Classification of software on networked systems

US 8,763,118 B2
Filed: 09/28/2012
Issued: 06/24/2014
Est. Priority Date: 07/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting an execution attempt by software on a computing system;

classifying the software as authorized or unauthorized to execute on the computing system based on a set of identifiers that represents a set of software authorized to execute on the computing system;

gathering information about the software if the software is classified as unauthorized to execute on the computing system by correlating network packets with the software, wherein the network packets are correlated with the software by a time of the execution attempt or by matching a checksum of at least a portion of the software with a checksum of a pattern in the network packets, and the information gathered through the correlating step enables one or more targets to identify or block instances of the software; and

sending the information to one or more actuators for analysis and generation of a directive for the one or more targets.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for the classification of software in networked systems, includes: determining a software received by a sensor is attempting to execute on a computer system of the sensor; classifying the software as authorized or unauthorized to execute, and gathering information on the software by the sensor if the software is classified as unauthorized to execute. The sensor sends the information on the software to one or more actuators, which determine whether or not to act on one or more targets based on the information. If so, then the actuator sends a directive to the target(s). The target(s) updates its responses according to the directive. The classification of the software is definitive and is not based on heuristics or rules or policies and without any need to rely on any a priori information about the software.

328 Citations

14 Claims

1. A method, comprising:
- intercepting an execution attempt by software on a computing system;
  
  classifying the software as authorized or unauthorized to execute on the computing system based on a set of identifiers that represents a set of software authorized to execute on the computing system;
  
  gathering information about the software if the software is classified as unauthorized to execute on the computing system by correlating network packets with the software, wherein the network packets are correlated with the software by a time of the execution attempt or by matching a checksum of at least a portion of the software with a checksum of a pattern in the network packets, and the information gathered through the correlating step enables one or more targets to identify or block instances of the software; and
  
  sending the information to one or more actuators for analysis and generation of a directive for the one or more targets.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the identifier comprises one or more of a hash of at least a portion of a set of bits representing the software, a checksum of at least a portion of a set of bits representing the software, a message digest of at least a portion of a set of bits representing the software, an operating system file name, an operating system file system internal designator, an operating system attribute, a file system attribute, and meta-data.
  - 3. The method of claim 1, further comprising:
    - generating an identifier for the software; and
      
      determining if the identifier is a member of the set of identifiers,wherein the software is classified as unauthorized to execute on the computer system if the identifier is not a member of the set of identifiers.
  - 4. The method of claim 1, wherein the software is classified after the software has executed on the computing system.
  - 5. The method of claim 1, wherein the information sent to the actuators includes one or more pieces of information from the correlated network packets.
  - 6. The method of claim 5, wherein the one or more pieces of information include one or more of:
    - a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port, a packet payload signature, and a packet header signature.

7. At least one computer readable medium comprising program instructions that when executed by a processor:
- intercept an execution attempt by software on a computing system;
  
  classify the software as authorized or unauthorized to execute on the computing system based on a set of identifiers that represents a set of software authorized to execute on the computing system;
  
  gather information about the software if the software is classified as unauthorized to execute on the computing system by correlating network packets with the software, wherein the network packets are correlated with the software by a time of the execution attempt or by matching a checksum of at least a portion of the software with a checksum of a pattern in the network packets, and the information gathered through the correlating step enables one or more targets to identify or block instances of the software; and
  
  send the information to one or more actuators for analysis and generation of a directive for the one or more targets.
- View Dependent Claims (8, 9, 10)
- - 8. The at least one computer readable medium of claim 7, comprising further program instructions that when executed by a processor:
    - generate an identifier for the software; and
      
      determine if the identifier is a member of the set of identifiers,wherein the software is classified as unauthorized to execute on the computer system if the identifier is not a member of the set of identifiers.
  - 9. The at least one computer readable medium of claim 7, wherein the information sent to the actuators includes one or more pieces of information from the correlated network packets.
  - 10. The at least one computer readable medium of claim 9, wherein the one or more pieces of information include one or more of:
    - a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port, a packet payload signature, and a packet header signature.

11. An apparatus, comprising:
- a computing system;
  
  at least one sensor coupled to the computing system, the sensor configured to;
  
  intercept an execution attempt by software on the computing system;
  
  classify the software as authorized or unauthorized to execute on the computing system based on a set of identifiers that represents a set of software authorized to execute on the computing system;
  
  gather information about the software if the software is classified as unauthorized to execute on the computing system by correlating network packets with the software, wherein the network packets are correlated with the software by a time of the execution attempt or by matching a checksum of at least a portion of the software with a checksum of a pattern in the network packets, and the information gathered through the correlating step enables one or more targets to identify or block instances of the software; and
  
  send the information to one or more actuators for analysis and generation of a directive for the one or more targets.
- View Dependent Claims (12, 13, 14)
- - 12. The apparatus of claim 11, wherein the identifier comprises one or more of a hash of at least a portion of a set of bits representing the software, a checksum of at least a portion of a set of bits representing the software, a message digest of at least a portion of a set of bits representing the software, an operating system file name, an operating system file system internal designator, an operating system attribute, a file system attribute, and meta-data.
  - 13. The apparatus of claim 11, wherein the sensor is further configured to:
    - generate an identifier for the software; and
      
      determine if the identifier is a member of the set of identifiers,wherein the software is classified as unauthorized to execute on the computer system if the identifier is not a member of the set of identifiers.
  - 14. The apparatus of claim 11, wherein the information sent to the actuators includes one or more pieces of information from the correlated network packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sebes, E. John, Bhargava, Rishi
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US13/629,765
Publication Number

US 20130024934A1
Time in Patent Office

634 Days
Field of Search

726 22- 24, 713/176, 713/188, 714/4.21, 714/26, 706/47
US Class Current

726/22
CPC Class Codes

G06F 21/51 at application loading time...

Classification of software on networked systems

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

328 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Classification of software on networked systems

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

328 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links