Centralized timed analysis in a network security system

US 8,272,058 B2
Filed: 07/29/2005
Issued: 09/18/2012
Est. Priority Date: 07/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method for use with a server and a group of associated hosts, comprising:

storing in the server meta-information file states relating to files seen on the hosts, the meta-information including a signature of the content of the files;

storing in the server for each signature, an initial time that the file is first seen on the host, including for at least some files, a time when the file is first received, and further storing a file state indicating whether or not certain file operations can be performed, and if file operations are allowed to be performed, with what conditions certain file operations can be performed by hosts on the file, wherein the states include banned, allowed, and pending, wherein a pending state allows file operations subject to security restrictions and further monitoring;

at defined periods related to the initial time, performing at least one security analysis of the file, or of the signature of the file contents; and

altering the file state based on the security analysis and providing updated information related to the altered file state to the hosts.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and social engineering attacks. The system can implement centralized policies that allow an administrator to approve, block, quarantine, or log file activities. The system stores meta-information for files relating to security and at defined times after a file or a file hash is first received, performs security related analyses from a central server. Analysis results are stored on the server, and the server can automatically change file meta-information. Changes in file meta-information are provided to hosts.

650 Citations

47 Claims

1. A method for use with a server and a group of associated hosts, comprising:
- storing in the server meta-information file states relating to files seen on the hosts, the meta-information including a signature of the content of the files;
  
  storing in the server for each signature, an initial time that the file is first seen on the host, including for at least some files, a time when the file is first received, and further storing a file state indicating whether or not certain file operations can be performed, and if file operations are allowed to be performed, with what conditions certain file operations can be performed by hosts on the file, wherein the states include banned, allowed, and pending, wherein a pending state allows file operations subject to security restrictions and further monitoring;
  
  at defined periods related to the initial time, performing at least one security analysis of the file, or of the signature of the file contents; and
  
  altering the file state based on the security analysis and providing updated information related to the altered file state to the hosts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 2. The method of claim 1, wherein the security analysis includes performing one of an anti-virus scan and an anti-spyware scan.
  - 3. The method of claim 1, wherein the signature includes one or more cryptographic hashes of the contents, and the server stores a single copy of each file having a unique hash.
  - 4. The method of claim 1, further comprising a local approve state, wherein file operations are approved for a particular host and banned for other hosts.
  - 5. The method of claim 1, wherein the defined periods related to the initial time are all files having a date the file or the signature was first seen by the hosts and/or the server within a defined range.
  - 6. The method of claim 1, wherein the further monitoring includes logging or providing a report.
  - 7. The method of claim 1, further comprising storing for each meta-information record on the server, additional records associated with each analysis.
  - 8. The method of claim 7, wherein the additional records include data relating to the server or host performing the analysis, an analysis time, and an analysis result.
  - 9. The method of claim 8, wherein the additional records further include a recommended state, and an analysis result information string.
  - 10. The method of claim 1, further comprising generating syslog messages and/or statistics updates and/or alarms in response to the analyses.
  - 11. The method of claim 1, wherein the analyses cause one or more of content forwarding, meta-information forwarding, analysis forwarding, and a change in security rules.
  - 12. The method of claim 1, wherein the acts of claim 1 are performed as an outsourced service to another party'"'"'s host computers.
  - 13. The method of claim 12, wherein the server automatically notifies other network devices of changes to lists of files with certain actions that are set as banned or approved.
  - 14. The method of claim 12, wherein the service transfers recent meta-information to other servers and network devices based on age and analysis results.
  - 15. The method of claim 1, wherein the security analysis includes comparing recent analysis results with other servers'"'"' recent analysis results.
  - 16. The method of claim 1, wherein the security analysis includes user-defined content analysis.
  - 17. The method of claim 1, wherein the server has a set of multiple analyses performed at multiple times based on the initial time.
  - 18. The method of claim 17, wherein one of the multiple times is less than a day after the initial time, and another of the multiple times is more than a day after the initial time.
  - 19. The method of claim 17, wherein one of the multiple times is less than a day after the initial time, and another of the multiple times is more than a week after the initial time.
  - 20. The method of claim 1, wherein the initial time is related to the time when the file or the hash of the file content is first received by a host.
  - 21. The method of claim 1, wherein the initial time is related to the time when the file or the hash of the file content is first received by the server.
  - 22. The method of claim 1, wherein the server propagates to the hosts a set of policies, the server also providing information indicating which of the policies are to be implemented by the hosts and under which conditions.
  - 23. The method of claim 1, further comprising the host receiving a first file, extracting content of interest within the first file, repackaging the content of interest into a file of valid formatted type to produce a reduced file, and applying a hash to the reduced file.
  - 24. The method of claim 1, wherein the process of performing at least one security analysis of the file includes providing the file to another computer system and receiving analysis results therefrom.
  - 25. The method of claim 1, further comprising storing a state indicating whether and with what conditions certain file operations can be performed by the hosts on the file, the server propagating meta-information to hosts when there has been a change in the state.
  - 26. The method of claim 25, wherein the server propagates by posting the meta-information such that the meta-information is accessed and obtained by the hosts.
  - 27. The method of claim 1, wherein the server performs a hash of the contents and compares the hash to a hash performed by at least one of the hosts.
  - 28. The method of claim 27, wherein the server performs a plurality of hashes.
  - 29. The method of claim 1, wherein a host queries the server to determine if the server has meta-information for a particular file before uploading the signature and/or the file contents to the server.
  - 30. The method of claim 1, wherein the server queries a remote network device to determine if a signature or name corresponds to a white list of approved files.
  - 31. The method of claim 1, wherein the server queries a remote network device to determine if a signature or name corresponds to a black list of banned files.
  - 32. The method of claim 1, wherein the server queries a remote network device to determine if a signature or name corresponds to a pending list of new or unclassified files.
  - 33. The method of claim 1, wherein the server stores information which associates a file and signature with groups of other files and signatures.
  - 34. The method of claim 1, wherein the server stores information which associates a file and signature with statistics about information stored on other servers.
  - 35. The method of claim 1, wherein the signature includes one or more cryptographic hashes of the contents, and the server queries a remote network device to look up hashes against known product classification databases to identify related products and other files which correspond to the products associated with the file hash.
  - 36. The method of claim 1, wherein the server performs one or more of content querying, meta-information querying, analysis result querying, and security rule querying with the server querying another device on the network.

37. A computer system comprising:
- a server including a memory for storing security-related meta-information relating to files seen on hosts associated with the server, including for each file, a state indicating whether file operations can be performed, and if file operations can be performed with what conditions certain file operations can be performed on the file by the hosts, wherein the states include banning, pending, and allowing, such that a pending state allows file operations subject to security restrictions and further monitoring;
  
  the server, at defined periods, causing at least one security analysis to be performed of the files, the defined periods based on the initial times when the files or signatures of the files have been received by the hosts and/or the server; and
  
  in response to at least some analyses, altering the file state and providing updated information related to the altered state to the hosts.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 38. The system of claim 37, further comprising a group of hosts associated with the server.
  - 39. The system of claim 38, wherein the server stores a state indicating whether and with what conditions certain file operations can be performed by the hosts on the file, wherein the performing process includes checking one or more lists of files for which file operations have been approved or banned.
  - 40. The system of claim 38, wherein the service transfers recent meta-information to other servers and network devices based on age and analysis results.
  - 41. The system of claim 38, wherein the server propagates to the hosts a set of policies, the server also providing information indicating which of the policies are to be implemented by the hosts and under what conditions.
  - 42. The system of claim 38, wherein the server stores states for files indicating whether and with what conditions certain file operations can be performed by the hosts on the file, the server propagating meta-information to hosts when there has been a change in the state.
  - 43. The system of claim 42, wherein the server propagates by posting the meta-information such that the meta-information is accessed and obtained by the hosts.
  - 44. The system of claim 38, wherein the signature includes one or more cryptographic hashes of the contents, and the server performs a hash of the contents and compares the hash to a hash performed by at least one of the hosts.
  - 45. The system of claim 44, wherein the server performs a plurality of hashes to obtain a signature.
  - 46. The system of claim 37, wherein the server automatically notifies other network devices of changes to lists of actions that are set as banned or approved.
  - 47. The system of claim 37, wherein the initial time is related to the time when the file or the hash of the file contents is first seen in the system by the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Original Assignee
Bit 7, Inc. (Bb7 LLC)
Inventors
Brennan, Todd
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US11/193,295
Publication Number

US 20070028304A1
Time in Patent Office

2,608 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/14   for detecting or protecting...

H04L 63/20   for managing network securi...

Centralized timed analysis in a network security system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

650 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Centralized timed analysis in a network security system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

650 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links