Content tracking in a network security system

US 7,895,651 B2
Filed: 07/29/2005
Issued: 02/22/2011
Est. Priority Date: 07/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method for use in a system with a server and one or more associated host computers (hosts), the method comprising:

maintaining on a server, for a plurality of files, a set of server meta-information including, for each unique file content signature, a signature of the contents of the file, a date the file or the signature is first reported by one of the hosts to the server, and state data indicating whether and with what conditions certain file operations can be performed by hosts on the file;

maintaining on the hosts, for a plurality of files, a set of meta-information in a host cache including, for each file the state data and the signature of the file contents;

detecting on the host possible changes to file content or name, and updating host and/or server meta-information;

the server providing to the hosts changes in the server meta-information;

for each host, maintaining a separate name cache with a file name and state data; and

wherein, in response to a request for a file operation of the file, the host accesses the name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and unwanted or unknown software. The system can implement centralized policies that allow an administrator to approve, block, quarantine, or log file activities. The system maintains file meta-information in the hosts and in the server. A host detects file operations which can cause changes to file content or file name, and updates the host and/or server meta-information as a result. Changes in server meta-information are made available to hosts.

648 Citations

45 Claims

1. A method for use in a system with a server and one or more associated host computers (hosts), the method comprising:
- maintaining on a server, for a plurality of files, a set of server meta-information including, for each unique file content signature, a signature of the contents of the file, a date the file or the signature is first reported by one of the hosts to the server, and state data indicating whether and with what conditions certain file operations can be performed by hosts on the file;
  
  maintaining on the hosts, for a plurality of files, a set of meta-information in a host cache including, for each file the state data and the signature of the file contents;
  
  detecting on the host possible changes to file content or name, and updating host and/or server meta-information;
  
  the server providing to the hosts changes in the server meta-information;
  
  for each host, maintaining a separate name cache with a file name and state data; and
  
  wherein, in response to a request for a file operation of the file, the host accesses the name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1, wherein the signature of the contents includes the results of one or more cryptographic hashes of the contents of the file.
  - 3. The method of claim 2, further comprising, for embedded active content in a file, extracting the content from the file, performing a cryptographic hash of the content, and saving the hash of the active content.
  - 4. The method of claim 3, wherein, prior to performing a cryptographic hash, the active content is provided in a valid formatted file to produce a reduced file.
  - 5. The method of claim 4, wherein the active content includes a macro, and the valid formatted file includes a word processing document.
  - 6. The method of claim 3, wherein the host associates the active content with the file from which the active content was extracted.
  - 7. The method of claim 1, further comprising, for each host, maintaining a separate name cache with a file name and state data.
  - 8. The method of claim 1, wherein, if the host cache does not have data to determine whether the file operation is allowed, the host queries the server and uploads the file or signature of the contents of the file to the server.
  - 9. The method of claim 8, wherein the server, in response to an uploaded file or signature of the contents of the file, causes one or more analyses to be performed, including anti-virus or anti-spyware scanning.
  - 10. The method of claim 9, wherein the file operation is allowed to proceed before the analyses are complete.
  - 11. The method of claim 9, wherein, if the analyses indicate that certain file operations should not be allowed, the server causing the hosts to update their meta-information to indicate that the certain file operations are not allowed for that file for subsequent attempts.
  - 12. The method of claim 9, wherein, if the analyses indicate that certain file operations should be allowed, the server causing the hosts to update their meta-information to indicate that the certain file operations are allowed for that file for subsequent attempts.
  - 13. The method of claim 9, wherein, if it is undetermined whether certain file operations should be allowed, the hosts update their meta-information to indicate that certain file operations are allowed for that file for subsequent attempts only under certain conditions.
  - 14. The method of claim 1, wherein, in response to a host receiving a request for a file operation on a file, the host accesses the host cache to determine the state, and if there is a cache miss, the host delays the file operation while the system performs further analyses.
  - 15. The method of claim 14, wherein the file operations include execution, file read, and file write.
  - 16. The method of claim 1, wherein the further analyses include one or more of the following:
    - anti-virus scanning, spyware scanning, comparing to a list of known files or contents, and comparing to results provided by other servers.
  - 17. The method of claim 1, wherein the state data includes whether a file operation is banned based on the content of the file, banned based on the path and name of the file, approved, approved locally by the host, or allowed or banned pending further analysis.
  - 18. The method of claim 1, wherein the server further maintains data indicating when the file or the hash of the file contents was first seen by the server.
  - 19. The method of claim 1, wherein the server further maintains data indicating, the last time the file was modified.
  - 20. The method of claim 1, wherein the state data includes data indicating that a file operation is banned for some hosts and allowed for others.
  - 21. The method of claim 1, wherein the server maintains a count of how many hosts have a copy of a file.
  - 22. The method of claim 21, wherein the server uses the count of how many hosts have a copy of a file, compares the count to a threshold, and bans hosts from a file operation after the count has exceeded the threshold.
  - 23. The method of claim 22, wherein the server maintains data indicating analysis results and recommended states.
  - 24. The method of claim 1, wherein the meta-information saved in the host further includes a file path name, a date first seen, and a last modified date.
  - 25. The method of claim 1, wherein all files on host storage are analyzed as if a change occurred on each file, the analysis being triggered automatically to synchronize host states with server states.
  - 26. The method of claim 1, wherein the meta-information for each file on the server includes data regarding the name of the file.
  - 27. The method of claim 1, wherein the server provides changes in meta-information to the hosts by posting changes in the meta-information in a manner accessible to the hosts, and the hosts accessing the posted changes and modifying the meta-information on the hosts.

28. A method for use in a system with a server and associated host computers (hosts), the method comprising:
- maintaining on a server, for a plurality of files, a set of meta-information including, for each unique file content signature, a signature of the contents of the file, state data indicating whether and with what conditions certain file operations can be performed by hosts on the file, and a time when the file or the signature was first seen;
  
  maintaining on the hosts, for a plurality of files, a set of meta-information including, for each file the state data, the signature of the file contents and the file pathname;
  
  a host detecting possible changes to file content or name, and updating server meta-information; and
  
  the server providing to the hosts changes in the server meta-information;
  
  for each host, maintaining a separate name cache with a file name and state data; and
  
  in response to server providing to the hosts changes in the server meta-information, the host accesses name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.
- View Dependent Claims (29, 30, 31)
- - 29. The method of claim 28, wherein the file is uploaded to the server if the server does not already have meta-information for the file.
  - 30. The method of claim 29, wherein the server performs one or more hashes of the contents of the file and compares the one or more hashes to the hashes performed by the host.
  - 31. The method of claim 28, wherein the host accesses a first cache that stores information based on the file name and a second cache that stores information based on a hash of the file contents.

32. A method for use in a system with a server and associated host computers (hosts), the method comprising:
- maintaining on a server for a plurality of files a set of meta-information including, for each unique file content signature, state data indicating whether and with what conditions certain operations associated with the file are banned, allowed, or not yet fully determined;
  
  maintaining on the hosts for a plurality of files a set of meta-information including, for each file, the state data;
  
  detecting on the host possible changes to file content or name, and updating host and/or server meta-information;
  
  the server providing to the hosts changes in the server meta-information;
  
  in response to there being no entry for the file in the server or state not yet fully determined, the server performing analyses of the file; and
  
  for each host, maintaining a separate name cache with a file name and state data; and
  
  wherein, in response to a request for a file operation of the file, the host accesses the name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.
- View Dependent Claims (33, 34, 35)
- - 33. The method of claim 32, wherein the server causes one or more of anti-virus or anti-spyware scanning.
  - 34. The method of claim 33, wherein the server later determines whether file operations should be banned or allowed for a particular file, the server causing this change in state to be propagated to the hosts.
  - 35. The method of claim 34, wherein the server propagates by posting the changes in meta-information, such that the hosts access and retrieve the changes.

36. A system comprising:
- a server;
  
  a plurality of host computers (hosts) associated with the server;
  
  the server having a server memory for maintaining a plurality of files a set of meta-information including, for each file, data regarding the name of the file, a signature of the contents of the file, and state data indicating whether and with what conditions certain operations associated with the file are banned, allowed, or not yet determined;
  
  each of the hosts having a local memory for maintaining for a plurality of files a set of meta-information including, for each file, the state data and the signature;
  
  detecting on the host possible changes to file content or name, and updating host and/or server meta-information;
  
  the server causing changes in the server meta-information to be provided to the hosts;
  
  for each host, maintaining a separate name cache with a file name and state data; and
  
  wherein, in response to a request for a file operation of the file, the host accesses the name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44)
- - 37. The method of claim 36, wherein the server provides changes by posting the changes in a manner accessible to the hosts, and allowing the hosts to access the posted changes so that the hosts modify the meta-information on the hosts.
  - 38. The system of claim 36, wherein the signature of the contents includes the results of one or more cryptographic hashes of the contents of the file.
  - 39. The system of claim 36, wherein each host has a separate name cache with a file name and state data.
  - 40. The system of claim 36, wherein, in response to a host receiving a request for a file operation on a file, the host accesses the host cache to determine the state, and if there is a cache miss, the host delaying the file operation while the system performs further analyses.
  - 41. The system of claim 36, wherein the server further maintains data indicating when the file or file content hash was first seen by the server.
  - 42. The system of claim 36, wherein the server further maintains data indicating the last time the file was modified.
  - 43. The system of claim 36, wherein the server maintains a count of how many hosts have a copy of a file.
  - 44. The system of claim 36, wherein the meta-information saved in the host further includes a file path name, a date first seen, and a last modified date.

45. A method for use in a system with a server and one or more associated host computers (hosts), the method comprising:
- maintaining on a server, for a plurality of files, a set of server meta-information including, for each unique file content signature, a signature of the contents of the file, a date the file or the signature is first identified, and state data indicating whether and with what conditions certain file operations can be performed on the file; and
  
  maintaining on the hosts, for a plurality of files, a set of meta-information in a host cache including, for each file the state data and the signature of the file contents;
  
  the server detecting possible changes to file content or name in the system, and updating server meta-information;
  
  the server providing to the hosts changes in the server meta-information;
  
  for each host, maintaining a separate name cache with a file name and state data; and
  
  wherein, in response to a request for a file operation of the file, the host accesses the name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Original Assignee
Bit 7, Inc. (Bb7 LLC)
Inventors
Brennan, Todd
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Powers; William S

Application Number

US11/193,292
Publication Number

US 20070028303A1
Time in Patent Office

2,034 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/14   for detecting or protecting...

H04L 63/20   for managing network securi...

Content tracking in a network security system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

648 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Content tracking in a network security system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

648 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links