Classification of unwanted or malicious software through the identification of encrypted data communication
Abstract
A method for identifying malware or unauthorized software communications implemented within a computer infrastructure, the method including detecting an encrypted communication and determining identification data for the encrypted communication. Additionally, the method includes comparing the detected encrypted communication to at least one of a list of applications authorized for encrypted communications using the identification data and a list of authorized destinations of encrypted communications using the identification data. Furthermore, the method includes identifying the detected encrypted communication as an unauthorized encrypted communication in response to a determination that at least one of the detected encrypted communication is from an unauthorized application, which is not on the list of applications authorized for encrypted communications, based on the comparing and the detected encrypted communication is to an unauthorized destination, which is not on the list of authorized destinations.
13 Claims
1. A method for identifying unauthorized encrypted communications, the method comprising:
- a computer detecting an encrypted communication;
- the computer determining a source and destination of the encrypted communication;
- the computer comparing the source of the detected encrypted communication to a predetermined list of applications authorized to send encrypted communications to the computer and the destination of the detected encrypted communication to a predetermined list of destinations authorized for encrypted communications, and
  - if the source of the detected encrypted communication is on the predetermined list of authorized applications and the destination of the detected encrypted communication is on the predetermined list of destinations authorized for encrypted communications, the computer allowing the detected encrypted communication to proceed, and
  - if the source of the detected encrypted communication is not on the predetermined list of authorized applications, the computer determining if the detected encrypted communication was sent from an application that is on a network trusted by the computer, and, if so, the computer adding the application on the trusted network to the predetermined list of applications authorized to send encrypted communications; and
- the computer subsequently receiving another encrypted communication from the application on the trusted network, and in response, the computer determining that a source of the other encrypted communication is the application on the trusted network and that the application on the trusted network is on the predetermined list of authorized applications, and, in response, if the destination of the other encrypted communication is on the predetermined list of destinations authorized for encrypted communications the computer allowing the other encrypted communication to proceed.

Dependent claims: 2, 3, 4, 5, 11, 12, 13.
6. A computer system for identifying unauthorized encrypted communications, the computer system comprising:
- a computer-readable tangible storage device, a memory, and a central processing unit;
- first program instructions to detect an encrypted communication;
- second program instructions to determine a source and destination of the encrypted communication;
- third program instructions to compare the source of the encrypted communication to a predetermined list of applications authorized to send encrypted communications and the destination of the detected encrypted communication to a predetermined list of destinations authorized for encrypted communications, and
  - if the source of the detected encrypted communication is on the predetermined list of authorized applications and the destination of the detected encrypted communication is on the predetermined list of destinations authorized for encrypted communications, allow the detected encrypted communication to proceed, and
  - if the source of the detected encrypted communication is not on the predetermined list of authorized applications, determine if the detected encrypted communication was sent from an application that is on a network trusted by the computer system, and if so, add the application on the trusted network to the list of applications authorized to send encrypted communications; and
- fourth program instructions to subsequently receive another encrypted communication from the application on the trusted network, and in response, determine that a source of the other encrypted communication is the application on the trusted network and that the application on the trusted network is on the predetermined list of authorized applications, and in response, if the destination of the other encrypted communication is on the predetermined list of destinations authorized for encrypted communications allow the other encrypted communication to proceed,

wherein the first program instructions, the second program instructions, the third program instructions, and the fourth program instructions are stored in the computer-readable tangible storage device for execution by the central processing unit via the memory.

Dependent claims: 7, 8, 9.
10. A computer program product comprising a computer-readable tangible storage device having readable program code embodied in the computer-readable tangible storage device, the computer program product includes at least one component operable to:
- receive a predetermined list of applications authorized to send encrypted communications;
- detect an encrypted communication;
- determine a source of the encrypted communication and a destination for the encrypted communication;
- compare the source of the detected encrypted communication to the predetermined list of applications authorized to send the encrypted communications and the destination of the detected encrypted communication to a predetermined list of destinations authorized for encrypted communications, and
  - if the source of the detected encrypted communication is on the predetermined list of authorized applications and the destination of the detected encrypted communication is on the predetermined list of destinations authorized for encrypted communications, allow the detected encrypted communication to proceed, and
  - if the source of the detected encrypted communication is not on the predetermined list of authorized applications, determine if the detected encrypted communication was sent from an application that is on a network that is trusted, and if so, add the application on the trusted network to the predetermined list of applications authorized to send encrypted communications; and
- subsequently receive another encrypted communication from the application on the trusted network, and in response, determine that the source of the other encrypted communication is the application on the trusted network and that the application on the trusted network is on the predetermined list of authorized applications, and in response, if the destination of the other encrypted communication is on the predetermined list of destinations authorized for encrypted communications allow the other encrypted communication to proceed.
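The decision procedure the independent claims describe (application allowlist, destination allowlist, and learning of applications from a trusted network), as an added example that is not the patent's own implementation. It assumes TLS ClientHello bytes as the detection signal for "encrypted communication", a CIDR list for "trusted network", and that a newly learned application's first communication is then judged on its destination like any other; all sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    """The two predetermined lists from claim 1, plus the networks the computer trusts."""
    authorized_apps: set
    authorized_destinations: set
    trusted_networks: list = field(default_factory=list)

    def on_trusted_network(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(net) for net in self.trusted_networks)

def is_tls_client_hello(payload: bytes) -> bool:
    # Assumed detection heuristic: TLS record type 0x16 (handshake), major version 3,
    # handshake type 0x01 (ClientHello) in the first bytes of the stream.
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01

def classify(policy: Policy, app: str, src_addr: str, dst: str, payload: bytes) -> str:
    """Claim-1 decision: allow only when application and destination are both listed; an unlisted
    application on a trusted network is learned first (assumption: then judged on destination)."""
    if not is_tls_client_hello(payload):
        return "not-encrypted"
    if app not in policy.authorized_apps:
        if not policy.on_trusted_network(src_addr):
            return "unauthorized-application"
        policy.authorized_apps.add(app)  # learn the application from the trusted network
    if dst not in policy.authorized_destinations:
        return "unauthorized-destination"
    return "allow"

# Constructed sample: first bytes of a TLS-framed ClientHello record.
CLIENT_HELLO = bytes.fromhex("16030100a4010000a0")

def run_demo():
    policy = Policy(
        authorized_apps={"browser"},
        authorized_destinations={"updates.example.com", "backup.example.com"},
        trusted_networks=["10.0.0.0/8"],
    )
    flows = [  # (application, source address, destination, first bytes), all constructed
        ("browser", "10.0.0.5", "updates.example.com", CLIENT_HELLO),
        ("unknown.exe", "203.0.113.9", "updates.example.com", CLIENT_HELLO),
        ("backup-agent", "10.0.0.7", "backup.example.com", CLIENT_HELLO),
        ("backup-agent", "10.0.0.7", "files.example.org", CLIENT_HELLO),
        ("browser", "10.0.0.5", "updates.example.com", b"GET / HTTP/1.1\r\n"),
    ]
    return [classify(policy, *flow) for flow in flows], policy
```

The third and fourth flows show the learning step: the agent on the trusted network is added to the application list, and its later communication is still rejected when the destination is not on the destination list.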