Generating and distributing a malware countermeasure

US 8,966,630 B2
Filed: 07/14/2006
Issued: 02/24/2015
Est. Priority Date: 04/27/2006
Status: Active Grant

First Claim

Patent Images

1. A network device comprising:

a memory coupled to a processor;

a processor-executable countermeasure engine operable to generate a plurality of countermeasures useable in at least substantially reducing a harm caused by a malware (hereafter “

malware countermeasure”

), the malware countermeasures generated responsive to an indication of the malware being present on a node of a plurality of networked nodes;

a processor-executable decision module operable to select a generated malware countermeasure for distribution from among at least two of the generated malware countermeasures and to determine if a criterion for distribution of the selected generated malware countermeasure to the plurality of networked nodes is met, the criterion for distribution of the selected generated malware countermeasure is independent of the indication of the malware being present on the node of the plurality of networked nodes; and

a processor-executable distribution module operable to transmit the selected generated malware countermeasure to a first set of nodes of the plurality of networked nodes if the criterion is met.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments include a system, an apparatus, a device, computer-program product, and a method. An embodiment provides a network device. The network device includes a countermeasure engine operable to generate a countermeasure useable in at least substantially reducing a harm caused by a malware (hereafter “malware countermeasure”). The network device also includes a decision module operable to determine if a criterion is met for distribution of the generated malware countermeasure to a plurality of networked nodes. The network device further includes a distribution module operable to transmit the generated malware countermeasure to a first set of nodes of the plurality of networked nodes if the criterion is met.

77 Citations

33 Claims

1. A network device comprising:
- a memory coupled to a processor;
  
  a processor-executable countermeasure engine operable to generate a plurality of countermeasures useable in at least substantially reducing a harm caused by a malware (hereafter “
  
  malware countermeasure”
  
  ), the malware countermeasures generated responsive to an indication of the malware being present on a node of a plurality of networked nodes;
  
  a processor-executable decision module operable to select a generated malware countermeasure for distribution from among at least two of the generated malware countermeasures and to determine if a criterion for distribution of the selected generated malware countermeasure to the plurality of networked nodes is met, the criterion for distribution of the selected generated malware countermeasure is independent of the indication of the malware being present on the node of the plurality of networked nodes; and
  
  a processor-executable distribution module operable to transmit the selected generated malware countermeasure to a first set of nodes of the plurality of networked nodes if the criterion is met.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The network device of claim 1, wherein the countermeasure engine operable to generate a plurality of malware countermeasures further includes:
    - a countermeasure engine operable to detect an indication of a malware presence in at least one of the network device, and/or in a node of the plurality networked nodes, and to generate the plurality of malware countermeasures in response to the indicium of a malware presence.
  - 3. The network device of claim 1, wherein the countermeasure engine operable to generate a plurality of malware countermeasures further includes:
    - a countermeasure engine operable to detect a signature of and/or anomaly corresponding to a malware presence in at least one of the network device, and/or in a node of the plurality of networked nodes, and to generate the plurality of malware countermeasures in response to the detected signature of and/or anomaly.
  - 4. The network device of claim 1, wherein the countermeasure engine operable to generate a plurality of malware countermeasures further includes:
    - a countermeasure engine operable to identify a malware having a presence in at least one of the network device and/or in a node of the plurality of networked nodes, and to generate the plurality of malware countermeasures in response to the identified malware.
  - 5. The network device of claim 1, wherein the countermeasure engine operable to generate a plurality of malware countermeasures further includes:
    - a countermeasure engine operable to identify a signature and/or anomaly of a malware having a presence in at least one of the network device and/or in a node of the plurality of networked nodes, and to generate the plurality of malware countermeasures in response to the identified malware.
  - 6. The network device of claim 1, wherein the countermeasure engine operable to generate a plurality of malware countermeasures further includes:
    - a countermeasure engine operable to generate the plurality of malware countermeasures in response to a signature characteristic of a malware having an indicated presence in at least one of the network device, and/or in a node of the plurality of networked nodes.
  - 7. The network device of claim 1, wherein the countermeasure engine operable to generate a plurality of malware countermeasures further includes:
    - a countermeasure engine operable to generate the plurality of malware countermeasures in response to an anomaly aspect of a malware having an indicated presence in at least one of the network device, and/or in a node of the plurality of networked nodes.
  - 8. The network device of claim 1, wherein the countermeasure engine operable to generate a plurality of malware countermeasures further includes:
    - a countermeasure engine operable to generate the plurality of malware countermeasures that includes at least one of;
      
      closing at least one port of the node of the plurality of networked nodes;
      
      at least substantially isolating the node of the plurality of networked nodes from a remaining plurality of the networked nodes;
      
      at least substantially isolating at least one sub-network of nodes of the plurality of networked nodes from the remaining plurality of the networked nodes; and
      
      /orat least substantially isolating a first sub-network of the plurality of networked nodes from a second sub-network of the plurality of networked nodes.
  - 9. The network device of claim 1, wherein the countermeasure engine operable to generate a plurality of malware countermeasures further includes:
    - a countermeasure engine operable to generate the plurality of malware countermeasures that includes at least one of;
      
      at least substantially reducing a functionality of the node of the plurality of networked nodes;
      
      at least substantially reducing a communication privilege allowed to the node of the plurality of networked nodes; and
      
      /orsending a notice receivable by a device associatable with a person associated with the node of the plurality of networked nodes.
  - 10. The network device of claim 1, wherein the countermeasure engine operable to generate a plurality of malware countermeasures further includes:
    - a countermeasure engine operable to generate at least one of the plurality of malware countermeasures by combining a number of available malware countermeasures.
  - 11. The network device of claim 1, wherein the distribution module operable to transmit the selected generated malware countermeasure to a first set of nodes of the plurality of networked nodes if the criterion is met further includes:
    - a distribution module operable to transmit the selected generated malware countermeasure to a first set of nodes of the plurality of networked nodes using a distribution schema if the criterion is met.
  - 12. The network device of claim 1, wherein a particular node of the plurality of networked nodes further includes:
    - at least one of another network device, a network appliance, a computing device, a desktop computing device, a laptop computing device, a mobile computing device, a host, a server, and/or a network card of a computing device.
  - 13. The network device of claim 1, wherein a particular node of the plurality of networked nodes further includes:
    - at least one of a switch, a bridge, a router, an edge router, a gateway, a hub, and/or a repeater.
  - 14. The network device of claim 1, further comprising:
    - an information store operable to save at least one generated malware countermeasure.
  - 15. The network device of claim 1, further comprising:
    - a communication module operable to cause transmission of a packet to at least one node of the plurality of networked nodes.

16. A method implemented in a computing device operable to facilitate communication of a packet to at least one node of a plurality of networked nodes, the method comprising:
- generating a plurality of countermeasures useable in at least substantially reducing a harm caused by a malware (hereafter “
  
  malware countermeasure”
  
  ), the plurality of malware countermeasures generated responsive to an indication of the malware being present on a node of the plurality of networked nodes;
  
  selecting a generated malware countermeasure for distribution from among at least two of the generated malware countermeasures;
  
  determining if a criterion for distribution of the selected generated malware countermeasure to the plurality of networked nodes is met, the criterion for distribution of the selected generated malware countermeasure is independent of the indication of the malware being present on the node of the plurality of networked nodes; and
  
  causing a transmission of the selected generated malware countermeasure to a first set of nodes of the plurality of networked nodes if the criterion is met.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The method of claim 16, wherein the generating a plurality of malware countermeasures further includes:
    - detecting an indication of a malware presence in the network device and generating the plurality of malware countermeasures in response to the indicated malware.
  - 18. The method of claim 16, wherein the generating a plurality of malware countermeasures further includes:
    - detecting a signature and/or an anomaly corresponding to a malware presence in at least one of the network device, and/or in a node of the plurality of networked nodes, and generating the plurality of malware countermeasures in response to the detected signature and/or anomaly.
  - 19. The method of claim 16, wherein the generating a plurality of malware countermeasures further includes:
    - identifying a malware having a presence in at least one of the network device and/or in a node of the plurality of networked nodes, and generating the plurality of malware countermeasures in response to the identified malware.
  - 20. The method of claim 16, wherein the generating a plurality of malware countermeasures further includes:
    - identifying a signature and/or anomaly indicative of a malware having a presence in at least one of the network device and/or in a node of the plurality of networked nodes, and generating the plurality of malware countermeasures in response to the identified malware.
  - 21. The method of claim 16, wherein the generating a plurality of malware countermeasures further includes:
    - generating the plurality of malware countermeasures in response to a signature characteristic of a malware having an indicated presence in at least one of the network device, and/or in a node of the plurality of networked nodes.
  - 22. The method of claim 16, wherein the generating a plurality of malware countermeasures further includes:
    - generating the plurality of malware countermeasures in response to an anomaly aspect of a malware having an indicated presence in at least one of the network device, and/or in a node of the plurality of networked nodes.
  - 23. The method of claim 16, wherein the generating a plurality of malware countermeasures further includes:
    - generating the plurality of malware countermeasures that include at least one of;
      
      closing at least one port of the node of the plurality of networked nodes;
      
      at least substantially isolating the node of the plurality of networked nodes from a remaining plurality of networked nodes;
      
      at least substantially isolating at least one sub-network of nodes from the remaining plurality of networked nodes; and
      
      /orat least substantially isolating a first sub-network of the plurality network nodes from a second sub-network of the plurality network nodes.
  - 24. The method of claim 16, wherein the generating a plurality of malware countermeasures further includes:
    - generating the plurality of malware countermeasures that includes at least one of;
      
      at least substantially reducing a functionality of the node of the plurality of networked nodes;
      
      at least substantially reducing a communication privilege allowed the node of the plurality of networked nodes; and
      
      /orsending a notice receivable by a device associatable with a person associated with the node of the plurality of networked nodes.
  - 25. The method of claim 16, wherein the generating a plurality of malware countermeasures further includes:
    - generating the plurality of malware countermeasures in response to receiving data indicating a buffer overflow occurrence at the node of the plurality of nodes.
  - 26. The method of claim 16, wherein the determining if a criterion is met for distribution of the selected generated malware countermeasure to the plurality of networked nodes further includes:
    - transmitting the selected generated malware countermeasure to a first set of nodes of the plurality of networked nodes using a distribution schema if the criterion is met.
  - 27. The method of claim 16, wherein a particular node of a plurality of networked nodes further includes:
    - another network device, a network appliance, a computing device, a desktop computing device, a laptop computing device, a mobile computing device, a host, a server, and/or a network card of a computing device.
  - 28. The method of claim 16, wherein a particular node of a plurality of networked nodes further includes:
    - a switch, a bridge, a router, an edge router, a gateway, a hub, and/or a repeater.
  - 29. The method of claim 16, further comprising:
    - saving at least one generated malware countermeasure to an information store.
  - 30. The method of claim 16, further comprising:
    - causing a transmission of a packet to at least one node of the plurality of networked nodes.

31. A device comprising:
- means for generating a plurality of countermeasures useable in at least substantially reducing a harm caused by a malware (hereafter “
  
  malware countermeasure”
  
  ), the malware countermeasures generated responsive to an indication of the malware being present on a node of a plurality of networked nodes;
  
  means for selecting a generated malware countermeasure for distribution from among at least two of the generated malware countermeasures;
  
  means for determining if a criterion for distribution of the selected generated malware countermeasure to the plurality of networked nodes is met, the criterion for distribution of the selected generated malware countermeasure is independent of the indication of the malware being present on the node of the plurality of networked nodes; and
  
  means for transmitting the selected generated malware countermeasure to a first set of nodes of the plurality of networked nodes if the criterion is met.
- View Dependent Claims (32, 33)
- - 32. The device of claim 31, further comprising:
    - means for saving at least one generated malware countermeasure.
  - 33. The device of claim 31, further comprising:
    - means for causing a transmission of a packet to at least one node of the plurality of networked nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Invention Science Fund I, L.L.C. (Intellectual Ventures LLC)
Original Assignee
The Invention Science Fund I, L.L.C. (Intellectual Ventures LLC)
Inventors
Malamud, Mark A., Mangione-Smith, William Henry, Jung, Edward K. Y., Levien, Royce A., Lord, Robert W.
Primary Examiner(s)
Uddin, Mohammed R

Application Number

US11/487,595
Publication Number

US 20070255724A1
Time in Patent Office

3,147 Days
Field of Search

707 9- 10, 707/687, 726/22, 726/23, 726/24, 726/25, 713/188
US Class Current

726/24
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

Generating and distributing a malware countermeasure

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Generating and distributing a malware countermeasure

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links