Methods and apparatus providing computer and network security utilizing probabilistic signature generation
First Claim
1. A method of providing computer security in a computer networking environment including at least one computer system, the method comprising:
- receiving information from at least one security interceptor associated with at least one computer system, the information including identifying details associated with a traffic flow in a computer system of the computer networking environment;
- wherein receiving information from at least one security interceptor associated with at least one computer system comprises receiving information from the at least one security interceptor indicating an occurrence, at a time the traffic flow was intercepted, of at least one of: a buffer overflow, a process exception and a system configuration file modification;
- wherein the details identify at least one system event that occurred on the same computer system;
- determining a probability that an attack on the computer system is in progress based on attack information associated with previous attacks;
- establishing a probabilistic link between the at least one system event and the probability that an attack on the computer system is in progress;
- wherein the probabilistic link is a correlation between the at least one system event and one or more system events in a plurality of system events associated with previous attacks;
- wherein the probability is based at least in part on one or more weights associated with the at least one system event; and
- based on the information provided by the at least one security interceptor, generating a signature utilized to prevent a similar attack on the computer system.
Abstract
A system receives information from at least one security interceptor associated with at least one computer system. The information identifies details associated with a traffic flow in a computer system of the computer networking environment. The system determines a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information. The probabilistic link is determined by attack information associated with previous attacks. Based on the information provided by the at least one security interceptor, the system generates a signature utilized to prevent a similar attack on the computer system.
24 Claims
17. A computer system comprising:
- a memory;
- a processor;
- a communications interface;
- an interconnection mechanism coupling the memory, the processor and the communications interface; and
- wherein the memory is encoded with an application providing generating a signature that, when performed on the processor, provides a process for processing information, the process causing the computer system to perform the operations of: providing an event correlation engine in communication with an application file interceptor; and
- wherein said event correlation engine receives information from at least one security interceptor associated with at least one computer system, the information identifying details associated with a traffic flow in a computer system of the computer networking environment;
- wherein receiving information from at least one security interceptor associated with at least one computer system comprises receiving information from the at least one security interceptor indicating an occurrence, at a time the traffic flow was intercepted, of at least one of: a buffer overflow, a process exception and a system configuration file modification;
- wherein the details identify at least one system event that occurred on the same computer system;
- instructions for determining a probability that an attack on the computer system is in progress based on attack information associated with previous attacks;
- instructions for establishing a probabilistic link between the at least one system event and the probability that an attack on the computer system is in progress;
- wherein the probabilistic link is a correlation between the at least one system event and one or more system events in a plurality of system events associated with previous attacks;
- wherein the probability is based at least in part on one or more weights associated with the at least one system event; and
- based on the information provided by the at least one security interceptor, instructions for generating a signature utilized to prevent a similar attack on the computer system.
19. A non-transitory computer readable medium encoded with computer programming logic that when executed on a process in a computerized device provides computer security, the medium comprising:
- instructions for receiving information from at least one security interceptor associated with at least one computer system, the information including identifying details associated with a traffic flow in a computer system of the computer networking environment;
- wherein receiving information from at least one security interceptor associated with at least one computer system comprises receiving information from the at least one security interceptor indicating an occurrence, at a time the traffic flow was intercepted, of at least one of: a buffer overflow, a process exception and a system configuration file modification;
- wherein the details identify at least one system event that occurred on the same computer system;
- instructions for determining a probability that an attack on the computer system is in progress based on attack information associated with previous attacks;
- instructions for establishing a probabilistic link between the at least one system event and the probability that an attack on the computer system is in progress;
- wherein the probabilistic link is a correlation between the at least one system event and one or more system events in a plurality of system events associated with previous attacks;
- wherein the probability is based at least in part on one or more weights associated with the at least one system event; and
- based on the information provided by the at least one security interceptor, instructions for generating a signature utilized to prevent a similar attack on the computer system.
20. A method comprising:
- receiving a first event from a first security interceptor configured on at least one computer system to intercept a traffic flow in the at least one computer system;
- determining whether the first event corresponds to one of a plurality of events associated with previous attacks;
- in response to determining that the first event corresponds to one of a plurality of events associated with previous attacks, increasing an attack probability value based on a value associated with the first event;
- determining that the same computer system is being attacked when the attack probability value exceeds an attack threshold;
- wherein determining that the first event corresponds to one of a plurality of events associated with previous attacks comprises receiving information from the first security interceptor indicating an occurrence, at a time the traffic flow was intercepted, of at least one of: a buffer overflow, a process exception, and a system configuration modification.
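The following is an added illustration of the correlation loop claim 20 recites, together with the signature step of claim 1; it is not code from the patent or its assignee. The event weights, the threshold, the host names, the flow fields and the noisy-OR way of raising the attack probability are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed catalogue of event types seen in previous attacks with assumed weights;
# the claims say only that weights and a threshold exist, not their values.
PRIOR_ATTACK_WEIGHTS = {"buffer_overflow": 0.6, "process_exception": 0.3,
                        "system_configuration_file_modification": 0.4}
ATTACK_THRESHOLD = 0.8

@dataclass
class InterceptorEvent:
    host: str        # computer system on which the interceptor observed the event
    event_type: str  # what occurred at the time the traffic flow was intercepted
    flow: dict       # identifying details of the intercepted traffic flow

@dataclass
class EventCorrelationEngine:
    weights: dict
    threshold: float
    probability: dict = field(default_factory=dict)  # running attack probability per host

    def receive(self, ev):
        """Claim 20: raise the host's attack probability if the event matches a prior-attack
        event; return a signature once it exceeds the threshold, otherwise None."""
        if ev.event_type not in self.weights:  # no probabilistic link to previous attacks
            return None
        p = self.probability.get(ev.host, 0.0)
        # Combine the event weight with the running value as independent evidence
        # (noisy-OR, an assumed choice that keeps the value a probability in [0, 1]).
        p = 1.0 - (1.0 - p) * (1.0 - self.weights[ev.event_type])
        self.probability[ev.host] = p
        return self.generate_signature(ev) if p > self.threshold else None

    @staticmethod
    def generate_signature(ev):
        # Claim 1: the signature is built from the flow details the interceptor supplied,
        # so the same flow can be recognised and blocked before it reaches a host again.
        return {"src_ip": ev.flow["src_ip"], "dst_port": ev.flow["dst_port"],
                "protocol": ev.flow["protocol"], "trigger": ev.event_type, "action": "block"}

def demo():
    # Feeds constructed interceptor events through the engine; returns (engine, signatures).
    engine = EventCorrelationEngine(PRIOR_ATTACK_WEIGHTS, ATTACK_THRESHOLD)
    flow = {"src_ip": "203.0.113.7", "dst_port": 8080, "protocol": "tcp"}  # constructed
    events = [InterceptorEvent("hostA", "buffer_overflow", flow),
              InterceptorEvent("hostA", "dns_lookup", flow),  # not a prior-attack event: ignored
              InterceptorEvent("hostB", "process_exception", flow),
              InterceptorEvent("hostA", "system_configuration_file_modification", flow),
              InterceptorEvent("hostA", "process_exception", flow)]
    signatures = [s for s in map(engine.receive, events) if s is not None]
    return engine, signatures
```

In the constructed run, hostA crosses the threshold only on its third matching event (0.6, then 0.76, then 0.832), so one blocking signature is emitted, while hostB stays at 0.3 and the unknown event type adds nothing.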
Specification