Capturing data relating to a threat

US 8,805,995 B1
Filed: 05/26/2009
Issued: 08/12/2014
Est. Priority Date: 05/23/2008
Status: Active Grant

First Claim

Patent Images

1. A method of capturing data relating to a threat, wherein the method includes, in a server processing system:

receiving event history data that comprises a sequential chain of one or more events performed by a client processing system, wherein performance of the one or more events in the sequential chain of one or more events leads to a trigger event, and wherein the sequential chain of one or more events is associated with the threat;

upon detecting the trigger event, suspending performance of one or more further events from the threat, wherein a second chain of events comprises the sequential chain of one or more events and the one or more further events, the one or more further events configured to execute subsequent to the trigger event in the second chain of events;

receiving the trigger event that occurred in the client processing system, wherein the server processing system receives the event history data in response to the client processing system detecting the trigger event, the trigger event comprising a level of threat, wherein the level of threat includes a value to indicate a probability of the trigger event posing a threat to the client processing system;

determining whether the level of threat satisfies a predetermined threshold;

upon determining the level of threat satisfies the predetermined threshold, permitting the one or more further events to be performed by the client processing system subsequent to the occurrence of the trigger event in order to capture additional data regarding the threat;

analyzing the events in the sequential chain of one or more events in a reverse order to determine a starting point for the sequential chain of one or more events, wherein analyzing the events in the reverse order comprises analyzing the events in the reverse order that the events were added to the sequential chain of one or more events;

comparing the event history data against past event history data received from a plurality of client processing systems in order to determine if the event history data and the past event history data comprise a series of common events; and

identifying an entity associated with the series of common events.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of capturing data relating to a threat in a server processing system is described. Event history data that comprises a sequential chain of one or more events performed by a client processing system is received. Performance of the one or more events in the chain leads to a trigger event. The trigger event that occurred in the client processing system is also received. The server processing system receives the event history data in response to the client processing system detecting the trigger event. The events in the chain are analyzed in a reverse order to determine a starting point for the chain of events. The event history data is compared against past event history data received from a plurality of client processing systems in order to determine if the event history data and the past event history data comprise a series of common events. An entity associated with the series of common events is identified.

159 Citations

20 Claims

1. A method of capturing data relating to a threat, wherein the method includes, in a server processing system:
- receiving event history data that comprises a sequential chain of one or more events performed by a client processing system, wherein performance of the one or more events in the sequential chain of one or more events leads to a trigger event, and wherein the sequential chain of one or more events is associated with the threat;
  
  upon detecting the trigger event, suspending performance of one or more further events from the threat, wherein a second chain of events comprises the sequential chain of one or more events and the one or more further events, the one or more further events configured to execute subsequent to the trigger event in the second chain of events;
  
  receiving the trigger event that occurred in the client processing system, wherein the server processing system receives the event history data in response to the client processing system detecting the trigger event, the trigger event comprising a level of threat, wherein the level of threat includes a value to indicate a probability of the trigger event posing a threat to the client processing system;
  
  determining whether the level of threat satisfies a predetermined threshold;
  
  upon determining the level of threat satisfies the predetermined threshold, permitting the one or more further events to be performed by the client processing system subsequent to the occurrence of the trigger event in order to capture additional data regarding the threat;
  
  analyzing the events in the sequential chain of one or more events in a reverse order to determine a starting point for the sequential chain of one or more events, wherein analyzing the events in the reverse order comprises analyzing the events in the reverse order that the events were added to the sequential chain of one or more events;
  
  comparing the event history data against past event history data received from a plurality of client processing systems in order to determine if the event history data and the past event history data comprise a series of common events; and
  
  identifying an entity associated with the series of common events.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein the method includes, in the server processing system:
    - determining, using the series of common events, a series of disseminating processing systems associated with issuing the series of common events for disseminating a threat;
      
      transferring data indicative of a blacklist to the plurality of client processing systems to restrict events being executed by the plurality of client processing systems which originate from the series of disseminating processing systems.
  - 3. The method of claim 1, wherein the method includes, in the server processing system:
    - comparing one or more events recorded in the event history data against one or more events recorded in the past history data to identify an uncommon event associated with event history data, wherein the identification of the uncommon event is indicative of an unknown exploit for compromising one of the client processing systems with the threat; and
      
      transferring hook data to the plurality of processing systems, wherein the hook data, when executed by the plurality of processing systems, intercepts a request to perform the uncommon event and detects the request to perform the uncommon event as a trigger event.
  - 4. The method of claim 1, wherein the method includes, in the server processing system, filtering the event history data based upon the trigger event detected by the client processing system in order to disregard events recorded which were performed by the client processing system which were independent of the trigger event.
  - 5. The method of claim 1, wherein the starting point of the sequential chain of one or more events is determined when a present event is not logically connected to a previous event.
  - 6. The method of claim 1, further comprising comparing the order of events of the event history data against the order of events of the past event history data received from a plurality of client processing systems to determine if a series of common events exists.
  - 7. The method of claim 1, wherein the entity associated with the series of common events is an Internet Protocol (IP) address.

8. A server processing system configured to capture data relating to a threat, wherein the server processing system comprises:
- a processor;
  
  memory in electronic communication with the processor; and
  
  instructions stored in the memory, the instructions being executable by the processor to;
  
  receive event history data that comprises a sequential chain of one or more events performed by a client processing system, wherein performance of the one or more events in the sequential chain of one or more events leads to a trigger event, and wherein the sequential chain of one or more events is associated with a threat;
  
  upon detecting the trigger event, suspend performance of one or more further events from the threat, wherein a second chain of events comprises the sequential chain of one or more events and the one or more further events, the one or more further events configured to execute subsequent to the trigger event in the second chain of events;
  
  receive the trigger event that occurred in the client processing system, wherein the server processing system receives the event history data in response to the client processing system detecting the trigger event, the trigger event comprising a level of threat, wherein the level of threat includes a value to indicate a probability of the trigger event posing a threat to the client processing system;
  
  determine whether the level of threat satisfies a predetermined threshold;
  
  upon determining the level of threat satisfies the predetermined threshold, permit the one or more further events to be performed by the client processing system subsequent to the occurrence of the trigger event in order to capture additional data regarding the threat;
  
  analyze the events in the sequential chain of one or more events in a reverse order to determine a starting point for the sequential chain of one or more events, wherein analyzing the events in the reverse order comprises analyzing the events in the reverse order that the events were added to the sequential chain of one or more events;
  
  compare the event history data against past event history data received from a plurality of client processing systems in order to determine if the event history data and the past event history data comprise a series of common events; and
  
  identify an entity associated with the series of common events.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The server processing system according to claim 8, wherein the instructions are further executable by the processor to:
    - determine, using the series of common events, a series of disseminating processing systems associated with issuing the series of common events for disseminating a threat;
      
      transferring data indicative of a blacklist to the plurality of client processing systems to restrict events being executed by the plurality of client processing systems which originate from the series of disseminating processing systems.
  - 10. The server processing system of claim 8, wherein the instructions are further executable by the processor to:
    - compare one or more events recorded in the event history data against one or more events recorded in the past history data to identify an uncommon event associated with event history data, wherein the identification of the uncommon event is indicative of an unknown exploit for compromising one of the client processing systems with the threat; and
      
      transfer hook data to the plurality of processing systems, wherein the hook data, when executed by the plurality of processing systems, intercepts a request to perform the uncommon event and detects the request to perform the uncommon event as a trigger event.
  - 11. The server processing system of claim 8, wherein the instructions are further executable by the processor to filter the event history data based upon the trigger event detected by the client processing system in order to disregard events recorded which were performed by the client processing system which were independent of the trigger event.
  - 12. The server processing system of claim 8, wherein the starting point of the sequential chain of one or more events is determined when a present event is not logically connected to a previous event.
  - 13. The server processing system of claim 8, wherein the instructions are further executable by the processor to compare the order of events of the event history data against the order of events of the past event history data received from a plurality of client processing systems to determine if a series of common events exists.
  - 14. The server processing system of claim 8, wherein the entity associated with the series of common events is an Internet Protocol (IP) address.

15. A method of capturing data relating to a threat, wherein the method includes, in a client processing system:
- recording event history data that comprises a sequential chain of one or more events performed by a client processing system, wherein performance of the one or more events in the sequential chain of one or more events leads to a trigger event, and wherein the sequential chain of one or more events is associated with a threat;
  
  upon detecting the trigger event, suspending performance of one or more further events from the threat, wherein a second chain of events comprises the sequential chain of one or more events and the one or more further events, the one or more further events configured to execute subsequent to the trigger event in the second chain of events;
  
  detecting the trigger event in the client processing system, the trigger event comprising a level of threat, wherein the level of threat includes a value to indicate a probability of the trigger event posing a threat to the client processing system;
  
  determining whether the level of threat satisfies a predetermined threshold;
  
  upon determining the level of threat satisfies the predetermined threshold, performing the one or more further events subsequent to the occurrence of the trigger event based on the level of criticality in order to capture additional data regarding the threat;
  
  analyzing the events in the sequential chain in a reverse order to determine a starting point for the sequential chain of one or more events, wherein analyzing the events in the reverse order comprises analyzing the events in the reverse order that the events were added to the sequential chain of one or more events; and
  
  in response to detecting the trigger event, transferring the event history data from the starting point of the chain of events to a server processing system, wherein the server processing system compares the event history data against past event history data received from a plurality of client processing systems in order to determine if the event history data and the past event history data comprise a series of common events, and identifies an entity associated with the series of common events.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method according to claim 15, wherein the method includes, in the client processing system, receiving data indicative of a blacklist from the server processing system in order to restrict events being executed by the client processing system which originate from a series of disseminating processing systems which disseminate a threat.
  - 17. The method according to claim 15, wherein the method includes, in the client processing system, receiving hook data from the server processing system, wherein execution of the hook data by the client processing system configures the client processing system to intercept a request to perform an uncommon event identified by the server processing system as an unknown exploit, wherein the client processing system detects the request to perform the uncommon event as a trigger event using the hook data.
  - 18. The method of claim 15, wherein the starting point of the sequential chain of one or more events is determined when a present event is not logically connected to a previous event.
  - 19. The method of claim 15, wherein the entity associated with the series of common events is an Internet Protocol (IP) address.
  - 20. The method of claim 15, wherein the method includes, in the client processing system, determining whether events subsequent to the trigger event are allowed to be performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Oliver, Ian
Primary Examiner(s)
Dharia, Rupal
Assistant Examiner(s)
MCKENZIE, MARCUS A

Application Number

US12/472,086
Time in Patent Office

1,904 Days
Field of Search

709224-226
US Class Current

709/224
CPC Class Codes

G06F 21/552 involving long-term monitor...

Capturing data relating to a threat

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

159 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Capturing data relating to a threat

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

159 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links