Methods and apparatus providing automatic signature generation and enforcement

US 9,148,442 B2
Filed: 08/12/2014
Issued: 09/29/2015
Est. Priority Date: 12/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method of providing computer security on a computer system, the method comprising:

receiving execution information associated with at least one computer system, the execution information identifying details associated with a traffic flow on the at least one computer system, the traffic flow comprising a plurality of data payloads on the at least one computer system;

identifying a set of one or more sub-strings from the plurality of data payloads on the at least one computer system;

generating a signature based on the set of one or more sub-strings from the plurality of data payloads on the at least one computer system, the signature utilized to prevent further damage caused to the at least one computer system by at least one attack.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.

6 Citations

View as Search Results

18 Claims

1. A method of providing computer security on a computer system, the method comprising:
- receiving execution information associated with at least one computer system, the execution information identifying details associated with a traffic flow on the at least one computer system, the traffic flow comprising a plurality of data payloads on the at least one computer system;
  
  identifying a set of one or more sub-strings from the plurality of data payloads on the at least one computer system;
  
  generating a signature based on the set of one or more sub-strings from the plurality of data payloads on the at least one computer system, the signature utilized to prevent further damage caused to the at least one computer system by at least one attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - utilizing at least one notifying identifier to filter data processing on the at least one computer system.
  - 3. The method of claim 1 further comprising:
    - controlling a behavior of at least one application on the at least one computer system by insertion of at least one notifying identifier in the computer system.
  - 4. The method of claim 1 wherein receiving execution information from the at least one computer system, the execution information identifying details associated with a traffic flow on the at least one computer system comprises:
    - receiving notification that at least one attack has occurred on the at least one computer system; and
      
      receiving execution information associated with the at least one attack that occurred on the at least one computer system;
      
      mapping the execution information associated with the at least one attack to at least one data entry point on the at least one computer system; and
      
      identifying that the at least one attack is specific to that at least one data entry point on the computer system.
  - 5. The method of claim 1, further comprising:
    - refining the signature by identifying common sub-strings from the plurality of data payloads.
  - 6. The method of claim 1, further comprising assigning a probability to each sub-string in the set of one or more sub-strings;
    - and associating the probability to a likelihood that a data payload associated with each sub-string in the set of one or more sub-strings is one of the group consisting of a good data payload and a bad data payload.
  - 7. The method of claim 1 comprising:
    - receiving a particular data payload on a computer system;
      
      comparing the particular data payload to the signature; and
      
      denying the particular data payload access to the computer system based on the comparison of the data payload to the signature.

8. A computerized device comprising:
- a memory;
  
  a hardware processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the hardware processor and the communications interface;
  
  wherein the memory is encoded with a signature generating application that when executed on the hardware processor is capable of providing computer security on the computerized device by performing the operations of;
  
  receiving execution information associated with at least one computer system, the execution information identifying details associated with a traffic flow on the at least one computer system, the traffic flow comprising a plurality of data payloads on the at least one computer system;
  
  identifying a set of one or more sub-strings from the plurality of data payloads on the at least one computer system;
  
  generating a signature based on the set of one or more sub-strings from the plurality of data payloads on the at least one computer system, the signature utilized to prevent further damage caused to the at least one computer system by at least one attack.
- View Dependent Claims (9, 10, 11)
- - 9. The computerized device of claim 8 wherein the signature generating application, when executed on the hardware processor, performs the operation of:
    - utilizing at least one notifying identifier to filter data processing on the computer system.
  - 10. The computerized device of claim 8 wherein the signature generating application, when executed on the hardware processor, performs the operation of:
    - refining the signature by identifying common sub-strings from the plurality of data payloads.
  - 11. The computerized device of claim 8 wherein the signature generating application, when executed on the hardware processor, performs operations of:
    - assigning a probability to each sub-string in the set of one or more sub-strings; and
      
      associating the probability to a likelihood that a data payload associated with each sub-string in the set of one or more sub-strings is one of the group consisting of a good data payload and a bad data payload.

12. A non-transitory computer readable medium encoded with computer programming logic that when executed on a process in a computerized device provides computer security, the medium comprising:
- instructions for execution information associated with at least one computer system, the execution information identifying details associated with a traffic flow on the at least one computer system, the traffic flow comprising a plurality of data payloads on the at least one computer system;
  
  instructions for identifying a set of one or more sub-strings from the plurality of data payloads on the at least one computer system; and
  
  instructions for generating a signature based on the set of one or more sub-strings from the plurality of data payloads on the at least one computer system, the signature utilized to prevent further damage caused to the at least one computer system by at least one attack.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The non-transitory computer readable medium of claim 12, the medium further comprising:
    - instructions for utilizing at least one notifying identifier to filter data processing on the at least one computer system.
  - 14. The non-transitory computer readable medium of claim 12 the medium further comprising:
    - instructions for controlling a behavior of at least one application on the at least one computer system by insertion of at least one notifying identifier in the computer system.
  - 15. The non-transitory computer readable medium of claim 12 wherein instructions for receiving execution information from the at least one computer system, the execution information identifying details associated with a traffic flow on the at least one computer system comprise instructions for:
    - receiving notification that at least one attack has occurred on the at least one computer system; and
      
      receiving execution information associated with the at least one attack that occurred on the at least one computer system;
      
      mapping the execution information associated with the at least one attack to at least one data entry point on the at least one computer system; and
      
      identifying that the at least one attack is specific to that at least one data entry point on the computer system.
  - 16. The non-transitory computer readable medium of claim 12, further comprising:
    - instructions for refining the signature by identifying common sub-strings from the plurality of data payloads.
  - 17. The non-transitory computer readable medium of claim 12, further comprising:
    - instructions for assigning a probability to each sub-string in the set of one or more; and
      
      instructions for associating the probability to a likelihood that a data payload associated with each sub-string in the set of one or more sub-strings is one of the group consisting of a good data payload and a bad data payload.
  - 18. The non-transitory computer readable medium of claim 12 comprising:
    - instructions for receiving a particular data payload on a computer system;
      
      instructions for comparing the particular data payload to the signature; and
      
      instructions for denying the particular data payload access to the computer system based on the comparison of the data payload to the signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Zawadowskiy, Andrew, Kraemer, Jeffrey A, Gladstone, Philip J. S
Primary Examiner(s)
LEE, JASON T

Application Number

US14/458,096
Publication Number

US 20140351942A1
Time in Patent Office

413 Days
Field of Search

726/13, 726/14, 726/25
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Methods and apparatus providing automatic signature generation and enforcement

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Methods and apparatus providing automatic signature generation and enforcement

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others