Methods and apparatus providing security to computer systems and networks

US 7,979,889 B2
Filed: 01/07/2005
Issued: 07/12/2011
Est. Priority Date: 01/07/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

operating a plurality of security interceptors that monitor operation of different respective processing activities of a computerized device to detect a sequence of related processing operations within the computerized device for those respective processing activities;

recording, in a security history, the sequence of related processing operations for each processing activities in the computerized device;

identifying an undesired processing operation and in response, comparing the security history to at least one formerly collected security history to identify a common sequence of related processing operations that occurred in each security history before occurrence of the undesired processing operation, and in response, marking the common sequence of related processing operations as being a disallowed sequence of related processing operations in a security policy; and

operating the plurality of security interceptors to subsequently detect attempted performance of the disallowed sequence of related processing operations, and in response, denying operation of the disallowed sequence of related processing operations by at least one of the processing activities within the computerized device to avoid violation of the security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system provides security to a computerized device by detecting a sequence of related processing operations within the computerized device and recording the sequence of related processing operations in a security history. The system identifies a security violation when a processing operation performed in the computerized device produces an undesired processing outcome that violates a security policy and subsequently detecting attempted performance of at least one processing operation that attempts to produce the undesired processing outcome that violates the security policy and in response, denies operation of the processing operation(s) within the computerized device to avoid violation of the security policy.

Citations

35 Claims

1. A method comprising:
- operating a plurality of security interceptors that monitor operation of different respective processing activities of a computerized device to detect a sequence of related processing operations within the computerized device for those respective processing activities;
  
  recording, in a security history, the sequence of related processing operations for each processing activities in the computerized device;
  
  identifying an undesired processing operation and in response, comparing the security history to at least one formerly collected security history to identify a common sequence of related processing operations that occurred in each security history before occurrence of the undesired processing operation, and in response, marking the common sequence of related processing operations as being a disallowed sequence of related processing operations in a security policy; and
  
  operating the plurality of security interceptors to subsequently detect attempted performance of the disallowed sequence of related processing operations, and in response, denying operation of the disallowed sequence of related processing operations by at least one of the processing activities within the computerized device to avoid violation of the security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - detecting from one or more of the plurality of security interceptors, the sequence of related processing operations;
      
      where detecting a sequence of related processing operations within the computerized device comprises;
      
      generating event data upon detection of processing operations associated with those respective processing activities; and
      
      where recording the sequence of related processing operations in a security history comprises;
      
      storing the event data within the security history, the event data indicating a processing operation and an identity of a security interceptor that detected the processing operation.
  - 3. The method of claim 2,where denying operation of the disallowed sequence of related processing operations by at least one of the processing activities within the computerized device to avoid violation of the security policy comprises:
    - instructing at least one security interceptor that detected the marked at least one processing operation to disallow execution of the at least one marked processing operation within the computerized device.
  - 4. The method of claim 3, where comparing the security history to at least one formerly collected security history to identify a common sequence of related processing operations that occurred in each security history before occurrence of the undesired processing operation comprises:
    - comparing event data records in the security history to event data records of at least one other security history to identify the common sequence of related processing operations in the event data records of the compared security histories that indicate an undesired processing operation.
  - 5. The method of claim 4, wherein identifying the undesired processing operation comprises:
    - executing the undesired processing operation resulting in an undesired processing outcome within the computer system;
      
      recovering from the undesired processing outcome within the computer system; and
      
      storing an indication of the undesired processing outcome in association with the security history;
      
      in response to recovering from the undesired processing outcome, analyzing the security history to identify the undesired processing operation.
  - 6. The method of claim 5, where comparing event data records in the security history to event data records of at least one other security history to identify the common sequence of related processing operations in the event data records of the compared security histories that indicate an undesired processing operation comprises:
    - identifying, as the at least one other security history, different security histories that include a same stored indication of the undesired processing outcome; and
      
      comparing each different security history that includes the same stored indication of the undesired processing outcome to identify event data records in each different security history that identify common processing instructions that were executed by a computer system that generated the security history prior to the occurrence of the undesired processing outcome in order to identify a pattern of processing instructions between the different security histories that produces the undesired processing outcome.
  - 7. The method of claim 6, where the different security histories are produced over time by a single security agent operating in the computer system and where the operations of detecting a sequence of related processing operations, recording the sequence of related processing operations in a security history, identifying an undesired processing operation, and denying operation of the sequence of the disallowed sequence of related processing operations are performed locally by the security agent operating on the computer system without requiring updates from a remote computer system.
  - 8. The method of claim 6, comprising:
    - transferring the security history to a management center computer system coupled via a network to the computerized device;
      
      where the operations involved with identifying an undesired processing operation are performed remotely by the management center computer system; and
      
      where the method comprises;
      
      receiving an updated security policy from the management center computer system, the updated security policy including a newly identified pattern of processing instructions that, if executed by the computer system, would violate the security policy; and
      
      where subsequently detecting attempted performance of the disallowed sequence of related processing operations comprises;
      
      detecting attempted performance of the newly identified pattern of processing instructions.
  - 9. The method of claim 8, where subsequently detecting attempted performance of the disallowed sequence of related processing operations comprises:
    - comparing event data records in the security history to identify processing instructions in event data records that are known to produce undesired processing outcomes as defined in the security policy.
  - 10. The method of claim 1, where the sequence of related processing operations recorded in the security history identify processing operations from executing of a sequence of related calls to software entities within a computer system that result in violation of the security policy for a first time;
    - andwhere the operation of subsequently detecting attempted performance of the disallowed sequence of processing operations comprises;
      
      detecting attempted performance of the sequence of related calls to software entities within a computer system that, if performance were completed, would result in violation of the security policy a second time; and
      
      where denying operation of the disallowed sequence of related processing operations comprises;
      
      disallowing performance of the sequence of related calls the second time without requiring modification of the security policy by a management center application outside of the computerized device during a time elapsed from identification of violation of the security policy the first time up to the attempted violation of the security policy by the sequence of related processing operations the second time.
  - 11. The method of claim 10, where executing a sequence of related calls to software processes within a computer system that violate the security policy a first time comprises:
    - executing a series of related system calls that cause an undesired processing outcome within the computer system, the undesired processing outcome being defined in the security policy; and
      
      where identifying a security violation in response to a processing operation executing in the computerized device producing a undesired processing outcome that violates a security policy comprises;
      
      recovering from the undesired processing outcome within the computer system;
      
      analyzing the security history in response to recovering from the undesired processing outcome to identify the sequence of related processing operations that resulted in the undesired processing outcome within the computer system; and
      
      upon determining that if the identified sequence of related processing operations are not part of normal processing operations, marking the sequence of related processing operations and associated processing outcomes within the security history as being a sequence of processing operations that violates the security policy.
  - 12. The method of claim 11, where the operations of detecting processing outcomes and recording the processing outcomes are repeated N number of times, where N is an integer greater than 1;
    - andwhere recording the processing outcomes and the sequence of related processing operations in a security history comprises;
      
      producing N respective security histories, one for each repeated iteration of the operations of detecting processing outcomes and recording the processing outcomes, and wherein a plurality of the N security histories indicate attempted execution of the sequence of processing operations that violates the security policy; and
      
      where analyzing the security history in response to recovering from the undesired processing outcome to identify the sequence of related processing operations that resulted in the undesired processing outcome within the computer system comprises;
      
      correlating those security histories of the N security histories that indicate attempted operation of the sequence of processing operations marked as in violation of the security policy to identify a root common cause of processing operations within each security history that led up to the attempted operation of the sequence of processing operations that violates the security policy; and
      
      adapting the security policy to include the root common cause of processing operations as producing an undesired processing outcome.
  - 13. The method of claim 12, where subsequently detecting attempted performance of a similar sequence of related processing operations that attempt to produce at least one undesired processing outcome that violates the security policy comprises:
    - operating a plurality of security interceptors that monitor operation of different respective processing activities of the computerized device to detect an attempt to perform the root common cause of processing operations identified within each security history that produces an undesired processing outcome,where denying operation of at least a portion of the sequence of related processing operations within the computerized device to avoid violation of the security policy comprises;
      
      disallowing operation of the root common cause of processing operations to avoid violation of the security policy.
  - 14. The method of claim 1, where operating the plurality of security interceptors comprises:
    - operating at least one network interceptor to monitor processing operations associated with communications of a communications session within the computerized device;
      
      operating at least one operating system interceptor to monitor processing operations associated with execution of an operating system within the computerized device; and
      
      operating at least one user space interceptor to monitor processing operations associated with execution of at least one application within the computerized device.
  - 15. The method of claim 14, where each of the network interceptor, operating system interceptor and user space interceptor performs:
    - receiving an instruction to produce an event record upon detection of an attempt to execute a monitored processing operation identified in the security policy;
      
      reporting the event record to an event correlation engine upon detection of an attempt to execute the monitored processing operation; and
      
      prior to execution of the monitored processing operation, receiving an authorization response from the event correlation engine that indicates if execution of the monitored processing operation is to be allowed, and if not, disallowing execution of the monitored processing operation to avoid violation of the security policy.
  - 16. The method of claim 1, where identifying an undesired processing operation comprises:
    - detecting at least one processing operation that matches a sequence of instructions related to an undesired processing outcome produced as a result of at least one of;
      
      a virus attack, a worm attack, a Trojan horse attack, a Denial-of-service attack, a Buffer overflows operation, execution of Malformed application data, and execution of Malicious mobile code.

17. A computerized device, comprising:
- a memory;
  
  a processor;
  
  a communications interface coupled to a network;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  where the memory is encoded with a security agent, that when executed on the processor, causes the processor to perform;
  
  operating a plurality of security interceptors that monitor operation of different respective processing activities of the computerized device to detect a sequence of related processing operations within the computerized device for those respective processing activities;
  
  recording, in a security history, the sequence of related processing operations for each processing activities in the computerized device;
  
  identifying an undesired processing operation and in response, causing comparison of the security history to at least one formerly collected security history to identify a common sequence of related processing operations that occurred in each security history before occurrence of the undesired processing operation, and in response, marking the common sequence of related processing operations as being a disallowed sequence of related processing operations in a security policy; and
  
  operating the plurality of security interceptors to subsequently detect attempted performance of the disallowed sequence of related processing operations, and in response, denying operation of the disallowed sequence of related processing operations by at least one of the processing activities within the computerized device to avoid violation of the security policy.
- View Dependent Claims (18, 19)
- - 18. The computerized device of claim 17, wherein the security agent further causes the processor to perform operations of:
    - detecting from one or more of the plurality of security interceptors, the sequence of related processing operations;
      
      where detecting a sequence of related processing operations within the computerized device comprises;
      
      generating event data upon detection of processing operations associated with those respective processing activities; and
      
      where recording the sequence of related processing operations in a security history comprises;
      
      storing the event data within the security history, the event data indicating a processing operation and an identity of a security interceptor that detected the processing operation.
  - 19. The computerized device of claim 18, where denying operation of the disallowed sequence of related processing operations by at least one of the processing activities within the computerized device to avoid violation of the security policy comprises:
    - instructing at least one security interceptor that detected the marked at least one processing operation to disallow execution of the at least one marked processing operation within the computerized device.

20. A computer readable medium including computer program logic instruction encoded thereon, that when executed on a processor in a computerized device, prevent performance of processing operations that produce processing outcomes that violate a security policy in the computerized device, by causing the computerized device to perform the operations of:
- operating a plurality of security interceptors that monitor operation of different respective processing activities of the computerized device to detect a sequence of related processing operations within the computerized device for those respective processing activities;
  
  recording, in a security history, the sequence of related processing operations for each processing activities in the computerized device;
  
  identifying an undesired processing operation and in response, comparing the security history to at least one formerly collected security history to identify a common sequence of related processing operations that occurred in each security history before occurrence of the undesired processing operation, and in response, marking the common sequence of related processing operations as being a disallowed sequence of related processing operations in a security policy; and
  
  operating the plurality of security interceptors to subsequently detect attempted performance of the disallowed sequence of related processing operations, and in response, denying operation of the disallowed sequence of related processing operations by at least one of the processing activities within the computerized device to avoid violation of the security policy.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 21. The computer readable medium of claim 20, further comprising instructions that cause the computerized device to perform operations of:
    - detecting from one or more of the plurality of security interceptors, the sequence of related processing operations;
      
      where detecting a sequence of related processing operations within the computerized device comprises;
      
      generating event data upon detection of processing operations associated with those respective processing activities; and
      
      where recording the sequence of related processing operations in a security history comprises;
      
      storing the event data within the security history, the event data indicating a processing operation and an identity of a security interceptor that detected the processing operation.
  - 22. The computer readable medium of claim 21, where denying operation of the disallowed sequence of related processing operations by at least one of the processing activities within the computerized device to avoid violation of the security policy comprises:
    - instructing at least one security interceptor that detected the marked at least one processing operation to disallow execution of the at least one marked processing operation within the computerized device.
  - 23. The computer readable medium of claim 22, where comparing the security history to at least one formerly collected security history to identify a common sequence of related processing operations that occurred in each security history before occurrence of the undesired processing operation comprises:
    - comparing event data records in the security history to event data records of at least one other security history to identify the common sequence of related processing operations in the event data records of the compared security histories that indicate an undesired processing operation.
  - 24. The computer readable medium of claim 23, wherein identifying the undesired processing operation comprises:
    - executing the undesired processing operation resulting in an undesired processing outcome within the computer system;
      
      recovering from the undesired processing outcome within the computer system; and
      
      storing an indication of the undesired processing outcome in association with the security history;
      
      in response to recovering from the undesired processing outcome, analyzing the security history to identify the undesired processing operation.
  - 25. The computer readable medium of claim 24, where comparing event data records in the security history to event data records of at least one other security history to identify the common sequence of related processing operations in the event data records of the compared security histories that indicate an undesired processing operation comprises:
    - identifying, as the at least one other security history, different security histories that include a same stored indication of the undesired processing outcome; and
      
      comparing each different security history that includes the same stored indication of the undesired processing outcome to identify event data records in each different security history that identify common processing instructions that were executed by a computer system that generated the security history prior to the occurrence of the undesired processing outcome in order to identify a pattern of processing instructions between the different security histories that produces the undesired processing outcome.
  - 26. The computer readable medium of claim 25, where the different security histories are produced over time by a single security agent operating in the computer system and where the operations of detecting a sequence of related processing operations, recording the sequence of related processing operations in a security history, identifying an undesired processing operation, and denying operation of the sequence of the disallowed sequence of related processing operations are performed locally by the security agent operating on the computer system without requiring updates from a remote computer system.
  - 27. The computer readable medium of claim 26, further comprising instructions that cause the computerized device to perform operations of:
    - transferring the security history to a management center computer system coupled via a network to the computerized device;
      
      where the operations involved with identifying an undesired processing operation are performed remotely by the management center computer system; and
      
      receiving an updated security policy from the management center computer system, the updated security policy including a newly identified pattern of processing instructions that, if executed by the computer system, would violate the security policy; and
      
      where subsequently detecting attempted performance of the disallowed sequence of related processing operations comprises;
      
      detecting attempted performance of the newly identified pattern of processing instructions.
  - 28. The computer readable medium of claim 27, where subsequently detecting attempted performance of the disallowed sequence of related processing operations comprises:
    - comparing event data records in the security history to identify processing instructions in event data records that are known to produce undesired processing outcomes as defined in the security policy.
  - 29. The computer readable medium of claim 20, where the sequence of related processing operations recorded in the security history identify processing operations from executing of a sequence of related calls to software entities within a computer system that result in violation of the security policy for a first time;
    - andwhere the operation of subsequently detecting attempted performance of the disallowed sequence of processing operations comprises;
      
      detecting attempted performance of the sequence of related calls to software entities within a computer system that, if performance were completed, would result in violation of the security policy a second time; and
      
      where denying operation of the disallowed sequence of related processing operations comprises;
      
      disallowing performance of the sequence of related calls the second time without requiring modification of the security policy by a management center application outside of the computerized device during a time elapsed from identification of violation of the security policy the first time up to the attempted violation of the security policy by the sequence of related processing operations the second time.
  - 30. The computer readable medium of claim 29, where executing a sequence of related calls to software processes within a computer system that violate the security policy a first time comprises:
    - executing a series of related system calls that cause an undesired processing outcome within the computer system, the undesired processing outcome being defined in the security policy; and
      
      where identifying a security violation in response to a processing operation executing in the computerized device producing a undesired processing outcome that violates a security policy comprises;
      
      recovering from the undesired processing outcome within the computer system;
      
      analyzing the security history in response to recovering from the undesired processing outcome to identify the sequence of related processing operations that resulted in the undesired processing outcome within the computer system; and
      
      upon determining that if the identified sequence of related processing operations are not part of normal processing operations, marking the sequence of related processing operations and associated processing outcomes within the security history as being a sequence of processing operations that violates the security policy.
  - 31. The computer readable medium of claim 30, where the operations of detecting processing outcomes and recording the processing outcomes are repeated N number of times, where N is an integer greater than 1;
    - andwhere recording the processing outcomes and the sequence of related processing operations in a security history comprises;
      
      producing N respective security histories, one for each repeated iteration of the operations of detecting processing outcomes and recording the processing outcomes, and wherein a plurality of the N security histories indicate attempted execution of the sequence of processing operations that violates the security policy; and
      
      where analyzing the security history in response to recovering from the undesired processing outcome to identify the sequence of related processing operations that resulted in the undesired processing outcome within the computer system comprises;
      
      correlating those security histories of the N security histories that indicate attempted operation of the sequence of processing operations marked as in violation of the security policy to identify a root common cause of processing operations within each security history that led up to the attempted operation of the sequence of processing operations that violates the security policy; and
      
      adapting the security policy to include the root common cause of processing operations as producing an undesired processing outcome.
  - 32. The computer readable medium of claim 31, where subsequently detecting attempted performance of a similar sequence of related processing operations that attempt to produce at least one undesired processing outcome that violates the security policy comprises:
    - operating a plurality of security interceptors that monitor operation of different respective processing activities of the computerized device to detect an attempt to perform the root common cause of processing operations identified within each security history that produces an undesired processing outcome,where denying operation of at least a portion of the sequence of related processing operations within the computerized device to avoid violation of the security policy comprises;
      
      disallowing operation of the root common cause of processing operations to avoid violation of the security policy.
  - 33. The computer readable medium of claim 20, where operating the plurality of security interceptors comprises:
    - operating at least one network interceptor to monitor processing operations associated with communications of a communications session within the computerized device;
      
      operating at least one operating system interceptor to monitor processing operations associated with execution of an operating system within the computerized device; and
      
      operating at least one user space interceptor to monitor processing operations associated with execution of at least one application within the computerized device.
  - 34. The computer readable medium of claim 33, where each of the network interceptor, operating system interceptor and user space interceptor performs:
    - receiving an instruction to produce an event record upon detection of an attempt to execute a monitored processing operation identified in the security policy;
      
      reporting the event record to an event correlation engine upon detection of an attempt to execute the monitored processing operation; and
      
      prior to execution of the monitored processing operation, receiving an authorization response from the event correlation engine that indicates if execution of the monitored processing operation is to be allowed, and if not, disallowing execution of the monitored processing operation to avoid violation of the security policy.
  - 35. The computer readable medium of claim 20, where identifying an undesired processing operation comprises:
    - detecting at least one processing operation that matches a sequence of instructions related to an undesired processing outcome produced as a result of at least one of;
      
      a virus attack, a worm attack, a Trojan horse attack, a Denial-of-service attack, a Buffer overflows operation, execution of Malformed application data, and execution of Malicious mobile code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gladstone, Philip J. S., Kraemer, Jeffrey A.
Primary Examiner(s)
Srivastava; Vivek
Assistant Examiner(s)
SONG, HEE K

Application Number

US11/031,212
Publication Number

US 20060156380A1
Time in Patent Office

2,377 Days
Field of Search

726/1, 726/2, 726/3, 726/11, 726/13, 726 22- 27, 713150-181, 713187-188, 713/200, 713/201, 705/51, 705/57, 705/59, 707/9
US Class Current

726/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2151   Time stamp

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Methods and apparatus providing security to computer systems and networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus providing security to computer systems and networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links