein making the immune response and identifying the process are performed substantially in parallel.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28
Specification