Software vulnerability exploitation shield
First Claim
1. A method of minimizing exploitation of vulnerabilities in software installed on a target computer, the method comprising:
monitoring, by the target computer, incoming network traffic identified as being destined for the target computer solely at a transport layer of the target computer;
receiving, by the target computer, a security update, wherein the security update is generated by an external security service using information gathered while automatically searching one or more Internet sources using one or more probes to collect one or more examples of malicious code, to learn a source, and to learn other information about each of the one or more examples of malicious code, wherein the external security service plants and maintains at least one probe installed with a browser on the target computer, wherein the at least one probe automatically visits web sites in search of the examples of malicious code, and wherein the security update comprises:
one or more security commands that define one or more security policies, exploit evidence used to identify malicious code, wherein the exploit evidence comprises at least one of information about the malicious code, a signature of the malicious code, an internet protocol address associated with the malicious code, a unique resource locator of a website known to provide the malicious code, and a list of known electronic addresses associated with the malicious code, one or more rules associated with the exploit evidence, and a threat rating for the exploit evidence;
updating, by the target computer, a library associated with a security component with the security update;
receiving, by the target computer, a message identified as destined for the target computer at the transport layer as part of the network traffic;
comparing, by the target computer, at least a portion of data included in the message with the exploit evidence to determine whether the message matches the exploit evidence or violates one or more of the security policies defined by one or more of the security commands; and
in response to the message matching at least a portion of the exploit evidence or violating one or more security policies defined by the one or more of the security commands:
performing, by the target computer, one or more actions on the message according to the rules so that malicious code in the message is not transferred to the application layer of the target computer, notifying, by the target computer, a user of the malicious code, and evaluating the message to determine if the message is harmful; and
in response to the threat rating falling below a threshold value identifying the message as harmful, performing one or more of the following:
canceling, by the target computer, the exploit evidence, deleting, by the target computer, the exploit evidence from the library, and temporarily pausing, by the target computer, the comparing of the data with the exploit evidence.
Abstract
This paper describes a mechanism for minimizing the exploitation of vulnerabilities in software installed on a computing system. At the transport layer (e.g., the Transmission Control Protocol (TCP) socket layer), network traffic is monitored by a security component installed on the target computer. When a message destined for the computing system is received, data included in the message is compared with exploit evidence used to identify malicious code. The exploit evidence is provided to the security component by a security service that gathers information about the malicious code. Based on the comparison of the data in the message with the exploit evidence, rules are identified that instruct the security component to take an appropriate action on the received message.
Claims (14)
2. A method of minimizing exploitation of vulnerabilities in software installed on a target computer, the method comprising:
receiving, by a security component of the target computer, a security update, wherein the security update is generated by a security service located externally from the target computer using information gathered while automatically searching one or more Internet sources using one or more probes to collect one or more examples of malicious code, to learn a source, and to learn other information about each of the one or more examples of malicious code, wherein the external security service plants and maintains at least one probe installed with a browser on the target computer, wherein the at least one probe automatically visits web sites in search of the examples of malicious code, and wherein the security update comprises:
one or more security commands that define one or more security policies, exploit evidence used to identify malicious code, wherein the exploit evidence comprises at least one of information about the malicious code, a signature of the malicious code, an internet protocol address associated with the malicious code, a unique resource locator of a website known to provide the malicious code, and a list of known electronic addresses associated with the malicious code, one or more rules that instruct the security component how to use the exploit evidence, and a threat rating for the exploit evidence;
updating, by the target computer, a library with the security update;
monitoring, by the target computer, solely at a transport layer of the target computer, incoming network traffic identified as being destined for the target computer using the security component, wherein the incoming network traffic comprises a message destined for an application layer of the target computer performing the monitoring, wherein the incoming network traffic is intended to instruct a software application installed on the target computer to execute or install the malicious code;
comparing, by the target computer, at least a portion of data included in the message received with the exploit evidence to determine whether the message matches the exploit evidence or violates one or more of the security policies defined by one or more of the security commands;
based on the comparison with the exploit evidence:
identifying, by the target computer, the at least a portion of data as corresponding to the malicious code, taking an action on the message, by the target computer, wherein the action is specified in the rules, blocking, by the target computer prior to the application layer of the target computer, the portion of data corresponding to the malicious code before any software applications installed on the target computer execute or install instructions contained in the data, and evaluating the message to determine if the message is harmful; and
in response to the threat rating falling below a threshold value identifying the message as harmful, performing one or more of the following:
canceling, by the target computer, the exploit evidence, deleting, by the target computer, the exploit evidence from the library, and temporarily pausing, by the target computer, the comparing of the data with the exploit evidence.
(Dependent claims 9, 10, 11, 12, 13, 14.)
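The mechanism the abstract and claims 1 and 2 describe (a transport-layer security component that holds a library of exploit evidence with rules and threat ratings, takes a security update from an external service, compares each incoming message against policies and evidence before the application layer sees it, and retires evidence whose rating falls below a threshold) as an added Python model; this is not the patent's code, and the `SecurityComponent` class, the `allowed_ports` policy and every sample address, signature and message are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Evidence:
    kind: str             # "signature" (regex over the payload), "ip" (CIDR) or "email"
    value: str
    action: str           # rule bound to this evidence: "drop" or "quarantine"
    threat_rating: float  # confidence assigned by the security service
    active: bool = True   # False = comparison against this evidence is paused

class SecurityComponent:  # transport-layer filter: evidence library + policies (constructed model)
    MATCHERS = {"signature": lambda v, m: re.search(v.encode(), m["payload"]) is not None,
                "ip": lambda v, m: ipaddress.ip_address(m["src_ip"]) in ipaddress.ip_network(v),
                "email": lambda v, m: m.get("sender", "").lower() == v.lower()}
    def __init__(self, threshold):
        self.threshold = threshold   # evidence rated below this is paused, then deleted
        self.library, self.policies = [], {}
    def apply_update(self, commands, evidence):
        self.policies.update(commands)   # security commands define the policies
        self.library.extend(evidence)    # exploit evidence, its rules and ratings join the library
        self.retire_weak_evidence()
    def retire_weak_evidence(self):  # pause below-threshold items, then delete them from the library
        for ev in self.library:
            ev.active = ev.threat_rating >= self.threshold
        self.library = [ev for ev in self.library if ev.active]
    def inspect(self, msg):  # decide before the payload is handed to the application layer
        allowed = self.policies.get("allowed_ports")
        if allowed is not None and msg["dst_port"] not in allowed:
            return {"verdict": "drop", "reason": "policy:allowed_ports", "to_app": False}
        for ev in self.library:
            if ev.active and self.MATCHERS[ev.kind](ev.value, msg):
                return {"verdict": ev.action, "reason": f"{ev.kind}:{ev.value}", "to_app": False}
        return {"verdict": "pass", "reason": None, "to_app": True}

def demo():  # constructed sample update and traffic (RFC 5737 addresses, .invalid names)
    sc = SecurityComponent(threshold=0.5)
    sc.apply_update({"allowed_ports": {25, 80, 443}}, [
        Evidence("signature", r"eval\(unescape\(", "drop", 0.9),
        Evidence("ip", "203.0.113.0/24", "drop", 0.8),
        Evidence("email", "sender@example.invalid", "quarantine", 0.2)])  # rated too low: retired
    msgs = [
        {"src_ip": "198.51.100.7", "dst_port": 443, "payload": b"GET /index.html"},
        {"src_ip": "198.51.100.7", "dst_port": 443, "payload": b"<script>eval(unescape('%u'))"},
        {"src_ip": "203.0.113.9", "dst_port": 80, "payload": b"hello"},
        {"src_ip": "198.51.100.7", "dst_port": 8080, "payload": b"hello"},
        {"src_ip": "198.51.100.7", "dst_port": 25, "sender": "sender@example.invalid", "payload": b""}]
    return [sc.inspect(m)["verdict"] for m in msgs]
```

The last message passes only because its evidence arrived rated below the threshold and was retired at update time, which is the claims' "threat rating falling below a threshold value" branch.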