Methods and apparatus providing computer and network security for polymorphic attacks

US 8,413,245 B2
Filed: 05/01/2006
Issued: 04/02/2013
Est. Priority Date: 12/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring, at each of a plurality of control points, one or more processing activities associated with each of a plurality of components of a computer system, each control point of the plurality of control points corresponding to one or more components of the plurality of components, each component having a corresponding interface;

detecting an attack on the computer system;

in response to the detecting, determining that the attack is a polymorphic attack;

in response to the determining, identifying a particular interface on the computer system that is failing as a result of the polymorphic attack;

determining that generation of a new signature will not be effective to prevent execution of the polymorphic attack;

in response to determining that generation of a new signature will not be effective to prevent execution of the polymorphic attack, adjusting access only to the particular interface at a particular control point established on the interface and not the entire computer system, wherein the particular control point is one of the plurality of control points;

wherein the method is performed by one or more processors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system detects an attack on the computer system. The system identifies the attack as polymorphic, capable of modifying itself for every instance of execution of the attack. The modification of the attack is utilized to defeat detection of the attack. In one embodiment, the system determines generation of an effective signature of the attack has failed. The signature is utilized to prevent execution of the attack. The system then adjusts access to an interface to prevent further damage caused to the computer system by the attack.

Citations

20 Claims

1. A method comprising:
- monitoring, at each of a plurality of control points, one or more processing activities associated with each of a plurality of components of a computer system, each control point of the plurality of control points corresponding to one or more components of the plurality of components, each component having a corresponding interface;
  
  detecting an attack on the computer system;
  
  in response to the detecting, determining that the attack is a polymorphic attack;
  
  in response to the determining, identifying a particular interface on the computer system that is failing as a result of the polymorphic attack;
  
  determining that generation of a new signature will not be effective to prevent execution of the polymorphic attack;
  
  in response to determining that generation of a new signature will not be effective to prevent execution of the polymorphic attack, adjusting access only to the particular interface at a particular control point established on the interface and not the entire computer system, wherein the particular control point is one of the plurality of control points;
  
  wherein the method is performed by one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the one or more processing activities include at least one of file access, directory access, network access, network traffic payload control, registry access, COM object access control, accessing system calls, invoking applications, handling exceptions, detecting buffer overflows, CPU utilization, or memory utilization.
  - 3. The method of claim 1, further comprising determining that the attack causes a failure of at least one of the plurality of components of the computer system.
  - 4. The method of claim 1, further comprising determining that the attack contains exploit code executable on the computer system.
  - 5. The method of claim 1, further comprising determining that the attack causes a violation of a security policy.
  - 6. The method of claim 1, further comprising:
    - generating a signature for the attack;
      
      determining the generated signature is not effective for identifying future attacks;
      
      based on determining the generated signature is not effective, identifying the attack as polymorphic.
  - 7. The method of claim 1, further comprising disabling the interface.
  - 8. The method of claim 1, further comprising selectively disabling the interface.
  - 9. The method of claim 8, further comprising disabling the interface based on the source of the attack.
  - 10. The method of claim 1, further comprising disabling the interface for a period of time.

11. A non-transitory computer-readable storage medium encoded with computer program logic that, when executed by a computerized device, causes the device to perform:
- monitoring, at each of a plurality of control points, one or more processing activities associated with each of a plurality of components of a computer system, each control point of the plurality of control points corresponding to one or more components of the plurality of components, each component having a corresponding interface;
  
  detecting an attack on the computer system;
  
  in response to the detecting, determining that the attack is a polymorphic attack;
  
  in response to the determining, identifying a particular interface on the computer system that is failing as a result of the polymorphic attack;
  
  determining that generation of a new signature will not be effective to prevent execution of the polymorphic attack;
  
  in response to determining that generation of a new signature will not be effective to prevent execution of the polymorphic attack, adjusting access only to the particular interface at a particular control point established on the interface and not the entire computer system, wherein the particular control point is one of the plurality of control points.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer-readable storage medium of claim 11, wherein the one or more processing activities include at least one of file access, directory access, network access, network traffic payload control, registry access, COM object access control, accessing system calls, invoking applications, handling exceptions, detecting buffer overflows, CPU utilization, or memory utilization.
  - 13. The non-transitory computer-readable storage medium of claim 11, further encoded with computer program logic that causes the device to perform determining that the attack causes a failure of at least one of the plurality of components of the computer system.
  - 14. The non-transitory computer-readable storage medium of claim 11, further encoded with computer program logic that causes the device to perform determining that the attack contains exploit code executable on the computer system.
  - 15. The non-transitory computer-readable storage medium of claim 11, further encoded with computer program logic that causes the device to perform determining that the attack causes a violation of a security policy.
  - 16. The non-transitory computer-readable storage medium of claim 11, further encoded with computer program logic that causes the device to perform:
    - generating a signature for the attack;
      
      determining the generated signature is not effective for identifying future attacks;
      
      based on determining the generated signature is not effective, identifying the attack as polymorphic.
  - 17. The non-transitory computer-readable storage medium of claim 11, further encoded with computer program logic that causes the device to perform disabling the interface.
  - 18. The non-transitory computer-readable storage medium of claim 11, further encoded with computer program logic that causes the device to perform selectively disabling the interface.
  - 19. The non-transitory computer-readable storage medium of claim 18, further encoded with computer program logic that causes the device to perform disabling the interface based on the source of the attack.
  - 20. The non-transitory computer-readable storage medium of claim 11, further encoded with computer program logic that causes the device to perform disabling the interface for a period of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kraemer, Jeffrey A., Zawadowskiy, Andrew
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Tolentino, Roderick

Application Number

US11/414,910
Publication Number

US 20070143848A1
Time in Patent Office

2,528 Days
Field of Search

726 22- 25, 705 51- 54, 713189-194, 717174-178
US Class Current

726/24
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

Methods and apparatus providing computer and network security for polymorphic attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus providing computer and network security for polymorphic attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links