System, method, and computer program product for detecting unwanted activity associated with an object, based on an attribute associated with the object

US 8,291,494 B1
Filed: 07/08/2008
Issued: 10/16/2012
Est. Priority Date: 07/08/2008
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:

monitoring an operation performed by an object using an intrusion system;

labeling the object with an attribute of a predetermined behavior based on detection of the predetermined behavior in association with the object, the attribute including a uniform resource locator (URL) that is embedded into the object, and wherein the detection of the predetermined behavior includes matching a behavior associated with the object to a compound rule;

extracting a plurality of rules from the compound rule; and

extracting additional rules from the plurality of rules in iterations until each rule extracted has no further dependencies and a reaction to the object is resolved without storing an event associated with the object in a cache.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for detecting unwanted activity associated with an object, based on an attribute associated with the object. In use, an object is labeled with an attribute of a predetermined behavior based on detection of the predetermined behavior in association with the object. Additionally, unwanted activity associated with the object is detected, utilizing the attribute.

13 Citations

View as Search Results

15 Claims

1. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:
- monitoring an operation performed by an object using an intrusion system;
  
  labeling the object with an attribute of a predetermined behavior based on detection of the predetermined behavior in association with the object, the attribute including a uniform resource locator (URL) that is embedded into the object, and wherein the detection of the predetermined behavior includes matching a behavior associated with the object to a compound rule;
  
  extracting a plurality of rules from the compound rule; and
  
  extracting additional rules from the plurality of rules in iterations until each rule extracted has no further dependencies and a reaction to the object is resolved without storing an event associated with the object in a cache.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer program product of claim 1, wherein the labeling includes flagging the object with the attribute.
  - 3. The computer program product of claim 1, wherein the object includes an executable program.
  - 4. The computer program product of claim 1, wherein the attribute includes a string value.
  - 5. The computer program product of claim 1, further comprising:
    - identifying a particular event associated with the object.
  - 6. The computer program product of claim 5, further comprising:
    - determining whether the particular event includes the predetermined behavior.
  - 7. The computer program product of claim 5, wherein parameters associated with the particular event are extracted.
  - 8. The computer program product of claim 7, wherein the parameters are stored.
  - 9. The computer program product of claim 1, wherein the object is associated with unwanted activity.
  - 10. The computer program product of claim 9, wherein the unwanted activity is detected by analyzing the attribute and a plurality of additional attributes with which the object is labeled.
  - 11. The computer product of claim 9, wherein the unwanted activity is detected by determining a value of the attribute.
  - 12. The computer program product of claim 11, wherein the value of the attribute indicates that at least a portion of the unwanted activity associated with the object has occurred.

13. A method, comprising:
- monitoring an operation performed by an object using an intrusion system;
  
  labeling the object with an attribute of a predetermined behavior based on detection of the predetermined behavior in association with the object, the attribute including a uniform resource locator (URL) that is embedded into the object, and wherein the detection of the predetermined behavior includes matching a behavior associated with the object to a compound rule;
  
  extracting a plurality of rules from the compound rule in; and
  
  extracting additional rules from the plurality of rules in iterations until each rule extracted has no further dependencies and a reaction to the object is resolved without storing an event associated with the object in a cache.

14. A system, comprising:
- a processor coupled to a memory, the system being configured for;
  
  monitoring an operation performed by an object using an intrusion system;
  
  labeling the object with an attribute of a predetermined behavior based on detection of the predetermined behavior in association with the object, the attribute including a uniform resource locator (URL) that is embedded into the object, and wherein the detection of the predetermined behavior includes matching a behavior associated with the object to a compound rule;
  
  extracting a plurality of rules from the compound rule; and
  
  extracting additional rules from the plurality of rules in iterations until each rule extracted has no further dependencies and a reaction to the object is resolved without storing an event associated with the object in a cache.
- View Dependent Claims (15)
- - 15. The system of claim 14, wherein the processor remains in communication with the memory and a network adapter via a bus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said, Spurlock, Joel R.
Primary Examiner(s)
ZECHER, CORDELIA P K

Application Number

US12/169,420
Time in Patent Office

1,561 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 11/3612   by runtime analysis perform...

G06F 21/554   involving event detection a...

G06F 2221/2145   Inheriting rights or proper...

System, method, and computer program product for detecting unwanted activity associated with an object, based on an attribute associated with the object

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

System, method, and computer program product for detecting unwanted activity associated with an object, based on an attribute associated with the object

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others