Systems and methods for automated memory and thread execution anomaly detection in a computer network

US 8,984,331 B2
Filed: 09/06/2012
Issued: 03/17/2015
Est. Priority Date: 09/06/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an anomaly in a computer that is part of a population of networked computers, the method comprising:

receiving snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;

generating an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer, wherein detecting an anomaly comprises detecting a behavioral anomaly comprising one or more of changes in code, changes in execution stack and changes in thread execution; and

comparing a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for detecting an anomaly in a computer that is part of a population of networked computers. Snapshots are received from a plurality of computers within the population of computers, where individual snapshots include a state of assets and runtime processes of a respective computer. An asset normalization model is generated from the snapshots and serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer. A snapshot from at least one of the computers is compared to the asset normalization model in order to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.

99 Citations

View as Search Results

35 Claims

1. A method for detecting an anomaly in a computer that is part of a population of networked computers, the method comprising:
- receiving snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;
  
  generating an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer, wherein detecting an anomaly comprises detecting a behavioral anomaly comprising one or more of changes in code, changes in execution stack and changes in thread execution; and
  
  comparing a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising deploying to the plurality of computers an agent that is configured for one or more of generating a snapshot, transmitting the snapshot, and detecting an anomaly using the asset normalization model.
  - 3. The method of claim 1, wherein the snapshots comprise code segments that have been encoded using a transform function.
  - 4. The method of claim 3, wherein the transform function includes a cryptographic hash.
  - 5. The method of claim 1, wherein changes in code include changes in a code segment, code injection, and code removal.
  - 6. The method of claim 1, wherein changes in the execution stack include improper code addresses inserted into the call stack.
  - 7. The method of claim 1, wherein changes in thread execution include improper thread creation, improper thread execution, and improper thread destruction.
  - 8. The method of claim 1, deriving a statistical model for normal process execution in order to detect changes in runtime process behavior that constitute a behavioral anomaly.
  - 9. The method of claim 1, further comprising:
    - searching the assets and runtime processes in order to find unique identifiers and related assets;
      
      adding found unique identifiers to a list of previously found unique identifiers and related assets;
      
      using the list to build a baseline of computer assets which contain these identifiers and related assets to scan during runtime operations in order to generate a snapshot; and
      
      periodically updating the list of unique identifiers as assets and runtime processes are added and removed from a respective computer.
  - 10. The method of claim 1, further comprising, when an anomaly is detected:
    - repairing the asset or runtime process associated with the anomaly by removing the asset, replacing the asset, or stopping the runtime process; and
      
      repairing any faults in the execution stack associated with the anomaly.

11. A system for detecting an anomaly in a computer that is part of a population of networked computers, comprising:
- a network interface configured to receive snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer; and
  
  a processor configured to;
  
  generate an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer, wherein detecting an anomaly comprises detecting a behavioral anomaly comprising one or more of changes in code, changes in execution stack and changes in thread execution; and
  
  compare a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of at least one of the computers.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the processor is further configured to deploy to the plurality of computers an agent that is configured for one or more of generating a snapshot, transmitting the snapshot, and detecting an anomaly using the asset normalization model.
  - 13. The system of claim 11, wherein the network interface is configured to receive snapshots that comprise code segments that have been encoded using a transform function.
  - 14. The system of claim 11, wherein changes in code include changes in a code segment, code injection, and code removal.
  - 15. The system of claim 11, wherein changes in the execution stack include improper code addresses inserted into the call stack.
  - 16. The system of claim 11, wherein changes in thread execution include improper thread creation, improper thread execution, and improper thread destruction.
  - 17. The system of claim 11, wherein the processor is configured to derive a statistical model for normal process execution in order to detect changes in runtime process behavior that constitute a behavioral anomaly.
  - 18. The system of claim 13, wherein the transform function includes a cryptographic hash.
  - 19. The system of claim 11, wherein the processor is further configured to:
    - search the assets and runtime processes in order to find unique identifiers and related assets;
      
      add found unique identifiers to a list of previously found unique identifiers and related assets;
      
      use the list to build a baseline of computer assets which contain these identifiers and related assets to scan during runtime operations in order to generate a snapshot; and
      
      periodically update the list of unique identifiers as assets and runtime processes are added and removed from a respective computer.
  - 20. The system of claim 11, wherein when an anomaly is detected, the processor is further configured to:
    - repair the asset or runtime process associated with the anomaly by removing the asset, replacing the asset, or stopping the runtime process; and
      
      repair any faults in the execution stack associated with the anomaly.

21. One or more computer readable storage media storing instructions for detecting an anomaly in a computer that is part of a population of networked computers, the instructions, when executed by a processor, cause the processor to:
- receive snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;
  
  generate an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer, wherein detecting an anomaly comprises detecting a behavioral anomaly comprising one or more of changes in code, changes in execution stack and changes in thread execution; and
  
  compare a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The computer readable storage media of claim 21, further comprising instructions that are operable to deploy to the plurality of computers an agent that is configured for one or more of generating a snapshot, transmitting the snapshot, and detecting an anomaly using the asset normalization model.
  - 23. The computer readable storage media of claim 21, wherein the instructions that are operable to receive comprise instructions that are operable to receive the snapshots that comprise code segments that have been encoded using a cryptographic hash.
  - 24. The computer readable storage media of claim 21, wherein changes in code include changes in a code segment, code injection, and code removal.
  - 25. The computer readable storage media of claim 21, wherein changes in the execution stack include improper code addresses inserted into the call stack.
  - 26. The computer readable storage media of claim 21, wherein changes in thread execution include improper thread creation, improper thread execution, and improper thread destruction.
  - 27. The computer readable storage media of claim 21, further comprising instructions that are operable to derive a statistical model for normal process execution in order to detect changes in runtime process behavior that constitute a behavioral anomaly.
  - 28. The computer readable storage media of claim 21, further comprising instructions that are operable to:
    - search the assets and runtime processes in order to find unique identifiers and related assets;
      
      add found unique identifiers to a list of previously found unique identifiers and related assets;
      
      use the list to build a baseline of computer assets which contain these identifiers and related assets to scan during runtime operations in order to generate a snapshot; and
      
      periodically update the list of unique identifiers as assets and runtime processes are added and removed from a respective computer.
  - 29. The computer readable storage media of claim 21, wherein when an anomaly is detected, further comprising instructions that are operable to:
    - repair the asset or runtime process associated with the anomaly by removing the asset, replacing the asset, or stopping the runtime process; and
      
      repair any faults in the execution stack associated with the anomaly.

30. A method for detecting an anomaly in a computer that is part of a population of networked computers, the method comprising:
- searching the assets and runtime processes in order to find unique identifiers and related assets;
  
  adding found unique identifiers to a list of previously found unique identifiers and related assets;
  
  using the list to build a baseline of computer assets which contain these identifiers and related assets to scan during runtime operations in order to generate a snapshot;
  
  periodically updating the list of unique identifiers as assets and runtime processes are added and removed from a respective computer;
  
  receiving snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;
  
  generating an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer; and
  
  comparing a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
- View Dependent Claims (31, 32, 33)
- - 31. The method of claim 30, further comprising, when an anomaly is detected:
    - repairing the asset or runtime process associated with the anomaly by removing the asset, replacing the asset, or stopping the runtime process; and
      
      repairing any faults in the execution stack associated with the anomaly.
  - 32. The method of claim 30, deriving a statistical model for normal process execution in order to detect changes in runtime process behavior that constitute a behavioral anomaly.
  - 33. The method of claim 30, wherein the snapshots comprise code segments that have been encoded using a transform function.

34. A system for detecting an anomaly in a computer that is part of a population of networked computers, comprising:
- a network interface configured to receive snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer; and
  
  a processor configured to;
  
  search the assets and runtime processes in order to find unique identifiers and related assets;
  
  add found unique identifiers to a list of previously found unique identifiers and related assets;
  
  use the list to build a baseline of computer assets which contain these identifiers and related assets to scan during runtime operations in order to generate a snapshot;
  
  periodically update the list of unique identifiers as assets and runtime processes are added and removed from a respective computer;
  
  generate an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer; and
  
  compare a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of at least one of the computers.

35. One or more computer readable storage media storing instructions for detecting an anomaly in a computer that is part of a population of networked computers, the instructions, when executed by a processor, cause the processor to:
- search the assets and runtime processes in order to find unique identifiers and related assets;
  
  add found unique identifiers to a list of previously found unique identifiers and related assets;
  
  use the list to build a baseline of computer assets which contain these identifiers and related assets to scan during runtime operations in order to generate a snapshot; and
  
  periodically update the list of unique identifiers as assets and runtime processes are added and removed from a respective computer;
  
  receive snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;
  
  generate an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer; and
  
  compare a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Triumfant Incorporated
Inventors
Quinn, Mitchell N.
Primary Examiner(s)
Ehne, Charles

Application Number

US13/605,445
Publication Number

US 20140068326A1
Time in Patent Office

922 Days
Field of Search
US Class Current

714/4.2
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0715   in a system implementing mu...

G06F 11/0748   in a remote unit communicat...

G06F 11/0751   Error or fault detection no...

Systems and methods for automated memory and thread execution anomaly detection in a computer network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

99 Citations

35 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for automated memory and thread execution anomaly detection in a computer network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

35 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others