Host intrusion prevention system using software and user behavior analysis

US 8,607,340 B2
Filed: 03/31/2010
Issued: 12/10/2013
Est. Priority Date: 07/21/2009
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:

A) monitoring a user interaction with a computer, the user interaction including a plurality of user behaviors by a single user during a usage session, for a first indication of a user behavior, wherein the first indication of the user behavior is a result of comparing the user interaction with one of a plurality of predetermined behaviors, referred to as behavioral genes, where each one of the behavior genes is stored for reference in a database;

B) monitoring a computer code process executing during the usage session for a first indication of a first code operation, wherein the first indication of the first code operation is a result of comparing the first code operation with one of a plurality of predetermined code behaviors, referred to as code genes, where each one of the code genes is stored for reference in a database;

C) performing step B) a number of times to collect a first plurality of code operation indications;

D) comparing a combination of the first indication of user behavior and the first plurality of code operation indications to a first predetermined collection of user behavior-code operation indications, referred to as a phenotype, which comprises a grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer;

E) based on a detection of a collection of known malicious behaviors in step D), performing the following steps to obtain an increased level of confidence that a known family of malware is present;

E1) monitoring the user interaction for a second indication of a second user behavior, wherein the second indication of the second user behavior is a result of comparing the user interaction with one of the behavioral genes;

E2) monitoring the computer code process executing during the usage session for a second indication of a second code operation, wherein the second indication of the second code operation is a result of comparing the second code operation with one of the code genes;

E3) performing step E2 a second number of times to collect a second plurality of code operation indications;

E4) comparing a second combination of the second user behavior and the second plurality of code operation indications to a second phenotype which comprises a second grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and

F) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the second phenotype.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for threat detection using a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, software application, operating system, graphic user interface, or some other component or client of a computer network, and performing an action to protect the computer network based at least in part on the user interaction and a computer code process executing during or in association with a computer usage session.

Citations

19 Claims

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
- A) monitoring a user interaction with a computer, the user interaction including a plurality of user behaviors by a single user during a usage session, for a first indication of a user behavior, wherein the first indication of the user behavior is a result of comparing the user interaction with one of a plurality of predetermined behaviors, referred to as behavioral genes, where each one of the behavior genes is stored for reference in a database;
  
  B) monitoring a computer code process executing during the usage session for a first indication of a first code operation, wherein the first indication of the first code operation is a result of comparing the first code operation with one of a plurality of predetermined code behaviors, referred to as code genes, where each one of the code genes is stored for reference in a database;
  
  C) performing step B) a number of times to collect a first plurality of code operation indications;
  
  D) comparing a combination of the first indication of user behavior and the first plurality of code operation indications to a first predetermined collection of user behavior-code operation indications, referred to as a phenotype, which comprises a grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer;
  
  E) based on a detection of a collection of known malicious behaviors in step D), performing the following steps to obtain an increased level of confidence that a known family of malware is present;
  
  E1) monitoring the user interaction for a second indication of a second user behavior, wherein the second indication of the second user behavior is a result of comparing the user interaction with one of the behavioral genes;
  
  E2) monitoring the computer code process executing during the usage session for a second indication of a second code operation, wherein the second indication of the second code operation is a result of comparing the second code operation with one of the code genes;
  
  E3) performing step E2 a second number of times to collect a second plurality of code operation indications;
  
  E4) comparing a second combination of the second user behavior and the second plurality of code operation indications to a second phenotype which comprises a second grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and
  
  F) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the second phenotype.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer program product of claim 1, wherein the step of causing an action based on the prediction includes, at least in part, creating an audit record.
  - 3. The computer program product of claim 2, wherein creating the audit record includes updating a log file.
  - 4. The computer program product of claim 1, wherein the step of causing an action based on the prediction includes, at least in part, forcing the usage session to occur within a restricted operating environment.
  - 5. The computer program product of claim 4, wherein the restricted operating environment is a sandbox.
  - 6. The computer program product of claim 1, wherein the step of causing an action based on the prediction includes, at least in part, at least one of preventing a process that would cause a computer system failure, preventing a process that would cause a device failure, preventing a process that would cause a network states failure, reverting a computer software state back to a prior state that is known to be acceptable, device status change, and a change in the status of a peripheral.
  - 7. The computer program product of claim 1, wherein the step of causing an action based on the prediction includes, at least in part, isolating, via quarantine, the computer on which the user interaction occurs and limiting network access to or from the computer.
  - 8. The computer program product of claim 1, wherein the user interaction with a computer includes at least one of executing a link, executing an Internet link, executing an Intranet link, downloading content item from a server, forwarding an URL, forwarding an email, opening an application, closing an application, updating an application, patching an application, bookmarking website, placing a VoIP call, adding an item to shopping cart, entering financial data, making a purchase, using a webcam, creation of an application macro, creation of an application shortcut, a novel keystroke combination, accessing computer remotely, submitting password, a change in the status of a peripheral device or software application, a network route changes, a firewall enable, a firewall disable, a change in a firewall status, a DNS change, a bridging of two previously unconnected networks.
  - 9. The computer program product of claim 1, wherein the user interaction with a computer includes an inactivity indicator.
  - 10. The computer program product of claim 9, wherein the inactivity indicator is activation of at least one of a screen saver and a hibernation process.
  - 11. The computer program product of claim 1, wherein the user interaction with a computer includes a temporal indicator.
  - 12. The computer program product of claim 11, wherein the temporal indicator is at least one of a time amount spent on a page, a time amount spent in an application, and a time amount spent between a first user action and a second user action.
  - 13. The computer program product of claim 1, wherein the user interaction with a computer includes a change in a network behavior.
  - 14. The computer program product of claim 13, wherein the change in the network behavior is at least one of a VPN enable, a VPN disable, a VPN start, and a VPN end.
  - 15. The computer program product of claim 1, wherein the user interaction with a computer occurs at least in part on at least one of a keyboard, a mouse, a display device, a biometric reader, a camera, a storage device, a scanning device, a printer, a telecommunication component.
  - 16. The computer program product of claim 1, wherein the indication of a code operation is an automatic code behavior.
  - 17. The computer program product of claim 16, wherein the automatic code behavior is at least one of a system startup, a login, a scheduled job process, a system service, and a remotely executed example.

18. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
- A) monitoring a user interaction with a computer, the user interaction including a plurality of user behaviors by a single user during a usage session, for a first indication of a user behavior, wherein the first indication of the user behavior is a result of comparing the user interaction with one of a plurality of predetermined behaviors, referred to as behavioral genes, where each one of the behavioral genes is stored for reference in a database;
  
  B) monitoring a computer code process executing during the usage session for a first indication of a first code operation, wherein the first indication of the first code operation is a result of comparing the first code operation with one of a plurality of predetermined code behaviors, referred to as code genes, where each one of the code genes is stored for reference in a database;
  
  C) performing step A) a number of times to collect a first plurality of user behavior indications;
  
  D) comparing a combination of the first indication of the first code operation and the first plurality of user behavior indications to a first predetermined collection of code operation-user behavior indications, referred to as a phenotype, which comprises a grouping of specific code and behavioral genes that are typically present in a type of malicious usage session with a computer;
  
  E) based on a detection of a collection of known malicious behaviors in step D), performing the following steps to obtain an increased level of confidence that a known family of malware is present;
  
  E1) monitoring the user interaction for a second indication of a second user behavior, wherein the second indication of the second user behavior is a result of comparing the user interaction with one of the behavioral genes;
  
  E2) monitoring the computer code process executing during the usage session for a second indication of a second code operation, wherein the second indication of the second code operation is a result of comparing the second code operation with one of the code genes;
  
  E3) performing step E1 a second number of times to collect a second plurality of user behavior indications;
  
  E4) comparing a second combination of the second plurality of user behavior indications and the second code operation indication to a second phenotype which comprises a second grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and
  
  F) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the second phenotype.

19. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
- A) monitoring a user interaction with a computer, the user interaction including a plurality of user behaviors by a single user during a usage session, for a first indication of a user behavior, wherein the first indication of the user behavior is a result of comparing the user interaction with one of a plurality of predetermined behaviors, referred to as behavioral genes, where each one of the behavioral genes is stored for reference in a database;
  
  B) storing the first indication of the user behavior with a computer code process relating to the user interaction with the computer during the usage session;
  
  C) monitoring the computer code process relating to the user interaction with the computer during the usage session for a first indication of a first code operation, wherein the first indication of the first code operation is a result of comparing the first code operation with one of a plurality of predetermined code behaviors, referred to as code genes, where each one of the code genes is stored for reference in a database;
  
  D) performing step C) a number of times to collect a first plurality of code operation indications;
  
  E) comparing a combination of the first indication of the user behavior and the first plurality of code operation indications to a predetermined collection of user behavior-code operation indications, referred to as a phenotype, which comprises a grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer;
  
  F) based on a detection of a collection of known malicious behaviors in step E), performing the following steps to obtain an increased level of confidence that a known family of malware is present;
  
  F1) monitoring the user interaction for a second indication of a second user behavior, wherein the second indication of the second user behavior is a result of comparing the user interaction with one of the behavioral genes;
  
  F2) monitoring the computer code process during the usage session for a second indication of a second code operation, wherein the second indication of the second code operation is a result of comparing the second code operation with one of the of code genes;
  
  F3) performing step F2 a second number of times to collect a second plurality of code operation indications;
  
  F4) comparing a second combination of the second user behavior and the second plurality of code operation indications to a second phenotype which comprises a second grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and
  
  G) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the second phenotype.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Wright, Clifford C.
Primary Examiner(s)
Patel, Nirav B

Application Number

US12/750,840
Publication Number

US 20110023115A1
Time in Patent Office

1,350 Days
Field of Search

726 22- 25, 713/188
US Class Current

726/22
CPC Class Codes

G06F 21/552 involving long-term monitor...

Host intrusion prevention system using software and user behavior analysis

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Host intrusion prevention system using software and user behavior analysis

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links