System and method for network level protection against malicious software

US 8,938,800 B2
Filed: 07/28/2010
Issued: 01/20/2015
Est. Priority Date: 07/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a computing device separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted and held on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;

determining respective trust statuses for each of the two or more software program files;

determining, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;

creating a restriction rule to block the network traffic on a network protection device if the network traffic is not to be permitted; and

pushing the restriction rule to the network protection device, wherein the network traffic is not to be permitted if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the restriction rule is pushed to the network protection device.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes receiving information related to a network access attempt on a first computing device with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file.

350 Citations

30 Claims

1. A method comprising:
- receiving, at a computing device separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted and held on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
  
  determining respective trust statuses for each of the two or more software program files;
  
  determining, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
  
  creating a restriction rule to block the network traffic on a network protection device if the network traffic is not to be permitted; and
  
  pushing the restriction rule to the network protection device, wherein the network traffic is not to be permitted if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the restriction rule is pushed to the network protection device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the network protection device is configured to intercept the network traffic associated with the process and apply the restriction rule to the network traffic.
  - 3. The method of claim 2, wherein the network traffic intercepted by the network protection device includes outbound electronic packets from the first computing device, the electronic packets having a destination address corresponding to a second computing device.
  - 4. The method of claim 2, wherein the network traffic intercepted by the network protection device includes inbound electronic packets received from a second computing device and having a destination address corresponding to the first computing device.
  - 5. The method of claim 1, wherein the determining the respective trust statuses includes:
    - searching a whitelist identifying trustworthy software program files to determine the respective trust statuses of the executable file and the library module, wherein a particular trust status is defined as untrusted when a corresponding software program file is not identified in the whitelist.
  - 6. The method of claim 1, wherein the process is initiated by the executable file on the first computing device.
  - 7. The method of claim 1, further comprising:
    - determining whether all of the trust statuses defined as untrusted are overridden by one or more network access policies to allow the network traffic.
  - 8. The method of claim 1, wherein the network protection device intercepts electronic packets of the network traffic associated with the software program file and applies the restriction rule to the electronic packets, wherein the restriction rule is created using a network access policy selected from a group of network access policies, the group consisting of:
    - blocking all inbound electronic packets to the first computing device and all outbound electronic packets from the first computing device;
      
      blocking all inbound electronic packets to the first computing device;
      
      blocking all outbound electronic packets from the first computing device;
      
      blocking all outbound electronic packets from the first computing device to a specified network subnet;
      
      blocking all outbound electronic packets from the first computing device to the Internet and allowing all outbound electronic packets from the first computing device to a specified subnet;
      
      blocking all outbound electronic packets from the first computing device to domain name system (DNS) servers;
      
      blocking all outbound electronic packets from the first computing device using simple mail transfer protocol (SMTP);
      
      blocking all outbound electronic packets from the first computing device to an Internet Relay Chat (IRC) server;
      
      blocking all outbound electronic packets having a source address, a source port, a destination address, and a destination port matching a source address, a source port, a destination address, and a destination port of the network access attempt; and
      
      blocking all inbound electronic packets having a source address, a source port, a destination address, and a destination port matching a source address, a source port, a destination address, and a destination port of the network access attempt.

9. One or more non-transitory tangible media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- receiving, at a computing device separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted and held on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
  
  determining respective trust statuses for each of the two or more software program files;
  
  determining, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
  
  creating a restriction rule to block the network traffic on a network protection device if the network traffic is not to be permitted; and
  
  pushing the restriction rule to the network protection device, wherein the network traffic is not to be permitted if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the restriction rule is pushed to the network protection device.
- View Dependent Claims (10, 11, 12)
- - 10. The one or more non-transitory tangible media of claim 9, wherein the network protection device is configured to intercept the network traffic associated with the process and apply the restriction rule to the network traffic.
  - 11. The one or more non-transitory tangible media of claim 9, the one or more processors being operable to perform further operations comprising:
    - searching a whitelist identifying trustworthy software program files to determine the respective trust statuses of the executable file and the library module, wherein a particular trust status is defined as untrusted when a corresponding software program file is not identified in the whitelist.
  - 12. The one or more non-transitory tangible media of claim 9, the one or more processors being operable to perform further operations comprising:
    - determining whether all of the trust statuses defined as untrusted are overridden by one or more network access policies to allow the network traffic.

13. An apparatus, comprising:
- a protection module;
  
  a memory element configured to store instructions associated with the protection module; and
  
  one or more processors operable to execute the instructions that when executed, cause the one or more processors to;
  
  receive, at the apparatus separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted and held on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
  
  determine respective trust statuses for each of the two or more software program files;
  
  determine, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
  
  create a restriction rule to block the network traffic on a network protection device if the network traffic is not to be permitted; and
  
  push the restriction rule to the network protection device, wherein the network traffic is not to be permitted if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the restriction rule is pushed to the network protection device.
- View Dependent Claims (14, 15)
- - 14. The apparatus of claim 13, wherein the network protection device is configured to intercept network traffic associated with the software program file and apply the restriction rule to the network traffic.
  - 15. The apparatus of claim 13, wherein, when executed, the instructions cause the one or more processors to:
    - search a whitelist identifying trustworthy software program files to determine the respective trust statuses of the executable file and the library module, wherein a particular trust status is defined as untrusted when a corresponding software program file is not included in the whitelist.

16. A method, comprising:
- receiving, at a computing device separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
  
  determining respective trust statuses for each of the two or more software program files;
  
  determining, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
  
  creating a logging rule to log, by a network protection device, event data related to the network traffic if the network traffic is not to be permitted; and
  
  pushing the logging rule to the network protection device, wherein the event data related to the network traffic is to be logged if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the logging rule is pushed to the network protection device.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein the network protection device is configured to intercept the network traffic associated with the process and log the event data related to the network traffic.
  - 18. The method of claim 17, further comprising:
    - receiving the event data logged by the network protection device;
      
      using selected data from the event data to search a process traffic mapping database for the executable file associated with the network traffic; and
      
      updating a logged events memory element to include an entry identifying the executable file.
  - 19. The method of claim 18, wherein the selected data used to search the process traffic mapping database includes a source address and port number and a destination address and port number.
  - 20. The method of claim 18 wherein the selected data used to search the process traffic mapping database includes a rule identifier corresponding to the logging rule.
  - 21. The method of claim 16, wherein the determining the respective trust statuses includes:
    - searching a whitelist identifying trustworthy software program files to determine the respective trust statuses of the executable file and the library module, wherein a particular trust status is defined as untrusted when a corresponding software program file is not identified in the whitelist.
  - 22. The method of claim 16, wherein the process is initiated by the executable file on the computing device.

23. One or more non-transitory tangible media that includes code for execution and when executed by one or more processors is operable to perform the operations comprising:
- receiving, at a computing device separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
  
  determining respective trust statuses for each of the two or more software program files;
  
  determining, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
  
  creating a logging rule to log, by a network protection device, event data related to the network traffic if the network traffic is not to be permitted; and
  
  pushing the logging rule to the network protection device, wherein the event data related to the network traffic is to be logged if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the logging rule is pushed to the network protection device.
- View Dependent Claims (24, 25, 26)
- - 24. The one or more non-transitory tangible media of claim 23, wherein the network protection device is configured to intercept the network traffic associated with the process and log the event data related to the network traffic.
  - 25. The one or more non-transitory tangible media of claim 24, the one or more processors operable to perform further operations comprising:
    - receiving the event data logged by the network protection device;
      
      using selected data from the event data to search a process traffic mapping database for the executable file associated with the network traffic; and
      
      updating a logged events memory element to include an entry identifying the executable file.
  - 26. The one or more non-transitory tangible media of claim 23, the one or more processors operable to perform further operations comprising:
    - searching a whitelist identifying trustworthy software program files to determine the respective trust statuses of the executable file and the library module, wherein a particular trust status is defined as untrusted when a corresponding software program file is not identified in the whitelist.

27. An apparatus, comprising:
- a protection module;
  
  a memory element configured to store instructions associated with the protection module; and
  
  one or more processors operable to execute the instructions that when executed, cause the one or more processors to;
  
  receive, at the apparatus separate from a first computing device, event information related to a network access attempt initiated by a process executing on the first computing device, wherein the network access attempt is intercepted and held on the first computing device, wherein a process traffic mapping element of the first computing device is queried to determine two or more software program files of a plurality of software program files mapped to the process in the process traffic mapping element of the first computing device, wherein the event information includes information identifying each of the two or more software program files, and wherein at least one software program file of the two or more software program files is an executable file and at least one other software program file of the two or more software program files is a library module loaded by the process;
  
  determine respective trust statuses for each of the two or more software program files;
  
  determine, based on the respective trust statuses of the two or more software program files, whether network traffic associated with the process is to be permitted;
  
  create a logging rule to log, by a network protection device, event data related to the network traffic if the network traffic is not to be permitted; and
  
  push the logging rule to the network protection device, wherein the event data related to the network traffic is to be logged if any one or more of the trust statuses is untrusted, wherein the network access attempt is to be released by the first computing device after the logging rule is pushed to the network protection device.
- View Dependent Claims (28, 29, 30)
- - 28. The apparatus of claim 27, wherein the network protection device is configured to intercept the network traffic associated with the process and log the event data related to the network traffic.
  - 29. The apparatus of claim 28, wherein, when executed, the instructions cause the one or more processors to:
    - receive the event data logged by the network protection device;
      
      use selected data from the event data to search a process traffic mapping database for the executable file associated with the network traffic; and
      
      update a logged events memory element to include an entry identifying the executable file.
  - 30. The apparatus of claim 27, wherein, when executed, the instructions cause the one or more processors to:
    - search a whitelist identifying trustworthy software program files to determine the respective trust statuses of the executable file and the library module, wherein a particular trust status is defined as untrusted when a corresponding software program file is not identified in the whitelist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bhargava, Rishi, Reese, David P. Jr.
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
Johnson, Carlton

Application Number

US12/844,964
Publication Number

US 20120030750A1
Time in Patent Office

1,637 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/02   for separating internal fro...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

System and method for network level protection against malicious software

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

350 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

System and method for network level protection against malicious software

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

350 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others