SYSTEM AND METHOD FOR IDENTIFYING MALICIOUS ACTIVITIES THROUGH NON-LOGGED-IN HOST USAGE

US 20100154061A1
Filed: 12/16/2008
Published: 06/17/2010
Est. Priority Date: 12/16/2008
Status: Abandoned Application

First Claim

Patent Images

1. A computer implemented method for identifying malware activities, implemented within a computer infrastructure, the method comprising:

receiving a data communication via a data channel;

determining a user is not interactively logged in to a host; and

identifying the data communication as a potential malware communication in response to the determining the user is not interactively logged in to the host.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for identifying malware activities, implemented within a computer infrastructure, includes receiving a data communication via a data channel and determining a user is not interactively logged in to a host. Additionally, the method includes identifying the data communication as a potential malware communication in response to the determining the user is not interactively logged in to the host.

11 Citations

View as Search Results

20 Claims

1. A computer implemented method for identifying malware activities, implemented within a computer infrastructure, the method comprising:
- receiving a data communication via a data channel;
  
  determining a user is not interactively logged in to a host; and
  
  identifying the data communication as a potential malware communication in response to the determining the user is not interactively logged in to the host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the determining the user is not interactively logged in to the host comprises determining at least one of:
    - the user is not currently logged in to the host;
      
      the host is in a screen saver mode;
      
      the host is in a keyboard-locked state; and
      
      the host is in a screen powered-down mode.
  - 3. The method of claim 1, further comprising:
    - determining the user is interactively logged in to the host; and
      
      identifying the data communication as a non-malware communication based on the determining the user is interactively logged in to the host.
  - 4. The method of claim 3, wherein the determining the user is interactively logged in to the host comprises determining:
    - the user is currently logged in to the host;
      
      the host is not in a screen saver mode;
      
      the host is not in a keyboard-locked state; and
      
      the host is not in a screen powered-down mode.
  - 5. The method of claim 1, further comprising storing the potential malware communication and an association with the data channel in a database.
  - 6. The method of claim 1, further comprising deleting at least one of the potential malware communication and an associated malware program used to at least one of create and distribute the potential malware communication.
  - 7. The method of claim 1, wherein the determining the user is not interactively logged in to the host is performed using one or more application programming interfaces (APIs).
  - 8. The method of claim 1, wherein the determining the user is not interactively logged in to the host is performed using one or more client software agents.
  - 9. The method of claim 1, wherein the data communication is one of:
    - an internet relay chat (IRC) communication;
      
      an internet messaging communication; and
      
      a hypertext transfer protocol over secure socket layer (HTTPS) communication.
  - 10. The method of claim 1, wherein a service provider at least one of creates, maintains, deploys and supports the computer infrastructure.
  - 11. The method of claim 1, wherein steps of claim 1 are provided by a service provider on a subscription, advertising, and/or fee basis.

12. A computer system for identifying malware, the system comprising:
- a storage, a memory and a central processing unit;
  
  first program instructions to receive a data communication via a data channel;
  
  second program instructions to determine a user is not interactively logged in to a host; and
  
  ;
  
  third program instructions to identify the data communication as a potential malware communication in response to the determining the user is not interactively logged in to the host,wherein the first, second and third program instructions are stored in the storage for execution by the central processing unit via the memory.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the second program instructions are operable to determine the user is not interactively logged in to the host when at least one of:
    - the user is not currently logged in to the host;
      
      the host is in a screen saver mode;
      
      the host is in a keyboard-locked state; and
      
      the host is in a screen powered-down mode.
  - 14. The system of claim 12, further comprising:
    - fourth program instructions to determining the user is interactively logged in to the host; and
      
      fifth program instructions to identify the data communication as a non-malware communication based on the determining the user is interactively logged in to the host,wherein the fourth and fifth program instructions are stored in the storage for execution by the central processing unit via the memory.
  - 15. The system of claim 14, wherein the fourth program instructions are operable to determine the user is interactively logged in to the host when:
    - the user is currently logged in to the host;
      
      the host is not in a screen saver mode;
      
      the host is not in a keyboard-locked state; and
      
      the host is not in a screen powered-down mode.
  - 16. The system of claim 12, further comprising sixth program instructions for storing the potential malware communication and an association with the data channel in a database,wherein the sixth program instructions are stored in the storage for execution by the central processing unit via the memory.
  - 17. The system of claim 12, further comprising seventh program instructions for deleting at least one of the potential malware communication and an associated malware program used to create and/or distribute the potential malware communication,wherein the seventh program instructions are stored in the storage for execution by the central processing unit via the memory.
  - 18. The system of claim 12, wherein the determining the user is not interactively logged in to the host is performed using at least one of one or more application programming interfaces (APIs) and one or more client software agents.
  - 19. The system of claim 12, wherein the data communication is one of:
    - an internet relay chat (IRC) communication;
      
      an internet messaging communication; and
      
      a hypertext transfer protocol over secure socket layer (HTTPS) communication.

20. A computer program product comprising a computer usable storage medium having readable program code embodied in the storage medium, the computer program product includes at least one component operable to:
- receive a data communication via a data channel;
  
  determine one of a user is not interactively logged in to a host and the user is interactively logged in to the host;
  
  identify the data communication as a potential malware communication in response to the determining the user is not interactively logged in to the host;
  
  identify the data communication as a non-malware communication in response to the determining the user is interactively logged in to the host, wherein;
  
  the determining the user is not interactively logged in to the host comprises determining at least one of;
  
  the user is not currently logged in to the host;
  
  the host is in a screen saver mode;
  
  the host is in a keyboard-locked state; and
  
  the host is in a screen powered-down mode, andthe determining the user is interactively logged in to the host comprises determining;
  
  the user is currently logged in to the host;
  
  the host is not in the screen saver mode;
  
  the host is not in the keyboard-locked state; and
  
  the host is not in the screen powered-down mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
OLLMANN, Gunter D.

Application Number

US12/335,824
Publication Number

US 20100154061A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/554 involving event detection a...

SYSTEM AND METHOD FOR IDENTIFYING MALICIOUS ACTIVITIES THROUGH NON-LOGGED-IN HOST USAGE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR IDENTIFYING MALICIOUS ACTIVITIES THROUGH NON-LOGGED-IN HOST USAGE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links