Early malware detection by cross-referencing host data
First Claim
1. A method of detecting malware, said method comprising:
- determining that a first behavior of a first computer within an enterprise is suspected of being caused by malware;
- determining that a second behavior of a second computer within said enterprise is suspected of being caused by malware;
- determining, by a central management computer, that said first and second behaviors are the same and that said behaviors are not shared with any behavior of a trusted computer by comparing said behaviors to behaviors of said trusted computer, said trusted computer being a computer within said enterprise and being malware free;
- determining, by said central management computer, that said first and second computers are both configured to be Web servers, both configured to be database servers, both configured to be e-mail servers, both configured to be proxy servers, both configured to be storage servers, both configured to be source code servers, or are both configured to be pattern update servers and provide a same common service function within said enterprise; and
- not issuing a malware alert because of said determining that said first and second computers provide said common service function even though said behaviors on said first and second computers are not shared with said trusted computer.
1 Assignment
0 Petitions
Abstract
A computer network of an enterprise includes a central management computer linking at least one trusted host computer with at least one user computer. The trusted host computer is not used for normal day-to-day activities within the enterprise, and may also be kept from reading electronic mail, accessing the Internet, and downloading Web site content. Antivirus software on the user computer screens for suspect activity or features and, if any is found, compares it to a rules database. If the rules cannot determine whether the activity is malware, the unresolved activities or features are sent to the central management computer, which compares them to the trusted, known activities and features of the trusted computer. Suspect activities may be deemed acceptable if they are shared among a certain number of user computers that are all configured to perform the same function. A user computer may also be compared against itself over time.
103 Citations
20 Claims
1. A method of detecting malware (independent claim; full text above under First Claim). Dependent claims: 2-11.
12. A method of detecting malware, said method comprising:
- determining that a first behavior of a first computer within an enterprise is suspected of being caused by malware;
- determining that a second behavior of a second computer within said enterprise is suspected of being caused by malware;
- determining that a third behavior of a third computer within said enterprise is suspected of being caused by malware;
- determining, by a central management computer, that said first, second and third behaviors are the same and that said behaviors are not shared with any behavior of a trusted computer by comparing said behaviors to behaviors of said trusted computer, said trusted computer being a computer within said enterprise and being malware free; and
- determining, by said central management computer, that said first, second and third computers all are configured to be Web servers, all configured to be database servers, all configured to be e-mail servers, all configured to be proxy servers, all configured to be storage servers, all configured to be source code servers, or are all configured to be pattern update servers and provide a same common service function within said enterprise;
- not issuing a malware alert because of said determining that said first, second and third computers provide said common service function even though said behaviors on said first, second and third computers are not shared with said trusted computer.
Dependent claims: 13-20.
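The abstract and the two independent claims describe one decision procedure for the central management computer: an endpoint flags a behavior its rules database cannot classify, the center checks whether the malware-free trusted host shows the same behavior, optionally whether the host itself showed it before, and finally whether the behavior is shared by enough hosts that all serve the same enumerated role, in which case no alert is raised. The following Python is an added illustration of that procedure and is not code from the patent or its assignee. The hosts, roles, behavior strings, rules database entries and history snapshot are all constructed for the example; the `min_hosts` parameter is an assumption that lets the same function express claim 1 (two hosts) and claim 12 (three hosts).

```python
from collections import defaultdict
from dataclasses import dataclass

# Roles the claims enumerate as a "common service function".
SERVICE_ROLES = {"web", "database", "email", "proxy", "storage", "source_code", "pattern_update"}

# Hypothetical endpoint rules database (the antivirus step on each user computer); entries are made up.
RULES_DB = {
    "exec:C:\\Windows\\Temp\\svch0st.exe": "malicious",
    "outbound:tcp/443:updates.example.net": "benign",
}


@dataclass(frozen=True)
class Observation:
    host: str
    role: str       # one of SERVICE_ROLES, or "workstation" for an ordinary user computer
    behavior: str   # normalized activity string, e.g. "listen:tcp/8080"


def local_screen(behavior):
    """Endpoint step: 'malicious', 'benign', or None when the rules database cannot decide."""
    return RULES_DB.get(behavior)


def triage(observations, trusted_hosts, history=None, min_hosts=2):
    """Central-management step.

    Returns {behavior: (verdict, sorted hosts showing it)} for every behavior reported by a
    non-trusted host. Verdicts: 'malicious', 'benign:rules', 'benign:trusted',
    'benign:self-history', 'benign:common-service', 'alert'.
    """
    history = history or {}  # host -> behaviors that same host exhibited in earlier snapshots
    trusted_baseline = {o.behavior for o in observations if o.host in trusted_hosts}

    by_behavior = defaultdict(dict)  # behavior -> {host: role}
    for o in observations:
        if o.host not in trusted_hosts:
            by_behavior[o.behavior][o.host] = o.role

    verdicts = {}
    for behavior, hosts in by_behavior.items():
        names = sorted(hosts)
        rule = local_screen(behavior)
        if rule == "malicious":
            verdicts[behavior] = ("malicious", names)
        elif rule == "benign":
            verdicts[behavior] = ("benign:rules", names)
        elif behavior in trusted_baseline:
            # Shared with the malware-free reference host, so not treated as malware.
            verdicts[behavior] = ("benign:trusted", names)
        elif all(behavior in history.get(h, set()) for h in names):
            # Every reporting host already did this before: the host compared against itself over time.
            verdicts[behavior] = ("benign:self-history", names)
        else:
            roles = set(hosts.values())
            if len(names) >= min_hosts and len(roles) == 1 and roles <= SERVICE_ROLES:
                # Claim 1 / claim 12: same unresolved behavior on enough servers of one enumerated role.
                verdicts[behavior] = ("benign:common-service", names)
            else:
                verdicts[behavior] = ("alert", names)
    return verdicts


# Constructed sample snapshot (not real telemetry).
SAMPLE = [
    Observation("trusted-01", "workstation", "exec:C:\\Windows\\System32\\svchost.exe"),
    Observation("trusted-01", "workstation", "outbound:tcp/443:crl.example.net"),
    Observation("web-01", "web", "listen:tcp/8080"),
    Observation("web-02", "web", "listen:tcp/8080"),
    Observation("web-01", "web", "exec:C:\\Windows\\System32\\svchost.exe"),
    Observation("ws-07", "workstation", "exec:C:\\Windows\\Temp\\svch0st.exe"),
    Observation("ws-07", "workstation", "listen:tcp/4444"),
    Observation("db-01", "database", "outbound:tcp/5432:db-02"),
    Observation("ws-09", "workstation", "cron:/usr/local/bin/backup.sh"),
    Observation("ws-03", "workstation", "outbound:tcp/443:updates.example.net"),
    Observation("ws-04", "workstation", "outbound:tcp/443:updates.example.net"),
]
HISTORY = {"ws-09": {"cron:/usr/local/bin/backup.sh"}}

if __name__ == "__main__":
    for behavior, (verdict, hosts) in sorted(triage(SAMPLE, {"trusted-01"}, HISTORY).items()):
        print(f"{verdict:22} {behavior:45} {','.join(hosts)}")
```

With `min_hosts=2` the listener on the two Web servers is suppressed as a common service function while the same behavior would be alerted on if a workstation were the only host showing it; with `min_hosts=3` (the claim 12 variant) two Web servers are no longer enough and the listener is alerted on. The design choice worth noting is the trade-off in the final branch: suppressing on shared role alone means a behavior that appears on every server of one role at the same time is treated as expected, so the trusted-baseline and self-history checks, and the choice of `min_hosts`, carry the detection burden for that case.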
Specification