Classification of software on networked systems
Abstract
A method and system for the classification of software in networked systems includes: determining that software received by a sensor is attempting to execute on a computer system of the sensor; classifying the software as authorized or unauthorized to execute; and gathering information on the software by the sensor if the software is classified as unauthorized to execute. The sensor sends the information on the software to one or more actuators, which determine whether or not to act on one or more targets based on the information. If so, the actuator sends a directive to the target(s). The target(s) update their responses according to the directive. The classification of the software is definitive: it is not based on heuristics, rules or policies, and it does not rely on any a priori information about the software.
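The sensor step described above, sketched as an added example (not code from the patent or its assignee): an allowlist lookup followed by packet correlation by execution time or by checksum, as claim 1 recites. The SHA-256 identifiers, the 16-byte portion size, the 5-second window and all sample data are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

CHUNK = 16     # assumption: size of the "portion of the software" that is checksummed
WINDOW = 5.0   # assumption: seconds before the execution attempt that count as correlated

@dataclass
class Packet:  # constructed stand-in for a captured network packet
    ts: float
    src: str
    payload: bytes

def digest(data):
    return hashlib.sha256(data).hexdigest()

def classify(image, authorized):
    # Definitive set-membership test: no heuristics, no prior knowledge of unlisted software.
    return "authorized" if digest(image) in authorized else "unauthorized"

def correlate(image, exec_ts, packets):
    # Link packets to the software by time of the attempt OR by a matching portion checksum.
    portions = {digest(image[i:i + CHUNK]) for i in range(0, len(image) - CHUNK + 1, CHUNK)}
    hits = []
    for p in packets:
        by_time = 0.0 <= exec_ts - p.ts <= WINDOW
        by_sum = any(digest(p.payload[i:i + CHUNK]) in portions   # sliding window over payload
                     for i in range(len(p.payload) - CHUNK + 1))
        if by_time or by_sum:
            hits.append({"src": p.src, "ts": p.ts, "by_time": by_time, "by_checksum": by_sum})
    return hits

def on_exec_attempt(image, exec_ts, authorized, packets):
    # Sensor step: None for authorized software, otherwise the report sent to the actuators.
    if classify(image, authorized) == "authorized":
        return None
    return {"sha256": digest(image), "exec_ts": exec_ts,
            "packets": correlate(image, exec_ts, packets)}

# Constructed sample data (not from the patent)
KNOWN_TOOL = b"\x7fELF-known-admin-tool-image-bytes"
UNKNOWN = b"\x7fELF-unlisted-binary-" + bytes(range(40))
AUTHORIZED = {digest(KNOWN_TOOL)}
PACKETS = [
    Packet(100.0, "10.0.0.7", b"HTTP/1.1 200 OK\r\n\r\n" + UNKNOWN[:32]),  # carries a portion
    Packet(998.0, "10.0.0.9", b"unrelated keepalive"),                     # close in time only
    Packet(500.0, "10.0.0.3", b"nothing relevant"),                        # neither
]
```

Calling `on_exec_attempt(UNKNOWN, 1000.0, AUTHORIZED, PACKETS)` returns a report whose packet list gives an actuator the source addresses and match type it would need to build a directive for targets.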
14 Claims
1. A method, comprising:
intercepting an execution attempt by software on a computing system;
classifying the software as authorized or unauthorized to execute on the computing system based on a set of identifiers that represents a set of software authorized to execute on the computing system;
gathering information about the software if the software is classified as unauthorized to execute on the computing system by correlating network packets with the software, wherein the network packets are correlated with the software by a time of the execution attempt or by matching a checksum of at least a portion of the software with a checksum of a pattern in the network packets, and the information gathered through the correlating step enables one or more targets to identify or block instances of the software; and
sending the information to one or more actuators for analysis and generation of a directive for the one or more targets.
Dependent claims: 2, 3, 4, 5, 6
7. At least one computer readable medium comprising program instructions that when executed by a processor:
intercept an execution attempt by software on a computing system;
classify the software as authorized or unauthorized to execute on the computing system based on a set of identifiers that represents a set of software authorized to execute on the computing system;
gather information about the software if the software is classified as unauthorized to execute on the computing system by correlating network packets with the software, wherein the network packets are correlated with the software by a time of the execution attempt or by matching a checksum of at least a portion of the software with a checksum of a pattern in the network packets, and the information gathered through the correlating step enables one or more targets to identify or block instances of the software; and
send the information to one or more actuators for analysis and generation of a directive for the one or more targets.
Dependent claims: 8, 9, 10
11. An apparatus, comprising:
a computing system;
at least one sensor coupled to the computing system, the sensor configured to:
intercept an execution attempt by software on the computing system;
classify the software as authorized or unauthorized to execute on the computing system based on a set of identifiers that represents a set of software authorized to execute on the computing system;
gather information about the software if the software is classified as unauthorized to execute on the computing system by correlating network packets with the software, wherein the network packets are correlated with the software by a time of the execution attempt or by matching a checksum of at least a portion of the software with a checksum of a pattern in the network packets, and the information gathered through the correlating step enables one or more targets to identify or block instances of the software; and
send the information to one or more actuators for analysis and generation of a directive for the one or more targets.
Dependent claims: 12, 13, 14
Specification