NON-INVASIVE WHITELISTING

US 20160088011A1
Filed: 09/24/2014
Published: 03/24/2016
Est. Priority Date: 09/24/2014
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

a storage containing an executable object; and

one or more logic elements comprising a security engine operable for;

detecting that the executable object has attempted to perform an action;

intercepting the action;

assigning a reputation to the action; and

acting on the reputation.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, there is disclosed a security architecture for enhanced, non-invasive whitelisting of executable objects. When an executable object tries to perform an action, a security engine seamlessly intercepts the action and determines whether the action is whitelisted, blacklisted, or graylisted, assigning the action a corresponding security score. Whitelisted actions may be allowed, blacklisted actions may be disallowed, and graylisted actions may require additional verification from a user. Because the score is assigned to the combination of the executable object and the action, false positives may be avoided, such as those that may occur when an executable object is prefetched but has not yet tried to perform any useful work.

Citations

25 Claims

1. A computing device comprising:
- a storage containing an executable object; and
  
  one or more logic elements comprising a security engine operable for;
  
  detecting that the executable object has attempted to perform an action;
  
  intercepting the action;
  
  assigning a reputation to the action; and
  
  acting on the reputation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computing device of claim 1, wherein acting on the reputation comprises permitting the executable object to perform the action.
  - 3. The computing device of claim 1, wherein acting on the reputation comprises blocking the executable object from performing the action.
  - 4. The computing device of claim 1, wherein acting on the reputation comprises providing a warning to a user.
  - 5. The computing device of claim 1, wherein acting on the reputation comprises receiving a user decision related to the action.
  - 6. The computing device of claim 5, wherein the reputation engine is further operable for caching the user decision.
  - 7. The computing device of claim 1, wherein assigning a reputation to the action comprises using heuristics.
  - 8. The computing device of claim 1, wherein assigning a reputation to the action comprises:
    - identifying the object'"'"'s type;
      
      calculating a checksum for the object; and
      
      extracting object attributes.
  - 9. The computing device of claim 1, wherein assigning a reputation to the action comprises consulting a threat intelligence database.
  - 10. The computing device of claim 1, wherein assigning a reputation to the action comprises detecting an input/output request packet.
  - 11. The computing device of claim 1, wherein assigning a reputation comprises providing a self-approval.
  - 12. The computing device of claim 1, wherein acting on the reputation comprises detecting and avoiding false positives.
  - 13. The computing device of claim 12, wherein detecting and avoiding false positives comprises determining that the executable object has been pre-fetched, and allowing pre-fetch actions without requesting a user decision.

14. One or more computer-readable mediums having stored thereon executable instructions operable for instructing a processor for:
- detecting that an executable object has attempted to perform an action;
  
  intercepting the action;
  
  assigning a reputation to the action; and
  
  acting on the reputation.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The one or more computer-readable mediums of claim 14, wherein acting on the reputation comprises permitting the executable object to perform the action.
  - 16. The one or more computer-readable mediums of claim 14, wherein acting on the reputation comprises blocking the executable object from performing the action.
  - 17. The one or more computer-readable mediums of claim 14, wherein acting on the reputation comprises providing a warning to a user.
  - 18. The one or more computer-readable mediums of claim 14, wherein acting on the reputation comprises receiving a user decision related to the action.
  - 19. The one or more computer-readable mediums of claim 18, wherein the instructions are further operable for instructing the processor for caching the user decision.
  - 20. The one or more computer-readable mediums of claim 14, wherein assigning a reputation to the action comprises:
    - identifying the object'"'"'s type;
      
      calculating a checksum for the object; and
      
      extracting object attributes.
  - 21. The one or more computer-readable mediums of claim 14, wherein assigning a reputation to the action comprises detecting an input/output request packet.
  - 22. The one or more computer-readable mediums of claim 14, wherein acting on the reputation comprises detecting and avoiding false positives.
  - 23. The one or more computer-readable mediums of claim 22, wherein detecting and avoiding false positives comprises determining that the executable object has been pre-fetched, and allowing pre-fetch actions without requesting a user decision.

24. A method comprising:
- detecting that an executable object has attempted to perform an action;
  
  intercepting the action;
  
  assigning a reputation to the action; and
  
  acting on the reputation.
- View Dependent Claims (25)
- - 25. The method of claim 24, wherein acting on the reputation comprises detecting and avoiding false positives.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Singh, Balbir, Johri, Amritanshu, Khurana, Jaskaran, Pandey, Ratnesh

Granted Patent

US 10,050,993 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

NON-INVASIVE WHITELISTING

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

NON-INVASIVE WHITELISTING

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links