Identifying security properties of systems from application crash traffic

US 9,871,811 B2
Filed: 05/26/2009
Issued: 01/16/2018
Est. Priority Date: 05/26/2009
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer processing unit, the method comprising:

obtaining, from a network capture point that connects a first network to a second network, a network traffic log reflecting communications of multiple computing devices on the first network that connect to the second network through the network capture point;

distinguishing error reporting traffic in the network traffic log from other network traffic in the network traffic log using a known characteristic of the error reporting traffic, wherein the error reporting web traffic includes;

first error reporting traffic sent by a first computing device through the network capture point to an error reporting service, wherein the first error reporting traffic sent by the first computing device through the network capture point to the error reporting service reports that a first crash or problem involving a first application has occurred on the first computing device, andsecond error reporting traffic sent by a second computing device through the network capture point to the error reporting service, wherein the second error reporting traffic sent by the second computing device through the network capture point to the error reporting service reports that a second crash or problem involving a second application has occurred on the second computing device;

reviewing the first error reporting traffic to identify a first reportable error that indicates a cause of the first crash or problem;

reviewing the second error reporting traffic to identify a second reportable error that indicates a cause of the second crash or problem; and

outputting the first reportable error and the second reportable error.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Most machines in an organization'"'"'s computer network connect to the Internet and create web traffic logs which allow analysis of HTTP traffic in a simple, centralized way. The web traffic logs may contain error reports and error reports contain significant information that can be used to detect network security. By reviewing the error reports, significant information about a network and its security can be found as common sources of network security weakness may be watched for in the error reports.

Citations

22 Claims

1. A method performed by a computer processing unit, the method comprising:
- obtaining, from a network capture point that connects a first network to a second network, a network traffic log reflecting communications of multiple computing devices on the first network that connect to the second network through the network capture point;
  
  distinguishing error reporting traffic in the network traffic log from other network traffic in the network traffic log using a known characteristic of the error reporting traffic, wherein the error reporting web traffic includes;
  
  first error reporting traffic sent by a first computing device through the network capture point to an error reporting service, wherein the first error reporting traffic sent by the first computing device through the network capture point to the error reporting service reports that a first crash or problem involving a first application has occurred on the first computing device, andsecond error reporting traffic sent by a second computing device through the network capture point to the error reporting service, wherein the second error reporting traffic sent by the second computing device through the network capture point to the error reporting service reports that a second crash or problem involving a second application has occurred on the second computing device;
  
  reviewing the first error reporting traffic to identify a first reportable error that indicates a cause of the first crash or problem;
  
  reviewing the second error reporting traffic to identify a second reportable error that indicates a cause of the second crash or problem; and
  
  outputting the first reportable error and the second reportable error.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the reviewing the first error reporting traffic comprises:
    - detecting that an unauthorized application has crashed by comparing an application name in the first error reporting traffic to a list of unauthorized applications; and
      
      identifying the unauthorized application in the first reportable error.
  - 3. The method of claim 1, wherein the reviewing the first error reporting traffic comprises:
    - detecting that an individual application that has crashed is malware by determining that the first error reporting traffic comprises a particular file version number; and
      
      identifying the malware in the first reportable error.
  - 4. The method of claim 1, wherein the reviewing the first error reporting traffic comprises:
    - detecting that an individual application that has crashed is malware based at least on a file date stamp of a corresponding application that is named in the first error reporting traffic; and
      
      identifying the malware in the first reportable error.
  - 5. The method of claim 1, wherein the reviewing the first error reporting traffic comprises:
    - detecting an intrusion attempt by determining that an individual application that has crashed triggered a digital defense that is identified in the first error reporting traffic; and
      
      identifying the intrusion attempt in the first reportable error.
  - 6. The method of claim 1, wherein the reviewing the first error reporting traffic comprises:
    - detecting an exploit by determining that a crash offset in the first error reporting traffic matches a crash offset pattern used in known attack techniques; and
      
      identifying the exploit in the first reportable error.
  - 7. The method of claim 1, wherein the reviewing the first error reporting traffic comprises:
    - detecting that an individual application that has crashed is not up to date based at least on a version of the individual application included in the first error reporting traffic; and
      
      identifying the individual application in the first reportable error.
  - 8. The method of claim 1, wherein the reviewing the first error reporting traffic comprises detecting an anti-virus signature in the first error reporting traffic.
  - 9. The method of claim 1, wherein the reviewing the first error reporting traffic comprises:
    - detecting an unknown vulnerability when the first error reporting traffic indicates that an individual application that has crashed is fully patched and includes a crash offset that matches patterns used in known attack techniques; and
      
      identifying the individual application in the first reportable error.
  - 10. The method of claim 1, wherein the network traffic log comprises web traffic.

11. A computer system comprising:
- a computer processing unit; and
  
  computer executable instructions which, when executed by the computer processing unit, cause the computer processing unit to;
  
  obtain, from an access point that connects a first network to a second network, a network traffic log reflecting network communications of multiple computing devices on the first network that connect to the second network through the access point;
  
  distinguish error reporting traffic in the network traffic log from other network traffic in the network traffic log using a known characteristic of the error reporting traffic, wherein the error reporting web traffic includes;
  
  first error reporting traffic sent by a first computing device through the access point to an error reporting service, wherein the first error reporting traffic sent by the first computing device through the access point to the error reporting service reports that a first crash or problem involving a first application has occurred on the first computing device, andsecond error reporting traffic sent by a second computing device through the access point to the error reporting service, wherein the second error reporting traffic sent by the second computing device through the access point to the error reporting service reports that a second crash or problem involving a second application has occurred on the second computing device;
  
  review the first error reporting traffic to identify a first reportable error that indicates a cause of the first crash or problem;
  
  review the second error reporting traffic to identify a second reportable error that indicates a cause of the second crash or problem; and
  
  output the first reportable error and the second reportable error.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer system according to claim 11, wherein the first network is associated with an organization, the second network is the Internet, and the first error reporting traffic and the second error reporting traffic are sent through the access point to the Internet before being received by the error reporting service over the Internet.
  - 13. The computer system according to claim 11, wherein the computer executable instructions, when executed by the computer processing unit, further cause the computer processing unit to:
    - identify the first error reporting traffic and the second error reporting traffic in the network traffic log using an error description format used for error reporting to the error reporting service, wherein the first error reporting traffic and the second error reporting traffic conform to the error description format and the other network traffic in the network traffic log does not conform to the error description format.
  - 14. The computer system according to claim 11, wherein the computer executable instructions, when executed by the computer processing unit, further cause the computer processing unit to:
    - distinguish the first error reporting traffic and the second error reporting traffic from the other network traffic in the network traffic log by identifying an address of the error reporting service in the first error reporting traffic and the second error reporting traffic.
  - 15. The computer system according to claim 11, wherein the first error reporting traffic and the second error reporting traffic are destined for the error reporting service and the other network traffic is destined for destinations other than the error reporting service.
  - 16. The computer system according to claim 11, wherein the computer executable instructions, when executed by the computer processing unit, further cause the computer processing unit to:
    - analyze the first error reporting web traffic and the second error reporting traffic to determine how often crashes occur on the first network.

17. A computer storage device or memory device comprising computer executable instructions that physically configure a computer processing unit to perform acts comprising:
- obtaining, from a network device that connects a first network to a second network, a network traffic log reflecting communications of multiple computing devices on the first network that send the communications to the second network through the first network and the network device;
  
  distinguishing error reporting traffic in the network traffic log from other network traffic in the network traffic log using a known characteristic of the error reporting traffic, wherein the error reporting web traffic includes;
  
  first error reporting traffic sent by a first computing device through the network device to an error reporting service, wherein the first error reporting traffic sent by the first computing device through the network device to the error reporting service reports that a first crash or problem involving a first application has occurred on the first computing device, andsecond error reporting traffic sent by a second computing device through the network device to the error reporting service, wherein the second error reporting traffic sent by the second computing device through the network device to the error reporting service reports that a second crash or problem involving a second application has occurred on the second computing device;
  
  reviewing the first error reporting traffic to identify a first reportable error that indicates a cause of the first crash or problem;
  
  reviewing the second error reporting traffic to identify a second reportable error that indicates a cause of the second crash or problem; and
  
  outputting the first reportable error and the second reportable error.
- View Dependent Claims (18, 19, 20)
- - 18. The computer storage device or memory device of claim 17, wherein the first error reporting traffic comprises web traffic.
  - 19. The computer storage device or memory device of claim 18, wherein the outputting comprises:
    - in issuing a first alert that the first reportable error was located on the first computing device; and
      
      issuing a second alert that the second reportable error was located on the second computing device.
  - 20. The computer storage device of claim 19, wherein the first computing device, the second computing device, and the first network are associated with an organization, the second network comprises the Internet, and the network device from which the network traffic log is obtained connects the first network associated with the organization to the Internet.

21. A method performed by a computer processing unit, the method comprising:
- obtaining, from a network capture point that connects a first network to the Internet, one or more web traffic logs reflecting web communications of multiple computing devices on the first network that send the web communications to the Internet through the first network and the network capture point;
  
  distinguishing error reporting web traffic from other web traffic in the one or more web traffic logs obtained from the network capture point by evaluating the one or more web traffic logs using one or more known characteristics of the error reporting web traffic, wherein the error reporting web traffic includes;
  
  first error reporting traffic sent by a first computing device through the network capture point to an Internet error reporting service, wherein the first error reporting traffic sent by the first computing device through the network capture point to the Internet error reporting service reports that a first crash or problem involving a first application has occurred on the first computing device, andsecond error reporting traffic sent by a second computing device through the network capture point to the Internet error reporting service, wherein the second error reporting traffic sent by the second computing device through the network capture point to the Internet error reporting service reports that a second crash or problem involving a second application has occurred on the second computing device;
  
  reviewing the first error reporting traffic to identify a first reportable error that indicates a cause of the first crash or problem;
  
  reviewing the second error reporting traffic to identify a second reportable error that indicates a cause of the second crash or problem; and
  
  outputting the first reportable error and the second reportable error.
- View Dependent Claims (22)
- - 22. The method of claim 21, wherein the distinguishing the error reporting web traffic from the other web traffic in the one or more web traffic logs obtained from the network capture point comprises determining that the error reporting web traffic is destined for the error reporting service and the other web traffic is destined for Internet locations other than the error reporting service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Lambert, John Joseph, Bucher, Matthew, Canavor, Darren, Miller, Matthew Ryan
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US12/472,096
Publication Number

US 20100306847A1
Time in Patent Office

3,157 Days
Field of Search

726 22- 24, 726 3, 714 37, 714E11029, 714 38, 714 52, 714 57, 714752, 709224, 709203
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1425   Traffic logging, e.g. anoma...

Identifying security properties of systems from application crash traffic

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying security properties of systems from application crash traffic

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links