Computer security process monitor
First Claim
1. A method comprising:
   maintaining a database including indicia of valid execution parameters associated with one or more computer processes executable by a computing platform, the valid execution parameters being independent of a user executing the one or more computer processes;
   obtaining from the computing platform execution statistics associated with execution of the one or more computer processes on the computing platform by using a pre-existing utility of the computing platform, the step of obtaining execution statistics including obtaining system process information and network interface information associated with the execution of the one or more computer processes; and
   comparing the execution statistics to the valid execution parameters to detect abnormalities between the valid execution parameters and the execution statistics that are indicative of possible security intrusions;
   wherein the system process information includes one or more of: process name, memory usage, number of threads, and CPU utilization associated with the execution of the one or more computer processes, and the network interface information includes obtaining one or more of: IP port information and indicia of IP protocol associated with the execution of the one or more computer processes.
Abstract
A computer security process monitor detects security intrusions of a networked computing platform by monitoring execution statistics associated with one or more computer processes executed by the platform in relation to expected (or “valid”) execution parameters. The execution statistics in one example include system process statistics (e.g., process name, peak memory usage, maximum number of threads, peak CPU utilization) and network interface statistics (e.g., IP ports, protocols) associated with the one or more computer processes; and the valid execution parameters define acceptable values or states corresponding to the execution statistics.
16 Claims
1. A method comprising:
   maintaining a database including indicia of valid execution parameters associated with one or more computer processes executable by a computing platform, the valid execution parameters being independent of a user executing the one or more computer processes;
   obtaining from the computing platform execution statistics associated with execution of the one or more computer processes on the computing platform by using a pre-existing utility of the computing platform, the step of obtaining execution statistics including obtaining system process information and network interface information associated with the execution of the one or more computer processes; and
   comparing the execution statistics to the valid execution parameters to detect abnormalities between the valid execution parameters and the execution statistics that are indicative of possible security intrusions;
   wherein the system process information includes one or more of: process name, memory usage, number of threads, and CPU utilization associated with the execution of the one or more computer processes, and the network interface information includes obtaining one or more of: IP port information and indicia of IP protocol associated with the execution of the one or more computer processes.
   Dependent claims: 2, 3, 8, 10, 11, 12, 13, 14

4. A computing platform comprising:
   a computer processor;
   a system process monitor operable to obtain from the computing platform system process information associated with one or more computer processes executed on the computing platform by using a pre-existing utility of the computing platform;
   a network interface monitor operable to obtain network interface information associated with the one or more computer processes by using the pre-existing utility of the computing platform;
   a database including indicia of valid execution parameters associated with the one or more computer processes, the valid execution parameters being independent of information about a user executing the one or more computer processes; and
   a security process monitor operably coupled to the system process monitor, network interface monitor and database, that is operable to compare the system process information and the network interface information to the valid execution parameters to detect abnormalities therebetween that are indicative of possible security intrusions,
   wherein the system process information includes one or more of: process name, memory usage, number of threads, and CPU utilization associated with the one or more computer processes, and the network interface information includes obtaining one or more of: IP port information and indicia of IP protocol associated with the one or more computer processes.
   Dependent claims: 5, 9, 15

6. A computer security process monitor comprising:
   circuitry for obtaining from a computing platform execution statistics associated with one or more computer processes executed on a computing platform by using a pre-existing utility of the computing platform, the execution statistics including system process information and network interface information associated with the one or more computer processes;
   circuitry for obtaining indicia of valid execution parameters associated with the one or more computer processes, the valid execution parameters being independent of statistics about a user executing the one or more computer processes; and
   circuitry for comparing the execution statistics to the valid execution parameters to detect abnormalities between the valid execution parameters and the execution statistics that are indicative of possible security intrusions,
   wherein the system process information includes one or more of: process name, memory usage, number of threads, and CPU utilization associated with the one or more computer processes, and the network interface information includes obtaining one or more of: IP port information and indicia of IP protocol associated with the one or more computer processes.
   Dependent claims: 7, 16
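The abstract and claims 1, 4 and 6 all describe the same loop: keep a per-process database of valid execution parameters, gather execution statistics from a utility the platform already has, and compare the two to flag abnormalities. The following Python is an added illustration of that loop, not code from the patent or its assignee. The valid-parameter table, the field layout of the process and listener rows, the parser names and every sample value are constructed assumptions; the rows mimic what a `ps`- or `ss`-style utility prints but are embedded inline so the script runs offline.

```python
"""Added example (not from the patent): a minimal process monitor in the style
the claims describe. Baseline values, row formats and sample data are assumed."""
from dataclasses import dataclass, field

# Assumed "database" of valid execution parameters, keyed by process name.
# Ceilings are per process and deliberately say nothing about the user
# running it, matching the user-independence the claims require.
VALID_PARAMETERS = {
    "httpd": {"max_mem_kb": 200_000, "max_threads": 64, "max_cpu_pct": 50.0,
              "allowed_ports": {80, 443}, "allowed_protocols": {"tcp"}},
    "sshd": {"max_mem_kb": 50_000, "max_threads": 8, "max_cpu_pct": 10.0,
             "allowed_ports": {22}, "allowed_protocols": {"tcp"}},
}

# Constructed sample output in the shape of `ps -eo pid,comm,rss,nlwp,pcpu`.
PS_OUTPUT = [
    "PID COMMAND RSS NLWP %CPU",
    "101 httpd 150000 32 12.5",
    "202 sshd 30000 4 0.3",
    "303 sshd 48000 12 0.1",      # thread count above the sshd ceiling
    "404 httpd 180000 40 3.0",
    "505 unknownd 1024 1 0.0",    # process with no baseline entry at all
]

# Constructed sample output in the shape of a listening-socket listing.
LISTEN_OUTPUT = [
    "Proto Local Process",
    "tcp 0.0.0.0:80 pid=101",
    "tcp 0.0.0.0:443 pid=101",
    "tcp 0.0.0.0:22 pid=202",
    "tcp 0.0.0.0:22 pid=303",
    "tcp 0.0.0.0:8080 pid=404",   # httpd bound to a port outside its baseline
]


@dataclass
class ProcessStats:
    """Execution statistics for one process (system + network interface)."""
    pid: int
    name: str
    mem_kb: int
    threads: int
    cpu_pct: float
    listens: set = field(default_factory=set)  # {(protocol, port)}


def parse_ps(lines):
    """Turn ps-style rows (header first) into ProcessStats keyed by pid."""
    stats = {}
    for line in lines[1:]:
        pid, comm, rss, nlwp, pcpu = line.split()[:5]
        stats[int(pid)] = ProcessStats(int(pid), comm, int(rss), int(nlwp), float(pcpu))
    return stats


def parse_listeners(lines, stats):
    """Attach (protocol, port) pairs from listener rows to the owning process."""
    for line in lines[1:]:
        proto, local, pidfield = line.split()[:3]
        port = int(local.rsplit(":", 1)[1])
        pid = int(pidfield.split("=", 1)[1])
        if pid in stats:
            stats[pid].listens.add((proto, port))
    return stats


def detect_abnormalities(stats, valid=VALID_PARAMETERS):
    """Compare statistics to valid parameters; return (pid, name, reason) tuples."""
    findings = []
    for p in stats.values():
        params = valid.get(p.name)
        if params is None:
            findings.append((p.pid, p.name, "process not present in valid-parameter database"))
            continue
        if p.mem_kb > params["max_mem_kb"]:
            findings.append((p.pid, p.name, f"memory {p.mem_kb} kB exceeds {params['max_mem_kb']}"))
        if p.threads > params["max_threads"]:
            findings.append((p.pid, p.name, f"threads {p.threads} exceeds {params['max_threads']}"))
        if p.cpu_pct > params["max_cpu_pct"]:
            findings.append((p.pid, p.name, f"cpu {p.cpu_pct}% exceeds {params['max_cpu_pct']}"))
        for proto, port in sorted(p.listens):
            if proto not in params["allowed_protocols"]:
                findings.append((p.pid, p.name, f"protocol {proto} not in allowed set"))
            if port not in params["allowed_ports"]:
                findings.append((p.pid, p.name, f"port {port} not in allowed set"))
    return findings


def run_monitor(ps_lines=PS_OUTPUT, listen_lines=LISTEN_OUTPUT):
    """One monitoring pass over the sample utility output."""
    stats = parse_listeners(listen_lines, parse_ps(ps_lines))
    return detect_abnormalities(stats)


if __name__ == "__main__":
    for pid, name, reason in run_monitor():
        print(f"pid {pid} ({name}): {reason}")
```

On the constructed input the pass reports three abnormalities: the second `sshd` instance exceeding its thread ceiling, `httpd` listening on a port outside its baseline, and a process name absent from the database. In a real deployment the two parse functions would read the live output of the platform's own utilities, and the baseline would be populated from observed peaks over a known-good period rather than hand-written constants.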