Peer integrity checking system

US 9,754,130 B2
Filed: 05/02/2012
Issued: 09/05/2017
Est. Priority Date: 05/02/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating a database that contains file properties for a set of valid system files for a non-compromised operating system of a host computer;

storing the database in a distributed manner throughout a peer-to-peer (P2P) network of nodes using a distributed hash table to select the nodes of the P2P network such that the file properties contained within the database are stored to different ones of the nodes of the P2P network, wherein storing the database further comprises;

performing a plurality of different content-hash functions on each of the file properties of the system files to produce a plurality of hash values for each of the file properties;

re-hashing each of the plurality of hash values with a hash function associated with the distributed hash table to generate respective keys that map each of the plurality of hash values for each of the file properties into a key space of the distributed hash table; and

selecting nodes of the P2P network as storage nodes to store the plurality of hash values for each of the file properties based on the generated keys; and

performing, by a first node of the P2P network, an integrity check of a second node of the P2P network using the distributed hash table to access the file properties contained within the database distributed throughout the P2P network to detect whether a system file of an operating system currently executing on the second node of the P2P network has been compromised by comparing, with the first node, file properties of the system file of the operating system currently executing on the second node of the P2P network with the file properties contained within the database distributed throughout the P2P network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed file integrity checking system is described. The described peer integrity checking system (PICS) may negate an attack by storing a properties database amongst nodes of a peer-to-peer network of hosts, some or all of which co-operate to protect and watch over each other.

77 Citations

View as Search Results

13 Claims

1. A method comprising:
- generating a database that contains file properties for a set of valid system files for a non-compromised operating system of a host computer;
  
  storing the database in a distributed manner throughout a peer-to-peer (P2P) network of nodes using a distributed hash table to select the nodes of the P2P network such that the file properties contained within the database are stored to different ones of the nodes of the P2P network, wherein storing the database further comprises;
  
  performing a plurality of different content-hash functions on each of the file properties of the system files to produce a plurality of hash values for each of the file properties;
  
  re-hashing each of the plurality of hash values with a hash function associated with the distributed hash table to generate respective keys that map each of the plurality of hash values for each of the file properties into a key space of the distributed hash table; and
  
  selecting nodes of the P2P network as storage nodes to store the plurality of hash values for each of the file properties based on the generated keys; and
  
  performing, by a first node of the P2P network, an integrity check of a second node of the P2P network using the distributed hash table to access the file properties contained within the database distributed throughout the P2P network to detect whether a system file of an operating system currently executing on the second node of the P2P network has been compromised by comparing, with the first node, file properties of the system file of the operating system currently executing on the second node of the P2P network with the file properties contained within the database distributed throughout the P2P network.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein performing the integrity check comprises:
    - outputting a challenge from the first node of the P2P network to the second node of the P2P network requesting that the second node perform an integrity check on system files for an operating system currently executing on the second node;
      
      accessing, with the first node and using the distributed hash table, the database distributed throughout the P2P network to retrieve file properties from the database;
      
      comparing, by the first node, file properties of the system files of the operating system currently executing on the second node reported by the second node as a result from the integrity check to the file properties retrieved from the database distributed throughout the P2P network; and
      
      determining that the system files for the operating system currently executing on the second node have been compromised and initiating a counter-measure when one or more of the file properties reported by the second node does not match the file properties retrieved from the database.
  - 3. The method of claim 1, further comprising using the distributed hash table to store a plurality of databases to the P2P network,wherein each of the databases contains master records of properties of system files for different types of hosts computing devices, andwherein the respective file properties contained within the databases are stored to different ones of the nodes of the P2P network in accordance with the distributed hash table.
  - 4. The method of claim 3,wherein the master records contained within the databases stored to the P2P network contain master records for different versions of the same system file,the method further comprising detecting a system update, patch, or upgrade as part of a valid distribution to one of the nodes of the P2P network by accessing the database storing the master records for the one of the nodes of the P2P network, and reducing a severity-level of a corresponding alert upon confirming that a new or changed file on the one of the nodes of the P2P network is a valid part of the distribution.

5. A system comprising:
- a communications network;
  
  a plurality of peer nodes coupled by the communications network to form a peer-to-peer overlay network, wherein each of the peer nodes includes a local storage area, andwherein a first node of the P2P network comprises;
  
  a microprocessor;
  
  a distributed hash table service that applies a distributed hash table to provide a lookup service to identify locations for objects within the local storage areas of the peer nodes; and
  
  an integrity checker software executing on the microprocessor that generates a database that contains file properties for a set of valid system files for a non-compromised operating system of a host computer and stores entries of the database to the local storage area of the peer nodes in a distributed manner using the distributed hash table service such that the file properties contained within the database are stored to different ones of the nodes of the P2P network,wherein the integrity checker software performs an integrity check of a second node of the P2P network using the distributed hash table to access the file properties contained within the database distributed throughout the P2P network to detect whether a system file of an operating system currently executing on the second node of the P2P network has been compromised by comparing, with the first node, file properties of the system file of the operating system currently executing on the second node of the P2P network with the file properties contained within the database distributed throughout the P2P network,wherein the integrity checker software generates the database by performing a plurality of different content-hash functions on each of the properties of the database to produce a plurality of hash values for each of the properties,wherein the distributed hash table service further re-hashes each of the plurality of hash values with a hash function associated with the distributed hash table to generate respective keys that maps each of the plurality of hash values for each of the properties into a key space of the distributed hash table and selects peer nodes as storage nodes to store the plurality of hash values of each of the file properties based on the generated keys.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, further comprising a scheduler that periodically invokes integrity checker software to perform an integrity check using the distributed hash table.
  - 7. The system of claim 5, wherein the set of valid system files is associated with a different one of the peer nodes than the first node on which the integrity checker software executes.
  - 8. The system of claim 5, further comprising a monitoring process that outputs a challenge from the first node to the second node of the peer nodes requesting that the second node performs an integrity check on system files for an operating system currently executing on the second one of the P2P nodes,wherein the monitoring process is configured to access, with the first node and using the distributed hash table, the database distributed throughout the P2P network to retrieve file properties from the database and compare file properties of the system file of the operating system currently executing on the second node reported by the second node as a result from the integrity check to the file properties retrieved from the database distributed throughout the P2P network, andwherein the monitoring process is configured to initiate a counter-measure when one or more of the file properties reported by the second node does not match the file properties retrieved from the database.

9. A non-transitory computer-readable storage medium comprising instructions that cause a processor to:
- generate a database that contains file properties for a set of valid system files for a non-compromised operating system of a host computer;
  
  store the database to in a distributed manner throughout a peer-to-peer (P2P) network of nodes using a distributed hash table to select the nodes of the P2P network such that the file properties contained within the database are stored to different ones of the nodes of the P2P network, wherein storing the database further comprises;
  
  performing a plurality of different content-hash functions on each of the file properties of the system files to produce a plurality of hash values for each of the file properties;
  
  re-hashing each of the plurality of hash values with a hash function associated with the distributed hash table to generate respective keys that map each of the plurality of hash values for each of the file properties into a key space of the distributed hash table; and
  
  selecting nodes of the P2P network as storage nodes to store the plurality of hash values for each of the file properties based on the generated keys; and
  
  perform, with a first node of the P2P network, an integrity check of a second node of the P2P network using the distributed hash table to access the file properties contained within the database distributed throughout the P2P network to detect whether a system file of an operating system currently executing on the second node of the P2P network has been compromised by comparing, with the first node, file properties of the system file of the operating system currently executing on the second node of the P2P network with the file properties contained within the database distributed throughout the P2P network.

10. A method comprising:
- generating a database that contains file properties for a set of valid system files for a non-compromised operating system of a host computer;
  
  storing the database in a distributed manner throughout a peer-to-peer (P2P) network of nodes using a distributed hash table to select the nodes of the P2P network such that the file properties contained within the database are stored to different ones of the nodes of the P2P network; and
  
  performing, by a first node of the P2P network, an integrity check of a second node of the P2P network using the distributed hash table to access the file properties contained within the database distributed throughout the P2P network to detect whether a system file of an operating system currently executing on the second node of the P2P network has been compromised by comparing, with the first node, file properties of the system file of the operating system currently executing on the second node of the P2P network with the file properties contained within the database distributed throughout the P2P network, wherein performing the integrity check comprises;
  
  outputting a challenge from the first node of the P2P network to the second node of the P2P network requesting that the second node perform an integrity check on system files for an operating system currently executing on the second node;
  
  accessing, with the first node and using the distributed hash table, the database distributed throughout the P2P network to retrieve file properties from the database;
  
  comparing, by the first node, file properties of the system files of the operating system currently executing on the second node reported by the second node as a result from the integrity check to the file properties retrieved from the database distributed throughout the P2P network; and
  
  determining that the system files for the operating system currently executing on the second node have been compromised and initiating a counter-measure when one or more of the file properties reported by the second node does not match the file properties retrieved from the database.

11. A system comprising:
- a communications network;
  
  a plurality of peer nodes coupled by the communications network to form a peer-to-peer overlay network, wherein each of the peer nodes includes a local storage area, andwherein a first node of the P2P network comprises;
  
  a microprocessor;
  
  a distributed hash table service that applies a distributed hash table to provide a lookup service to identify locations for objects within the local storage areas of the peer nodes;
  
  an integrity checker software executing on the microprocessor that generates a database that contains file properties for a set of valid system files for a non-compromised operating system of a host computer and stores entries of the database to the local storage area of the peer nodes in a distributed manner using the distributed hash table service such that the file properties contained within the database are stored to different ones of the nodes of the P2P network,wherein the integrity checker software performs an integrity check of a second node of the P2P network using the distributed hash table to access the file properties contained within the database distributed throughout the P2P network to detect whether a system file of an operating system currently executing on the second node of the P2P network has been compromised by comparing, with the first node, file properties of the system file of the operating system currently executing on the second node of the P2P network with the file properties contained within the database distributed throughout the P2P network, wherein the integrity checker software performs the integrity check comprises;
  
  outputting a challenge from the first node of the P2P network to the second node of the P2P network requesting that the second node perform an integrity check on system files for an operating system currently executing on the second node;
  
  accessing, with the first node and using the distributed hash table, the database distributed throughout the P2P network to retrieve file properties from the database;
  
  comparing, by the first node, file properties of the system files of the operating system currently executing on the second node reported by the second node as a result from the integrity check to the file properties retrieved from the database distributed throughout the P2P network; and
  
  determining that the system files for the operating system currently executing on the second node have been compromised and initiating a counter-measure when one or more of the file properties reported by the second node does not match the file properties retrieved from the database.

12. A method comprising:
- generating a database that contains file properties for a set of valid system files for a non-compromised operating system of a host computer;
  
  storing the database in a distributed manner throughout a peer-to-peer (P2P) network of nodes using a distributed hash table to select the nodes of the P2P network such that the file properties contained within the database are stored to different ones of the nodes of the P2P network;
  
  using the distributed hash table to store a plurality of databases to the P2P network, wherein each of the databases contains master records of properties of system files for different types of hosts computing devices, wherein the respective file properties contained within the databases are stored to different ones of the nodes of the P2P network in accordance with the distributed hash table, and wherein the master records contained within the databases stored to the P2P network contain master records for different versions of the same system file;
  
  performing, by a first node of the P2P network, an integrity check of a second node of the P2P network using the distributed hash table to access the file properties contained within the database distributed throughout the P2P network to detect whether a system file of an operating system currently executing on the second node of the P2P network has been compromised by comparing, with the first node, file properties of the system file of the operating system currently executing on the second node of the P2P network with the file properties contained within the database distributed throughout the P2P network; and
  
  detecting a system update, patch, or upgrade as part of a valid distribution to one of the nodes of the P2P network by accessing the database storing the master records for the one of the nodes of the P2P network, and reducing a severity-level of a corresponding alert upon confirming that a new or changed file on the one of the nodes of the P2P network is a valid part of the distribution.

13. A system comprising:
- a communications network;
  
  a plurality of peer nodes coupled by the communications network to form a peer-to-peer overlay network, wherein each of the peer nodes includes a local storage area, andwherein a first node of the P2P network comprises;
  
  a microprocessor;
  
  a distributed hash table service that applies a distributed hash table to provide a lookup service to identify locations for objects within the local storage areas of the peer nodes and uses the distributed hash table to store a plurality of databases to the P2P network, wherein each of the databases contains master records of properties of system files for different types of hosts computing devices, wherein the respective file properties contained within the databases are stored to different ones of the nodes of the P2P network in accordance with the distributed hash table, and wherein the master records contained within the databases stored to the P2P network contain master records for different versions of the same system file; and
  
  an integrity checker software executing on the microprocessor that generates a database that contains file properties for a set of valid system files for a non-compromised operating system of a host computer and stores entries of the database to the local storage area of the peer nodes in a distributed manner using the distributed hash table service such that the file properties contained within the database are stored to different ones of the nodes of the P2P network,wherein the integrity checker software performs an integrity check of a second node of the P2P network using the distributed hash table to access the file properties contained within the database distributed throughout the P2P network to detect whether a system file of an operating system currently executing on the second node of the P2P network has been compromised by comparing, with the first node, file properties of the system file of the operating system currently executing on the second node of the P2P network with the file properties contained within the database distributed throughout the P2P network,and wherein the integrity checker software detects a system update, patch, or upgrade as part of a valid distribution to one of the nodes of the P2P network by accessing the database storing the master records for the one of the nodes of the P2P network, and reducing a severity-level of a corresponding alert upon confirming that a new or changed file on the one of the nodes of the P2P network is a valid part of the distribution.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Architecture Technology Corporation
Original Assignee
Architecture Technology Corporation
Inventors
Trent, Barry A., Mandy, Edward R.
Primary Examiner(s)
Desrosiers, Evans

Application Number

US13/462,000
Publication Number

US 20120284794A1
Time in Patent Office

1,952 Days
Field of Search

726 13, 726 22- 25, 713164, 713187-188, 713193-194, 709206, 707 9
US Class Current
CPC Class Codes

G06F 21/568   eliminating virus, restorin...

G06F 21/64   Protecting data integrity, ...

H04L 67/104   Peer-to-peer [P2P] networks

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3271   using challenge-response

Peer integrity checking system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

77 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Peer integrity checking system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others