Classification of software on networked systems

US 8,307,437 B2
Filed: 11/11/2010
Issued: 11/06/2012
Est. Priority Date: 07/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving information from a sensor, wherein the information relates to a software classified by the sensor as unauthorized to execute on a computing system of the sensor;

evaluating one or more pieces of data that includes the information, wherein the evaluating includes collating the one or more pieces of data;

determining if any subset of the data can represent an identifier of the unauthorized software, wherein the subset is recognizable by a target type comprising a functionality of a target to update a response according to a directive specifying an action based on the subset;

identifying the target type;

generating the directive for the identified target type; and

communicating the directive to one or more targets of the identified target type.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for the classification of software in networked systems, includes: determining a software received by a sensor is attempting to execute on a computer system of the sensor; classifying the software as authorized or unauthorized to execute, and gathering information on the software by the sensor if the software is classified as unauthorized to execute. The sensor sends the information on the software to one or more actuators, which determine whether or not to act on one or more targets based on the information. If so, then the actuator sends a directive to the target(s). The target(s) updates its responses according to the directive. The classification of the software is definitive and is not based on heuristics or rules or policies and without any need to rely on any a priori information about the software.

Citations

20 Claims

1. A method, comprising:
- receiving information from a sensor, wherein the information relates to a software classified by the sensor as unauthorized to execute on a computing system of the sensor;
  
  evaluating one or more pieces of data that includes the information, wherein the evaluating includes collating the one or more pieces of data;
  
  determining if any subset of the data can represent an identifier of the unauthorized software, wherein the subset is recognizable by a target type comprising a functionality of a target to update a response according to a directive specifying an action based on the subset;
  
  identifying the target type;
  
  generating the directive for the identified target type; and
  
  communicating the directive to one or more targets of the identified target type.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the information comprises at least one of:
    - network packets which encoded the unauthorized software;
      
      source and destination IP addresses and ports indicating a network connection of the network packets which encoded the unauthorized software;
      
      a packet payload signature and/or a packet header signature; and
      
      a checksum of the unauthorized software.
  - 3. The method of claim 1, wherein the directive includes the identifier of the unauthorized software to be compared to a corresponding identifier of other software on at least one of the one or more targets, wherein if the identifier of the unauthorized software matches the corresponding identifier of the other software then an action indicated by the directive is performed.
  - 4. The method of claim 1, wherein the one or more targets comprise a network-node, wherein the directive comprises instructions to restrict network traffic.
  - 5. The method of claim 1, wherein the one or more targets comprise a computer, wherein the directive comprises information identifying software to be blocked from execution on the computer.
  - 6. The method of claim 1, wherein the one or more targets comprise a manager, wherein the directive comprises information for adjusting a behavior of a network-node coupled to the manager, such that the network-node restricts network traffic.
  - 7. The method of claim 1, wherein the one or more targets comprise a manager, wherein the directive comprises information for adjusting a behavior of a computer coupled to the manager, such that the computer identifies software to be blocked from execution.

8. A method, comprising:
- receiving a directive from an actuator, wherein the directive comprises a result of an analysis of an attempted execution by a software on a computing system of a sensor, wherein the software was classified by the sensor as unauthorized to execute on the computing system of the sensor, wherein the analysis comprises;
  
  evaluating one or more pieces of data that includes information related to the attempted execution, wherein the evaluating comprises collating the one or more pieces of data;
  
  determining if any subset of the data can represent an identifier of the unauthorized software, wherein the subset is recognizable by a target type comprising a functionality of a target to update a response according to the directive, wherein the directive specifies an action based on the subset;
  
  identifying the target type;
  
  generating the directive for the identified target type; and
  
  performing an action on one or more targets of the identified target type based on the directive.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, wherein the directive includes the identifier of the unauthorized software to be compared to a corresponding identifier of other software on the target, wherein the action is performed if the identifier of the unauthorized software matches the corresponding identifier of the other software.
  - 10. The method of claim 8, wherein the action comprises restricting network traffic.
  - 11. The method of claim 8, wherein the action comprises blocking subsequent attempted executions of the unauthorized software.

12. An apparatus, comprising:
- at least one actuator coupled to a network system, wherein the at least one actuator;
  
  receives information from a sensor, wherein the information relates to a software unauthorized to execute on a computer system of the sensor;
  
  evaluates one or more pieces of data that includes the information, including by collating the one or more pieces of data;
  
  determines if any subset of the data can represent an identifier of the unauthorized software, wherein the subset is recognizable by a target type comprising a functionality of a target to update a response according to a directive, wherein the directive specifies an action based on the subset;
  
  identifying the target type;
  
  generating the directive for the identified target type; and
  
  distributes the directive to one or more targets of the identified target type.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The apparatus of claim 12, wherein the directive includes the identifier of the unauthorized software to be compared to a corresponding identifier of other software on at least one of the one or more targets, wherein if the identifier of the unauthorized software matches the corresponding identifier of the other software then an action indicated by the directive is performed.
  - 14. The apparatus of claim 12, wherein the one or more targets comprise a network-node, wherein the directive comprises instructions to restrict network traffic.
  - 15. The apparatus of claim 12, wherein the one or more targets comprise a computer, wherein the directive comprises information identifying software to be blocked from execution.
  - 16. The apparatus of claim 12, wherein the one or more targets comprise a manager, wherein the directive comprises information for adjusting a behavior of a network-node coupled to the manager, such that the network-node restricts network traffic.
  - 17. The apparatus of claim 12, wherein the one or more targets comprise a manager, wherein the directive comprises information for adjusting a behavior of a computer coupled to the manager, such that the computer identifies software to be blocked from execution.

18. Logic encoded in a computer that includes code for execution and when executed by a processor is operable to perform operations comprising:
- receiving information from a sensor on a software, wherein the software was classified by the sensor as unauthorized to execute on a computing system of the sensor, wherein the information is related to an attempted execution of the software on the computing system;
  
  evaluating one or more pieces of data that includes the information, wherein the evaluating comprises collating the one or more pieces of data;
  
  determining if any subset of the data can represent an identifier of the unauthorized software, wherein the subset is recognizable by a target type comprising a functionality of a target to update a response according to the directive, wherein a directive specifies an action based on the subset;
  
  identifying the target type;
  
  generating the directive for the identified target type; and
  
  communicating the directive to one or more targets of the identified target type.
- View Dependent Claims (20)
- - 20. The logic of claim 18, wherein the information comprises at least one of:
    - network packets which encoded the unauthorized software;
      
      source and destination IP addresses and ports indicating a network connection of the network packets which encoded the unauthorized software;
      
      a packet payload signature and/or a packet header signature; and
      
      a checksum of the unauthorized software.

19. Logic encoded in a computer that includes code for execution and when executed by a processor is operable to perform operations comprising:
- receiving a directive from an actuator, wherein the directive comprises a result of an analysis of an attempted execution by a software on a computing system of a sensor, wherein the software was classified as unauthorized to execute on the computing system of the sensor, wherein the analysis comprises;
  
  evaluating one or more pieces of data that includes information related to the attempted execution, wherein the evaluating comprises collating the one or more pieces of data;
  
  determining if any subset of the data can represent an identifier of the unauthorized software, wherein the subset is recognizable by a target type comprising a functionality of a target to update a response according to the directive, wherein the directive specifies an action based on the subset;
  
  identifying the target type;
  
  generating the directive for the identified target type; and
  
  performing an action on a target of the identified target type based on the directive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sebes, E. John, Bhargava, Rishi
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US12/944,567
Publication Number

US 20110119760A1
Time in Patent Office

726 Days
Field of Search

726 22- 24, 713/176, 713/188, 713/182, 717/172, 370/352, 370/360, 370/401, 29/250.1
US Class Current

726/22
CPC Class Codes

G06F 21/51 at application loading time...

Classification of software on networked systems

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Classification of software on networked systems

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links