System and method for protecting cloud services from unauthorized access and malware attacks

US 8,819,774 B2
Filed: 02/01/2014
Issued: 08/26/2014
Est. Priority Date: 12/25/2012
Status: Active Grant

First Claim

Patent Images

1. A method for processing queries from a user device by a server, comprising:

receiving, by the server, one or more queries from a security software of the user device directed to one or more cloud services provided by the server, wherein the security software is configured to follow different procedures for contacting one or more different cloud services;

analyzing the one or more queries received from the security software to determine whether the security software followed a correct procedure for contacting the one or more services, including determining a time difference between two consecutive queries of a cloud service by the security software, and, when the time difference is shorter than a predefined time period, determining that the user device did not comply with the correct procedure;

based on the determination of whether the security software followed a correct or incorrect procedure for contacting the server, determining whether to update or not update a level of trust associated with the user device;

determining, based on the level of trust, how to process the one or more queries; and

providing different responses to the one or more queries from the security software based on the determination of how to process the one or more queries.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems, methods and computer program products for protecting cloud security services from unauthorized access and malware attacks. In one example, a cloud server receives one or more queries from security software of the user device. The server analyzes a system state and configuration of the user device to determine the level of trust associated with the user device. The server also analyzes the one or more queries received from the security software to determine whether to update the level of trust associated with the user device. The server determines, based on the level of trust, how to process the one or more queries. Finally, the server provides responses to the one or more queries from the security software based on the determination of how to process the one or more queries.

39 Citations

View as Search Results

20 Claims

1. A method for processing queries from a user device by a server, comprising:
- receiving, by the server, one or more queries from a security software of the user device directed to one or more cloud services provided by the server, wherein the security software is configured to follow different procedures for contacting one or more different cloud services;
  
  analyzing the one or more queries received from the security software to determine whether the security software followed a correct procedure for contacting the one or more services, including determining a time difference between two consecutive queries of a cloud service by the security software, and, when the time difference is shorter than a predefined time period, determining that the user device did not comply with the correct procedure;
  
  based on the determination of whether the security software followed a correct or incorrect procedure for contacting the server, determining whether to update or not update a level of trust associated with the user device;
  
  determining, based on the level of trust, how to process the one or more queries; and
  
  providing different responses to the one or more queries from the security software based on the determination of how to process the one or more queries.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising analyzing a system state and configuration information of the user device to determine the level of trust associated with the user device, the analyzing including checking for one or more of:
    - execution of various OS processes and services on the user device;
      
      periodic rebooting or updating of the OS of the user device;
      
      installation, execution or deletion of programs on the user device;
      
      Internet browsing activity on the user device;
      
      installations and updates of the security software of the user device;
      
      keystrokes, mouse clicks and mouse movements on the user device; and
      
      movements of a user via a webcam of the user device.
  - 3. The method of claim 1, wherein analyzing the one or more queries received from the security software further includes checking for changes in the state and configuration of the user device in a predefined time period since the last system state and configuration analysis of the user device to determine whether to update or not the level of trust of the user device.
  - 4. The method of claim 1, wherein analyzing the one or more queries received from the security further includes checking for changes in the location of the user device in a predefined time period to determine whether to update or not the level of trust of the user device.
  - 5. The method of claim 1, wherein analyzing the one or more queries received from the security software further includes:
    - assigning a unique identifier to the user device with security software deployed thereon;
      
      checking whether a query from the security software includes an encrypted unique identifier associated with the user device and a hash sum of the data contained in the query;
      
      decrypting the unique identifier and verifying that the decrypted unique identifier is associated with the user device from which the query was received;
      
      computing a hash sum of the data contained in the received query and comparing the computed hash sum of the received data with the hash sum included in the received query to determine whether the data contained in the query was modified; and
      
      determining based on the results of the verification of the unique identifier and comparison of the hash sums whether to update or not the level of trust of the user device.
  - 6. The method of claim 1, wherein determining, based on the level of trust, how to process the one or more queries includes performing one or more of:
    - rejecting one or more queries from the security software;
      
      processing the data contained in a query using a file reputation service and sending a response with the results of file reputation analysis to the security software;
      
      processing the data contained in a query using a whitelist service and sending a response with the results of whitelist analysis to the security software;
      
      processing the data contained in a query using a statistics service and sending a response with the results of statistics analysis to the security software;
      
      processing the data contained in a query using an anti-spam service and sending a response with the results of anti-spam analysis to the security software; and
      
      providing an update to the security software of the user device.
  - 7. The method of claim 1, wherein the correct procedure includes contacting different services in a specific order.

8. A system for processing queries from a user device by a server, the system comprising:
- a hardware processor configured to;
  
  receive one or more queries from a security software of the user device directed to one or more cloud services provided by the server, wherein the security software is configured to follow different procedures for contacting one or more different cloud services;
  
  analyze the one or more queries received from the security software to determine whether the security software followed a correct procedure for contacting the one or more services, including determining a time difference between two consecutive queries of a cloud service by the security software, and, when the time difference is shorter than a predefined time period, determining that the user device did not comply with the correct procedure;
  
  based on the determination of whether the security software followed a correct or incorrect procedure for contacting the server, determine whether to update or not update a level of trust associated with the user device;
  
  determine, based on the level of trust, how to process the one or more queries; and
  
  provide different responses to the one or more queries from the security software based on the determination of how to process the one or more queries.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the hardware processor is further configured to analyze a system state and configuration information of the user device to determine the level of trust associated with the user device, the processor further configured to check for one or more of:
    - execution of various OS processes and services on the user device;
      
      periodic rebooting or updating of the OS of the user device;
      
      installation, execution or deletion of programs on the user device;
      
      Internet browsing activity on the user device;
      
      installations and updates of the security software of the user device;
      
      keystrokes, mouse clicks and mouse movements on the user device; and
      
      movements of a user via a webcam of the user device.
  - 10. The system of claim 8, wherein to analyze the one or more queries received from the security software, the processor further configured to check for changes in the state and configuration of the user device in a predefined time period since the last system state and configuration analysis of the user device to determine whether to update or not the level of trust of the user device.
  - 11. The system of claim 8, to analyze the one or more queries received from the security software, the processor further configured to check for changes in the location of the user device in a predefined time period to determine whether to update or not the level of trust of the user device.
  - 12. The system of claim 8, to analyze the one or more queries received from the security, the processor further configured to:
    - assign a unique identifier to the user device with security software deployed thereon;
      
      check whether a query from the security software includes an encrypted unique identifier associated with the user device and a hash sum of the data contained in the query;
      
      decrypt the unique identifier and verify that the decrypted unique identifier is associated with the user device from which the query was received;
      
      compute a hash sum of the data contained in the received query and compare the computed hash sum of the received data with the hash sum included in the received query to determine whether the data contained in the query was modified; and
      
      determine based on the results of the verification of the unique identifier and comparison of the hash sums whether to update or not the level of trust of the user device.
  - 13. The system of claim 8, wherein to determine, based on the level of trust, how to process the one or more queries, the processor configured to performing one or more of:
    - reject one or more queries from the security software;
      
      process the data contained in a query using a file reputation service and send a response with the results of file reputation analysis to the security software;
      
      process the data contained in a query using a whitelist service and send a response with the results of whitelist analysis to the security software;
      
      process the data contained in a query using a statistics service and send a response with the results of statistics analysis to the security software;
      
      process the data contained in a query using an anti-spam service and send a response with the results of anti-spam analysis to the security software; and
      
      provide an update to the security software of the user device.
  - 14. The system of claim 8, wherein the correct procedure includes contacting different services in a specific order.

15. A computer program product embodied in a non-transitory computer-readable storage medium, the computer program product comprising computer-executable instructions for processing queries from a user device by a server, including instructions for:
- receiving, by the server, one or more queries from a security software of the user device directed to one or more cloud services provided by the server, wherein the security software is configured to follow different procedures for contacting one or more different cloud services;
  
  analyzing the one or more queries received from the security software to determine whether the security software followed a correct procedure for contacting the one or more services, including determining a time difference between two consecutive queries of a cloud service by the security software, and, when the time difference is shorter than a predefined time period determining that the user device did not comply with the correct procedure;
  
  based on the determination of whether the security software followed a correct or incorrect procedure for contacting the server, determining whether to update or not update a level of trust associated with the user device;
  
  determining, based on the level of trust, how to process the one or more queries; and
  
  providing different responses to the one or more queries from the security software based on the determination of how to process the one or more queries.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, further comprising instructions for analyzing a system state and configuration information of the user device to determine the level of trust associated with the user device, the instructions for analyzing include instructions for checking for one or more of:
    - execution of various OS processes and services on the user device;
      
      periodic rebooting or updating of the OS of the user device;
      
      installation, execution or deletion of programs on the user device;
      
      Internet browsing activity on the user device;
      
      installations and updates of the security software of the user device;
      
      keystrokes, mouse clicks and mouse movements on the user device; and
      
      movements of a user via a webcam of the user device.
  - 17. The computer program product of claim 15, wherein instructions for analyzing the one or more queries received from the security software further include instructions for checking for changes in the state and configuration of the user device in a predefined time period since the last system state and configuration analysis of the user device to determine whether to update or not the level of trust of the user device.
  - 18. The computer program product of claim 15, wherein instructions for analyzing the one or more queries received from the security software further include instructions for checking for changes in the location of the user device in a predefined time period to determine whether to update or not the level of trust of the user device.
  - 19. The computer program product of claim 15, wherein instructions for determining, based on the level of trust, how to process the one or more queries, include instructions for one or more of:
    - rejecting one or more queries from the security software;
      
      processing the data contained in a query using a file reputation service and sending a response with the results of file reputation analysis to the security software;
      
      processing the data contained in a query using a whitelist service and sending a response with the results of whitelist analysis to the security software;
      
      processing the data contained in a query using a statistics service and sending a response with the results of statistics analysis to the security software;
      
      processing the data contained in a query using an anti-spam service and sending a response with the results of anti-spam analysis to the security software; and
      
      providing an update to the security software of the user device.
  - 20. The computer program product of claim 15, wherein the correct procedure includes contacting different services in a specific order.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Kononov, Eldar M., Lapushkin, Anton S., Efremov, Andrey A.
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US14/170,592
Publication Number

US 20140181530A1
Time in Patent Office

206 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 16/122   using management policies b...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

System and method for protecting cloud services from unauthorized access and malware attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for protecting cloud services from unauthorized access and malware attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links