Software vulnerability exploitation shield

US 8,898,787 B2
Filed: 03/26/2007
Issued: 11/25/2014
Est. Priority Date: 03/24/2006
Status: Active Grant

First Claim

Patent Images

1. A method of minimizing exploitation of vulnerabilities in software installed on a target computer, the method comprising:

monitoring, by the target computer, incoming network traffic identified as being destined for the target computer solely at a transport layer of the target computer;

receiving, by the target computer, a security update, wherein the security update is generated by an external security service using information gathered while automatically searching one or more Internet sources using one or more probes to collect one or more examples of malicious code, to learn a source, and to learn other information about each of the one or more examples of malicious code, wherein the external security service plants and maintains at least one probe installed with a browser on the target computer, wherein the at least one probe automatically visits web sites in search of the examples of malicious code, and wherein the security update comprises;

one or more security commands that define one or more security policies,exploit evidence used to identify malicious code, wherein the exploit evidence comprises at least one of information about the malicious code, a signature of the malicious code, an internet protocol address associated with the malicious code, a unique resource locator of a website known to provide the malicious code, and a list of known electronic addresses associated with the malicious code,one or more rules associated with the exploit evidence, anda threat rating for the exploit evidence;

updating, by the target computer, a library associated with a security component with the security update;

receiving, by the target computer, a message identified as destined for the target computer at the transport layer as part of the network traffic;

comparing, by the target computer, at least a portion of data included in the message with the exploit evidence to determine whether the message matches the exploit evidence or violates one or more of the security policies defined by one or more of the security commands; and

in response to the message matching at least a portion of the exploit evidence or violating one or more security policies defined by the one or more of the security commands;

performing, by the target computer, one or more actions on the message according to the rules so that malicious code in the message is not transferred to the application layer of the target computer,notifying, by the target computer, a user of the malicious code, andevaluating the message to determine if the message is harmful; and

in response to the threat rating falling below a threshold value identifying the message as harmful, performing one or more of the following;

canceling, by the target computer, the exploit evidence,deleting, by the target computer, the exploit evidence from the library, andtemporarily pausing, by the target computer, the comparing of the data with the exploit evidence.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This paper describes a mechanism for minimizing the exploitation of vulnerabilities on software installed on a computing system. At a transport layer (e.g., transmission communication protocol (TCP) sockets layer), network traffic is monitored using a security component installed on a target computer. When a message destined for the computing system is received, data included in the message is compared with exploit evidence used to identify malicious code. The exploit evidence is provided to the security component by security service that gathers information about the malicious code. Based on the comparison of data in the message with the exploit evidence, rules are identified that instruct the security component to take an appropriate action on the message received.

41 Citations

View as Search Results

14 Claims

1. A method of minimizing exploitation of vulnerabilities in software installed on a target computer, the method comprising:
- monitoring, by the target computer, incoming network traffic identified as being destined for the target computer solely at a transport layer of the target computer;
  
  receiving, by the target computer, a security update, wherein the security update is generated by an external security service using information gathered while automatically searching one or more Internet sources using one or more probes to collect one or more examples of malicious code, to learn a source, and to learn other information about each of the one or more examples of malicious code, wherein the external security service plants and maintains at least one probe installed with a browser on the target computer, wherein the at least one probe automatically visits web sites in search of the examples of malicious code, and wherein the security update comprises;
  
  one or more security commands that define one or more security policies,exploit evidence used to identify malicious code, wherein the exploit evidence comprises at least one of information about the malicious code, a signature of the malicious code, an internet protocol address associated with the malicious code, a unique resource locator of a website known to provide the malicious code, and a list of known electronic addresses associated with the malicious code,one or more rules associated with the exploit evidence, anda threat rating for the exploit evidence;
  
  updating, by the target computer, a library associated with a security component with the security update;
  
  receiving, by the target computer, a message identified as destined for the target computer at the transport layer as part of the network traffic;
  
  comparing, by the target computer, at least a portion of data included in the message with the exploit evidence to determine whether the message matches the exploit evidence or violates one or more of the security policies defined by one or more of the security commands; and
  
  in response to the message matching at least a portion of the exploit evidence or violating one or more security policies defined by the one or more of the security commands;
  
  performing, by the target computer, one or more actions on the message according to the rules so that malicious code in the message is not transferred to the application layer of the target computer,notifying, by the target computer, a user of the malicious code, andevaluating the message to determine if the message is harmful; and
  
  in response to the threat rating falling below a threshold value identifying the message as harmful, performing one or more of the following;
  
  canceling, by the target computer, the exploit evidence,deleting, by the target computer, the exploit evidence from the library, andtemporarily pausing, by the target computer, the comparing of the data with the exploit evidence.
- View Dependent Claims (3, 4, 5, 6, 7, 8)
- - 3. The method of claim 1, wherein the transport layer comprises a TCP socket of the target computer.
  - 4. The method of claim 3, wherein the comparison identifies the at least a portion of data as corresponding to the malicious code, and the one or more rules instruct the target computer to modify the message in order to disable any harmful features of the malicious code.
  - 5. The method of claim 3, wherein the comparison identifies the at least a portion of data as corresponding to the malicious code, and the one or more rules instruct the target computer to allow other benign messages to pass to the computing device, while blocking the message received.
  - 6. The method of claim 3, wherein the comparison identifies the at least a portion of data as corresponding to the malicious code, and the one or more rules instruct the target computer to inform the user of the computing device about the correspondence of the message using a user interface and allowing the user to either accept or reject the message.
  - 7. The method of claim 1, wherein the electronic address list includes IP addresses or URLs for websites and wherein an IP address or a URL for a source of the message is compared to the list of known electronic addresses associated with malicious code.
  - 8. The method of claim 1, wherein the signature comprises unique data structures that represent the malicious code.

2. A method of minimizing exploitation of vulnerabilities in software installed on a target computer, the method comprising:
- receiving, by a security component of the target computer, a security update, wherein the security update is generated by a security service located externally from the target computer using information gathered while automatically searching one or more Internet sources using one or more probes to collect one or more examples of malicious code, to learn a source, and to learn other information about each of the one or more examples of malicious code, wherein the external security service plants and maintains at least one probe installed with a browser on the target computer, wherein the at least one probe automatically visits web sites in search of the examples of malicious code, and wherein the security update comprises;
  
  one or more security commands that define one or more security policies,exploit evidence used to identify malicious code, wherein the exploit evidence comprises at least one of information about the malicious code, a signature of the malicious code, an internet protocol address associated with the malicious code, a unique resource locator of a website known to provide the malicious code, and a list of known electronic addresses associated with the malicious code,one or more rules that instruct the security component how to use the exploit evidence, anda threat rating for the exploit evidence;
  
  updating, by the target computer, a library with the security update;
  
  monitoring, by the target computer, solely at a transport layer of the target computer, incoming network traffic identified as being destined for the target computer using the security component, wherein the incoming network traffic comprises a message destined for an application layer of the target computer performing the monitoring, wherein the incoming network traffic is intended to instruct a software application installed on the target computer to execute or install the malicious code;
  
  comparing, by the target computer, at least a portion of data included in the message received with the exploit evidence to determine whether the message matches the exploit evidence or violates one or more of the security policies defined by one or more of the security commands;
  
  based on the comparison with the exploit evidence;
  
  identifying, by the target computer, the at least a portion of data as corresponding to the malicious code,taking an action on the message, by the target computer, wherein the action is specified in the rules,blocking, by the target computer prior to the application layer of the target computer, the portion of data corresponding to the malicious code before any software applications installed on the target computer execute or install instructions contained in the data, andevaluating the message to determine if the message is harmful;
  
  andin response to the threat rating falling below a threshold value identifying the message as harmful, performing one or more of the following;
  
  canceling, by the target computer, the exploit evidence,deleting, by the target computer, the exploit evidence from the library, andtemporarily pausing, by the target computer, the comparing of the data with the exploit evidence.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 2, wherein the signature of the malicious code comprises unique data structures that represent the malicious code.
  - 10. The method of claim 2, wherein the Internet sources comprise on or more of the following:
    - news sources;
      
      discussion sources; and
      
      technical reports.
  - 11. The method of claim 2, wherein the transport layer comprises a TCP socket of the target computer.
  - 12. The method of claim 2, wherein the comparison identifies the at least a portion of data as corresponding to malicious code, and the one or more rules instruct the target computer to modify the message in order to disable any harmful features of the malicious code.
  - 13. The method of claim 2, wherein:
    - the one or more security commands indicate that the exploit evidence should expire based on one or more events; and
      
      upon occurrence of the one or more events, taking action, by the target computer, on the exploit evidence as defined by the rules.
  - 14. The method of claim 13, wherein the event comprises determining that a risk window has passed, wherein the action is one or more of the following:
    - canceling the comparing of the exploit evidence,deleting the exploit evidence from the security component, andtemporarily pausing the comparing of the data with the exploit evidence.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avast Software SRO (Gen Digital Inc.)
Original Assignee
AVG Netherlands B.V. (Gen Digital Inc.)
Inventors
Thompson, Roger John, Mosher, Gregory Andrew
Primary Examiner(s)
WANG, HARRIS C

Application Number

US11/691,094
Publication Number

US 20070226797A1
Time in Patent Office

2,801 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/166   at the transport layer

Software vulnerability exploitation shield

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Software vulnerability exploitation shield

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others