Behavior blocking utilizing positive behavior system and method

US 8,220,055 B1
Filed: 02/06/2004
Issued: 07/10/2012
Est. Priority Date: 02/06/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

decreasing a suspicion of a negative action by an application if said application has previously performed a positive action comprising setting an increment value of a suspicion level counter for said negative action to a first value, wherein said positive action is use of a user interface element by said application to have a user interaction with a user,wherein if a determination is made that said application has not had said previous positive action prior to said negative action, said method further comprising setting said increment value of said suspicion level counter for said negative action to a second value greater than said first value; and

incrementing said suspicion level counter by said increment value.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes decreasing a suspicion of a negative action by an application if the application has previously performed a positive action. The positive action is an action that is never or rarely taken by malicious code. In one example, the positive action is use of a user interface element by the application to have a user interaction with a user of the computer system. By taking into consideration the positive action by the application, the occurrence of false positives is minimized.

273 Citations

21 Claims

1. A method comprising:
- decreasing a suspicion of a negative action by an application if said application has previously performed a positive action comprising setting an increment value of a suspicion level counter for said negative action to a first value, wherein said positive action is use of a user interface element by said application to have a user interaction with a user,wherein if a determination is made that said application has not had said previous positive action prior to said negative action, said method further comprising setting said increment value of said suspicion level counter for said negative action to a second value greater than said first value; and
  
  incrementing said suspicion level counter by said increment value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein said positive action comprises interacting with said user of a computer system.
  - 3. The method of claim 1 wherein said positive action is an action that is never performed by malicious code.
  - 4. The method of claim 1 wherein said positive action is an action that is rarely performed by malicious code.
  - 5. The method of claim 1 wherein said user interaction comprises an interaction with said user in setting up said application.
  - 6. The method of claim 1 wherein said user interaction comprises an interaction with said user in using said application.
  - 7. The method of claim 1 wherein said user interaction comprises said user selecting recipient(s) of an e-mail message.
  - 8. The method of claim 1 wherein said user interaction comprises said user selecting information to be sent with an e-mail message.
  - 9. The method of claim 1 wherein said user interface element is an element used by said user in interacting with said application.
  - 10. The method of claim 1 wherein said user interface element is selected from the group consisting of a check box, a radio box, a list box, a combo box, a text box, a dialog box, and a message box.
  - 11. The method of claim 1 wherein said negative action is suggestive of malicious code.
  - 12. The method of claim 1 wherein said negative action is selected from the group consisting of an attack on security software, sending of an executable attachment, copying of said application across a network, and sending of an executable attachment as an instant message.

13. A method comprising:
- determining that an action by an application is a negative action;
  
  determining if said application has had a previous positive action prior to said negative action, wherein said positive action is use of a user interface element by said application to have a user interaction with a user,wherein if a determination is made that said application has had said previous positive action prior to said negative action, said method further comprising setting an increment value of a suspicion level counter for said negative action to a first value,wherein if a determination is made that said application has not had said previous positive action prior to said negative action, said method further comprising setting said increment value of said suspicion level counter for said negative action to a second value, wherein said first value is less than said second value; and
  
  incrementing said suspicion level counter by said increment value.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13 further comprising determining if said suspicion level counter exceeds a suspicion level threshold.
  - 15. The method of claim 14 wherein upon a determination that said suspicion level counter exceeds said suspicion level threshold, said method further comprising taking protective action to protect a computer system.
  - 16. The method of claim 14 wherein upon a determination that said suspicion level counter exceeds said suspicion level threshold, said method further comprising providing a notification.
  - 17. The method of claim 14 further comprising stalling said action, wherein upon a determination that said suspicion level counter does not exceed said suspicion level threshold, said method further comprising releasing said action.
  - 18. The method of claim 13 further comprising decrementing said suspicion level counter for said positive action.
  - 19. The method of claim 13 further comprising hooking said application.
  - 20. The method of claim 13 further comprising hooking said action.

21. A computer readable storage medium comprising instructions for a behavior blocking application, said behavior blocking application when executed determines that an action by an application is a negative action;
- said behavior blocking application further for determining if said application has had a previous positive action prior to said negative action, wherein said positive action is use of a user interface element by said application to have a user interaction with a user,wherein if a determination is made that said application has had said previous positive action prior to said negative action, said behavior blocking application further for setting an increment value of a suspicion level counter for said negative action to a first value,wherein if a determination is made that said application has not had said previous positive action prior to said negative action, said behavior blocking application further for setting said increment value of said suspicion level counter for said negative action to a second value, wherein said first value is less than said second value; and
  
  said behavior blocking application further for incrementing said suspicion level counter by said increment value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kennedy, Mark K.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Moran, Randal

Application Number

US10/774,177
Time in Patent Office

3,077 Days
Field of Search

726 22- 25
US Class Current

726/25
CPC Class Codes

G06F 21/50 Monitoring users, programs ...

Behavior blocking utilizing positive behavior system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

273 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Behavior blocking utilizing positive behavior system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

273 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links