System, method, and computer program product for dynamically adjusting a level of security applied to a system

US 8,955,121 B2
Filed: 12/05/2013
Issued: 02/10/2015
Est. Priority Date: 04/29/2008
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine readable medium on which are stored instructions comprising instructions that when executed by a programmable device, cause the programmable device to:

determine, utilizing a first level of monitoring of the programmable device, an absence of an activity on the programmable device associated with an increased vulnerability of a programmable device to malware; and

dynamically adjust to a second level of monitoring of the programmable device responsive to the determination,wherein the second level of monitoring monitors fewer types of accesses performed by the activity than the first level of monitoring.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for dynamically adjusting a level of security applied to a system. In use, predetermined activity that is at least potentially associated with unwanted activity is identified on a system. Further, a level of security applied to the system is dynamically adjusted, in response to the identification of the predetermined activity.

45 Citations

20 Claims

1. A non-transitory machine readable medium on which are stored instructions comprising instructions that when executed by a programmable device, cause the programmable device to:
- determine, utilizing a first level of monitoring of the programmable device, an absence of an activity on the programmable device associated with an increased vulnerability of a programmable device to malware; and
  
  dynamically adjust to a second level of monitoring of the programmable device responsive to the determination,wherein the second level of monitoring monitors fewer types of accesses performed by the activity than the first level of monitoring.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The machine readable medium of claim 1, wherein the instructions further comprise instructions that when executed cause the programmable device to:
    - dynamically adjust from a first level of scanning for the malware to a second level of scanning for the malware responsive to an identification of the activity,wherein the first level of scanning and the second level of scanning scan different subsets of a memory local to the programmable device.
  - 3. The machine readable medium of claim 1, wherein the instructions further comprise instructions that when executed cause the programmable device to:
    - identify a suspect activity on the device that is predetermined to be associated with an increased vulnerability of the device to unwanted data, the suspect activity identified utilizing the second level of monitoring;
      
      dynamically adjust to a third level of monitoring of the device in response to the identification of the suspect activity, wherein the third level of monitoring of the device comprises monitoring for one or more additional types of accesses performed by the suspect activity;
      
      determine an absence of the suspect activity on the device, wherein the absence is determined utilizing the third level of monitoring of the device; and
      
      dynamically adjust to the second level of monitoring of the device in response to the determination of the absence of the suspect activity.
  - 4. The machine readable medium of claim 3, wherein the instructions that when executed cause the programmable device to identify the suspect activity comprise instructions that when executed cause the programmable device to identify a process connecting to an external network.
  - 5. The machine readable medium of claim 3, wherein the instructions that when executed cause the programmable device to identify the suspect activity comprise instructions that when executed cause the programmable device to identify a loading of an executable excluded from a predefined list of known non-malicious executables.
  - 6. The machine readable medium of claim 3, wherein the instructions that when executed cause the programmable device to identify the suspect activity comprise instructions that when executed cause the programmable device to identify an attempt to access a website excluded from a predefined list of known non-malicious websites.
  - 7. The machine readable medium of claim 3, wherein the instructions that when executed cause the programmable device to identify the suspect activity comprise instructions that when executed cause the programmable device to identify a change of privileges by a process.
  - 8. The machine readable medium of claim 3, wherein the instructions that when executed cause the programmable device to utilize the second level of scanning comprise instructions that when executed cause the programmable device to scan at least a portion of data associated with the suspect activity for the malware.
  - 9. The machine readable medium of claim 1, wherein the first level of monitoring and the second level of monitoring comprise instructions that when executed cause the programmable device to monitor input and output operations of the device utilizing filter drivers.
  - 10. The machine readable medium of claim 1, wherein the first level of monitoring and the second level of monitoring comprise instructions that when executed cause the programmable device to implement host environment callbacks functions.
  - 11. The machine readable medium of claim 1, wherein the first level of monitoring and the second level of monitoring comprise instructions that when executed cause the programmable device to redirect an interface invocation to a monitoring callback function utilizing a hook.
  - 12. The machine readable medium of claim 1, wherein the instructions that when executed cause the programmable device to dynamically adjust to the second level of monitoring comprise instructions that when executed cause the programmable device to adjust to the second level of monitoring based on a behavioral analysis of the activity and a history of collected events of a predetermined type.

13. A method, comprising:
- determining, utilizing a first level of monitoring of a programmable device, an absence of an activity on the programmable device associated with an increased vulnerability of a programmable device to malware; and
  
  adjusting dynamically to a second level of monitoring of the programmable device responsive to the determination,wherein the second level of monitoring monitors fewer types of accesses performed by the activity than the first level of monitoring.
- View Dependent Claims (14)
- - 14. The method of claim 13, further comprising:
    - identifying a suspect activity on the programmable device that is predetermined to be associated with an increased vulnerability of the device to malware, the suspect activity identified utilizing the second level of monitoring;
      
      dynamically adjusting to a third level of monitoring of the programmable device in response to the identification of the suspect activity, wherein the third level of monitoring of the programmable device comprises monitoring for one or more additional types of accesses performed by the suspect activity;
      
      determining an absence of the suspect activity on the programmable device, wherein the absence is determined utilizing the third level of monitoring of the programmable device; and
      
      dynamically adjusting to the second level of monitoring of the programmable device in response to the determination of the absence of the suspect activity.

15. A programmable device, comprising:
- a memory; and
  
  a processing device operatively communicatively coupled to the memory,wherein instructions are stored in the memory, comprising instructions that when executed cause the processing device to;
  
  determine, utilizing a first level of monitoring of the programmable device, an absence of an activity on the programmable device associated with an increased vulnerability of a programmable device to malware; and
  
  dynamically adjust to a second level of monitoring of the programmable device responsive to the determination,wherein the second level of monitoring monitors fewer types of accesses performed by the activity than the first level of monitoring.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The programmable device of claim 15, further comprising:
    - a network connection communicatively coupled to the memory and configured to receive data from a network.
  - 17. The programmable device of claim 15, further comprising:
    - a user interface adapter communicatively coupled to the memory and configured to receive input from a user.
  - 18. The programmable device of claim 15, wherein the instructions further comprise instructions that when executed cause the programmable device to:
    - dynamically adjust from a first level of scanning for the malware to a second level of scanning for the malware responsive to an identification of the activity,wherein the first level of scanning and the second level of scanning scan different subsets of the memory.
  - 19. The programmable device of claim 15, wherein the instructions further comprise instructions that when executed cause the programmable device to:
    - identify a suspect activity on the programmable device that is predetermined to be associated with an increased vulnerability of the programmable to malware, the suspect activity identified utilizing the second level of monitoring;
      
      dynamically adjust from the second level of monitoring to a third level of monitoring of the programmable device in response to the identification of the suspect activity, wherein the third level of monitoring of the device comprises monitoring for one or more additional types of accesses performed by the suspect activity;
      
      determine an absence of the suspect activity on the programmable device, wherein the absence is determined utilizing the third level of monitoring of the device; and
      
      dynamically adjust from the third level of monitoring to the second level of monitoring of the device in response to the determination of the absence of the suspect activity.
  - 20. The programmable device of claim 19, wherein the instructions that when executed cause the programmable device to identify the suspect activity comprise instructions that when executed cause the programmable device to identify a process connecting to an external network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Dalcher, Gregory W.
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US14/098,274
Publication Number

US 20140096252A1
Time in Patent Office

432 Days
Field of Search

726 22- 25, 713187-188
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

System, method, and computer program product for dynamically adjusting a level of security applied to a system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for dynamically adjusting a level of security applied to a system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links