Restricting a processing system being compromised with a threat

US 8,887,278 B2
Filed: 09/13/2007
Issued: 11/11/2014
Est. Priority Date: 09/15/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of restricting a client processing system being compromised by a threat, wherein the method comprises:

receiving, by a processor of a computing device, response data from a remote processing system, according to a request from the client processing system to download data from the remote processing system;

determining whether the response data comprises an executable file;

upon determining that the response data does not comprise an executable file, analyzing the response data to determine whether the response data is indicative of a threat to the client processing system;

generating a wrapper of the analyzed response data, wherein the wrapper is indicative of scan data;

upon determining that the response data does comprise an executable file, using, in one or more emulated operating systems of the computing device, the response data;

monitoring, by the processor, behavior of the use of the data in the one or more emulated operating systems;

analyzing the monitored behavior of the use of the data in the one or more emulated operating systems to determine whether malicious behavior indicative of a threat is detected; and

in response to detecting a threat of the response data, restricting, by the processor, the client processing system being compromised with the threat of the response data, wherein restricting the client processing system comprises;

removing a portion of the response data which is associated with malicious activity; and

replacing the portion removed from the response data with a non-malicious portion.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, computer readable medium of instructions and/or computer program product. The method comprises receiving, in a proxy server, response data from a remote processing system, according to a request from the client processing system to download data from the remote processing system; using, in one or more emulated operating systems of the proxy server, the downloaded data; monitoring behavior of the use of the data in the one or more emulated operating systems; and in response to detecting malicious behavior indicative of a threat, restricting the client processing system being compromised with the threat of the response data.

Citations

17 Claims

1. A computer-implemented method of restricting a client processing system being compromised by a threat, wherein the method comprises:
- receiving, by a processor of a computing device, response data from a remote processing system, according to a request from the client processing system to download data from the remote processing system;
  
  determining whether the response data comprises an executable file;
  
  upon determining that the response data does not comprise an executable file, analyzing the response data to determine whether the response data is indicative of a threat to the client processing system;
  
  generating a wrapper of the analyzed response data, wherein the wrapper is indicative of scan data;
  
  upon determining that the response data does comprise an executable file, using, in one or more emulated operating systems of the computing device, the response data;
  
  monitoring, by the processor, behavior of the use of the data in the one or more emulated operating systems;
  
  analyzing the monitored behavior of the use of the data in the one or more emulated operating systems to determine whether malicious behavior indicative of a threat is detected; and
  
  in response to detecting a threat of the response data, restricting, by the processor, the client processing system being compromised with the threat of the response data, wherein restricting the client processing system comprises;
  
  removing a portion of the response data which is associated with malicious activity; and
  
  replacing the portion removed from the response data with a non-malicious portion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein the method comprises:
    - determining, using a cache module, if the request has previously been serviced, wherein the cache module stores analysed response data; and
      
      in the event that the request has previously been serviced, retrieving, using the cache module, analysed response data.
  - 3. The method according to claim 2, wherein the method comprises:
    - storing, using the cache module, analysed response data using a hash value generated based upon the response data; and
      
      retrieving, using the cache module, analysed response data using a hash value generated using received response data.
  - 4. The method according to claim 1, wherein the method comprises removing a portion of the response data which is associated with malicious activity.
  - 5. The method according to claim 4, wherein the method comprises replacing the portion removed from the response data with a non-malicious portion.
  - 6. The method according to claim 4, wherein upon determining that the response data requires modification, the method comprises:
    - generating replacement request data indicative of the data requested;
      
      transferring, to the cache module, the replacement request data;
      
      performing a search of stored analysed response data using the cache module to determine if a substantially similar request has previously been serviced; and
      
      receiving, from the cache module, analysed response data which at least substantially corresponds to the requested data.
  - 7. The method according to claim 1, wherein the wrapper is indicative of scan data, the scan data being indicative of at least one of:
    - a version of a signature database used to analyze the response data;
      
      time and/or data of conducting the analysis;
      
      type analysis module and sub-modules used to analyze the response data;
      
      a version number of the analysis module and the sub-modules;
      
      a size of the response data;
      
      a file location; and
      
      an indication as to whether the response data was code-signed.
  - 8. The method according to claim 1, wherein the step of generating the wrapper comprises configuring the wrapper to intercept use or execution of the data by the client processing system, wherein the wrapper, upon interception of the use or execution of the data, presents the scan data.
  - 9. The method according to claim 1, wherein the method comprises generating the wrapper to present a prompt requesting input regarding whether the data is to be executed or used by the client processing system, quarantined, or deleted.
  - 10. The method according to claim 1, wherein the method comprises:
    - recording one or more events that occur during use of the data by the one or more emulated operating systems; and
      
      analysing the one or more events to determine whether the use of the data exhibits behaviour which is indicative of a threat.
  - 11. The method according to claim 1, wherein the method comprises:
    - selecting, in the proxy server and in accordance with the data downloaded, the one or more emulated operating systems from a plurality of emulated operating systems; and
      
      using the one or more emulated operating systems with the data to monitor the use of the behaviour of the data.
  - 12. The method according to claim 1, wherein in the event that the data downloaded is executable, the step of using the data comprises executing the data.

13. A system to restrict a client processing system being compromised with a threat, wherein the system comprises:
- a processor;
  
  memory in electronic communication with the processor;
  
  the processor configured to receive response data from a remote processing system, according to a request from the client processing system to download data from the remote processing system;
  
  the processor configured to determine whether the response data comprises an executable file;
  
  upon determining that the response data does not comprise an executable file, the processor configured to analyze the response data to determine whether the response data is indicative of a threat to the client processing system;
  
  the processor configured to generate a wrapper of the analyzed response data, wherein the wrapper is indicative of scan data;
  
  upon determining that the response data does comprise an executable file, an emulation module configured to use, in one or more emulated operating systems of the system, the response data;
  
  a monitor module configured to monitor behavior of the use of the data in the one or more emulated operating systems;
  
  the processor configured to analyze the monitored behavior of the use of the data in the one or more emulated operating systems to determine whether malicious behavior indicative of a threat is detected; and
  
  in response to detecting a threat of the response data, a modification module configured to restrict the client processing system being compromised with the threat of the response data, wherein restricting the client processing system comprises the modification module being configured to;
  
  remove a portion of the response data which is associated with malicious activity; and
  
  replace the portion removed from the response data with a non-malicious portion.
- View Dependent Claims (14, 15, 16)
- - 14. The system according to claim 13, wherein the proxy server is configured to be executed at the client processing system.
  - 15. The system according to claim 13, wherein the proxy server is configured to be executed at a second processing system in data communication with the client processing system.
  - 16. The system according to anyone of claims 13, wherein the system comprises an analysis module configured to analyse the response data, wherein the analysis module comprises at least one of:
    - a cryptographic hash module;
      
      a checksum module;
      
      a disassembly module;
      
      a black-list and/or white list module; and
      
      a pattern matching module.

17. A computer program product comprising a non-transitory computer readable medium having a computer program recorded therein or thereon, the computer program enabling restriction of a client processing system being compromised by data downloaded from a remote processing system, wherein the computer program product configures the client processing system or a second processing system in data communication with the client processing system to:
- receive, in a proxy server, response data from a remote processing system, according to a request from the client processing system to download data from the remote processing system;
  
  determine whether the response data comprises an executable file;
  
  upon determining that the response data does not comprise an executable file, analyze the response data to determine whether the response data is indicative of a threat to the client processing system;
  
  generate a wrapper of the analyzed response data, wherein the wrapper is indicative of scan data;
  
  upon determining that the response data does comprise an executable file, use, in one or more emulated operating systems of the proxy server, the response data;
  
  monitor behavior of the use of the data in the one or more emulated operating systems;
  
  analyze the monitored behavior of the use of the data in the one or more emulated operating systems to determine whether malicious behavior indicative of a threat is detected; and
  
  in response to detecting a threat of the response data, restrict the client processing system being compromised with the threat of the response data, wherein restricting the client processing system comprises;
  
  removing a portion of the response data which is associated with malicious activity; and
  
  replacing the portion removed from the response data with a non-malicious portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Repasi, Rolf, Clausen, Simon
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Debnath, Suman

Application Number

US11/854,741
Publication Number

US 20080072324A1
Time in Patent Office

2,616 Days
Field of Search

726 22- 25
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

G06F 2221/2115 Third party

Restricting a processing system being compromised with a threat

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Restricting a processing system being compromised with a threat

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links