Methods and apparatus providing computer and network security utilizing probabilistic signature generation

US 9,286,469 B2
Filed: 08/04/2006
Issued: 03/15/2016
Est. Priority Date: 12/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method of providing computer security in a computer networking environment including at least one computer system, the method comprising:

receiving information from at least one security interceptor associated with at least one computer system, the information including identifying details associated with a traffic flow in a computer system of the computer networking environment;

wherein receiving information from at least one security interceptor associated with at least one computer system comprises receiving information from the at least one security interceptor indicating an occurrence, at a time the traffic flow was intercepted, of at least one of;

a buffer overflow, a process exception and a system configuration file modification;

wherein the details identify at least one system event that occurred on the same computer system;

determining a probability that an attack on the computer system is in progress based on attack information associated with previous attacks;

establishing a probabilistic link between the at least one system event and the probability that an attack on the computer system is in progress;

wherein the probabilistic link is a correlation between the at least one system event and one or more system events in a plurality of system events associated with previous attacks;

wherein the probability is based at least in part on one or more weights associated with the at least one system event; and

based on the information provided by the at least one security interceptor, generating a signature utilized to prevent a similar attack on the computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system receives information from at least one security interceptor associated with at least one computer system. The information identifies details associated with a traffic flow in a computer system of the computer networking environment. The system determines a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information. The probabilistic link is determined by attack information associated with previous attacks. Based on the information provided by the at least one security interceptor, the system generates a signature utilized to prevent a similar attack on the computer system.

Citations

24 Claims

1. A method of providing computer security in a computer networking environment including at least one computer system, the method comprising:
- receiving information from at least one security interceptor associated with at least one computer system, the information including identifying details associated with a traffic flow in a computer system of the computer networking environment;
  
  wherein receiving information from at least one security interceptor associated with at least one computer system comprises receiving information from the at least one security interceptor indicating an occurrence, at a time the traffic flow was intercepted, of at least one of;
  
  a buffer overflow, a process exception and a system configuration file modification;
  
  wherein the details identify at least one system event that occurred on the same computer system;
  
  determining a probability that an attack on the computer system is in progress based on attack information associated with previous attacks;
  
  establishing a probabilistic link between the at least one system event and the probability that an attack on the computer system is in progress;
  
  wherein the probabilistic link is a correlation between the at least one system event and one or more system events in a plurality of system events associated with previous attacks;
  
  wherein the probability is based at least in part on one or more weights associated with the at least one system event; and
  
  based on the information provided by the at least one security interceptor, generating a signature utilized to prevent a similar attack on the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 further comprising:
    - inserting at least one security interceptor in the computer system, the at least one security interceptor providing information associated with the computer system.
  - 3. The method of claim 1 wherein receiving information from at least one security interceptor associated with at least one computer system comprises:
    - receiving information from the at least one security interceptor monitoring at least one of;
      
      a system call;
      
      an instance of downloaded content;
      
      an instance of CPU utilization;
      
      at least one network connection;
      
      an instance of a new software program installation;
      
      an instance of a new service installation;
      
      a first time instance of an application invocation;
      
      an instance of mobile code execution;
      
      an instance of at least one root-kit detection; and
      
      an instance of memory utilization.
  - 4. The method of claim 2 further comprising:
    - using the at least one security interceptor to filter data processing in the computer system.
  - 5. The method of claim 2 further comprising:
    - controlling a behavior of at least one application on the computer system by the at least one security interceptor.
  - 6. The method of claim 1 wherein receiving information from at least one security interceptor associated with at least one computer system comprises:
    - receiving notification that the at least one event has occurred on the computer system;
      
      receiving information associated with the at least one event that occurred on the computer system;
      
      mapping the information associated with the at least one event to at least one data entry point on the computer system; and
      
      identifying that the at least one event is specific to the at least one data entry point on the computer system.
  - 7. The method of claim 6 wherein receiving information associated with the at least one event that occurred on the computer system comprises:
    - detecting the at least one event is associated with a set of events, the at least one event occurring generally at a same time as the set of events.
  - 8. The method of claim 7 wherein detecting the at least one event is associated with a set of events comprises:
    - identifying the at least one event is related to the set of events, the at least one event having a link to the set of events.
  - 9. The method of claim 7 further comprising:
    - identifying the at least one event is not related to the set of events despite having occurred generally at a same time as the set of events.
  - 10. The method of claim 7 wherein detecting the at least one event is associated with a set of events comprises:
    - observing an order of the set of events, the order including a placement of the at least one event within the order of the set of events.
  - 11. The method of claim 1 wherein determining a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information comprises:
    - associating the probability to a configurable limit, the configurable limit defining a threshold beyond which an attack is assumed to be in progress.
  - 12. The method of claim 11 wherein associating the probability to a configurable limit comprises:
    - initializing the configurable limit of the probability of an attack.
  - 13. The method of claim 11 wherein associating the probability to a configurable limit comprises:
    - defining the configurable limit of the probability of an attack as a range of configurable limits.
  - 14. The method of claim 1 wherein determining a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information comprises:
    - modifying the probability of an attack on the computer system based on the information provided by the at least one security interceptor.
  - 15. The method of claim 1 wherein based on the information provided by the at least one security interceptor, generating a signature utilized to prevent a similar attack on the computer system comprises:
    - probabilistically identifying a data packet responsible for the attack.
  - 16. The method of claim 1 wherein based on the information provided by the at least one security interceptor, generating a signature utilized to prevent a similar attack on the computer system comprises:
    - deducing a cause of the attack based on at least one tracked resource request.

17. A computer system comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface; and
  
  wherein the memory is encoded with an application providing generating a signature that, when performed on the processor, provides a process for processing information, the process causing the computer system to perform the operations of;
  
  providing an event correlation engine in communication with an application file interceptor; and
  
  wherein said event correlation engine receives information from at least one security interceptor associated with at least one computer system, the information identifying details associated with a traffic flow in a computer system of the computer networking environment;
  
  wherein receiving information from at least one security interceptor associated with at least one computer system comprises receiving information from the at least one security interceptor indicating an occurrence, at a time the traffic flow was intercepted, of at least one of;
  
  a buffer overflow, a process exception and a system configuration file modification;
  
  wherein the details identify at least one system event that occurred on the same computer system;
  
  instructions for determining a probability that an attack on the computer system is in progress based on attack information associated with previous attacks;
  
  instructions for establishing a probabilistic link between the at least one system event and the probability that an attack on the computer system is in progress;
  
  wherein the probabilistic link is a correlation between the at least one system event and one or more system events in a plurality of system events associated with previous attacks;
  
  wherein the probability is based at least in part on one or more weights associated with the at least one system event; and
  
  based on the information provided by the at least one security interceptor, instructions for generating a signature utilized to prevent a similar attack on the computer system.
- View Dependent Claims (18)
- - 18. The computer system of claim 17 wherein when the event correlation engine determines a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information, the event correlation engine correlates the probability to a configure limit.

19. A non-transitory computer readable medium encoded with computer programming logic that when executed on a process in a computerized device provides computer security, the medium comprising:
- instructions for receiving information from at least one security interceptor associated with at least one computer system, the information including identifying details associated with a traffic flow in a computer system of the computer networking environment;
  
  wherein receiving information from at least one security interceptor associated with at least one computer system comprises receiving information from the at least one security interceptor indicating an occurrence, at a time the traffic flow was intercepted, of at least one of;
  
  a buffer overflow, a process exception and a system configuration file modification;
  
  wherein the details identify at least one system event that occurred on the same computer system;
  
  instructions for determining a probability that an attack on the computer system is in progress based on attack information associated with previous attacks;
  
  instructions for establishing a probabilistic link between the at least one system event and the probability that an attack on the computer system is in progress;
  
  wherein the probabilistic link is a correlation between the at least one system event and one or more system events in a plurality of system events associated with previous attacks;
  
  wherein the probability is based at least in part on one or more weights associated with the at least one system event; and
  
  based on the information provided by the at least one security interceptor, instructions for generating a signature utilized to prevent a similar attack on the computer system.
- View Dependent Claims (23, 24)
- - 23. The non-transitory computer readable medium of claim 19 further comprising:
    - instructions for inserting an additional security interceptor in the computer system, the additional security interceptor providing information associated with the computer system.
  - 24. The non-transitory computer readable medium of claim 23 wherein instructions for receiving information from at least one security interceptor associated with at least one computer system further comprise:
    - instructions for receiving information from the at least one security interceptor monitoring at least one of;
      
      a system call, an instance of downloaded content, an instance of CPU utilization, at least one network connection, an instance of a new software program installation, an instance of a new service installation, a first time instance of an application invocation, an instance of mobile code execution, an instance of at least one root-kit detection, and an instance of memory utilization.

20. A method comprising:
- receiving a first event from a first security interceptor configured on at least one computer system to intercept a traffic flow in the at least one computer system;
  
  determining whether the first event corresponds to one of a plurality of events associated with previous attacks;
  
  in response to determining that the first event corresponds to one of a plurality of events associated with previous attacks, increasing an attack probability value based on a value associated with the first event ;
  
  determining that the same computer system is being attacked when the attack probability value exceeds an attack threshold;
  
  wherein determining that the first event corresponds to one of a plurality of events associated with previous attacks comprises receiving information from the first security interceptor indicating an occurrence, at a time the traffic flow was intercepted, of at least one of;
  
  a buffer overflow, a process exception, and a system configuration modification.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20 further comprising:
    - inserting a second security interceptor in the computer system, the second security interceptor providing information associated with the computer system.
  - 22. The method of claim 21 wherein receiving information from the first security interceptor associated with at least one computer system further comprises:
    - receiving information from the first security interceptor monitoring at least one of;
      
      a system call, an instance of downloaded content, an instance of CPU utilization, at least one network connection, an instance of a new software program installation, an instance of a new service installation, a first time instance of an application invocation, an instance of mobile code execution, an instance of at least one root-kit detection, and an instance of memory utilization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kraemer, Jeffrey A., Zawadowskiy, Andrew
Primary Examiner(s)
LANIER, BENJAMIN E

Application Number

US11/499,460
Publication Number

US 20070256127A1
Time in Patent Office

3,511 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Methods and apparatus providing computer and network security utilizing probabilistic signature generation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus providing computer and network security utilizing probabilistic signature generation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links