Isolated security monitoring system

US 8,499,351 B1
Filed: 12/17/2009
Issued: 07/30/2013
Est. Priority Date: 12/17/2009
Status: Active Grant

First Claim

Patent Images

1. A computer device comprising:

an integrated processing unit, the integrated processing unit comprising;

a user system comprising a first processor and a first computer storage medium; and

an auditor system comprising;

a second processor, wherein the second processor is isolated from the first processor; and

a second computer storage medium, wherein the second computer storage medium is isolated from the first computer storage medium so that the user system is unable to access data stored on the second computer storage medium, and the second computer storage medium stores instructions that, when executed by the second processor, cause the second processor to perform operations comprising;

receiving auditing data from a remote source over a secure communication channel;

loading the auditing data in isolation from the user system, wherein the auditing data specifies signatures of unauthorized processes and the user system is restricted from influencing loading of the auditing data onto the auditor system;

monitoring processes on the user system, and determining from the auditing data that one of the processes is an unauthorized process; and

performing one or more security processes on the unauthorized process.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for security monitoring. In one aspect, a device includes an integrated processing unit, including a user system and an auditor system. The user system includes a first processor and a first computer storage medium. The auditor system includes a second processor that is isolated from the first processor and a second computer storage medium that is isolated from the first computer storage medium. The second computer storage medium stores instructions that cause the second processor to load auditing data in isolation from the user system, monitor processes on the user system, determine from the auditing data that one of the processes is an unauthorized process, and perform one or more security processes on the unauthorized process.

19 Citations

View as Search Results

27 Claims

1. A computer device comprising:
- an integrated processing unit, the integrated processing unit comprising;
  
  a user system comprising a first processor and a first computer storage medium; and
  
  an auditor system comprising;
  
  a second processor, wherein the second processor is isolated from the first processor; and
  
  a second computer storage medium, wherein the second computer storage medium is isolated from the first computer storage medium so that the user system is unable to access data stored on the second computer storage medium, and the second computer storage medium stores instructions that, when executed by the second processor, cause the second processor to perform operations comprising;
  
  receiving auditing data from a remote source over a secure communication channel;
  
  loading the auditing data in isolation from the user system, wherein the auditing data specifies signatures of unauthorized processes and the user system is restricted from influencing loading of the auditing data onto the auditor system;
  
  monitoring processes on the user system, and determining from the auditing data that one of the processes is an unauthorized process; and
  
  performing one or more security processes on the unauthorized process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The device of claim 1, wherein the second processor is physically isolated from the first processor and the second computer storage medium is physically isolated from the first computer storage medium.
  - 3. The device of claim 1, wherein determining that the process is an unauthorized process comprises determining that the first processor is executing program instructions that are not associated with a process in a process table for the user system, and wherein the process table is stored on the first computer storage medium.
  - 4. The device of claim 1, wherein the auditing data specifies a threshold time for a particular process, and determining that the process is an unauthorized process comprises determining that an actual time the user system takes to execute the particular process is longer than the threshold time.
  - 5. The device of claim 1, wherein determining that the process is an unauthorized process comprises matching stored program data for the process to a signature of at least one unauthorized process specified in the auditing data.
  - 6. The device of claim 1, wherein determining that the process is an unauthorized process comprises detecting network traffic initiated by the process, and matching patterns in the network traffic to patterns associated with unauthorized processes in the auditing data.
  - 7. The device of claim 1, wherein monitoring processes on the system include monitoring one or more of:
    - process tables, physical memory allocations, virtual memory allocations, kernel code, process code, disk drives, cache data, or BIOS data stored on the first computer storage medium.
  - 8. The device of claim 1, wherein performing one or more security processes on the unauthorized process comprises terminating the unauthorized process.
  - 9. The device of claim 8, wherein terminating the unauthorized process comprises:
    - determining an appropriate command using an application programming interface for an operating system on the user system, wherein the command instructs the operating system to terminate the unauthorized process; and
      
      sending the command to the operating system.
  - 10. The device of claim 8, wherein terminating the unauthorized process comprises modifying, by the second processor, data stored in a process table on the first computer storage device to remove the unauthorized process from the process table.
  - 11. The device of claim 8, wherein terminating the unauthorized process comprises storing in the user system, by the second processor, data identifying a region of the first computer storage medium used by the unauthorized process, the data indicating that instructions stored in the region of the first computer storage device should not be executed by the first processor.
  - 12. The device of claim 11, wherein the data is stored in one or more registers in the user system, wherein the registers are read-write registers for the auditor system and are read-only registers for the user system.
  - 13. The device of claim 1, wherein performing one or more security processes comprises halting execution of the first processor.

14. A computer-implemented method, comprising:
- loading auditing data onto an auditor system, wherein the auditing data is received from a remote source over a secure communication channel and specifies signatures of unauthorized processes, and wherein the auditor system includes an auditor processor and an auditor computer storage medium;
  
  monitoring, with the auditor system, processes on a user system, and determining from the auditing data that one of the processes is an unauthorized process, wherein the user system includes a user processor and a user computer storage medium, the auditor processor is isolated from the user processor, and the auditor computer storage medium is isolated from the user computer storage medium, wherein the user system is restricted from influencing loading of the auditing data onto the auditor system; and
  
  performing, with the auditor system one or more security processes on the unauthorized process.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 15. The method of claim 14, wherein the auditor processor is physically isolated from the user processor and the auditor computer storage medium is physically isolated from the user computer storage medium.
  - 16. The method of claim 14, wherein determining that the process is an unauthorized process comprises determining that the user processor is executing program instructions that are not associated with a process in a process table for the user system, and wherein the process table is stored on the user computer storage medium.
  - 17. The method of claim 14, wherein the auditing data specifies a threshold time for a particular process, and determining that the process is an unauthorized process comprises determining that an actual time the user system takes to execute the particular process is longer than the threshold time.
  - 18. The method of claim 14, wherein determining that the process is an unauthorized process comprises matching stored program data for the process to a signature of at least one unauthorized process specified in the auditing data.
  - 19. The method of claim 14, wherein determining that the process is an unauthorized process comprises detecting network traffic initiated by the process, and matching patterns in the network traffic to patterns associated with unauthorized processes in the auditing data.
  - 20. The method of claim 14, wherein monitoring processes on the system include monitoring one or more of:
    - process tables, physical memory allocations, virtual memory allocations, kernel code, process code, disk drives, cache data, or BIOS data stored on the user computer storage device.
  - 21. The method of claim 14, wherein performing one or more security processes on the unauthorized process comprises terminating the unauthorized process.
  - 22. The method of claim 21, wherein terminating the unauthorized process comprises:
    - determining an appropriate command using an application programming interface for an operating system on the user system, wherein the command instructs the operating system to terminate the unauthorized process; and
      
      sending the command to the operating system.
  - 23. The method of claim 21, wherein terminating the unauthorized process comprises modifying, by the auditor processor, data stored in a process table on the user computer storage device to remove the unauthorized process from the process table.
  - 24. The method of claim 21, wherein terminating the unauthorized process comprises storing in the user system, by the second processor, data identifying a region of the user computer storage device used by the unauthorized process, the data indicating that instructions stored in the region of the user computer storage device should not be executed by the first processor.
  - 25. The method of claim 24, wherein the data is stored in one or more registers in the user system, wherein the registers are read-write registers for the auditor system and are read-only registers for the user system.
  - 26. The method of claim 14, wherein performing one or more security processes comprises halting execution of the first processor.
  - 27. The method of claim 14, wherein the method further comprises mutually authenticating the remote source with the auditor system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Fredericksen, Robin Eric
Primary Examiner(s)
ARMOUCHE, HADI S

Application Number

US12/641,092
Time in Patent Office

1,321 Days
Field of Search

726 22- 27, 717127-128, 709223-225, 714 10- 11
US Class Current

726/24
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

Isolated security monitoring system

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Isolated security monitoring system

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links