System and method for network level protection against malicious software

US 9,832,227 B2
Filed: 01/19/2015
Issued: 11/28/2017
Est. Priority Date: 07/28/2010
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer readable media that include code for execution and when executed by one or more processors causes the one or more processors to:

populate, by a computing device, a process traffic mapping database with host event information associated with a network access attempt initiated by a process executing on a host, wherein the host event information includes process traffic information and program file information corresponding to a plurality of program files on the host, the plurality of program files mapped to the process in the host and including at least one executable file and at least one library module loaded by the process executing on the host;

receive an inventory of program files stored on the host, wherein the inventory of program files includes identifications of new program files that have been added to the host;

determine a respective trust status of each program file identified in the inventory;

if a program file identified in the inventory is determined to be untrusted, obtain process traffic information corresponding to the program file from the process traffic mapping database;

create a rule for the program file using the obtained process traffic information; and

push the rule to a network protection device, wherein the rule is configured to allow network traffic associated with the program file to access a server subnet and to block network traffic associated with the program file from accessing a host subnet.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes receiving information related to a network access attempt on a first computing device with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file.

418 Citations

18 Claims

1. One or more non-transitory computer readable media that include code for execution and when executed by one or more processors causes the one or more processors to:
- populate, by a computing device, a process traffic mapping database with host event information associated with a network access attempt initiated by a process executing on a host, wherein the host event information includes process traffic information and program file information corresponding to a plurality of program files on the host, the plurality of program files mapped to the process in the host and including at least one executable file and at least one library module loaded by the process executing on the host;
  
  receive an inventory of program files stored on the host, wherein the inventory of program files includes identifications of new program files that have been added to the host;
  
  determine a respective trust status of each program file identified in the inventory;
  
  if a program file identified in the inventory is determined to be untrusted, obtain process traffic information corresponding to the program file from the process traffic mapping database;
  
  create a rule for the program file using the obtained process traffic information; and
  
  push the rule to a network protection device, wherein the rule is configured to allow network traffic associated with the program file to access a server subnet and to block network traffic associated with the program file from accessing a host subnet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The one or more non-transitory computer readable media of claim 1, wherein the inventory is received at predetermined intervals of time.
  - 3. The one or more non-transitory computer readable media of claim 1, wherein the trust status is determined based, at least in part, on one or more whitelists.
  - 4. The one or more non-transitory computer readable media of claim 1, wherein the trust status is determined based, at least in part, on one or more blacklists.
  - 5. The one or more non-transitory computer readable media of claim 1, wherein the trust status is determined based, at least in part, on one or more state changes of the program file.
  - 6. The one or more non-transitory computer readable media of claim 1, wherein the inventory includes identifications of any changed program files on the host.
  - 7. The one or more non-transitory computer readable media of claim 1, wherein the rule includes at least one of restricting network traffic associated with the program file and logging information related to network traffic associated with the program file.
  - 8. The one or more non-transitory computer readable media of claim 1, wherein the code for execution, when executed by the one or more processors, causes the one or more processors to:
    - receive the host event information at the computing device from the host.
  - 9. The one or more non-transitory computer readable media of claim 1, wherein the process traffic information comprises a source address and a destination port number of the network access attempt.
  - 10. The one or more non-transitory computer readable media of claim 1, wherein a process traffic mapping element of the host is queried to determine the plurality of program files mapped to the process in the process traffic mapping element of the host.

11. An apparatus, comprising:
- a protection module;
  
  a memory element comprising instructions associated with the protection module; and
  
  one or more processors operable to execute the instructions to;
  
  populate a process traffic mapping database with host event information associated with a network access attempt initiated by a process executing on a host, wherein the host event information includes process traffic information and program file information corresponding to a plurality of program files on the host, the plurality of program files mapped to the process in the host and including at least one executable file and at least one library module loaded by the process executing on the host;
  
  receive an inventory of program files stored on the host, wherein the inventory of program files includes identifications of new program files that have been added to the host;
  
  determine a respective trust status of each program file identified in the inventory;
  
  if a program file identified in the inventory is determined to be untrusted, obtain process traffic information corresponding to the program file from the process traffic mapping database;
  
  create a rule for the program file using the obtained process traffic information; and
  
  push the rule to a network protection device, wherein the rule is configured to allow network traffic associated with the program file to access a server subnet and to block network traffic associated with the program file from accessing a host subnet.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, wherein the inventory is received at predetermined intervals of time.
  - 13. The apparatus of claim 11, wherein the trust status is determined based on at least one of:
    - one or more whitelists;
      
      one or more blacklists; and
      
      one or more state changes of the program file.
  - 14. The apparatus of claim 11, wherein the inventory includes identifications of any changed program files on the host.
  - 15. The apparatus of claim 11, wherein the one or more processors are operable to execute the instructions to:
    - receive the host event information from the host.
  - 16. The apparatus of claim 15, wherein the process traffic information comprises a source address and a destination port number of the network access attempt, and wherein the process traffic information is mapped to program file information corresponding to the program file in the process traffic mapping database.

17. The method, comprising:
- populating, by a computing device, a process traffic mapping database with host event information associated with a network access attempt initiated by a process executing on a host, wherein the host event information includes process traffic information and program file information corresponding to a plurality of program files on the host, the plurality of program files mapped to the process in the host and including at least one executable file and at least one library module loaded by the process executing on the host;
  
  receiving an inventory of program files stored on the host, wherein the inventory of program files includes identifications of new program files that have been added to the host;
  
  determining a respective trust status of each program file identified in the inventory;
  
  if a program file identified in the inventory is determined to be untrusted, obtaining process traffic information corresponding to the program file from the process traffic mapping database;
  
  creating a rule for the program file using the obtained process traffic information; and
  
  pushing the rule to a network protection device, wherein the rule is configured to allow network traffic associated with the program file to access a server subnet and to block network traffic associated with the program file from accessing a host subnet.
- View Dependent Claims (18)
- - 18. The method of claim 17, further comprising:
    - receiving the host event information at the computing device at the host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Bhargava, Rishi, Reese, Jr., David P.
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
Johnson, Carlton

Application Number

US14/599,811
Publication Number

US 20150200968A1
Time in Patent Office

1,044 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/02   for separating internal fro...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

System and method for network level protection against malicious software

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

418 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for network level protection against malicious software

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

418 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links