Security policy deployment and enforcement system for the detection and control of polymorphic and targeted malware

US 9,223,978 B2
Filed: 10/26/2012
Issued: 12/29/2015
Est. Priority Date: 10/28/2011
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malware, the system comprising:

user devices that monitor executing applications;

a security policy system that receives requests from the user devices for security policies associated with the applications, in which hashes are associated with the applications and uniquely identify each application, and sends the security policies to the user devices from which the requests originated, wherein the security policies use trust scores to represent the trustworthiness of applications and the trust scores are based in part on an absence of expected behaviors and are calculated for the hashes, the trust scores tending to lower when an application fails to display a visible window and increase based on an age of the application,wherein the user devices monitor applications requesting to open files using system dynamic-link libraries, search for hashes corresponding to filenames of the files requested by the application in caches of the user devices, upon locating hashes of the user devices, search for security policies associated with the hashes, and upon locating the security policies associated with the hashes, enforce restrictions of the security policies.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present system and method pertain to the detection of malicious software and processes such as malware. A cloud security policy system receives hashes and behavioral information about applications and/or process executing on user devices. The cloud security policy system records this information and then evaluates the trustworthiness of the hashes based on the information received from the user devices to provide a security policy for the applications and/or processes. The security policy is sent from the cloud security policy system to user devices to be applied by the user devices.

30 Citations

View as Search Results

16 Claims

1. A system for detecting malware, the system comprising:
- user devices that monitor executing applications;
  
  a security policy system that receives requests from the user devices for security policies associated with the applications, in which hashes are associated with the applications and uniquely identify each application, and sends the security policies to the user devices from which the requests originated, wherein the security policies use trust scores to represent the trustworthiness of applications and the trust scores are based in part on an absence of expected behaviors and are calculated for the hashes, the trust scores tending to lower when an application fails to display a visible window and increase based on an age of the application,wherein the user devices monitor applications requesting to open files using system dynamic-link libraries, search for hashes corresponding to filenames of the files requested by the application in caches of the user devices, upon locating hashes of the user devices, search for security policies associated with the hashes, and upon locating the security policies associated with the hashes, enforce restrictions of the security policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system according to claim 1, wherein the requests from user devices are sent to the security policy system via the Internet using TCP (the Transmission Control Protocol).
  - 3. The system according to claim 2, wherein the requests from user devices for security policies are sent to the security policy system at periodic intervals.
  - 4. The system according to claim 2, wherein the requests from user devices for security policies are sent to the security policy system in response to messages received from the security policy system.
  - 5. The system according to claim 1, wherein the hashes associated with the applications are created with SHA-256, MD5, or SHA-1 hashing functions.
  - 6. The system according to claim 1, wherein the trust scores are based on behavioral information received from the user devices.
  - 7. The system according to claim 6, wherein the behavioral information received from the user devices includes a number of companies reporting the hashes, a number of user devices reporting hashes, and ages of the hashes.
  - 8. The system according to claim 1, wherein the security policy system calculates collective trust scores based on aggregated data from at least two different user devices.
  - 9. The system according to claim 1, wherein the security policy system learns malware behaviors based on statistical variance between malware and trusted applications.
  - 10. The system according to claim 1, wherein the security policy system calculates trust scores for the user devices based on the applications executing on the user devices.
  - 11. The system according to claim 1, wherein the trust scores are increased with the number of user devices reporting on the application.
  - 12. The system according to claim 1, wherein the user devices monitor processes executing on the user devices, search for security policies associated with the processes, upon locating security policies, apply the security policies to the processes, upon failing to locate security policies on the user devices, send requests to the security policy system, and upon receiving security policies from the security policy system, apply the security policies to the processes.
  - 13. The system according to claim 12, wherein the user devices upon failing to receive security policies from the security policy system, implementing default security policies for the processes.
  - 14. The system according to claim 1, wherein the user devices intercept application program interface calls to monitor resource requests of executing processes, maintain a log of the resource requests in a database if the processes are being monitored, apply security policies to the processes if the processes are controlled by security policies, and send the log of resource requests to a security policy system.
  - 15. The system according to claim 1, wherein the absence of expected behaviors comprises a failure of an executing application to display a visible window after making an HTTP connection.
  - 16. The system according to claim 1, wherein the security policy system comprises:
    - a web services component of the security policy system that receives behavioral information about processes executing on the user devices;
      
      an analysis engine of the security policy system that determines trustworthiness for each of the processes based on the behavioral information received from each of the user devices; and
      
      a policy engine of the security policy system that provides security policies for the processes to the user devices based on the determined trustworthiness.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Original Assignee
Confer Technologies, Inc. (Broadcom, Inc.)
Inventors
Kraemer, Jeffrey Albin
Primary Examiner(s)
Ho, Dao

Application Number

US13/662,036
Publication Number

US 20130111547A1
Time in Patent Office

1,159 Days
Field of Search

726/1, 726/3
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Security policy deployment and enforcement system for the detection and control of polymorphic and targeted malware

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Security policy deployment and enforcement system for the detection and control of polymorphic and targeted malware

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others