Automated immune response for a computer

US 7,877,803 B2
Filed: 06/27/2005
Issued: 01/25/2011
Est. Priority Date: 06/27/2005
Status: Active Grant

First Claim

Patent Images

1. A system operably connectable to a computer, the system comprising:

a behavior logic stored on a computer-readable recording medium, configured to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software; and

an immune response logic stored on a computer-readable recording medium, configured to identify that a request to connect to a remote host has been made, identify the remote host to which the request applies, identify a rate at which attempts to connect to remote hosts are being made by processes executing on the computer to identify that the computer is exhibiting the behavior, identify a process that is related to the behavior and that is executing on the computer, the immune response logic also being configured to automatically make an immune response with respect to the process,the behavior logic and the immune response logic being configured to operate substantially in parallel with each other and with an operating system executing on the computer.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methodologies, media, and other embodiments associated with making an automated immune response on a computer that may be infected with a malicious software like a virus are described. One exemplary system embodiment includes a behavior logic that faciltates identifying that a computer is exibiting a behavior that indicates that the computer may be infected by a malicious software. The exemplary system embodiment may also include an immune response logic that is configured to facilitate identifying a process and/or program related to the behavior. The immune response logic may be configured to automatically make an immune response with respect to the process and/or program.

288 Citations

28 Claims

1. A system operably connectable to a computer, the system comprising:
- a behavior logic stored on a computer-readable recording medium, configured to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software; and
  
  an immune response logic stored on a computer-readable recording medium, configured to identify that a request to connect to a remote host has been made, identify the remote host to which the request applies, identify a rate at which attempts to connect to remote hosts are being made by processes executing on the computer to identify that the computer is exhibiting the behavior, identify a process that is related to the behavior and that is executing on the computer, the immune response logic also being configured to automatically make an immune response with respect to the process,the behavior logic and the immune response logic being configured to operate substantially in parallel with each other and with an operating system executing on the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, the behavior logic being configured to selectively delay the request to connect to the remote host based, at least in part, on whether the remote host is a member of a set of remote hosts with which the computer has communicated within a pre-defined, configurable period of time and to selectively increase a time period by which the request to connect is delayed based, at least in part, on the rate at which attempts to connect to remote hosts are being made by processes executing on the computer.
  - 3. The system of claim 1, where identifying the process that is related to the behavior includes identifying an executing process that initiated the request to connect.
  - 4. The system of claim 3, where identifying the executing process includes determining a relationship between an executable and a local communications socket port to which the executable attempts to bind.
  - 5. The system of claim 3, the immune response being one of, generating a process purging signal, quarantining the executing process, deleting the executing process, modifying the executing process, adjusting a scheduling priority for the executing process, and de-activating the executing process.
  - 6. The system of claim 3, the immune response logic being configured to identify a program from which the executing process is descended and to make a program immune response with respect to the program.
  - 7. The system of claim 6, the program immune response being one of, generating a program purging signal, quarantining the program, deleting the program, renaming the program, modifying the program, changing a permission for the program, and moving the program.
  - 8. The system of claim 6, the immune response logic being configured to identify one or more second processes descended from the program and to automatically make an immune response with respect to the one or more second processes.
  - 9. The system of claim 1, including a probability logic stored on a computer-readable recording medium, configured to assign a weighted probability to the process that has made the connection request to the remote host, the weighted probability describing a likelihood that the process is associated with a malicious software, the probability logic also being configured to establish a rank for the process relative to other processes with respect to a likelihood that the process is associated with a malicious software.
  - 10. The system of claim 9, the immune response logic being configured to automatically make an immune response based, at least in part, on the weighted probability and the rank for the process, to identify a program from which the process is descended and to take a program immune response action with respect to the program, and to identify one or more second processes that are descendants of the program and to make an immune response with respect to the second processes.

11. A system operably connectable to a computer, the system comprising:
- a behavior logic stored on a computer-readable recording medium, configured to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by a malicious software; and
  
  an immune response logic stored on a computer-readable recording medium, configured to identify a process that is related to the behavior and that is executing on the computer, the immune response logic also being configured to automatically make an immune response with respect to the process, the immune response being one of, generating a process purging signal, quarantining the executing process, deleting the executing process, modifying the executing process, adjusting a scheduling priority for the executing process, and de-activating the executing process, the immune response logic being configured to identify that the computer is exhibiting the behavior by identifying that a request to connect to a remote host has been made, by identifying the remote host to which the request applies, and by identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer, the immune response logic also being configured to identify a program from which the executing process is descended and to make a program immune response with respect to the program, the program immune response being one of, generating a program purging signal, quarantining the program, deleting the program, renaming the program, modifying the program, changing a permission for the program, and moving the program, the immune response logic also being configured to identify one or more second processes descended from the program and to automatically make an immune response with respect to the one or more second processes,the behavior logic and the immune response logic being configured to operate substantially in parallel with each other and with an operating system executing on the computer,the behavior logic being configured to selectively delay the request to connect to the remote host based, at least in part, on whether the remote host is a member of a set of remote hosts with which the computer has communicated within a pre-defined, configurable period of time and to selectively increase a time period by which the request to connect is delayed based, at least in part, on the rate at which attempts to connect to remote hosts are being made by processes executing on the computer.

12. A computer-readable recording medium storing processor executable instructions operable to perform a computer-executable method, the computer-executable method comprising:
- identifying that a request to connect to a remote host has been made;
  
  identifying the remote host to which the request applies;
  
  identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer;
  
  comparing the rate to a non-infected behavior of the computer; and
  
  selectively automatically taking a counter-infection action based, at least in part, on determining that the operating behavior deviates by more than a pre-determined, configurable amount from the non-infected behavior, the counter-infection action being directed towards at least one executable that is at least partly responsible for the operating behavior deviating by more than the pre-determined, configurable amount.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, the operating behavior being related to a number of connection requests being made to remote hosts by executables running on the computer and an identity of the remote hosts for which the connection requests are intended.
  - 14. The method of claim 13, the counter-infection action comprising:
    - identifying an executable responsible for making a connection request; and
      
      automatically performing one or more of, terminating the executable, delaying the executable, destroying the executable, modifying the executable, changing a scheduling priority for the executable, and quarantining the executable.
  - 15. The method of claim 14, the counter-infection action comprising:
    - identifying a non-executing program from which the executable is descended; and
      
      automatically performing one or more of, destroying the non-executing program, modifying the non-executing program, relocating the non-executing program, renaming the non-executing program, changing an operating attribute of the non-executing program, and preventing additional executables from being descended from the non-executing program.
  - 16. The method of claim 15, where the counter-infection action to be taken is determined by a configuration option accessible to a user.
  - 17. The method of claim 14, where a process and a program file can be designated by a user to be exempt from experiencing a counter-infection action.

18. A system, comprising:
- means for identifying that a request to connect to a remote host has been made from a computer;
  
  means for identifying the remote host to which the request applies;
  
  means for identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer to identify that the computer may be infected with a virus;
  
  means for identifying an executable running on the computer that may be affected by the virus;
  
  means for identifying a non-executing program residing on the computer, the executable being derived from the non-executing program; and
  
  means for automatically manipulating the executable and the non-executing program based, at least in part, on determining that the computer may be infected by a virus, wherein at least one of the means for determining that the computer may be infected with the virus without analyzing the virus signature, means for identifying the executable running on the computer that may be affected by the virus, means for identifying the non-executing program residing on the computer, and the means for automatically manipulating the executable and the non-executing program includes a processor.

19. A method comprising:
- identifying that a request to connect to a remote host has been made from a computer;
  
  identifying the remote host to which the request applies;
  
  identifying a rate at which attempts to connect to remote hosts are being made by processes executing on the computer to identify that the computer is exhibiting a behavior that indicates that the computer may be infected by malicious software;
  
  identifying a process that is related to the behavior and that is executing on the computer; and
  
  automatically making an immune response with respect to the process, wherein making the immune response and identifying the process are performed substantially in parallel.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The method of claim 19, further comprising selectively delaying the request to connect to the remote host based, at least in part, on whether the remote host is a member of a set of remote hosts with which the computer has communicated within a configurable period of time and to selectively increase a time period by which the request to connect is delayed based, at least in part, on the rate at which attempts to connect to remote hosts are being made by processes executing on the computer.
  - 21. The method of claim 19, wherein identifying the process that is related to the behavior includes identifying an executing process that initiated the request to connect.
  - 22. The method of claim 21, wherein identifying the executing process includes determining a relationship between an executable and a local communications socket port to which the executable attempts to bind.
  - 23. The method of claim 21, wherein the immune response is to at least one of, generate a process purging signal, quarantine the executing process, delete the executing process, modify the executing process, adjust a scheduling priority for the executing process, and de-activate the executing process.
  - 24. The method of claim 21, further comprising identifying a program from which the executing process is descended and making a program immune response with respect to the program.
  - 25. The method of claim 24, wherein the program immune response is to at least one of, generate a program purging signal, quarantine the program, delete the program, renaming the program, modify the program, change a permission for the program, and move the program.
  - 26. The system of claim 24, further comprising identifying one or more second processes descended from the program and automatically making an immune response with respect to the one or more second processes.
  - 27. The system of claim 19, further comprising assigning a weighted probability to the process that has made the connection request to the remote host, the weighted probability describing a likelihood that the process is associated with malicious software and establishing a rank for the process relative to other processes with respect to a likelihood that the process is associated with malicious software.
  - 28. The system of claim 27, further comprising:
    - automatically making the immune response based, at least in part, on the weighted probability and the rank for the process;
      
      identifying a program from which the process is descended;
      
      taking a program immune response action with respect to the program;
      
      identifying one or more second processes that are descendants of the program; and
      
      making an immune response with respect to the second processes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Cureington, James Anthony, Enstone, Mark Richard
Primary Examiner(s)
Revak; Christopher A

Application Number

US11/167,346
Publication Number

US 20060294590A1
Time in Patent Office

2,038 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

H04L 63/1425   Traffic logging, e.g. anoma...

Automated immune response for a computer

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

288 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Automated immune response for a computer

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

288 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links