Detecting and countering malicious code in enterprise networks
Abstract
A system and method for detecting and countering malicious code in an enterprise network are provided. A pattern recognition processor monitors local operations on a plurality of local machines connected through an enterprise network, to detect irregular local behavior patterns. An alert may be generated after an irregularity in behavior pattern on a local machine is detected. Irregular behavior alerts from a plurality of local machines are analyzed. If similar alerts are received from at least a threshold number of local machines over a corresponding period of time, one or more countermeasure operations are selected based on the analysis of the irregular behavior alerts. The selected countermeasure operations are communicated to the local machines and performed by the local machines.
24 Claims
1. A system for detecting and countering malicious code in an enterprise network, comprising:
   a server; and
   a plurality of local machines connected to the server through the enterprise network, each local machine comprising a pattern recognition processor, the pattern recognition processor monitoring local operations to detect irregular local behavior patterns, and generating an alert after an irregularity in local behavior pattern is detected,
   wherein the server monitors for and analyzes irregular behavior alerts from the plurality of local machines, and, if similar alerts are received from at least a threshold number of local machines over a corresponding period of time, the server selects one or more countermeasure operations based on the analysis of the irregular behavior alerts and communicates to the local machines the selected countermeasure operations to be performed by the local machines,
   wherein a countermeasure operation communicated by the server to the local machines is identified by utility name.
   Dependent claims: 17, 18, 19, 20, 21, 22, 23

2. A method of detecting and countering malicious code in an enterprise network system having a server and a plurality of local machines, comprising:
   monitoring local operations at each local machine to detect irregular local behavior patterns, and, if an irregularity in the local behavior pattern is detected at the local machine, generating an irregular behavior alert from the local machine to the server;
   analyzing at the server irregular behavior alerts received from the local machines;
   determining whether a threshold number of similar irregular behavior alerts has been exceeded over a predefined period of time beginning with the reception of a first of the similar alerts; and
   in response to the determining, selecting one or more countermeasure operations based on the analysis of the irregular behavior alerts and communicating the selected countermeasure operations to the local machines,
   wherein a countermeasure operation communicated by the server to the local machines is identified by utility name.
   Dependent claims: 3, 4, 5, 6, 7

8. A system for detecting and countering malicious code in an enterprise network, comprising:
   a server; and
   a plurality of local machines connected to the server through the enterprise network, each local machine comprising a pattern recognition processor, the pattern recognition processor monitoring local operations to detect irregular local behavior patterns, and generating an irregular behavior alert after an irregularity in local behavior pattern is detected,
   wherein the server is operable to:
   monitors for and analyze irregular behavior alerts received from the plurality of local machines;
   determine whether a threshold number of similar irregular behavior alerts has been exceeded over a predefined period of time beginning with the reception of a first of the similar alerts; and
   in response to the determining, selecting one or more countermeasure operations based on the analysis of the irregular behavior alerts and communicating to the local machines the selected countermeasure operations to be performed by the local machines,
   wherein a countermeasure operation communicated by the server to the local machines is identified by library name and function call.
   Dependent claims: 9, 10, 11, 12, 13, 14, 15

16. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to:
   monitor local operations at each local machine to detect irregular local behavior patterns, and, if an irregularity in the local behavior pattern is detected at the local machine, generating an irregular behavior alert from the local machine to the server;
   analyze at the server irregular behavior alerts received from the local machines;
   determine whether a threshold number of similar irregular behavior alerts has been exceeded over a predefined period of time beginning with the reception of a first of the similar alerts; and
   in response to the determining, select one or more countermeasure operations based on the analysis of the irregular behavior alerts and communicating the selected countermeasure operations to the local machines,
   wherein a countermeasure operation communicated by the server to the local machines is identified by utility name.

24. A system comprising:
   a processor; and
   a program storage device readable by the system, tangibly embodying a program of instructions executable by the machine to:
   monitor local operations at each local machine to detect irregular local behavior patterns, and, if an irregularity in the local behavior pattern is detected at the local machine, generating an irregular behavior alert from the local machine to the server;
   analyze at the server irregular behavior alerts received from the local machines;
   determine whether a threshold number of similar irregular behavior alerts has been exceeded over a predefined period of time beginning with the reception of a first of the similar alerts; and
   in response to the determining, select one or more countermeasure operations based on the analysis of the irregular behavior alerts and communicating the selected countermeasure operations to the local machines,
   wherein a countermeasure operation communicated by the server to the local machines is identified by utility name.
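The server-side logic the independent claims describe (collect similar alerts from local machines, start a window at the first of them, act once a threshold number of distinct machines has reported within that window, then dispatch countermeasures identified by utility name) is small enough to show end to end. The following is an added illustration written for this page, not code from the patent or from any product; the alert fields, the `COUNTERMEASURES` table, the utility names in it and the sample alerts are all constructed assumptions. It counts distinct local machines rather than raw alerts, which matches claim 1's "at least a threshold number of local machines" and also stops one noisy host from triggering an enterprise-wide response on its own.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """Irregular behaviour alert as a local pattern recognition processor would send it (constructed)."""
    host: str      # local machine that raised the alert
    pattern: str   # class of irregular behaviour the local processor recognised
    ts: float      # reception time at the server, seconds


# Countermeasure operations keyed by behaviour pattern and identified by utility name.
# Hypothetical table: the patent says such a mapping exists, not what is in it.
COUNTERMEASURES = {
    "mass_file_write": ["quarantine_process", "snapshot_volume"],
    "unexpected_outbound_scan": ["block_egress", "collect_netstat"],
}
DEFAULT_COUNTERMEASURE = ["isolate_host"]


class AlertCorrelator:
    """Server-side correlation of similar alerts over a window that starts at the first one."""

    def __init__(self, threshold: int, window_seconds: float):
        self.threshold = threshold
        self.window = window_seconds
        self._first_seen: dict[str, float] = {}              # pattern -> ts of first alert in window
        self._hosts: dict[str, set[str]] = defaultdict(set)  # pattern -> distinct hosts in window
        self.dispatched: list[dict] = []                      # record of every dispatched response

    def ingest(self, alert: Alert):
        """Record one alert; return the dispatched message when the threshold is reached, else None."""
        p = alert.pattern
        first = self._first_seen.get(p)
        if first is None or alert.ts - first > self.window:
            # Window begins with the reception of the first of the similar alerts;
            # an alert outside the old window opens a fresh one.
            self._first_seen[p] = alert.ts
            self._hosts[p] = {alert.host}
        else:
            self._hosts[p].add(alert.host)

        if len(self._hosts[p]) < self.threshold:
            return None

        # Threshold reached: select operations for this pattern and address them to the
        # machines that reported it. Utility names are what the local machines execute.
        message = {
            "pattern": p,
            "targets": sorted(self._hosts[p]),
            "operations": COUNTERMEASURES.get(p, DEFAULT_COUNTERMEASURE),
        }
        self.dispatched.append(message)
        # Close the window so the same outbreak is not dispatched again on every further alert.
        del self._first_seen[p]
        del self._hosts[p]
        return message


def run_demo():
    """Feed a constructed alert stream through the correlator and return what was dispatched."""
    corr = AlertCorrelator(threshold=3, window_seconds=60)
    stream = [
        Alert("h1", "mass_file_write", 0.0),
        Alert("h1", "mass_file_write", 5.0),              # repeat from same host: does not add a machine
        Alert("h2", "mass_file_write", 10.0),
        Alert("h3", "mass_file_write", 20.0),             # third distinct machine inside the window
        Alert("h4", "unexpected_outbound_scan", 0.0),
        Alert("h5", "unexpected_outbound_scan", 100.0),   # outside the first window: restarts it
        Alert("h6", "unexpected_outbound_scan", 110.0),
        Alert("h7", "unexpected_outbound_scan", 120.0),   # three distinct machines since t=100
    ]
    for a in stream:
        corr.ingest(a)
    return corr.dispatched


if __name__ == "__main__":
    for msg in run_demo():
        print(msg)
```

Two design points worth noting against the claims: the window key is the pattern class, so "similar" alerts are those carrying the same recognised pattern, and the reset after dispatch means a second wave of the same behaviour later must again clear the threshold before any further operations are sent.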