Methods and apparatus providing automatic signature generation and enforcement
First Claim
1. A method comprising:
inserting at least one notifying identifier in a computer system, the at least one notifying identifier providing execution information associated with the computer system;
receiving execution information from the at least one notifying identifier, the execution information identifying details associated with a traffic flow comprising a plurality of data payloads on the computer system; and
identifying a collection of sub strings from some of the plurality of data payloads on the at least one computer system;
assigning a probability to each of the sub strings within the collection of sub strings; and
associating the probability to a likelihood that a data payload associated with each of the sub strings is one of the group consisting of a good data payload and a bad data payload;
receiving notification that a policy violation has been triggered for at least one attack on the computer system;
in response to the notification, deterministically identifying, from the execution information provided by the at least one notifying identifier, a data payload that is associated with the at least one attack;
in response to deterministically identifying, from the execution information provided by the at least one notifying identifier, the data payload that is associated with the at least one attack, generating a signature that matches at least a first portion of the data payload;
refining the signature utilizing the traffic flow on the computer system to create an optimal signature by removing elements of the signature that are matched to good data payloads;
utilizing the optimal signature to filter out data processed by the computer system by preventing processing of a second data payload within the computer system;
wherein the method is performed by one or more computing devices.
Abstract
A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.
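As an added illustration (not code from the patent or its assignee), the claimed loop in Python: execution records from the notifying identifiers link a policy violation to the payload being processed, a signature is generated from that payload's substrings, and it is refined by dropping every element that also matches good traffic. The traffic, execution records and thread-to-payload link are constructed for the example.

```python
from collections import Counter

# Constructed sample traffic flow: each payload carries an id that the
# notifying identifiers (instrumentation) record alongside execution events.
FLOW = {
    1: "GET /app/search?q=shoes HTTP/1.1",
    2: "GET /app/search?q=boots HTTP/1.1",
    3: "GET /app/search?q=" + "%41" * 12 + " HTTP/1.1",  # constructed attack
    4: "GET /app/cart?item=42 HTTP/1.1",
}
# Constructed execution information emitted by the notifying identifiers:
# (thread id, payload id being processed). A policy violation names the thread.
EXEC_INFO = [(11, 1), (12, 2), (13, 3), (14, 4)]

def substrings(payload, k=6):
    """All length-k substrings (k-grams) of one payload."""
    return {payload[i:i + k] for i in range(len(payload) - k + 1)}

def substring_badness(good, bad, k=6):
    """P(bad payload | substring) estimated from labelled payloads."""
    g = Counter(s for p in good for s in substrings(p, k))
    b = Counter(s for p in bad for s in substrings(p, k))
    return {s: b[s] / (b[s] + g[s]) for s in g.keys() | b.keys()}

def identify_attack_payload(violation_thread, exec_info=EXEC_INFO, flow=FLOW):
    """Deterministic link: the payload the violating thread was processing."""
    for thread, pid in exec_info:
        if thread == violation_thread:
            return flow[pid]
    raise LookupError("no execution information for that thread")

def generate_signature(attack_payload, k=6):
    """Initial signature: every k-gram of the payload tied to the attack."""
    return substrings(attack_payload, k)

def refine_signature(signature, good_flow):
    """Drop elements that also match good payloads (false-positive pruning)."""
    return {s for s in signature if not any(s in p for p in good_flow)}

def blocked(signature, payload):
    """Filtering step: a payload is rejected if any signature element matches."""
    return any(s in payload for s in signature)

def build_optimal_signature(violation_thread):
    """Violation -> attack payload -> raw signature -> refined signature."""
    attack = identify_attack_payload(violation_thread)
    good = [p for p in FLOW.values() if p != attack]
    return refine_signature(generate_signature(attack), good)
```

The unrefined signature still contains shared request boilerplate such as the method and protocol version, so it would block good traffic; the refined one keeps only the substrings peculiar to the attack payload.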
19 Claims
1. A method comprising: (the steps set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computerized device comprising:
- a memory;
- a processor;
- a communications interface;
- an interconnection mechanism coupling the memory, the processor and the communications interface;
- wherein the memory is encoded with a signature generating application that when executed on the processor is capable of providing computer security on the computerized device by performing the operations of:
  - inserting at least one notifying identifier in a computer system, the at least one notifying identifier providing execution information associated with the computer system;
  - receiving execution information from the at least one notifying identifier, the execution information identifying details associated with a traffic flow comprising a plurality of data payloads on the computer system; and
  - identifying a collection of sub strings from some of the plurality of data payloads on the at least one computer system;
  - assigning a probability to each of the sub strings within the collection of sub strings; and
  - associating the probability to a likelihood that a data payload associated with each of the sub strings is one of the group consisting of a good data payload and a bad data payload;
  - receiving notification that a policy violation has been triggered for at least one attack on the computer system;
  - in response to the notification, deterministically identifying, from the execution information provided by the at least one notifying identifier, a data payload that is associated with the at least one attack;
  - in response to deterministically identifying, from the execution information provided by the at least one notifying identifier, the data payload that is associated with the at least one attack, generating a signature that matches at least a first portion of the data payload;
  - refining the signature utilizing the traffic flow on the computer system to create an optimal signature by removing elements of the signature that are matched to good data payloads;
  - utilizing the optimal signature to filter out data processed by the computer system by preventing processing of a second data payload within the computer system.
Dependent claims: 10, 11.
12. A non-transitory computer readable medium encoded with computer programming logic that when executed on a process in a computerized device provides computer security, the medium comprising:
- instructions for inserting at least one notifying identifier in a computer system, the at least one notifying identifier providing execution information associated with the computer system;
- instructions for receiving execution information from the at least one notifying identifier, the execution information identifying details associated with a traffic flow comprising a plurality of data payloads on the computer system;
- instructions for identifying a collection of sub strings from some of the plurality of data payloads on the at least one computer system;
- instructions for assigning a probability to each of the sub strings within the collection of sub strings; and
- instructions for associating the probability to a likelihood that a data payload associated with each of the sub strings is one of the group consisting of a good data payload and a bad data payload;
- instructions for receiving notification that a policy violation has been triggered for at least one attack on the computer system;
- instructions for, in response to the notification, deterministically identifying, from the execution information provided by the at least one notifying identifier, a data payload that is associated with the at least one attack;
- instructions for, in response to deterministically identifying, from the execution information provided by the at least one notifying identifier, a data payload that is associated with the at least one attack, generating a signature that matches at least a first portion of the data payload;
- instructions for refining the signature utilizing the traffic flow on the computer system to create an optimal signature by removing elements of the signature that are matched to good data payloads;
- instructions for utilizing the optimal signature to filter out data processed by the computer system by preventing processing of a second data payload within the computer system.
Dependent claims: 13, 14, 15, 16, 17, 18, 19.