System and method for network level protection against malicious software
First Claim

1. One or more non-transitory computer readable media that include code for execution and when executed by one or more processors causes the one or more processors to:
- populate, by a computing device, a process traffic mapping database with host event information associated with a network access attempt initiated by a process executing on a host, wherein the host event information includes process traffic information and program file information corresponding to a plurality of program files on the host, the plurality of program files mapped to the process in the host and including at least one executable file and at least one library module loaded by the process executing on the host;
- receive an inventory of program files stored on the host, wherein the inventory of program files includes identifications of new program files that have been added to the host;
- determine a respective trust status of each program file identified in the inventory;
- if a program file identified in the inventory is determined to be untrusted, obtain process traffic information corresponding to the program file from the process traffic mapping database;
- create a rule for the program file using the obtained process traffic information; and
- push the rule to a network protection device, wherein the rule is configured to allow network traffic associated with the program file to access a server subnet and to block network traffic associated with the program file from accessing a host subnet.
Abstract
A method in one example implementation includes receiving information related to a network access attempt on a first computing device with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file.
418 Citations
18 Claims
1. One or more non-transitory computer readable media that include code for execution and when executed by one or more processors causes the one or more processors to: populate, by a computing device, a process traffic mapping database with host event information associated with a network access attempt initiated by a process executing on a host, wherein the host event information includes process traffic information and program file information corresponding to a plurality of program files on the host, the plurality of program files mapped to the process in the host and including at least one executable file and at least one library module loaded by the process executing on the host; receive an inventory of program files stored on the host, wherein the inventory of program files includes identifications of new program files that have been added to the host; determine a respective trust status of each program file identified in the inventory; if a program file identified in the inventory is determined to be untrusted, obtain process traffic information corresponding to the program file from the process traffic mapping database; create a rule for the program file using the obtained process traffic information; and push the rule to a network protection device, wherein the rule is configured to allow network traffic associated with the program file to access a server subnet and to block network traffic associated with the program file from accessing a host subnet. (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)

11. An apparatus, comprising: a protection module; a memory element comprising instructions associated with the protection module; and one or more processors operable to execute the instructions to: populate a process traffic mapping database with host event information associated with a network access attempt initiated by a process executing on a host, wherein the host event information includes process traffic information and program file information corresponding to a plurality of program files on the host, the plurality of program files mapped to the process in the host and including at least one executable file and at least one library module loaded by the process executing on the host; receive an inventory of program files stored on the host, wherein the inventory of program files includes identifications of new program files that have been added to the host; determine a respective trust status of each program file identified in the inventory; if a program file identified in the inventory is determined to be untrusted, obtain process traffic information corresponding to the program file from the process traffic mapping database; create a rule for the program file using the obtained process traffic information; and push the rule to a network protection device, wherein the rule is configured to allow network traffic associated with the program file to access a server subnet and to block network traffic associated with the program file from accessing a host subnet. (Dependent claims: 12, 13, 14, 15, 16)

17. The method, comprising: populating, by a computing device, a process traffic mapping database with host event information associated with a network access attempt initiated by a process executing on a host, wherein the host event information includes process traffic information and program file information corresponding to a plurality of program files on the host, the plurality of program files mapped to the process in the host and including at least one executable file and at least one library module loaded by the process executing on the host; receiving an inventory of program files stored on the host, wherein the inventory of program files includes identifications of new program files that have been added to the host; determining a respective trust status of each program file identified in the inventory; if a program file identified in the inventory is determined to be untrusted, obtaining process traffic information corresponding to the program file from the process traffic mapping database; creating a rule for the program file using the obtained process traffic information; and pushing the rule to a network protection device, wherein the rule is configured to allow network traffic associated with the program file to access a server subnet and to block network traffic associated with the program file from accessing a host subnet. (Dependent claims: 18)
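The claimed flow, as an added illustration that is not part of the patent or any product implementing it: a process traffic mapping database is populated from a host event that maps one network access attempt to the executable and library modules of the process, an inventory is checked against a whitelist, and for each untrusted file a rule is created from the recorded traffic and pushed to a (simulated) network protection device that allows the server subnet and blocks the host subnet. The subnets, hashes, event layout and the choice to deny destinations outside both subnets are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Subnets and hashes below are constructed for this example, not taken from the patent.
SERVER_SUBNET = ipaddress.ip_network("10.0.1.0/24")
HOST_SUBNET = ipaddress.ip_network("10.0.2.0/24")

@dataclass(frozen=True)
class Rule:
    """Restriction rule for one program file: allow server subnet, block host subnet."""
    file_hash: str
    src_ip: str                      # host that ran the process, from the traffic info
    allow: ipaddress.IPv4Network
    block: ipaddress.IPv4Network

    def permits(self, dst_ip: str) -> bool:
        dst = ipaddress.ip_address(dst_ip)
        if dst in self.block:
            return False
        # Assumption: destinations outside both subnets are not permitted either.
        return dst in self.allow

class ProcessTrafficMap:
    """Process traffic mapping database keyed by program file hash."""
    def __init__(self):
        self.by_file = {}

    def populate(self, event):
        # One network access attempt is mapped to every program file of the
        # process that made it: the executable and each loaded library module.
        for file_hash in event["files"]:
            self.by_file.setdefault(file_hash, []).append(event["traffic"])

def evaluate_inventory(db, inventory, whitelist, device):
    """Create rules for untrusted inventory files and push them to the device."""
    created = []
    for file_hash in inventory:
        if file_hash in whitelist:
            continue  # trusted program file: no restriction needed
        for traffic in db.by_file.get(file_hash, []):
            rule = Rule(file_hash, traffic["src_ip"], SERVER_SUBNET, HOST_SUBNET)
            if rule not in device:       # the device is modelled as a rule list
                device.append(rule)
                created.append(rule)
    return created
```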
Specification