Security policy deployment and enforcement system for the detection and control of polymorphic and targeted malware
1. A method for providing security policies, the method comprising:
receiving behavioral information about applications executing on user devices and hashes of the processes executing on the user devices;
searching databases of known applications to identify the applications executing on the user devices;
determining trustworthiness for each of the identified applications based on the behavioral information received from each of the user devices and the hashes of the processes received from each of the user devices and calculating trust scores for the hashes of the processes; and
providing security policies for the applications to the user devices based on the determined trustworthiness;
storing information for hashes of whitelisted and blacklisted processes in a whitelist/blacklist database; and
storing summary records of the hashes of the processes in a behavioral information database; and
calculating trust scores for the hashes of the processes based on the behavioral information about the processes and any information about the hashes of the processes found in the behavioral information database and the whitelist/blacklist database.
Abstract
The present system and method pertain to the detection of malicious software and processes such as malware. A cloud security policy system receives hashes and behavioral information about applications and/or processes executing on user devices. The cloud security policy system records this information and then evaluates the trustworthiness of the hashes based on the information received from the user devices to provide a security policy for the applications and/or processes. The security policy is sent from the cloud security policy system to user devices to be applied by the user devices.
14 Claims
2. A security policy system comprising:
a web services component of the security policy system that receives behavioral information about processes executing on user devices and hashes of the processes executing on the user devices;
an analysis engine of the security policy system that determines trustworthiness for each of the processes based on the behavioral information and the hashes of the processes received from each of the user devices, the analysis engine determining trustworthiness of the processes by calculating trust scores for the hashes of the processes; and
a policy engine of the security policy system that provides security policies for the processes to the user devices based on the determined trustworthiness;
a whitelist/blacklist database that stores information for hashes of whitelisted and blacklisted processes; and
a behavioral information database that stores summary records of the hashes of the processes; and
wherein the analysis engine calculates the trust scores for the hashes of the processes based on the behavioral information about the processes and any information about the hashes of the processes found in the behavioral information database and the whitelist/blacklist database, wherein a computer is executing the web services component, the analysis engine and the policy engine.
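A compact sketch of the data flow both independent claims describe (web services ingest of device reports, an analysis engine scoring a hash from the whitelist/blacklist and behavioral databases, a policy engine turning the score into a policy), as an added Python example that is not part of the patent. The hashes, behavior names, weights and thresholds are constructed assumptions; the claims fix none of them.

```python
from dataclasses import dataclass, field

# Behaviors a device report may carry that lower trust (assumed names).
SUSPICIOUS = {"injects_into_other_process", "modifies_own_executable", "disables_security_tool"}

# Constructed whitelist/blacklist database keyed by SHA-256 hex digest (placeholder hashes).
WHITELIST_BLACKLIST_DB = {
    "aa" * 32: "whitelisted",   # placeholder hash of a known-good process
    "bb" * 32: "blacklisted",   # placeholder hash of known malware
}

@dataclass
class SummaryRecord:
    """Summary record for one hash in the behavioral information database."""
    devices: set = field(default_factory=set)
    reports: int = 0
    suspicious_events: int = 0

BEHAVIORAL_DB: dict[str, SummaryRecord] = {}

def ingest_report(device_id: str, sha256: str, behaviors: list[str]) -> SummaryRecord:
    """Web services side: fold one device's report into the hash's summary record."""
    rec = BEHAVIORAL_DB.setdefault(sha256, SummaryRecord())
    rec.devices.add(device_id)
    rec.reports += 1
    rec.suspicious_events += sum(b in SUSPICIOUS for b in behaviors)
    return rec

def trust_score(sha256: str) -> int:
    """Analysis engine: 0..100 score from both databases (weights are assumed)."""
    verdict = WHITELIST_BLACKLIST_DB.get(sha256)
    if verdict == "blacklisted":
        return 0
    if verdict == "whitelisted":
        return 100
    rec = BEHAVIORAL_DB.get(sha256, SummaryRecord())
    score = 50                                  # unknown hash starts neutral
    score += min(30, 5 * len(rec.devices))      # prevalence across the fleet raises trust
    score -= 30 * rec.suspicious_events         # each reported suspicious behavior lowers it
    return max(0, min(100, score))

def policy_for(sha256: str) -> str:
    """Policy engine: map the score onto the policy sent back to the devices."""
    score = trust_score(sha256)
    if score >= 70:
        return "allow"
    if score >= 30:
        return "monitor"
    return "block"
```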
Specification