Method, system and computer program product for detecting at least one of security threats and undesirable computer files

US 9,055,093 B2
Filed: 12/18/2008
Issued: 06/09/2015
Est. Priority Date: 10/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting security threats in a computer network, the method comprising:

receiving a data stream which represents outbound, HTTP messages from a first computer application to at least one second computer application wherein the computer applications are implemented on one or more computers;

specifying one or more legitimate applications;

establishing a behavioral profile whitelist for the one or more legitimate applications, the behavioral profile whitelist having entries containing metadata, the entries describing at least one expected possible characteristic of legitimate messages that may be sent by the one or more legitimate applications, the at least one expected possible characteristic including an expected possible content characteristic, the expected possible content characteristic being determined by processing a message to extract a plurality of message fields, matching each field against patterns specified by the whitelist entries, and indicating the presence of fields that do not match a whitelist entry;

monitoring the data stream to detect a security threat based on the HTTP messages exhibiting behavior not characterized by the expected possible content characteristic in the behavioral profile whitelist; and

generating a signal if a security threat is detected;

wherein the metadata contains alert filters that specify sets of alerts to match;

wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application that sent a given HTTP message; and

wherein the whitelist comprises a mapping from the metadata to legitimate applications.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method, system and computer program product for detecting at least one of security threats and undesirable computer files are provided. A first method includes receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process. The computer processes are implemented on one or more computers. The method further includes monitoring the data stream to detect a security threat based on a whitelist having entries which contain metadata. The whitelist describes legitimate application layer messages based on a set of heuristics. The method still further includes generating a signal if a security threat is detected. A second method includes comparing a set of computer files with a whitelist which characterizes all legitimate computer files. The whitelist contains one or more entries. Each of the entries describe a plurality of legitimate computer files.

101 Citations

View as Search Results

32 Claims

1. A method of detecting security threats in a computer network, the method comprising:
- receiving a data stream which represents outbound, HTTP messages from a first computer application to at least one second computer application wherein the computer applications are implemented on one or more computers;
  
  specifying one or more legitimate applications;
  
  establishing a behavioral profile whitelist for the one or more legitimate applications, the behavioral profile whitelist having entries containing metadata, the entries describing at least one expected possible characteristic of legitimate messages that may be sent by the one or more legitimate applications, the at least one expected possible characteristic including an expected possible content characteristic, the expected possible content characteristic being determined by processing a message to extract a plurality of message fields, matching each field against patterns specified by the whitelist entries, and indicating the presence of fields that do not match a whitelist entry;
  
  monitoring the data stream to detect a security threat based on the HTTP messages exhibiting behavior not characterized by the expected possible content characteristic in the behavioral profile whitelist; and
  
  generating a signal if a security threat is detected;
  
  wherein the metadata contains alert filters that specify sets of alerts to match;
  
  wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application that sent a given HTTP message; and
  
  wherein the whitelist comprises a mapping from the metadata to legitimate applications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method as claimed in claim 1 further comprising generating and adding new metadata to the whitelist.
  - 3. The method as claimed in claim 1, wherein the computer applications are implemented inside the network.
  - 4. The method as claimed in claim 1, wherein at least one of the second computer applications is implemented outside of the network.
  - 5. The method as claimed in claim 1, and wherein the whitelist entries associate the alerts with particular applications and wherein all of the entries for a particular application comprise an application profile for the particular application and wherein each application profile comprises one or more alert filters.
  - 6. The method as claimed in claim 1, wherein one of the alerts is a formatting alert.
  - 7. The method as claimed in claim 6, wherein the formatting alert is an unknown user agent alert.
  - 8. The method as claimed in claim 6, wherein the formatting alert is an unknown header field alert.
  - 9. The method as claimed in claim 6, wherein the formatting alert is a bad header format alert.
  - 10. The method as claimed in claim 1, wherein one of the alerts is a timing alert.
  - 11. The method as claimed in claim 10, wherein the timing alert is a delay time alert.
  - 12. The method as claimed in claim 10, wherein the timing alert is a regularity alert.
  - 13. The method as claimed in claim 10, wherein the timing alert is a time of day alert.
  - 14. The method as claimed in claim 1, wherein one of the alerts is a bandwidth alert.
  - 15. The method as claimed in claim 1, wherein the at least one expected possible characteristic includes at least one of an expected possible timing characteristic, an expected possible volume characteristic, and an expected possible destination characteristic.

16. A system for detecting security threats in a computer network, the system comprising:
- a processor operable to execute computer program instructions;
  
  a memory operable to store computer program instructions accessible by the processor; and
  
  computer program instructions stored in the memory to perform the steps of;
  
  receiving a data stream which represents outbound, HTTP messages from a first computer application to at least one second computer application wherein the computer applications are implemented on one or more computers;
  
  specifying one or more legitimate applications;
  
  establishing a behavioral profile whitelist for the one or more legitimate applications, the behavioral profile whitelist having entries containing metadata, the entries describing at least one expected possible characteristic of legitimate messages that may be sent by the one or more legitimate applications, the at least one expected possible characteristic including an expected possible content characteristic, the expected possible content characteristic being determined by processing a message to extract a plurality of message fields, matching each field against patterns specified by the whitelist entries, and indicating the presence of fields that do not match a whitelist entry;
  
  monitoring the data stream to detect a security threat based on the HTTP messages exhibiting behavior not characterized by the expected possible content characteristic in the behavioral profile whitelist; and
  
  generating a signal if a security threat is detected;
  
  wherein the metadata contains alert filters that specify sets of alerts to match;
  
  wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application that sent a given HTTP message; and
  
  wherein the whitelist comprises a mapping from the metadata to legitimate applications.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The system as claimed in claim 16, wherein the computer program instructions include instructions which perform the steps of generating and adding new metadata to the whitelist.
  - 18. The system as claimed in claim 16, wherein the computer applications are implemented inside the network.
  - 19. The system as claimed in claim 16, wherein at least one of the second computer applications is implemented outside of the network.
  - 20. The system as claimed in claim 16, and wherein the whitelist entries which associate the alerts with particular applications and wherein all of the entries for a particular application comprise an application profile for the particular application and wherein each application profile comprises one or more alert filters.
  - 21. The system as claimed in claim 16, wherein one of the alerts is a formatting alert.
  - 22. The system as claimed in claim 21, wherein the formatting alert is an unknown user agent alert.
  - 23. The system as claimed in claim 21, wherein the formatting alert is an unknown header field alert.
  - 24. The system as claimed in claim 21, wherein the formatting alert is a bad header format alert.
  - 25. The system as claimed in claim 16, wherein one of the alerts is a timing alert.
  - 26. The system as claimed in claim 25, wherein the timing alert is a delay time alert.
  - 27. The system as claimed in claim 25, wherein the timing alert is a regularity alert.
  - 28. The system as claimed in claim 25, wherein the timing alert is a time of day alert.
  - 29. The system as claimed in claim 16, wherein one of the alerts is a bandwidth alert.
  - 30. The system as claimed in claim 16, wherein the at least one expected possible characteristic includes at least one of an expected possible timing characteristic, an expected possible volume characteristic, and an expected possible destination characteristic.

31. A computer program product for detecting security threats in a computer network, the product comprising:
- a computer readable non-transitory tangible medium; and
  
  computer program instructions recorded on the medium and executable by a processor for performing the steps of;
  
  receiving a data stream which represents outbound, HTTP messages from a first computer application to at least one second computer application wherein the computer applications are implemented on one or more computers;
  
  specifying one or more legitimate applications;
  
  establishing a behavioral profile whitelist for the one or more legitimate applications, the behavioral profile whitelist having entries containing metadata, the entries describing at least one expected possible characteristic of legitimate messages that may be sent by the one or more legitimate applications, the at least one expected possible characteristic including an expected possible content characteristic, the expected possible content characteristic being determined by processing a message to extract a plurality of message fields, matching each field against patterns specified by the whitelist entries, and indicating the presence of fields that do not match a whitelist entry;
  
  monitoring the data stream to detect a security threat based on the HTTP messages exhibiting behavior not characterized by the expected possible content characteristic in the behavioral profile whitelist; and
  
  generating a signal if a security threat is detected;
  
  wherein the metadata contains alert filters that specify sets of alerts to match;
  
  wherein each whitelist entry includes a matching section which specifies which alert the entry matches and an action which associates alerts that match the entry with a particular application that sent a given HTTP message; and
  
  wherein the whitelist comprises a mapping from the metadata to legitimate applications.
- View Dependent Claims (32)
- - 32. The computer program product as claimed in claim 31, wherein the at least one expected possible characteristic includes at least one of an expected possible timing characteristic, an expected possible volume characteristic, and an expected possible destination characteristic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
David R. Syrowik
Original Assignee
David R. Syrowik
Inventors
Borders, Kevin R.
Primary Examiner(s)
Poltorak, Peter

Application Number

US12/317,056
Publication Number

US 20090158430A1
Time in Patent Office

2,364 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

Method, system and computer program product for detecting at least one of security threats and undesirable computer files

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method, system and computer program product for detecting at least one of security threats and undesirable computer files

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links