Risk profiling

US 7,895,448 B1
Filed: 02/18/2004
Issued: 02/22/2011
Est. Priority Date: 02/18/2004
Status: Active Grant

First Claim

Patent Images

1. A method for providing computer security, comprising:

determining, using at least one computer processor, whether an executable associated with a static state meets one or more first predetermined criteria, the determination not requiring a known executable, other than the executable associated with the static state, or analysis of behavior of the executable and including a determination of at least one of;

whether the executable is configured as a service and whether the executable is configured to run under a highly privileged account;

associating a first risk level with the executable based at least in part upon whether the executable meets the one or more first predetermined criteria;

determining whether a current process associated with the executable meets one or more second predetermined criteria;

associating a second risk level with the current process based at least in part upon whether the current process meets the one or more second predetermined criteria, wherein the current process is initially associated with the first risk level, and wherein the first risk level is updated to the second risk level for the current process based at least in part upon whether the current process meets the one or more second predetermined criteria; and

performing a predetermined responsive action with respect to the process if the second risk level exceeds a threat detection threshold;

wherein determining whether the executable meets the one or more first predetermined criteria does not comprise comparing the executable with a virus signature.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for providing computer security is provided. Providing computer security comprises providing an executable associated with a static state, determining whether the executable meets a predetermined criterion, and associating a risk level with the criterion if it is determined that the executable meets the predetermined criterion. Determining whether the executable meets a predetermined criterion does not compare the executable with a virus signature.

Citations

26 Claims

1. A method for providing computer security, comprising:
- determining, using at least one computer processor, whether an executable associated with a static state meets one or more first predetermined criteria, the determination not requiring a known executable, other than the executable associated with the static state, or analysis of behavior of the executable and including a determination of at least one of;
  
  whether the executable is configured as a service and whether the executable is configured to run under a highly privileged account;
  
  associating a first risk level with the executable based at least in part upon whether the executable meets the one or more first predetermined criteria;
  
  determining whether a current process associated with the executable meets one or more second predetermined criteria;
  
  associating a second risk level with the current process based at least in part upon whether the current process meets the one or more second predetermined criteria, wherein the current process is initially associated with the first risk level, and wherein the first risk level is updated to the second risk level for the current process based at least in part upon whether the current process meets the one or more second predetermined criteria; and
  
  performing a predetermined responsive action with respect to the process if the second risk level exceeds a threat detection threshold;
  
  wherein determining whether the executable meets the one or more first predetermined criteria does not comprise comparing the executable with a virus signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method for providing computer security as recited in claim 1, wherein the first risk level indicates a level of potential risk that will be brought by operating the executable.
  - 3. The method for providing computer security as recited in claim 1, wherein the first risk level indicates how much risk the executable presents.
  - 4. The method for providing computer security as recited in claim 1, wherein the predetermined criterion includes a configuration criterion.
  - 5. The method for providing computer security as recited in claim 1, wherein the predetermined criterion is used to determine whether the executable is installed via a standard procedure.
  - 6. The method for providing computer security as recited in claim 1, wherein the predetermined criterion is used to determine whether the executable has sufficient access control.
  - 7. The method for providing computer security as recited in claim 1, wherein the predetermined criterion is used to determine whether the executable is modified.
  - 8. The method for providing computer security as recited in claim 1, wherein the predetermined criterion is used to determine whether the executable is signed.
  - 9. The method for providing computer security as recited in claim 1, wherein the predetermined criterion is used to determine whether the executable has a modified date different from created date.
  - 10. The method for providing computer security as recited in claim 1, wherein the predetermined criterion includes a capability criterion.
  - 11. The method for providing computer security as recited in claim 1, wherein the predetermined criterion is used to determine whether the executable has networking capability.
  - 12. The method for providing computer security as recited in claim 1, wherein the predetermined criterion is used to determine whether the executable has privilege manipulation capability.
  - 13. The method for providing computer security as recited in claim 1, wherein the predetermined criterion is used to determine whether the executable has remote process capability.
  - 14. The method for providing computer security as recited in claim 1, wherein the predetermined criterion is used to determine whether the executable has process launching capability.
  - 15. The method for providing computer security as recited in claim 1, wherein the predetermined criterion is used to determine whether the executable has secure coding violation.
  - 16. The method for providing computer security as recited in claim 1, further comprising associating with the executable a risk type indicating a type of risk to which the executable is vulnerable.
  - 17. The method for providing computer security as recited in claim 1, further comprising analyzing historical evidence.
  - 18. The method for providing computer security as recited in claim 1, further comprising analyzing historical evidence, wherein the historical evidence includes a record of activities.
  - 19. The method for providing computer security as recited in claim 1, further comprising analyzing historical evidence, wherein the historical evidence includes a log file.
  - 20. The method for providing computer security as recited in claim 1, further comprising analyzing historical evidence, wherein the historical evidence includes a system optimization file.
  - 21. The method for providing computer security as recited in claim 1, further comprising analyzing historical evidence, wherein the historical evidence includes a crash dump file.
  - 22. The method for providing computer security as recited in claim 1, further comprising analyzing historical evidence, wherein the historical evidence includes a prefetch file.
  - 23. The method for providing computer security as recited in claim 1, further comprising performing a dynamic risk analysis.
  - 24. The method for providing computer security as recited in claim 1, further comprising determining whether the predetermined responsive action is required.

25. A system for providing computer security, comprising:
- a processor configured to;
  
  determine whether an executable associated with a static state meets one or more first predetermined criteria, the determination not requiring a known executable, other than the executable associated with the static state, or analysis of behavior of the executable and including a determination of at least one of;
  
  whether the executable is configured as a service and whether the executable is configured to run under a highly privileged account;
  
  associate a first risk level with the executable based at least in part upon whether the executable meets the one or more first predetermined criteria;
  
  determine whether a current process associated with the executable meets one or more second predetermined criteria;
  
  associate a second risk level with the current process based at least in part upon whether the current process meets the one or more second predetermined criteria, wherein the current process is initially associated with the first risk level, and wherein the first risk level is updated to the second risk level for the current process based at least in part upon whether the current process meets the one or more second predetermined criteria; and
  
  perform a predetermined responsive action with respect to the process if the second risk level exceeds a threat detection threshold;
  
  wherein determining whether the executable meets the one or more first predetermined criteria does not comprise comparing the executable with a virus signature; and
  
  a memory, coupled with the processor, configured to provide the processor with instructions.

26. A computer program product for providing computer security, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- determining whether an executable associated with a static state meets one or more first predetermined criteria, the determination not requiring a known executable, other than the executable associated with the static state, or analysis of behavior of the executable and including a determination of at least one of;
  
  whether the executable is configured as a service and whether the executable is configured to run under a highly privileged account;
  
  associating a first risk level with the executable based at least in part upon whether the executable meets the one or more first predetermined criteria;
  
  determining whether a current process associated with the executable meets one or more second predetermined criteria;
  
  associating a second risk level with the current process based at least in part upon whether the current process meets the one or more second predetermined criteria, wherein the current process is initially associated with the first risk level, and wherein the first risk level is updated to the second risk level for the current process based at least in part upon whether the current process meets the one or more second predetermined criteria; and
  
  performing a predetermined responsive action with respect to the process if the second risk level exceeds a threat detection threshold;
  
  wherein determining whether the executable meets the one or more first predetermined criteria does not comprise comparing the executable with a virus signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US10/782,396
Time in Patent Office

2,561 Days
Field of Search

713/193, 713/189, 713/188, 713/187, 713/24, 713/25, 713/26, 726/22, 726/25, 726/24, 726/26, 726/187, 726/188
US Class Current

713/188
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

Risk profiling

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Risk profiling

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links