System and method for identifying unauthorized activities on a computer system using a data structure model

US 9,106,697 B2
Filed: 06/17/2011
Issued: 08/11/2015
Est. Priority Date: 06/24/2010
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A computer implemented method of identifying unauthorized activities on a decoy computer system attached to a computer network, wherein the decoy system comprises:

one or more processors; and

memory storing;

a virtual machine; and

a virtual machine monitor supervising the virtual machine, the method comprising, at the virtual machine monitor;

monitoring activity on the virtual machine;

identifying a plurality of activities being performed at the virtual machine, wherein each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target;

storing in the memory the activity sources, activity targets, and associations;

creating, from the stored activities, a fingerprint indicative of the activity on the virtual machine; and

transmitting the fingerprint to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint.

View all claims

5 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A computer implemented method includes monitoring activity on the virtual machine. A plurality of activities being performed at the virtual machine is identified. Each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target. The activity sources, activity targets, and associations are stored in the memory. A fingerprint indicative of the activity on the virtual machine is created from the stored activities. The fingerprint is transmitted to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint.

Citations

23 Claims

1. A computer implemented method of identifying unauthorized activities on a decoy computer system attached to a computer network, wherein the decoy system comprises:
- one or more processors; and
  
  memory storing;
  
  a virtual machine; and
  
  a virtual machine monitor supervising the virtual machine, the method comprising, at the virtual machine monitor;
  
  monitoring activity on the virtual machine;
  
  identifying a plurality of activities being performed at the virtual machine, wherein each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target;
  
  storing in the memory the activity sources, activity targets, and associations;
  
  creating, from the stored activities, a fingerprint indicative of the activity on the virtual machine; and
  
  transmitting the fingerprint to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 21, 22, 23)
- - 2. The method of claim 1, wherein the monitoring further comprises monitoring all activity on the virtual machine, and all activity on the virtual machine is assumed to be unauthorized.
  - 3. The method of claim 1, wherein the fingerprint includes files that are affected by the unauthorized activities on the virtual machine.
  - 4. The method of claim 1, wherein the fingerprint includes processes that are affected by the unauthorized activities on the virtual machine.
  - 5. The method of claim 1, wherein the activities comprise two or more of:
    - a file initiating an execution of an instruction, an instruction reading a file, an instruction writing to a file, and receiving data through the network.
  - 6. The method of claim 1, wherein a respective activity target comprises one of:
    - a file, a user, an instruction, a thread, data stream, and network socket connections.
  - 7. The method of claim 1, wherein a respective activity source comprises one of:
    - a file, a user, an instruction, a thread, data stream, and network socket connections.
  - 8. The method of claim 1, further comprising graphically displaying at least a subset of the stored activities.
  - 9. The method of claim 8, wherein the displaying includes visually distinguishing at least a subset of the associations.
  - 10. The method of claim 8, wherein the subset of activities includes a first activity and a second activity, and the activity target of the first activity is the activity source of the second activity.
  - 11. The method of claim 1, further comprising identifying a respective association between a first activity source and a first activity target as unauthorized, wherein the first activity target, when associated as a second activity source with a second activity target, causes unauthorized activities on the second activity target.
  - 12. The method of claim 11, further comprising tracking a transfer of malicious associations over time.
  - 13. The method of claim 1, further comprising identifying activity sources that are affected by unauthorized activities.
  - 14. The method of claim 13, wherein the identifying activity sources that are affected by unauthorized activities includes identifying activity sources that request to access a portion of memory that is set as non-executable.
  - 15. The method of claim 13, wherein:
    - instructions executed by the one or more processors have respective privilege levels;
      
      respective activity sources have respective privilege levels; and
      
      the identifying activity sources that are affected by unauthorized activities includes identifying activity sources that request to execute underprivileged instructions.
  - 16. The method of claim 13, wherein the identifying activity sources that are affected by unauthorized activities includes identifying data stream incoming from outside the computer system.
  - 17. The method of claim 1, further comprising determining an activity status for the stored events, the activity status comprising one of:
    - a complete status, representing that a source of unauthorized activities is identified, and each activity target in the stored activities is associated with the source through one or more associations; and
      
      an incomplete status, which represents that the source of unauthorized activities is not identified, or at least one activity target in the stored activities is not associated with the source through one or more associations.
  - 18. The method of claim 1, further comprising determining an activity level representing a frequency of unauthorized activities on the virtual machine during a predefined time interval.
  - 21. The method of claim 1, wherein an activity target of a first activity of the plurality of activities is an activity source of a second activity of the plurality of activities.
  - 22. The method of claim 1, further comprising:
    - identifying a type of the association between the activity source and the activity target.
  - 23. The method of claim 1, further comprising:
    - identifying a respective activity as unauthorized based on a determination that the respective activity is associated with an unauthorized activity that is distinct from the respective activity.

19. A system, comprising:
- one or more processors; and
  
  memory storing;
  
  a virtual machine;
  
  a virtual machine monitor supervising the virtual machine; and
  
  one or more programs, the one or more programs including instructions for;
  
  monitoring activity on the virtual machine;
  
  identifying a plurality of activities being performed at the virtual machine, where each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target;
  
  storing in the memory the activity sources, activity targets, and associations;
  
  creating, from the stored activities, a fingerprint indicative of the activity on the virtual machine; and
  
  transmitting the fingerprint to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint.

20. A non-transitory computer readable storage medium, including one or more programs for execution by one or more processors of a computer system, the one or more programs including instructions for:
- monitoring activity on the virtual machine;
  
  identifying a plurality of activities being performed at the virtual machine, where each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target;
  
  storing in the memory the activity sources, activity targets, and associations;
  
  creating, from the stored activities, a fingerprint indicative of the activity on the virtual machine; and
  
  transmitting the fingerprint to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
GoSecure, Inc.
Original Assignee
Neurallq Incorporated
Inventors
Capalik, Alen, Andrews, David, Becker, Ben
Primary Examiner(s)
NGUYEN, THU HA T

Application Number

US13/163,590
Publication Number

US 20110321166A1
Time in Patent Office

1,516 Days
Field of Search

713/155, 713/164, 713/165, 726/3, 726 14- 15, 726/22, 726 24- 26, 709/223, 709/224, 718/1, 718/100
US Class Current

1/1
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1491 using deception as counterm...

System and method for identifying unauthorized activities on a computer system using a data structure model

First Claim

5 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identifying unauthorized activities on a computer system using a data structure model

First Claim

5 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links