System and method of enforcing executable code identity verification over the network
View original
IPC classification information
Country / type
United States (US) Patent
Registered
International Patent Classification (IPC, 7th edition)
H04L-009/00
H04L-009/32
Application number
US-0329873
(2002-12-26)
Inventor / address
Dozortsev, D'mitri
Agent / address
Gifford, Krass, Groh, Sprinkle, Anderson &
Citation information
Cited by: 81
Cited patents: 14
Abstract
A method and system for identity verification of executable code includes a central computer that is in communication with a computer network. The central computer includes a database that is adapted to store and analyze a plurality of executable code signatures, including signatures of malicious code, of legitimate code, of code whose identity is being investigated, and of code that has not yet been received for investigation. The client computer has monitoring software that is adapted to monitor potentially dangerous events, such as an attempt to send or receive data over the network, receipt of an e-mail, creation of a new process and the like. Any executable code on the client's computer in the current system is assumed to be potentially dangerous unless its identity and intent have been determined. In operation, unique signatures that relate to potentially dangerous executable codes are received by the central computer. Upon receipt, the unique signatures are compared with the plurality of executable code signatures in the database. Any executable code whose signature is not already in the database is forwarded to the central computer for investigation. Once a determination is made regarding the status of the unique executable code (i.e., whether it is legitimate or malicious), the central computer transmits a command regarding the disposition of the respective executable code.
Representative claims
1. A process for monitoring and analyzing executable computer code comprising the steps of: providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through a computer network, said central computer having a database comprising a plurality of executable code identity signatures; detecting an event on a client computer by said monitoring application; identifying an executable code associated with an event; creating a unique signature of a said executable code with said monitoring application on said client computer; receiving in said central computer said unique signature; comparing said unique signature with said plurality of executable code identity signatures in said database; forwarding to said central computer for investigation said executable code when said unique signature is absent from plurality of executable code identity signatures; investigating the identity and intent of said executable code if said executable code is unknown; and transmitting from the said central computer to said client computer at least one item selected from the group consisting of: a message and a command to the monitoring application on a said client computer to perform a respective action.
2. The process of claim 1, wherein said computer network comprises a wide area network.
3. The process of claim 1, wherein said computer network comprises a local area network.
4. The process of claim 1, further comprising a client computer in communication with said central computer through said computer network.
5. The process of claim 1, wherein central computer receives for an investigation a file containing said executable code or participating in generation of said executable code.
6. The process of claim 1 wherein said monitoring application is adapted to identify said executable code in a stream of data being received/sent over the network.
7. The process of claim 1 wherein said monitoring application is also a firewall.
8. The process of claim 1 wherein said monitoring application is also an antivirus.
9. The process of claim 1, wherein said executable code is disabled during investigation.
10. The process of claim 1, wherein said executable code is allowed to operate during investigation.
11. The process of claim 9 wherein the user of the client computer overrides the disablement of said executable code.
12. The process of claim 1 further comprising the step of storing within said database usage history data of said client computer.
13. The process of claim 12 wherein usage history data comprises signatures of executable code previously found on said client computer and previously verified signatures.
14. The process of claim 1 wherein said message transmitted is a warning when said unique signature matches a dangerous member of said plurality of executable code identity signatures.
15. The process of claim 1, further comprising the step of adding said unique signature to said plurality of executable code identity signatures.
16. The process of claim 1, wherein each signature of said plurality of executable code signatures in said database is comprised of: signatures related to legitimate executable code, signatures related to malicious executable code, signatures related to potentially dangerous executable code, signatures related to executable codes identities and intent of which are being investigated and signatures relating to mass mailing executable code.
17. The process of claim 1 wherein a second executable code is active in said event.
18. The process of claim 1 wherein a said respective action is termination of the process corresponding to the said event.
19. The process of claim 1 wherein a said respective action is a termination of a thread.
20. The process of claim 1 wherein a respective action is removing said executable code active with said event.
21. The process of claim 1 wherein investigation of said executable code comprises the step of analyzing said executable code with a presumed manufacturer protocol.
22. A process for monitoring and analyzing executable computer code comprising the steps of: providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures; detecting an event on a client computer by said monitoring application; identifying an executable code associated with an event; creating a unique signature of a said executable code with said monitoring application on said client computer; receiving in said central computer said unique signature; comparing said unique signature with said plurality of executable code identity signatures in said database; forwarding to said central computer for investigation said executable code when said unique signature is absent from plurality of executable code identity signatures; transmitting from the said central computer to said client computer at least one item selected from the group consisting of: a message, a command to the monitoring application on said client computer to perform a respective action, and usage history data of said client computer prior to the working session, wherein said usage history data is stored in a local database; and storing within said database usage history data of said client computer, wherein said client computer receives from the central computer said usage history data prior to the working session and said usage history data is stored in a local database.
23. The process of claim 22, wherein said local database is preferably stored in random access memory.
24. The process of claim 22 wherein said unique signature of said executable code is compared to said usage history data in the said local database.
25. The process of claim 24 wherein a match between said unique signature and a datum within said usage history data precludes forwarding of said unique signature to said central computer.
26. The process of claim 22 further comprising the step of comparing of a status of usage history data signature within said local database is with a central database status for said usage history data signature.
27. The process of claim 26 wherein said central database status controls relative to said status of usage history data signature within said local database.
28. The process of claim 26 wherein said status of usage history data signature within said local database controls relative to said central database status.
29. A process for monitoring and analyzing executable computer code comprising the steps of: providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures; detecting an event on a client computer by said monitoring application; identifying both an executable code and a second executable code associated with an event; creating a unique signature of at least one of said executable code and said second executable code with said monitoring application on said client computer; receiving in said central computer said unique signature; comparing said unique signature with said plurality of executable code identity signatures in said database; forwarding to said central computer for investigation at least one of said executable code and said second executable code when said unique signature is absent from plurality of executable code identity signatures; and transmitting from the said central computer to said client computer at least one item selected from the group consisting of: a message and a command to the monitoring application on a said client computer to perform a respective action; wherein a second executable code is active in said event; and wherein said executable code and second executable code are simultaneously identified.
30. A process for monitoring and analyzing computer executable code comprising the steps of: providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures; detecting an event on a client computer by said monitoring application; identifying an executable code associated with an event; creating a unique signature of a said executable code with said monitoring application on said client computer; receiving in said central computer a unique signature associated with an executable code; comparing said unique signature with said plurality of executable code signatures in said database; matching said unique signature to a malicious executable computer file signature from said plurality of file signatures; and transmitting a message and command to monitoring application regarding said executable code.
31. The process of claim 30, wherein said computer network comprises a wide area network.
32. The process of claim 30, wherein said computer network comprises a local area network.
33. The process of claim 30, further comprising a client computer in communication with said central computer through said computer network.
34. The process of claim 30, wherein said client computer further comprises a monitoring application, said monitoring application being adapted to identify executable code within a data stream received over the network.
35. The process of claim 30 further comprising the step of noticing a second client computer having a usage history datum within said database corresponding to said suspect signature matched said malicious executable computer code signature.
36. The system of claim 30 wherein each signature of said plurality of identity signatures in said database is selected from a group consisting of: signatures related to legitimate executable code, signatures related to malicious executable code, signatures related to potentially dangerous executable code, and signatures relating to mass mailing executable code.
37. A process for monitoring and analyzing an executable code comprising the steps of: providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures; providing a client computer in communication with said central computer through said computer network; detecting an event on a client computer by said monitoring application; identifying an executable code associated with an event; creating a unique signature of a said executable code with said monitoring application on said client computer; receiving in said server a unique signature transmitted from said client computer; investigating said unique signature to determine if it is related to a malicious executable computer code; and transmitting from said central computer a message and a respective command concerning said unique signature to said client computer.
38. The process of claim 37, wherein said computer network comprises a wide area network.
39. The process of claim 37, wherein said computer network comprises a local area network.
40. The process of claim 37, further comprising a client computer in communication with said central computer through said computer network.
41. The process of claim 37, wherein said client computer further comprises a monitoring application, said monitoring application being adapted to identify and forward to the central computer a file containing said executable code or participating in creating said executable code.
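The client/central exchange described in the abstract and the local usage-history cache of claims 22 to 28, as an added Python model that is not part of the patent or any product built on it. It assumes SHA-256 as the "unique signature" (the patent names no algorithm), the status categories of claim 16, and a fixed status-to-command mapping; the sample executables are constructed byte strings.

```python
import hashlib
from enum import Enum

class Status(Enum):            # signature categories named in claim 16
    LEGITIMATE = "legitimate"
    MALICIOUS = "malicious"
    POTENTIALLY_DANGEROUS = "potentially dangerous"
    UNDER_INVESTIGATION = "under investigation"
    MASS_MAILING = "mass mailing"

# Command returned to the monitoring application for each status (claims 9, 14, 18).
COMMAND = {Status.LEGITIMATE: "allow", Status.POTENTIALLY_DANGEROUS: "warn",
           Status.UNDER_INVESTIGATION: "disable", Status.MALICIOUS: "terminate",
           Status.MASS_MAILING: "terminate"}

def signature(code: bytes) -> str:
    # The patent names no hash algorithm; SHA-256 is this example's assumption.
    return hashlib.sha256(code).hexdigest()

class CentralComputer:
    def __init__(self, known):
        self.db = dict(known)    # signature -> Status
        self.queue = []          # executables forwarded for investigation (claim 5)
    def lookup(self, sig, code):
        if sig not in self.db:   # unknown: record it and queue the code (claim 15)
            self.db[sig] = Status.UNDER_INVESTIGATION
            self.queue.append(code)
        return self.db[sig], COMMAND[self.db[sig]]
    def resolve(self, sig, status):   # outcome of the investigation
        self.db[sig] = status

class ClientMonitor:
    def __init__(self, central, usage_history):
        self.central = central
        self.local_db = dict(usage_history)   # usage history loaded before the session (claim 22)
    def on_event(self, event, code):
        sig = signature(code)
        if sig in self.local_db:              # local match precludes forwarding (claim 25)
            status = self.local_db[sig]
        else:
            status, _ = self.central.lookup(sig, code)
            self.local_db[sig] = status
        return event, status, COMMAND[status]
    def sync(self):   # refresh cached statuses; the central status controls (claim 27)
        for sig in self.local_db:
            self.local_db[sig] = self.central.db.get(sig, self.local_db[sig])
        return dict(self.local_db)
# Constructed sample "executables" standing in for real binaries.
KNOWN_GOOD = b"MZ\x90\x00 trusted-updater"
UNKNOWN = b"MZ\x90\x00 never-seen-before"
```

The model also shows the failure mode the claim 25 shortcut creates: once a signature is cached locally, a later central reclassification is not seen until the client re-syncs.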
Patents cited by this patent (14)
Arnold William C. (Mahopac NY) Chess David M. (Mohegan Lake NY) Kephart Jeffrey O. (Yorktown Heights NY) White Steven R. (New York NY), Automatic immune system for computers and computer networks.
Susaki Seiichi,JPX ; Umeki Hisashi,JPX ; Umezawa Katsuyuki,JPX ; Miyazaki Seiji,JPX ; Matsunaga Kazuo,JPX ; Kitagawa Makoto,JPX, Client-server system for controlling access rights to certain services by a user of a client terminal.
Jackowski Steven J. ; Thomas Christopher N., Client-side application-classifier gathering network-traffic statistics and application and user names using extensible-service provider plugin for policy-based network control.
Thomas Christopher N. ; Jackowski Steven J. ; Brock Keven J., Ordering of multiple plugin applications using extensible layered service provider with network traffic filtering.
Chess, David Michael; Kephart, Jeffrey Owen; Morar, John Frederick; Pring, Edward John; White, Steve Richard, System and method for managing files in a distributed system using filtering.
Byrnes, Sean N.; Vanrenen, Gabriel; Scholnick, Dan, Delivering a customized service to a mobile device by parsing metadata to create a device signature.
Obrecht, Mark Eric; Alagna, Michael Anthony; Payne, Charles Andrew, Method and apparatus for detecting malicious code in an information handling system.
Alagna, Michael Tony; Obrecht, Mark; Payne, Andy; Norwood, Peter, Method, computer software, and system for providing end to end security protection of an online transaction.
Obrecht, Mark E.; Myers, Robert P.; Hartmann, Alfred C.; Alagna, Nick F.; Pyle, Kevin N.; Sullivan, Scott D.; Little, Michael W., Monitoring computer process resource usage.
Polyakov, Alexey A.; Martynenko, Vladislav V.; Slobodyanuk, Yuri G.; Nazarov, Denis A.; Pavlyushchik, Mikhail A., System and method for detection of complex malware.