Method, system and computer program product for detecting at least one of security threats and undesirable computer files
Abstract
Method, system and computer program product for detecting at least one of security threats and undesirable computer files are provided. A first method includes receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process. The computer processes are implemented on one or more computers. The method further includes monitoring the data stream to detect a security threat based on a whitelist having entries which contain metadata. The whitelist describes legitimate application layer messages based on a set of heuristics. The method still further includes generating a signal if a security threat is detected. A second method includes comparing a set of computer files with a whitelist which characterizes all legitimate computer files. The whitelist contains one or more entries. Each of the entries describes a plurality of legitimate computer files.
32 Claims
1. A method of detecting security threats in a computer network, the method comprising:

receiving a data stream which represents outbound, HTTP messages from a first computer application to at least one second computer application wherein the computer applications are implemented on one or more computers;
specifying one or more legitimate applications;
establishing a behavioral profile whitelist for the one or more legitimate applications, the behavioral profile whitelist having entries containing metadata, the entries describing at least one expected possible characteristic of legitimate messages that may be sent by the one or more legitimate applications, the at least one expected possible characteristic including an expected possible content characteristic, the expected possible content characteristic being determined by processing a message to extract a plurality of message fields, matching each field against patterns specified by the whitelist entries, and indicating the presence of fields that do not match a whitelist entry;
monitoring the data stream to detect a security threat based on the HTTP messages exhibiting behavior not characterized by the expected possible content characteristic in the behavioral profile whitelist; and
generating a signal if a security threat is detected;
wherein the metadata contains alert filters that specify sets of alerts to match;
wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application that sent a given HTTP message; and
wherein the whitelist comprises a mapping from the metadata to legitimate applications.

Dependent claims 2 to 15 depend from claim 1.

16. A system for detecting security threats in a computer network, the system comprising:

a processor operable to execute computer program instructions;
a memory operable to store computer program instructions accessible by the processor; and
computer program instructions stored in the memory to perform the steps of:
receiving a data stream which represents outbound, HTTP messages from a first computer application to at least one second computer application wherein the computer applications are implemented on one or more computers;
specifying one or more legitimate applications;
establishing a behavioral profile whitelist for the one or more legitimate applications, the behavioral profile whitelist having entries containing metadata, the entries describing at least one expected possible characteristic of legitimate messages that may be sent by the one or more legitimate applications, the at least one expected possible characteristic including an expected possible content characteristic, the expected possible content characteristic being determined by processing a message to extract a plurality of message fields, matching each field against patterns specified by the whitelist entries, and indicating the presence of fields that do not match a whitelist entry;
monitoring the data stream to detect a security threat based on the HTTP messages exhibiting behavior not characterized by the expected possible content characteristic in the behavioral profile whitelist; and
generating a signal if a security threat is detected;
wherein the metadata contains alert filters that specify sets of alerts to match;
wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application that sent a given HTTP message; and
wherein the whitelist comprises a mapping from the metadata to legitimate applications.

Dependent claims 17 to 30 depend from claim 16.

31. A computer program product for detecting security threats in a computer network, the product comprising:

a computer readable non-transitory tangible medium; and
computer program instructions recorded on the medium and executable by a processor for performing the steps of:
receiving a data stream which represents outbound, HTTP messages from a first computer application to at least one second computer application wherein the computer applications are implemented on one or more computers;
specifying one or more legitimate applications;
establishing a behavioral profile whitelist for the one or more legitimate applications, the behavioral profile whitelist having entries containing metadata, the entries describing at least one expected possible characteristic of legitimate messages that may be sent by the one or more legitimate applications, the at least one expected possible characteristic including an expected possible content characteristic, the expected possible content characteristic being determined by processing a message to extract a plurality of message fields, matching each field against patterns specified by the whitelist entries, and indicating the presence of fields that do not match a whitelist entry;
monitoring the data stream to detect a security threat based on the HTTP messages exhibiting behavior not characterized by the expected possible content characteristic in the behavioral profile whitelist; and
generating a signal if a security threat is detected;
wherein the metadata contains alert filters that specify sets of alerts to match;
wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application that sent a given HTTP message; and
wherein the whitelist comprises a mapping from the metadata to legitimate applications.

Dependent claim 32 depends from claim 31.
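The matching procedure that independent claims 1, 16 and 31 describe (extract the fields of an outbound HTTP message, match each field against the patterns of a whitelist entry, indicate the fields no entry accounts for, and either attribute the message to a legitimate application or generate a signal) is shown below as an added Python example. It is illustrative code written for this page, not the patent's implementation or any product's code; the application names, hostnames, field patterns and the two sample requests are constructed. In this example the names of unmatched fields play the role of the alerts, an entry's pattern dictionary is its matching section (alert filter), and the entry's application name is the action that associates a matching message with the legitimate application that sent it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WhitelistEntry:
    """Behavioral profile of one legitimate application (constructed example).

    ``patterns`` is the matching section: field name -> anchored regular
    expression. ``application`` is the action: the legitimate application a
    fully matching message is attributed to.
    """
    application: str
    patterns: dict

    def unmatched_fields(self, fields):
        """Names of message fields this entry's patterns do not account for.

        A field with no pattern at all is reported as unmatched too, so an
        unexpected extra header is never silently accepted.
        """
        return [name for name, value in fields.items()
                if self.patterns.get(name) is None
                or re.fullmatch(self.patterns[name], value) is None]


def extract_fields(raw):
    """Split a raw HTTP/1.1 request into a flat field dictionary.

    Request-line parts and each header become separate fields so every one can
    be matched on its own; the body is reduced to its length, enough to tell an
    empty GET from a POST carrying data.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    fields = {"method": method, "path": target, "version": version}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields["header:" + name.strip().lower()] = value.strip()
    fields["body_length"] = str(len(body))
    return fields


def classify(raw, whitelist):
    """Match one outbound message against the whitelist.

    The first entry that characterises every field wins and the message is
    attributed to that entry's application. Otherwise the result is a signal
    carrying, per profile, the fields that profile could not account for.
    """
    fields = extract_fields(raw)
    unmatched_by_entry = {}
    for entry in whitelist:
        unmatched = entry.unmatched_fields(fields)
        if not unmatched:
            return {"threat": False, "application": entry.application, "unmatched": {}}
        unmatched_by_entry[entry.application] = unmatched
    return {"threat": True, "application": None, "unmatched": unmatched_by_entry}


# Constructed whitelist: two hypothetical legitimate applications.
WHITELIST = [
    WhitelistEntry("ExampleUpdater", {
        "method": r"GET",
        "path": r"/updates/[\w.-]+",
        "version": r"HTTP/1\.1",
        "header:host": r"updates\.example\.com",
        "header:user-agent": r"ExampleUpdater/\d+\.\d+",
        "body_length": r"0",
    }),
    WhitelistEntry("ExampleTelemetry", {
        "method": r"POST",
        "path": r"/v1/events",
        "version": r"HTTP/1\.1",
        "header:host": r"telemetry\.example\.com",
        "header:user-agent": r"ExampleTelemetry/\d+",
        "header:content-type": r"application/json",
        "header:content-length": r"\d+",
        "body_length": r"\d+",
    }),
]

# Constructed sample messages.
LEGIT_REQUEST = ("GET /updates/manifest.json HTTP/1.1\r\n"
                 "Host: updates.example.com\r\n"
                 "User-Agent: ExampleUpdater/2.1\r\n\r\n")

# Same Host and User-Agent as the updater, but a POST with a body to a path the
# updater profile does not cover: the message is not characterised by any entry.
SUSPICIOUS_REQUEST = ("POST /upload HTTP/1.1\r\n"
                      "Host: updates.example.com\r\n"
                      "User-Agent: ExampleUpdater/2.1\r\n"
                      "Content-Length: 20\r\n\r\n"
                      "id=host-17&data=abcd")


def demo():
    """Classify both constructed requests; returns (legit_result, suspicious_result)."""
    return classify(LEGIT_REQUEST, WHITELIST), classify(SUSPICIOUS_REQUEST, WHITELIST)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two design points matter in practice. Patterns are applied with `re.fullmatch`, so a profile cannot be satisfied by a substring match on a longer value, and any header a profile does not list counts as unaccounted for. That default-deny choice is what lets the second request be caught even though its Host and User-Agent are identical to the legitimate updater's, but it is also the usual source of false positives: a legitimate application that starts sending a new header after an update will trip the signal until its profile is extended.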