Computer security process monitor

US 8,949,987 B2
Filed: 01/06/2010
Issued: 02/03/2015
Est. Priority Date: 01/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining a database including indicia of valid execution parameters associated with one or more computer processes executable by a computing platform, the valid execution parameters being independent of a user executing the one or more computer processes;

obtaining from the computing platform execution statistics associated with execution of the one or more computer processes on the computing platform by using a pre-existing utility of the computing platform, the step of obtaining execution statistics including obtaining system process information and network interface information associated with the execution of the one or more computer process; and

comparing the execution statistics to the valid execution parameters to detect abnormalities between the valid execution parameters and the execution statistics that are indicative of possible security intrusions;

wherein the system process information includes one or more of;

process name, memory usage, number of threads, and CPU utilization associated with the execution of the one or more computer processes, and the network interface information includes obtaining one or more of;

IP port information and indicia of IP protocol associated with the execution of the one or more computer processes.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer security process monitor detects security intrusions of a networked computing platform by monitoring execution statistics associated with one or more computer processes executed by the platform in relation to expected (or “valid”) execution parameters. The execution statistics in one example include system process statistics (e.g., process name, peak memory usage, maximum number of threads, peak CPU utilization) and network interface statistics (e.g., IP ports, protocols) associated with the one or more computer processes; and the valid execution parameters define acceptable values or states corresponding to the execution statistics.

Citations

16 Claims

1. A method comprising:
- maintaining a database including indicia of valid execution parameters associated with one or more computer processes executable by a computing platform, the valid execution parameters being independent of a user executing the one or more computer processes;
  
  obtaining from the computing platform execution statistics associated with execution of the one or more computer processes on the computing platform by using a pre-existing utility of the computing platform, the step of obtaining execution statistics including obtaining system process information and network interface information associated with the execution of the one or more computer process; and
  
  comparing the execution statistics to the valid execution parameters to detect abnormalities between the valid execution parameters and the execution statistics that are indicative of possible security intrusions;
  
  wherein the system process information includes one or more of;
  
  process name, memory usage, number of threads, and CPU utilization associated with the execution of the one or more computer processes, and the network interface information includes obtaining one or more of;
  
  IP port information and indicia of IP protocol associated with the execution of the one or more computer processes.
- View Dependent Claims (2, 3, 8, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the step of comparing comprises:
    - detecting an invalid process executed by the computing platform, the invalid process defining a process identifiable from the execution statistics that is not registered in a list of valid processes in the database.
  - 3. The method of claim 1, wherein the step of comparing comprises:
    - detecting an invalid parameter executed by the computing platform, the invalid parameter defining a parameter identifiable from the execution statistics that is not consistent with the valid execution parameters.
  - 8. The method of claim 1 wherein the execution statistics correspond to the valid execution parameters.
  - 10. The method of claim 1 wherein at least one of the valid execution parameters is represented as a range of values.
  - 11. The method of claim 1 wherein at least one of the valid execution parameters is represented as a percentage.
  - 12. The method of claim 1 wherein the valid execution parameters includes text and numerical values.
  - 13. The method of claim 1 wherein the pre-existing utility is a basic utility of the computing platform.
  - 14. The method of claim 1 wherein the abnormalities are based on a difference of the execution statistics from the valid execution parameters.

4. A computing platform comprising:
- a computer processor;
  
  a system process monitor operable to obtain from the computing platform system process information associated with one or more computer processes executed on the computing platform by using a pre-existing utility of the computing platform;
  
  a network interface monitor operable to obtain network interface information associated with the one or more computer processes by using the pre-existing utility of the computing platform;
  
  a database including indicia of valid execution parameters associated with the one or more computer processes, the valid execution parameters being independent of information about a user executing the one or more computer processes; and
  
  a security process monitor operably coupled to the system process monitor, network interface monitor and database, that is operable to compare the system process information and the network interface information to the valid execution parameters to detect abnormalities therebetween that are indicative of possible security intrusions,wherein the system process information includes one or more of;
  
  process name, memory usage, number of threads, and CPU utilization associated with the one or more computer processes, and the network interface information includes obtaining one or more of;
  
  IP port information and indicia of IP protocol associated with the one or more computer processes.
- View Dependent Claims (5, 9, 15)
- - 5. The computing platform of claim 4 comprising an embedded platform of an IMS network.
  - 9. The computing platform of claim 4 wherein the system process information and the network interface information correspond to the valid execution parameters.
  - 15. The computing platform of claim 4 wherein the pre-existing utility is a basic utility of the computing platform.

6. A computer security process monitor comprising:
- circuitry for obtaining from a computing platform execution statistics associated with one or more computer processes executed on a computing platform by using a pre-existing utility of the computing platform, the execution statistics including system process information and network interface information associated with the one or more computer processes;
  
  circuitry for obtaining indicia of valid execution parameters associated with the one or more computer processes, the valid execution parameters being independent of statistics about a user executing the one or more computer processes; and
  
  circuitry for comparing the execution statistics to the valid execution parameters to detect abnormalities between the valid execution parameters and the execution statistics that are indicative of possible security intrusions,wherein the system process information includes one or more of;
  
  process name, memory usage, number of threads, and CPU utilization associated with the one or more computer processes, and the network interface information includes obtaining one or more of;
  
  IP port information and indicia of IP protocol associated with the one or more computer processes.
- View Dependent Claims (7, 16)
- - 7. The computer security process monitor of claim 6 wherein the execution statistics correspond to the valid execution parameters.
  - 16. The computer security process monitor of claim 6 wherein the pre-existing utility is a basic utility of the computing platform.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Ruggerio, Raymond L.
Primary Examiner(s)
LEMMA, SAMSON B

Application Number

US12/652,851
Publication Number

US 20110167491A1
Time in Patent Office

1,854 Days
Field of Search

726/23, 726/25
US Class Current

726/23
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

G06F 21/552 involving long-term monitor...

Computer security process monitor

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Computer security process monitor

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links