Apparatus and method for blocking zombie behavior process

US 9,060,016 B2
Filed: 08/09/2011
Issued: 06/16/2015
Est. Priority Date: 01/04/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus for blocking a zombie behavior process performed in a computer connected to a network, the zombie behavior process being generated in the computer, and attacking external computers, comprising:

an enterprise security management (ESM) server;

a security policy storage receiving security policies including one or more zombie behavior type, traffic threshold values related to a specific zombie behavior type, an allowed times exceeding traffic threshold value related to the specific zombie behavior type, and blocking policies related to the specific zombie behavior type from the ESM server, the security policy storage storing the security policies;

a traffic monitor monitoring traffic generated on the computer and detecting abnormal traffic exceeding a predetermined reference value in a network driver stage of the computer while monitoring all traffic generated on the computer;

a process and traffic analyzer detecting an abnormal process causing the abnormal traffic, and detecting a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic related to the abnormal process on the basis of the traffic threshold values and the allowed times exceeding traffic threshold value;

a process handler handling the abnormal process, whose zombie behavior type has been detected on the basis of a blocking policy defined for the detected zombie behavior type;

an event log storage storing an event log generated in association with the abnormal process and transmitting the event log to the EMS server; and

a new zombie type storage storing traffic characteristics of a new abnormal process whose zombie behavior type has not been detected and transmitting the traffic characteristics of the new abnormal process to the EMS server;

wherein the analyzed abnormal traffic exceeds both the traffic threshold values and the allowed times exceeding traffic threshold value; and

wherein the security policies are updated based on the event log and the traffic characteristics of the new abnormal process by the EMS server;

wherein the apparatus is disposed in a network driver stage of the computer connected to the network;

wherein the zombie behavior type includes other types of behaviors; and

when the zombie behavior type of the new abnormal process has not been detected, a security policy defined for the other types of behaviors is applied to the abnormal process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are an apparatus and method for blocking a zombie behavior process. The apparatus includes a security policy storage configured to store zombie-behavior-type-specific traffic characteristics and security policies, a traffic monitor configured to monitor traffic generated on the computer and detect abnormal traffic exceeding a predetermined reference value, a process and traffic analyzer configured to find an abnormal process causing the abnormal traffic and detect a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of the zombie-behavior-type-specific traffic characteristics stored in the security policy storage, and a process handler configured to handle the process whose zombie behavior type has been detected according to a security policy defined for the detected zombie behavior type. Also, the apparatus according to another aspect includes a system process monitor and handler configured to detect whether or not a file associated with a system process is modified and block the system process.

Citations

6 Claims

1. An apparatus for blocking a zombie behavior process performed in a computer connected to a network, the zombie behavior process being generated in the computer, and attacking external computers, comprising:
- an enterprise security management (ESM) server;
  
  a security policy storage receiving security policies including one or more zombie behavior type, traffic threshold values related to a specific zombie behavior type, an allowed times exceeding traffic threshold value related to the specific zombie behavior type, and blocking policies related to the specific zombie behavior type from the ESM server, the security policy storage storing the security policies;
  
  a traffic monitor monitoring traffic generated on the computer and detecting abnormal traffic exceeding a predetermined reference value in a network driver stage of the computer while monitoring all traffic generated on the computer;
  
  a process and traffic analyzer detecting an abnormal process causing the abnormal traffic, and detecting a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic related to the abnormal process on the basis of the traffic threshold values and the allowed times exceeding traffic threshold value;
  
  a process handler handling the abnormal process, whose zombie behavior type has been detected on the basis of a blocking policy defined for the detected zombie behavior type;
  
  an event log storage storing an event log generated in association with the abnormal process and transmitting the event log to the EMS server; and
  
  a new zombie type storage storing traffic characteristics of a new abnormal process whose zombie behavior type has not been detected and transmitting the traffic characteristics of the new abnormal process to the EMS server;
  
  wherein the analyzed abnormal traffic exceeds both the traffic threshold values and the allowed times exceeding traffic threshold value; and
  
  wherein the security policies are updated based on the event log and the traffic characteristics of the new abnormal process by the EMS server;
  
  wherein the apparatus is disposed in a network driver stage of the computer connected to the network;
  
  wherein the zombie behavior type includes other types of behaviors; and
  
  when the zombie behavior type of the new abnormal process has not been detected, a security policy defined for the other types of behaviors is applied to the abnormal process.
- View Dependent Claims (2, 3, 4)
- - 2. The apparatus of claim 1, wherein the zombie behavior type includes at least one of a distributed denial of service (DDoS) attack, Internet protocol (IP) scanning, port scanning, and a spoofing attack.
  - 3. The apparatus of claim 1, wherein the process and traffic analyzer detects the zombie behavior type associated with the abnormal process by searching for a corresponding zombie behavior type corresponding to a characteristic of the abnormal traffic caused by the abnormal process on the basis of the traffic threshold values stored in the security policy storage, and determining that the abnormal process is associated with the corresponding zombie behavior type when the abnormal traffic caused by the abnormal process continues for more than the allowed time exceeding traffic threshold value corresponding to the corresponding zombie behavior type.
  - 4. The apparatus of claim 1, wherein the predetermined reference value is defined in the security policy storage.

5. A method of blocking a zombie behavior process generated in a computer connected to a network and attacking an external computer, the method being performed in a network driver stage of the computer and comprising:
- receiving security policies including one or more zombie behavior type, traffic threshold values related to specific zombie behavior type, an allowed times exceeding traffic threshold value related to specific zombie behavior type, and blocking policies related to specific zombie behavior type from an enterprise security management (ESM) server;
  
  storing the security policies to a security policy storage;
  
  monitoring traffic generated on the computer to detect abnormal traffic exceeding a predetermined reference value in a network driver stage of the computer while monitoring all traffic generated on the computer connected to the network;
  
  detecting an abnormal process causing the abnormal traffic, and detecting a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic related to the abnormal process on the basis of the traffic threshold values and the allowed times exceeding traffic threshold value stored in the security policy storage;
  
  when the zombie behavior type of the abnormal process has been found, handling the abnormal process on the basis of the blocking policies for the zombie behavior type defined in the security policy storage, and transmitting an event log generated in association with the abnormal process to the EMS server; and
  
  when the zombie behavior type having a characteristic of the abnormal traffic caused by a new abnormal process has not been detected, handling the new abnormal process on the basis of the security policies for other types defined in the security policy storage, and transmitting the traffic characteristics of the new abnormal process to the EMS server;
  
  wherein the analyzed abnormal traffic exceeds both the traffic threshold values and the allowed times exceeding traffic threshold value;
  
  wherein the security policies are updated based on the event log and the traffic characteristics of the new abnormal process by the EMS server;
  
  wherein the zombie behavior type includes other types of behaviors; and
  
  when the zombie behavior type of the new abnormal process has not been detected, a security policy defined for the other types of behaviors is applied to the abnormal process.
- View Dependent Claims (6)
- - 6. The method of claim 5, wherein detecting the zombie behavior type associated with the abnormal process includes:
    - searching for a corresponding zombie behavior type corresponding to a characteristic of the abnormal traffic caused by the abnormal process on the basis of the traffic threshold values stored in the security policy storage, and determining that the process is associated with the corresponding zombie behavior type when the abnormal traffic caused by the abnormal process continues for more than the allowed time exceeding traffic threshold value corresponding to the corresponding zombie behavior type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NPCore, Inc.
Original Assignee
NPCore, Inc.
Inventors
Han, Seung Chul
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
GRACIA, GARY S

Application Number

US13/136,725
Publication Number

US 20120174221A1
Time in Patent Office

1,407 Days
Field of Search

726/23, 713/166
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Apparatus and method for blocking zombie behavior process

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for blocking zombie behavior process

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links