Vulnerability detection based on aggregated primitives

US 9,231,964 B2
Filed: 04/14/2009
Issued: 01/05/2016
Est. Priority Date: 04/14/2009
Status: Active Grant

First Claim

Patent Images

1. A computer based vulnerability detection system comprising:

an interface of a computer configured to receive a plurality of network messages, each of the plurality of network messages including a network message payload;

a translation module of the computer executable by the computer to translate each of the network message payloads into one or more primitives;

an aggregation module of the computer configured to aggregate each of the network message payloads, including aggregating primitives of a first primitive data type and primitives of a second primitive data type, wherein the first primitive data type and the second primitive data type are different primitive data types, to produce aggregated primitives;

an analysis module of the computer configured to generate an analysis outputupon identifying a match between the aggregated primitives and a policy, wherein a difference between a first value in the aggregated primitives and a second value in the aggregated primitives is identified by the policy as an indication of a threat, wherein the first value is associated with a first primitive corresponding to a first network message payload and wherein the second value is associated with a second primitive corresponding to a second network message payload; and

an enforcement module configured to generate a security alert based on the analysis output.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer-readable media are disclosed for detecting vulnerabilities based on aggregated primitives. A particular method includes receiving a plurality of data transmissions. At least one of the data transmissions includes a protocol anomaly that is not indicative of a security threat. The method includes identifying a plurality of primitives associated with the data transmissions. The primitives are aggregated, and an attack condition is identified based on the aggregated primitives. A security alert is generated based on the identified attack condition.

Citations

20 Claims

1. A computer based vulnerability detection system comprising:
- an interface of a computer configured to receive a plurality of network messages, each of the plurality of network messages including a network message payload;
  
  a translation module of the computer executable by the computer to translate each of the network message payloads into one or more primitives;
  
  an aggregation module of the computer configured to aggregate each of the network message payloads, including aggregating primitives of a first primitive data type and primitives of a second primitive data type, wherein the first primitive data type and the second primitive data type are different primitive data types, to produce aggregated primitives;
  
  an analysis module of the computer configured to generate an analysis outputupon identifying a match between the aggregated primitives and a policy, wherein a difference between a first value in the aggregated primitives and a second value in the aggregated primitives is identified by the policy as an indication of a threat, wherein the first value is associated with a first primitive corresponding to a first network message payload and wherein the second value is associated with a second primitive corresponding to a second network message payload; and
  
  an enforcement module configured to generate a security alert based on the analysis output.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 20)
- - 2. The system of claim 1, wherein the first value and the second value are stored as double words, and wherein the second value being larger than the first value is identified by the policy as an indication of the threat.
  - 3. The system of claim 1, wherein the security alert is sent to an intermediary device.
  - 4. The system of claim 1, wherein the analysis module is located at or coupled to an intrusion prevention system or an intrusion detection system.
  - 5. The system of claim 1, wherein the first message payload, the second message payload, and the one or more primitives are stored at a data store, and wherein the aggregation module is further configured to retrieve the first message payload, the second message payload, and the one or more primitives from the data store.
  - 6. The system of claim 1, wherein the policy is retrieved from a policy database, wherein the policy is expressed in a meta language, and wherein the policy is a rule based policy that does not include information defining a known malware, a known security exploit, or a known vulnerable data structure.
  - 7. The system of claim 6, wherein the meta language includes an extensible markup language (XML), a binary representation, a generic application level protocol analyzer language (GAPAL), or any combination thereof.
  - 20. The system of claim 6, wherein the policy database is updatable independently from an intrusion detection system.

8. A method comprising:
- receiving a plurality of network messages including a first network message including a first payload and a second network message including a second payload, wherein the first payload includes a first protocol anomaly and the second payload includes a second protocol anomaly wherein the first protocol anomaly and the second protocol anomaly are not individually indicative of a security threat;
  
  identifying a plurality of primitives by translating the first payload and the second payload into primitives, wherein the primitives include primitives of a first primitive data type and primitives of a second primitive data type, wherein the first primitive data type and the second primitive data type are different primitive data types;
  
  aggregating the identified plurality of primitives to produce aggregated primitives, the aggregated primitives including a first primitive translated from the first protocol anomaly and a second primitive translated from the second protocol anomaly, wherein the first primitive corresponds to a first value and the second primitive corresponds to a second value, and wherein the second value being different than the first value indicates an attack condition; and
  
  generating a security alert based on the indicated attack condition.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the protocol anomalies include at least one of a data structure overflow, a missing expected data structure, an invalid data value, an improper sequence of numbers, an out of order message, a name mismatch, or any combination thereof.
  - 10. The method of claim 8, wherein the plurality of primitives includes a low-level language primitive or a high-level typed primitive.
  - 11. The method of claim 8, wherein the attack condition is identified further based on a match between the aggregated primitives and a policy, wherein the policy does not rely upon information defining a known malware, a known security exploit, or a known vulnerable data structure.
  - 12. The method of claim 8, further comprising determining an identity of a specific source of one or more of the plurality of network messages.
  - 13. The method of claim 12, wherein identifying the attack condition includes calculating a frequency of anomalous data transmissions from the specific source and determining that the frequency is greater than an allowed anomalous data transmission frequency threshold.
  - 14. The method of claim 8, wherein generating the security alert includes generating an event of an event-based alert system or generating a synchronous security notification.

15. A computer-readable storage device comprising instructions, that when executed by a computer, cause the computer to:
- receive a plurality of network message payloads, the network message payloads from anomalous data transmissions, wherein each of the anomalous data transmissions does not individually trigger a security response;
  
  translate the plurality of network message payloads into a plurality of primitives including primitives of a first primitive data type and primitives of a second primitive data type, wherein the first primitive data type and the second primitive data type are different primitive data types;
  
  aggregate the plurality of primitives;
  
  identify an attack condition based on the aggregated plurality of primitives; and
  
  trigger an action based on the identified attack condition, wherein the aggregated plurality of primitives includes a first primitive translated from a first network message payload and a second primitive translated from a second network message payload, wherein the first primitive corresponds to a first value, wherein the second primitive corresponds to a second value, and wherein the second value differing from the first value indicates malicious activity.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-readable storage device of claim 15, wherein the action occurs at an intrusion detection system associated with the computer or at an intrusion prevention system associated with the computer.
  - 17. The computer-readable storage device of claim 15, wherein the action includes a behavior change of an application at the computer.
  - 18. The computer-readable storage device of claim 15, wherein the action includes blocking subsequent data transmissions from one or more sources of the plurality of network message payloads.
  - 19. The computer-readable storage device of claim 15, wherein the first primitive is converted to a first double word corresponding to the first value and the second primitive is converted to a second double word corresponding to the second value, wherein the second value exceeding the first value indicates a security threat, and wherein each of the values individually does not indicate the security threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Cross, David B., Nice, Nir
Primary Examiner(s)
BROWN, CHRISTOPHER J

Application Number

US12/423,029
Publication Number

US 20100263049A1
Time in Patent Office

2,457 Days
Field of Search

726/22, 713/187, 713/188
US Class Current

1/1
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1416 Event detection, e.g. attac...

Vulnerability detection based on aggregated primitives

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Vulnerability detection based on aggregated primitives

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links