Security policy deployment and enforcement system for the detection and control of polymorphic and targeted malware

US 9,460,285 B2
Filed: 08/12/2015
Issued: 10/04/2016
Est. Priority Date: 10/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method for providing security policies, the method comprising:

receiving behavioral information about applications executing on user devices and hashes of the processes executing on the user devices;

searching databases of known applications to identify the applications executing on the user devices;

determining trustworthiness for each of the identified applications based on the behavioral information received from each of the user devices and the hashes of the processes received from each of the user devices and calculating trust scores for the hashes of the processes; and

providing security policies for the applications to the user devices based on the determined trustworthinessstoring information for hashes of whitelisted and blacklisted processes in a whitelist/blacklist database; and

storing summary records of the hashes of the processes in a behavioral information database; and

calculating trust scores for the hashes of the processes based on the behavioral information about the processes and any information about the hashes of the processes found in the behavioral information database and the whitelist/blacklist database.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present system and method pertain to the detection of malicious software and processes such as malware. A cloud security policy system receives hashes and behavioral information about applications and/or processes executing on user devices. The cloud security policy system records this information and then evaluates the trustworthiness of the hashes based on the information received from the user devices to provide a security policy for the applications and/or processes. The security policy is sent from the cloud security policy system to user devices to be applied by the user devices.

Citations

14 Claims

1. A method for providing security policies, the method comprising:
- receiving behavioral information about applications executing on user devices and hashes of the processes executing on the user devices;
  
  searching databases of known applications to identify the applications executing on the user devices;
  
  determining trustworthiness for each of the identified applications based on the behavioral information received from each of the user devices and the hashes of the processes received from each of the user devices and calculating trust scores for the hashes of the processes; and
  
  providing security policies for the applications to the user devices based on the determined trustworthinessstoring information for hashes of whitelisted and blacklisted processes in a whitelist/blacklist database; and
  
  storing summary records of the hashes of the processes in a behavioral information database; and
  
  calculating trust scores for the hashes of the processes based on the behavioral information about the processes and any information about the hashes of the processes found in the behavioral information database and the whitelist/blacklist database.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9)
- - 3. The method of claim 1, wherein receiving behavioral information about applications executing on the user devices comprises receiving report messages including the behavioral information sent from the user devices.
  - 4. The method of claim 1, wherein receiving behavioral information about applications executing on the user devices comprises receiving request messages for the security policies sent from the user devices, the request messages including the behavioral information.
  - 5. The method of claim 1, further comprising utilizing crowdsourcing to identify the applications executing on the user devices by having one or more companies report about the applications and/or request trust scores about the applications.
  - 6. The method of claim 1, wherein determining trustworthiness for each of the identified applications based on the behavioral information received from each of the user devices comprises calculating trust scores for the applications and determining whether the applications are malicious or benign.
  - 7. The method of claim 1, further comprising determining trustworthiness for unknown applications by comparing actions of the unknown applications to actions performed by malware and trusted applications.
  - 8. The method of claim 7, further comprising providing security policies for the unknown applications to the user devices based on the determined trustworthiness.
  - 9. The method of claim 1, further comprising determining trustworthiness for unknown applications by calculating trust scores for the unknown applications.

2. A security policy system comprising:
- a web services component of the security policy system that receives behavioral information about processes executing on user devices and hashes of the processes executing on the user devices;
  
  an analysis engine of the security policy system that determines trustworthiness for each of the processes based on the behavioral information and the hashes of the processes received from each of the user devices, the analysis engine determining trustworthiness of the processes by calculating trust scores for the hashes of the processes; and
  
  a policy engine of the security policy system that provides security policies for the processes to the user devices based on the determined trustworthiness;
  
  a whitelist/blacklist database that stores information for hashes of whitelisted and blacklisted processes; and
  
  a behavioral information database that stores summary records of the hashes of the processes; and
  
  wherein the analysis engine calculates the trust scores for the hashes of the processes based on the behavioral information about the processes and any information about the hashes of the processes found in the behavioral information database and the whitelist/blacklist database,wherein a computer is executing the web services component, the analysis engine and the policy engine.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 2, wherein the behavioral information is included in report messages sent from the user devices.
  - 11. The system of claim 2, wherein the behavioral information is included in request messages for the security policies sent from the user devices.
  - 12. The system of claim 2, further comprising a reputation database that includes trust scores that the analysis engine calculates for each of the processes and stores to the reputation database.
  - 13. The system of claim 12, wherein the analysis engine calculates the trust scores to determine trustworthiness for each of the processes based on the behavioral information received from each of the user devices and based upon whether the processes are malicious or benign.
  - 14. The system of claim 2, further comprising:
    - a configuration and security policy database that stores the security policies; and
      
      a reputation database that stores hashes for the processes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Original Assignee
Confer Technologies, Inc. (Broadcom, Inc.)
Inventors
Kraemer, Jeffrey Albin
Primary Examiner(s)
HO, DAO Q

Application Number

US14/824,847
Publication Number

US 20150350237A1
Time in Patent Office

419 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Security policy deployment and enforcement system for the detection and control of polymorphic and targeted malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Security policy deployment and enforcement system for the detection and control of polymorphic and targeted malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links