System and method for network level protection against malicious software
First Claim
1. A method comprising:
receiving, at a computing device separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted and held on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
determining respective trust statuses for each of the two or more software program files;
determining, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
creating a restriction rule to block the network traffic on a network protection device if the network traffic is not to be permitted; and
pushing the restriction rule to the network protection device, wherein the network traffic is not to be permitted if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the restriction rule is pushed to the network protection device.
Abstract
A method in one example implementation includes receiving information related to a network access attempt on a first computing device with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file.
Claims (30 claims; 350 citations)
1. A method comprising:
receiving, at a computing device separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted and held on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
determining respective trust statuses for each of the two or more software program files;
determining, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
creating a restriction rule to block the network traffic on a network protection device if the network traffic is not to be permitted; and
pushing the restriction rule to the network protection device, wherein the network traffic is not to be permitted if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the restriction rule is pushed to the network protection device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. One or more non-transitory tangible media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
receiving, at a computing device separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted and held on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
determining respective trust statuses for each of the two or more software program files;
determining, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
creating a restriction rule to block the network traffic on a network protection device if the network traffic is not to be permitted; and
pushing the restriction rule to the network protection device, wherein the network traffic is not to be permitted if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the restriction rule is pushed to the network protection device.
Dependent claims: 10, 11, 12.

13. An apparatus, comprising:
a protection module;
a memory element configured to store instructions associated with the protection module; and
one or more processors operable to execute the instructions that when executed, cause the one or more processors to:
receive, at the apparatus separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted and held on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
determine respective trust statuses for each of the two or more software program files;
determine, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
create a restriction rule to block the network traffic on a network protection device if the network traffic is not to be permitted; and
push the restriction rule to the network protection device, wherein the network traffic is not to be permitted if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the restriction rule is pushed to the network protection device.
Dependent claims: 14, 15.

16. A method, comprising:
receiving, at a computing device separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
determining respective trust statuses for each of the two or more software program files;
determining, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
creating a logging rule to log, by a network protection device, event data related to the network traffic if the network traffic is not to be permitted; and
pushing the logging rule to the network protection device, wherein the event data related to the network traffic is to be logged if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the logging rule is pushed to the network protection device.
Dependent claims: 17, 18, 19, 20, 21, 22.

23. One or more non-transitory tangible media that includes code for execution and when executed by one or more processors is operable to perform the operations comprising:
receiving, at a computing device separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
determining respective trust statuses for each of the two or more software program files;
determining, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
creating a logging rule to log, by a network protection device, event data related to the network traffic if the network traffic is not to be permitted; and
pushing the logging rule to the network protection device, wherein the event data related to the network traffic is to be logged if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the logging rule is pushed to the network protection device.
Dependent claims: 24, 25, 26.

27. An apparatus, comprising:
a protection module;
a memory element configured to store instructions associated with the protection module; and
one or more processors operable to execute the instructions that when executed, cause the one or more processors to:
receive, at the apparatus separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted and held on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
determine respective trust statuses for each of the two or more software program files;
determine, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
create a logging rule to log, by a network protection device, event data related to the network traffic if the network traffic is not to be permitted; and
push the logging rule to the network protection device, wherein the event data related to the network traffic is to be logged if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the logging rule is pushed to the network protection device.
Dependent claims: 28, 29, 30.
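The flow the independent claims describe, as an added simulation in Python that is not the patent's own code nor any vendor's implementation: a host agent intercepts and holds an outbound connection, looks up the executable and every library module mapped to the originating process, and reports them to a protection module on a separate device; that module rates each file against a whitelist and, if any one file is untrusted, pushes a restriction rule (claims 1, 9, 13) or a logging rule (claims 16, 23, 27) to a network protection device before the host releases the attempt. The file contents, hashes, addresses, whitelist and class names are constructed for the example; the second case shows why the claims insist on checking loaded libraries and not just the executable.

```python
import hashlib
from dataclasses import dataclass


def file_id(content: bytes) -> str:
    """Identify a program file by content hash rather than path: a path-keyed
    whitelist is defeated by dropping malware under a trusted file name."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class ProcessRecord:
    """Process traffic mapping element: executable plus every library module mapped
    into the process.  A real agent reads this from the kernel; contents here are stand-ins."""
    pid: int
    files: dict  # path -> bytes (constructed file contents)


@dataclass
class HeldConnection:
    """An intercepted network access attempt, held until the server has answered."""
    pid: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    released: bool = False

    def key(self):
        return (self.proto, self.dst_ip, self.dst_port)


def build_event(proc: ProcessRecord, conn: HeldConnection) -> dict:
    """Event information sent off-host: connection tuple plus an identifier for
    each file mapped to the process, executable and libraries alike."""
    return {"pid": proc.pid, "conn": conn.key(),
            "files": {path: file_id(data) for path, data in proc.files.items()}}


class NetworkProtectionDevice:
    """Stand-in firewall: stores pushed rules and applies them to released traffic."""
    def __init__(self):
        self.rules = {}  # connection key -> "block" or "log"
        self.log = []

    def push(self, rule: dict) -> bool:
        self.rules[rule["conn"]] = rule["action"]
        return True  # acknowledgement the host waits for before releasing

    def handle(self, conn_key) -> str:
        action = self.rules.get(conn_key)
        if action == "block":
            return "dropped"
        if action == "log":
            self.log.append(conn_key)
        return "forwarded"


class ProtectionModule:
    """Runs on a computing device separate from the host that raised the event."""
    def __init__(self, whitelist: set, device: NetworkProtectionDevice, mode="block"):
        self.whitelist = whitelist  # content hashes of trustworthy program files
        self.device = device
        self.mode = mode            # "block": restriction rule; "log": logging rule

    def trust_statuses(self, event: dict) -> dict:
        # Not on the whitelist means untrusted; there is no "unknown" that passes.
        return {p: "trusted" if h in self.whitelist else "untrusted"
                for p, h in event["files"].items()}

    def evaluate(self, event: dict) -> dict:
        statuses = self.trust_statuses(event)
        permitted = all(s == "trusted" for s in statuses.values())
        rule = None
        if not permitted:  # any single untrusted file fails the whole process
            rule = {"conn": event["conn"], "action": self.mode,
                    "reason": [p for p, s in statuses.items() if s == "untrusted"]}
            if not self.device.push(rule):
                raise RuntimeError("rule push failed; keep the attempt held")
        return {"permitted": permitted, "statuses": statuses, "rule": rule}


def host_handle_attempt(proc, conn, server) -> dict:
    """Intercept and hold, report, wait for the push to complete, then release."""
    decision = server.evaluate(build_event(proc, conn))
    conn.released = True  # only after any rule is already on the device
    return decision


def demo() -> dict:
    good_exe, good_lib, bad_lib = b"updater-exe", b"libcrypto-so", b"injected-stealer-so"
    device = NetworkProtectionDevice()
    server = ProtectionModule({file_id(good_exe), file_id(good_lib)}, device)
    # Trusted executable with only trusted libraries: permitted, nothing pushed.
    clean = ProcessRecord(101, {"/usr/bin/updater": good_exe, "/usr/lib/libcrypto.so": good_lib})
    c1 = HeldConnection(101, "203.0.113.10", 443)
    d1 = host_handle_attempt(clean, c1, server)
    # Same trusted executable with an untrusted library injected: the executable
    # alone would pass a per-file check; the loaded module makes the process untrusted.
    hijacked = ProcessRecord(102, {"/usr/bin/updater": good_exe,
                                   "/usr/lib/libcrypto.so": good_lib, "/tmp/x.so": bad_lib})
    c2 = HeldConnection(102, "198.51.100.7", 8443)
    d2 = host_handle_attempt(hijacked, c2, server)
    return {"clean": (d1["permitted"], c1.released, device.handle(c1.key())),
            "hijacked": (d2["permitted"], c2.released, device.handle(c2.key()),
                         d2["rule"]["reason"])}
```

Two points a deployment has to get right are visible in the flow: the host releases the held attempt only after the device has acknowledged the rule, otherwise the first packets of a blocked connection slip through, and a failed push must keep the attempt held rather than fall open. With `mode="log"` the same decision produces a logging rule and the device forwards the traffic while recording the connection, which is the variant claims 16 through 30 cover.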
Specification