Methods and apparatus providing security to computer systems and networks
First Claim
1. A method comprising:
operating a plurality of security interceptors that monitor operation of different respective processing activities of a computerized device to detect a sequence of related processing operations within the computerized device for those respective processing activities;
recording, in a security history, the sequence of related processing operations for each processing activity in the computerized device;
identifying an undesired processing operation and in response, comparing the security history to at least one formerly collected security history to identify a common sequence of related processing operations that occurred in each security history before occurrence of the undesired processing operation, and in response, marking the common sequence of related processing operations as being a disallowed sequence of related processing operations in a security policy; and
operating the plurality of security interceptors to subsequently detect attempted performance of the disallowed sequence of related processing operations, and in response, denying operation of the disallowed sequence of related processing operations by at least one of the processing activities within the computerized device to avoid violation of the security policy.
1 Assignment
0 Petitions
Abstract
A system provides security to a computerized device by detecting a sequence of related processing operations within the device and recording that sequence in a security history. The system identifies a security violation when a processing operation performed in the device produces an undesired processing outcome that violates a security policy. It subsequently detects an attempted performance of at least one processing operation that would produce the same undesired outcome and, in response, denies that operation within the device so that the security policy is not violated.
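The abstract and claim 1 describe a learn-then-enforce loop: interceptors record per-activity operation sequences in a security history; when an undesired operation is observed, the sequence common to the current and earlier histories before that operation is marked disallowed in the policy; thereafter the interceptors deny the operation that would complete a disallowed sequence. The following is an added illustration of that loop, not code from the patent or its assignee. The operation labels, the activity names, the two "former" incident histories and the choice of longest-common-subsequence as the comparison are all assumptions made for this example.

```python
"""Added illustration (not the patent's own code) of the sequence-learning scheme
in the abstract: record per-activity operation sequences, learn the sequence
common to all histories before an undesired operation, mark it disallowed, and
deny the operation that would complete it. Names, operations and sample
histories are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Op:
    """One intercepted operation, labelled coarsely (no specific paths or ports)."""
    interceptor: str  # interceptor that saw it: "network", "file", "process"
    action: str       # "recv", "read", "write", "exec", ...
    target: str       # resource class: "socket", "tmp_dir", "system_dir", ...


Seq = Tuple[Op, ...]


@dataclass
class SecurityHistory:
    """Ordered operations recorded per processing activity (e.g. per service)."""
    ops: Dict[str, List[Op]] = field(default_factory=dict)

    def record(self, activity: str, op: Op) -> None:
        self.ops.setdefault(activity, []).append(op)

    def before(self, activity: str, undesired: Op) -> Seq:
        """Operations of `activity` preceding the first occurrence of `undesired`
        (all of them if `undesired` never occurred)."""
        recorded = self.ops.get(activity, [])
        if undesired in recorded:
            recorded = recorded[: recorded.index(undesired)]
        return tuple(recorded)


def longest_common_subsequence(a: Seq, b: Seq) -> Seq:
    """Classic LCS by dynamic programming. Incidental operations interleaved in
    one history do not break the match, so the learned sequence transfers to
    hosts whose unrelated activity differs."""
    n, m = len(a), len(b)
    table = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                table[i][j] = table[i + 1][j + 1] + 1
            else:
                table[i][j] = max(table[i + 1][j], table[i][j + 1])
    out: List[Op] = []
    i = j = 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i])
            i, j = i + 1, j + 1
        elif table[i + 1][j] >= table[i][j + 1]:
            i += 1
        else:
            j += 1
    return tuple(out)


def is_subsequence(needle: Seq, hay: Iterable[Op]) -> bool:
    """True if every element of `needle` appears in `hay` in order (gaps allowed)."""
    it = iter(hay)
    return all(any(x == y for y in it) for x in needle)


class SecurityPolicy:
    def __init__(self) -> None:
        self.disallowed: List[Seq] = []

    def learn(self, current: SecurityHistory, former: List[SecurityHistory],
              activity: str, undesired: Op) -> Seq:
        """Mark as disallowed the sequence common to every history before the
        undesired operation, followed by that operation. Learns nothing when no
        preceding operation is common, so the policy never degenerates into
        blocking the single operation everywhere."""
        common = current.before(activity, undesired)
        for h in former:
            common = longest_common_subsequence(common, h.before(activity, undesired))
        if not common:
            return ()
        seq = common + (undesired,)
        if seq not in self.disallowed:
            self.disallowed.append(seq)
        return seq


class SecurityAgent:
    """Consulted by the interceptors before each operation is performed."""
    def __init__(self, policy: SecurityPolicy) -> None:
        self.policy = policy
        self.history = SecurityHistory()

    def intercept(self, activity: str, op: Op) -> str:
        seen = self.history.ops.get(activity, [])
        for seq in self.policy.disallowed:
            # Deny only the operation that would complete a disallowed sequence;
            # the same operation outside that sequence is still allowed.
            if seq[-1] == op and is_subsequence(seq[:-1], seen):
                return "deny"
        self.history.record(activity, op)  # denied operations are not recorded
        return "allow"


# Constructed sample operations for the demo below.
RECV = Op("network", "recv", "socket")
READ_CFG = Op("file", "read", "config")
WRITE_TMP = Op("file", "write", "tmp_dir")
EXEC_TMP = Op("process", "exec", "tmp_dir")
WRITE_SYS = Op("file", "write", "system_dir")  # the undesired operation here


def _history(activity: str, ops: List[Op]) -> SecurityHistory:
    h = SecurityHistory()
    for op in ops:
        h.record(activity, op)
    return h


def demo() -> Tuple[Seq, List[str], List[str]]:
    """Learn from two earlier incident histories plus the current one, then
    enforce against a benign activity and against a replay of the incident."""
    former = [_history("web_server", [RECV, READ_CFG, WRITE_TMP, EXEC_TMP, WRITE_SYS]),
              _history("web_server", [READ_CFG, RECV, WRITE_TMP, READ_CFG, EXEC_TMP, WRITE_SYS])]
    current = _history("web_server", [RECV, WRITE_TMP, EXEC_TMP, READ_CFG, WRITE_SYS])
    policy = SecurityPolicy()
    learned = policy.learn(current, former, "web_server", WRITE_SYS)

    agent = SecurityAgent(policy)
    benign = [agent.intercept("updater", op) for op in (READ_CFG, WRITE_SYS)]
    replay = [agent.intercept("web_server", op)
              for op in (RECV, READ_CFG, WRITE_TMP, EXEC_TMP, WRITE_SYS)]
    return learned, benign, replay


if __name__ == "__main__":
    print(demo())
```

Two points of the claimed scheme that the example makes concrete: the policy keys on the learned prefix plus the undesired operation, so the benign updater's write to the system directory is allowed while the replayed recv, write-to-tmp, exec-from-tmp, write-to-system chain is denied at its last step; and because the learned prefix is whatever the incident histories have in common, the quality of the policy depends on how many former histories are compared (one history alone would over-fit to its incidental operations, and a prefix that is too short risks denying legitimate activity).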
35 Claims
1. A method comprising: (independent claim 1, reproduced in full under First Claim above; dependent claims 2 to 16)
17. A computerized device, comprising:
a memory; a processor; a communications interface coupled to a network; an interconnection mechanism coupling the memory, the processor and the communications interface; where the memory is encoded with a security agent that, when executed on the processor, causes the processor to perform: operating a plurality of security interceptors that monitor operation of different respective processing activities of the computerized device to detect a sequence of related processing operations within the computerized device for those respective processing activities; recording, in a security history, the sequence of related processing operations for each processing activity in the computerized device; identifying an undesired processing operation and in response, causing comparison of the security history to at least one formerly collected security history to identify a common sequence of related processing operations that occurred in each security history before occurrence of the undesired processing operation, and in response, marking the common sequence of related processing operations as being a disallowed sequence of related processing operations in a security policy; and operating the plurality of security interceptors to subsequently detect attempted performance of the disallowed sequence of related processing operations, and in response, denying operation of the disallowed sequence of related processing operations by at least one of the processing activities within the computerized device to avoid violation of the security policy.
Dependent claims: 18, 19.
20. A computer readable medium including computer program logic instructions encoded thereon that, when executed on a processor in a computerized device, prevent performance of processing operations that produce processing outcomes that violate a security policy in the computerized device, by causing the computerized device to perform the operations of:
operating a plurality of security interceptors that monitor operation of different respective processing activities of the computerized device to detect a sequence of related processing operations within the computerized device for those respective processing activities; recording, in a security history, the sequence of related processing operations for each processing activity in the computerized device; identifying an undesired processing operation and in response, comparing the security history to at least one formerly collected security history to identify a common sequence of related processing operations that occurred in each security history before occurrence of the undesired processing operation, and in response, marking the common sequence of related processing operations as being a disallowed sequence of related processing operations in a security policy; and
operating the plurality of security interceptors to subsequently detect attempted performance of the disallowed sequence of related processing operations, and in response, denying operation of the disallowed sequence of related processing operations by at least one of the processing activities within the computerized device to avoid violation of the security policy.
Dependent claims: 21 to 35.
Specification