USOO9104864B2

(12) United States Patent (10) Patent No.: US 9,104,864 B2

Penton et al. (45) Date of Patent: Aug. 11, 2015
(54) THREAT DETECTION THROUGH THE (56) References Cited
ACCUMULATED DETECTION OF THREAT
CHARACTERISTICS U.S. PATENT DOCUMENTS
6,973,577 B1 12/2005 Kouznetsov
(71) Applicant: Sophos Limited, Abingdon Oxfordshire 8,201,257 B1 * 6/2012 Andres et al. ................... 726/25
2004/0243829 A1 12/2004 Jordan
(GB) 2010, 0169973 A1 7/2010 Kim et al.
2011/0173699 A1* 7/2011 Figlin et al. ..................... T26/23
(72) Inventors: Clifford Penton, Abingdon (GB); Irene 2012/0030767 A1* 2/2012 Rippert et al. .................. 726/25
2012/0192279 A1* 7, 2012 Muttik et al. ................... T26/24
Michlin, Bucks (GB)
FOREIGN PATENT DOCUMENTS
(73) Assignee: Sophos Limited, Abingdon Oxfordshire
(GB) EP 1708114 10, 2006
OTHER PUBLICATIONS
(*) Notice: Subject to any disclaimer, the term of this
patent is extended or adjusted under 35 “UK Application No. 1303928.4, Search and Examination Report
U.S.C. 154(b) by 0 days. dated Sep. 30, 2013', 7 pages.
United Kingdom Patent Office, “UK Application No. 1303928.4.
Office Action dated May 8, 2015”. 4 pages.
(21) Appl. No.: 13/658,977
* cited by examiner
(22) Filed: Oct. 24, 2012 Primary Examiner — Harunur Rashid
(65) Prior Publication Data
Assistant Examiner — Angela Holmes
(74) Attorney, Agent, or Firm — Strategic Patents, P.C.
US 2014/O115703 A1 Apr. 24, 2014
(57) ABSTRACT
(51) Int. Cl. Embodiments of the present disclosure provide for improved
G06F2L/00 (2013.01) capabilities in the detection of malware, where malware
G06F 2/55 (2013.01) threats are detected through the accumulated identification of
GO6F 2 1/56 (2013.01) threat characteristics for targeted computer objects. Methods
HO4L 29/06 (2006.01)
and systems include dynamic threat detection providing a
GO6F 21/60 (2013.01)
first database that correlates a plurality of threat characteris
tics to a threat, wherein a presence of the plurality of the threat
(52) U.S. Cl. characteristics confirms a presence of the threat; detecting a
CPC ............ G06F2I/554 (2013.01); G06F2 1/563 change event in a computer run-time process; testing the
(2013.01); G06F 21/606 (2013.01); H04L 63/12 change event for a presence of one or more of the plurality of
(2013.01); H04L 63/1425 (2013.01) characteristics upon detection of the change event, storing a
(58) Field of Classification Search detection of one of the plurality of characteristics in a second
database that accumulates detected characteristics for the
CPC. H04L 63/1425; H04L 63/12: G06F 21/563: computer run-time process; and identifying the threat when
GO6F 21 F606
each one of the plurality of characteristics appears in the
USPC ................. 726/22–25; 709/223 225: 714/39; second database.
370/254, 252, 241
See application file for complete search history. 10 Claims, 3 Drawing Sheets

A METHOD OF DYNAMIC THREAT DETECTION ) r?

PROWINGAFIRST)AABASEAT CORRELATESA - 304

PLYRALIY or THREACHARACRISTICSOATHREAT,
WHereIMAPRESENCE or the PLYRALITY or the ThreAT
204 CHARACTERISTICS ConrSAPRESenicer The REAT

CCNPTING DETECING ACHANGEEWEN INACOMPUERRUN-TIME - 308

EiE PROCESS

ESING THE CHAMGE WENT FORAPRESENCE of ONE OR / 30

NOR F THE PLURALITY OF CHARACRISTICS FON
ECTION CHCHANGWEN

STORING ADETECTION OF ONE OF THE PLURALITY OF Ir'

CHARACERSTICS INASCON AABASE THAT
ACCUMULASECTE) CARACTERISTICSORTH
COMPUTERRUM-IME PROCSS
228 V
7 ? 34
THREAT NTIFYINETHREAT WHEN EA8HON OF TH
sis - PLURALITY OF CHARACTERISTICS
AABASE
APPEARS IN THE SECOND
U.S. Patent Aug. 11, 2015 Sheet 2 of 3 US 9,104,864 B2

ZOZ 2
U.S. Patent Aug. 11, 2015 Sheet 3 of 3 US 9,104,864 B2

Z09

//
 US 9,104,864 B2
1. 2
THREAT DETECTION THROUGH THE preferred embodiment and the drawings. All documents men
ACCUMULATED DETECTION OF THREAT tioned herein are hereby incorporated in their entirety by
CHARACTERISTICS reference.

BACKGROUND 5 BRIEF DESCRIPTION OF THE FIGURES

1. Field The invention and the following detailed description of

The present invention is related to malware threat detection certain embodiments thereofmay be understood by reference
in a computer system. to the following figures:
2. Description of the Related Art 10 FIG. 1 depicts a block diagram of a threat management
facility
Current methods and systems for the detection of malware ity of threats. providing protection to an enterprise against a plural
in a computer system (e.g. the detection Software viruses) FIG. 2 depicts a block diagram of a method and system for
generally employ signature-based detection through systems detection
that search the computer software for data patterns that have 15 istics. of threats through accumulation of threat character
previously been identified with malicious software. However, FIG. 3 depicts a flow diagram for detection of threats
since the number of known malicious data patterns can be through accumulation of threat characteristics.
very large, searching a computer system for all known mali While the invention has been described in connection with
cious data patterns can impair the computer's performance. certain preferred embodiments, other embodiments would be
Therefore there is need for methods and systems that are able 20 understood by one of ordinary skill in the art and are encom
to identify evidence of malware in a computer system without passed herein.
the need to search all possible malicious data patterns for all All documents referenced herein are hereby incorporated
possible threats each time a computer system is scanned for by reference.
malware.
25 DETAILED DESCRIPTION
SUMMARY
FIG. 1 depicts a block diagram of a threat management
This disclosure describes methods and systems for search facility providing protection to an enterprise against a plural
ing computer Software for malware through the accumulated ity of threats. An aspect of the present invention relates to
identification of threat characteristics for targeted computer 30 corporate policy management and implementation through a
objects (e.g. run-time processes) that allows for the dynamic unified threat management facility 100. As will be explained
detection of complex threats in a way that scales with the in more detail below, a threat management facility 100 may be
number of threat descriptions and the number of system used to protect computer assets from many threats, both com
objects tracked. puter-generated threats and user-generated threats. The threat
In embodiments, the present disclosure may provide a
35 management facility 100 may be multi-dimensional in that it
method of dynamic threat detection comprising a first data may be designed to protect corporate assets from a variety of
base that correlates a plurality of threat characteristics to a threats and it may be adapted to learn about threats in one
dimension (e.g. worm detection) and apply the knowledge in
threat, wherein a presence of the plurality of the threat char another dimension (e.g. spam detection). Policy management
acteristics confirms a presence of the threat; detecting a 4 is one of the dimensions for which the threat management
change event in a computer run-time process; testing the facility can provide a control capability. A corporation or
change event for a presence of one or more of the plurality of other entity may institute a policy that prevents certain people
characteristics upon detection of the change event; storing a (e.g. employees, groups of employees, types of employees,
detection of one of the plurality of characteristics in a second guest of the corporation, etc.) from accessing certain types of
database that accumulates detected characteristics for the 45 computer programs. For example, the corporation may elect
computer run-time process; and identifying the threat when to prevent its accounting department from using a particular
each one of the plurality of characteristics appears in the version of an instant messaging service orall Such services. In
second database. The threat may include a malware threat to this example, the policy management facility 112 may be
a computer facility, or any other like threat Such as listed used to update the policies of all corporate computing assets
herein. The threat may include a violation of an enterprise 50 with a proper policy control facility or it may update a select
security policy. The plurality of characteristics may include a few. By using the threat management facility 100 to facilitate
plurality of code functionality, a property of a program, and the setting, updating and control of Such policies the corpo
like. Such as referred to herein as genes. The run-time pro ration only needs to be concerned with keeping the threat
cess may include at least one of an access to a file, a process, 55 management facility 100 up to date on such policies. The
a mutual exclusion object, a registry key, and the like. The threat management facility 100 can take care of updating all
second database may accumulate detected characteristics for of the other corporate computing assets.
each of a plurality of computer run-time processes. The first It should be understood that the threat management facility
100 may provide multiple services, and policy management
database may correlate a different plurality of characteristics may be offered as one of the services. We will now turn to a
to each one of a plurality of different threats. The disclosure 60 description of certain capabilities and components of the
may provide for creating a new threat characteristic for inclu threat management system 100.
sion into the database when the detected change event is Over recent years, malware has become a major problem
identified as a threat by a threat identification facility but is not across the internet 154. From both technical and userperspec
currently in the database. tives, the categorization of a specific threat type, whether as
These and other systems, methods, objects, features, and 65 virus, worm, spam, phishing exploration, spyware, adware, or
advantages of the present invention will be apparent to those the like, is becoming reduced in significance. The threat, no
skilled in the art from the following detailed description of the matter how it is categorized, may need to be stopped at Vari
 US 9,104,864 B2
3 4
ous points of a networked computing environment, Such as
one of an enterprise facility 102, including at one or more
laptops, desktops, servers, gateways, communication ports,
handheld or mobile devices, firewalls, and the like. Similarly,
there may be less and less benefit to the user in having differ
ent solutions for known and unknown threats. As such, a
consolidated threat management facility 100 may need to
apply a similar set of technologies and capabilities for all
threats. In certain embodiments, the threat management facil
ity 100 may provide a single agent on the desktop, and a single
scan of any Suspect file. This approach may eliminate the
inevitable overlaps and gaps in protection caused by treating
viruses and spyware as separate problems, while simulta
neously simplifying administration and minimizing desktop
load. As the number and range of types of threats has
increased, so may have the level of connectivity available to
all IT users. This may have lead to a rapid increase in the
speed at which threats may move. Today, an unprotected PC
connected to the internet 154 may be infected quickly (per
haps within 10 minutes) which may require acceleration for
the delivery of threat protection. Where once monthly updates
may have been sufficient, the threat management facility 100
may automatically and seamlessly update its product set
against spam and virus threats quickly, for instance, every five
minutes, every minute, continuously, or the like. Analysis and
testing may be increasingly automated, and also may be per
formed more frequently; for instance, it may be completed in
15 minutes, and may do so without compromising quality.
The threat management facility 100 may also extend tech
niques that may have been developed for virus and malware
protection, and provide them to enterprise facility 102 net
work administrators to better control their environments. In
addition to stopping malicious code, the threat management
facility 100 may provide policy management that may be able
to control legitimate applications, such as VoIP, instant mes
saging, peer-to-peer file-sharing, and the like, that may under
mine productivity and network performance within the enter
prise facility 102.
The threat management facility 100 may provide an enter
prise facility 102 protection from computer-based malware,
including viruses, spyware, adware, Trojans, intrusion, spam,
policy abuse, uncontrolled access, and the like, where the
enterprise facility 102 may be any entity with a networked
computer-based infrastructure. In an embodiment, FIG. 1
may depict a block diagram of the threat management facility
100 providing protection to an enterprise againstaplurality of
threats. The enterprise facility 102 may be corporate, com
mercial, educational, governmental, or the like, and the enter
prise facility's 102 computer network may be distributed
amongst a plurality of facilities, and in a plurality of geo
graphical locations, and may include administration 134, a
firewall 138A, an appliance 140A, server 142A, network
devices 148A-B, clients 144A-D, such as protected by com
puter security facilities 152, and the like. The threat manage
ment facility 100 may include a plurality of functions, such as
security management facility 122, policy management facil
ity 112, update facility 120, definitions facility 114, network
access rules facility 124, remedial action facility 128, detec
tion techniques facility 130, testing facility 118, threat
research facility 132, and the like. In embodiments, the threat
protection provided by the threat management facility 100
may extend beyond the network boundaries of the enterprise
facility 102 to include client facilities 144D that have moved
into network connectivity not directly associated or con
trolled by the enterprise facility 102. Threats to client facili
ties 144 may come from a plurality of Sources, such as from
network threats 104, physical proximity threats 110, second
ary location threats 108, and the like. Clients 144 may be
protected from threats even when the client 144 is not located
in association with the enterprise 102, such as when a client
144E-F moves in and out of the enterprise 102 such as inter
facing with an unprotected server 142C through the Internet
154, when a client 144F is moving into a secondary location
threat 108 such as interfacing with components 136B, 142B,
148C, 148D that are not protected, and the like. In embodi
ments, the threat management facility 100 may provide an
10 enterprise facility 102 protection from a plurality of threats to
multiplatform computer resources in a plurality of locations
and network configurations, with an integrated system
approach.
In embodiments, the threat management facility 100 may
15 be provided as a stand-alone solution. In other embodiments,
the threat management facility 100 may be integrated into a
third-party product. An application programming interface
(e.g. a source code interface) may be provided Such that the
threat management facility 100 may be integrated. For
instance, the threat management facility 100 may be stand
alone in that it provides direct threat protection to an enter
prise or computer resource, where protection is Subscribed to
directly 100. Alternatively, the threat management facility
may offer protection indirectly, through a third-party product,
25 where an enterprise may subscribe to services through the
third-party product, and threat protection to the enterprise
may be provided by the threat management facility 100
through the third-party product.
The security management facility 122 may include a plu
30 rality of elements that provide protection from malware to
enterprise facility 102 computer resources, including end
point security and control, email security and control, web
security and control, reputation-based filtering, control of
unauthorized users, control of guest and non-compliant com
35 puters, and the like. The security management facility 122
may be a Software application that may provide malicious
code and malicious application protection to a client facility
144 computing resource. The security management facility
122 may have the ability to scan the client facility 144 files for
40 malicious code, remove or quarantine certain applications
and files, prevent certain actions, perform remedial actions
and perform other security measures. In embodiments, scan
ning the client facility 144 may include Scanning some or all
of the files stored to the client facility 144 on a periodic basis,
45 may scan applications once the application has been
requested to execute, may scan files as the files are transmitted
to or from the client facility 144, or the like. The scanning of
the applications and files may be to detect known malicious
code or known unwanted applications. In an embodiment,
50 new malicious code and unwanted applications may be con
tinually developed and distributed, and updates to the known
code database may be provided on a periodic basis, on a
demand basis, on an alert basis, or the like.
In an embodiment, the security management facility 122
55 may provide for email security and control, where security
management may help to eliminate spam, viruses, spyware
and phishing, control of email content, and the like. The
security management facility’s 122 email security and con
trol may protect against inbound and outbound threats, pro
60 tect email infrastructure, prevent data leakage, provide spam
filtering, and the like. In an embodiment, security manage
ment facility 122 may provide for web security and control,
where security management may help to detect or block
viruses, spyware, malware, unwanted applications, help con
65 trol web browsing, and the like, which may provide compre
hensive web access control enabling safe, productive web
browsing. Web security and control may provide internet use
 US 9,104,864 B2
5 6
policies, reporting on Suspect devices, security and content
filtering, active monitoring of network traffic, URI filtering,
and the like. In an embodiment, the security management
facility 122 may provide for network access control, which
may provide control over network connections. Network con
trol may stop unauthorized, guest, or non-compliant systems
from accessing networks, and may control network traffic that
may not be bypassed from the client level. In addition, net
work access control may control access to virtual private
networks (VPN), where VPNs may be a communications
network tunneled through another network, establishing a
logical connection acting as a virtual network. In embodi
ments, a VPN may be treated in the same manner as a physical
network.
In an embodiment, the security management facility 122
may provide for host intrusion prevention through behavioral
based protection, which may guard against unknown threats
by analyzing behavior before software code executes. Behav
ioral based protection may monitor code when it runs and
intervene if the code is deemed to be suspicious or malicious.
Advantages of behavioral based protection over runtime pro
tection may include code being prevented from running,
whereas runtime protection may only interrupt code that has
already partly executed; behavioral protection may identify
malicious code at the gateway or on the file servers and
deletes it before reaching end-point computers and the like.
In an embodiment, the security management facility 122
may provide for reputation filtering, which may target or
identify sources of known malware. For instance, reputation
filtering may include lists of URIs of known sources of mal
ware or known Suspicious IP addresses, or domains, say for
spam, that when detected may invoke an action by the threat
management facility 100. Such as dropping them immedi
ately. By dropping the source before any interaction can ini
tiate, potential threat sources may be thwarted before any
exchange of data can be made.
In embodiments, information may be sent from the enter
prise back to a third party, a vendor, or the like, which may
lead to improved performance of the threat management
facility 100. For example, the types, times, and number of
virus interactions that a client experiences may provide useful
information for the preventions of future virus threats. This
type offeedback may be useful for any aspect of threat detec
tion. Feedback of information may also be associated with
behaviors of individuals within the enterprise, such as being
associated with most common violations of policy, network
access, unauthorized application loading, unauthorized exter
nal device use, and the like. In embodiments, this type of
information feedback may enable the evaluation or profiling
of client actions that are violations of policy that may provide
a predictive model for the improvement of enterprise policies.
In an embodiment, the security management facility 122
may provide for the overall security of the enterprise facility
102 network or set of enterprise facility 102 networks, may
provide updates of malicious code information to the enter
prise facility 102 network, and associated client facilities 144.
The updates may be a planned update, an update in reaction to
a threat notice, an update in reaction to a request for an update,
an update based on a search of known malicious code infor
mation, or the like. The administration facility 134 may pro
vide control over the security management facility 122 when
updates are performed. The updates may be automatically
transmitted without an administration facility’s 134 direct
control, manually transmitted by the administration facility
134, or the like. The security management facility 122 may
include the management of receiving malicious code descrip
tions from a provider, distribution of malicious code descrip
tions to enterprise facility 102 networks, distribution of mali
cious code descriptions to client facilities 144, or the like. In
an embodiment, the management of malicious code informa
tion may be provided to the enterprise facility's 102 network,
where the enterprise facility’s 102 network may provide the
malicious code information through the enterprise facility’s
102 network distribution system.
The threat management facility 100 may provide a policy
management facility 112 that may be able to block non
10 malicious applications. Such as VoIP 164, instant messaging
162, peer-to-peer file-sharing, and the like, that may under
mine productivity and network performance within the enter
prise facility 102. The policy management facility 112 may be
a set of rules or policies that may indicate enterprise facility
15 102 access permissions for the client facility 144, such as
access permissions associated with the network, applications,
external computer devices, and the like. The policy manage
ment facility 112 may include a database, a text file, a com
bination of databases and text files, or the like. In an embodi
ment, a policy database may be a block list, a black list, an
allowed list, a white list, or the like that may provide a list of
enterprise facility 102 external network locations/applica
tions that may or may not be accessed by the client facility
144. The policy management facility 112 may include rules
25 that may be interpreted with respect to an enterprise facility
102 network access request to determine if the request should
be allowed. The rules may provide a generic rule for the type
of access that may be granted; the rules may be related to the
policies of an enterprise facility 102 for access rights for the
30 enterprise facility’s 102 client facility 144. For example, there
may be a rule that does not permit access to sporting websites.
When a website is requested by the client facility 144, a
security facility may access the rules within a policy facility
to determine if the requested access is related to a sporting
35 website. In an embodiment, the security facility may analyze
the requested website to determine if the website matches
with any of the policy facility rules.
The policy management facility 112 may be similar to the
security management facility 122 but with the addition of
40 enterprise facility 102 wide access rules and policies that may
be distributed to maintain control of client facility 144 access
to enterprise facility 102 network resources. The policies may
be defined for application type, Subset of application capa
bilities, organization hierarchy, computer facility type, user
45 type, network location, time of day, connection type, or the
like. Policies may be maintained by the administration facil
ity 134, through the threat management facility 100, in asso
ciation with a third party, or the like. For example, a policy
may restrict IM 162 activity to only support personnel for
50 communicating with customers. This may allow communi
cation for departments requiring access, but may maintain the
network bandwidth for other activities by restricting the use
of IM 162 to only the personnel that need access to IM 162 in
support of the enterprise facility 102. In an embodiment, the
55 policy management facility 112 may be a stand-alone appli
cation, may be part of the network server facility 142, may be
part of the enterprise facility 102 network, may be part of the
client facility 144, or the like.
In embodiments, the threat management facility 100 may
60 provide configuration management, which may be similar to
policy management, but may specifically examine the con
figuration set of applications, operating systems, hardware,
and the like, and managing changes to their configurations.
Assessment of a configuration may be made against a stan
65 dard configuration policy, detection of configuration changes,
remediation of improper configuration, application of new
configurations, and the like. An enterprise may keep a set of
 US 9,104,864 B2
7 8
standard configuration rules and policies which may repre
sent the desired state of the device. For example, a client
firewall may be running and installed, but in the disabled
state, where remediation may be to enable the firewall. In
another example, the enterprise may set a rule that disallows
the use of USB disks, and sends a configuration change to all
clients, which turns off USB drive access via a registry.
In embodiments, the threat management facility 100 may
also provide for the removal of applications that may interfere
with the operation of the threat management facility 100, such
as competitor products that may also be attempting similar
threat management functions. The removal of such products
may be initiated automatically whenever Such products are
detected. In the case where Such applications are services are
provided indirectly through a third-party product, the appli
cation may be suspended until action is taken to remove or
disable the third-party products protection facility.
Threat management against a Sometimes quickly evolving
malware environment may require timely updates, and the
update management facility 120 may be provided by the
threat management facility 100. In addition, a policy manage
ment facility 112 may also require update management (e.g.
as provided by the update facility 120 herein described), as
the enterprise facility 102 requirements for policies change
enterprise facility 102, client facility 144, server facility 142
enterprise facility 102. The update management for the secu
rity facility 122 and policy management facility 112 may be
provided directly by the threat management facility 100, such
as by a hosted system or in conjunction with the administra
tion facility 134. In embodiments, the threat management
facility 100 may provide for patch management, where a
patch may be an update to an operating system, an applica
tion, a system tool, or the like, where one of the reasons for the
patch is to reduce vulnerability to threats.
In embodiments, the security facility 122 and policy man
agement facility 112 may push information to the enterprise
facility 102 network and/or client facility 144, the enterprise
facility 102 network and/or client facility 144 may pull infor
mation from the security facility 122 and policy management
facility 112 network server facilities 142, there may be a
combination of pushing and pulling of information between
the security facility 122 and the policy management facility
112 network servers 142, enterprise facility 102 network, and
client facilities 144, or the like. For example, the enterprise
facility 102 network and/or client facility 144 may pull infor
mation from the security facility 122 and policy management
facility 112 network server facility 142 may request the infor
mation using the security facility 122 and policy management
facility 112 update module; the request may be based on a
certain time period, by a certain time, by a date, on demand,
or the like. In another example, the security facility 122 and
policy management facility 112 network servers 142 may
push the information to the enterprise facility's 102 network
and/or client facility 144 by providing notification that there
are updates available for download and then transmitting the
information. The combination of the security management
122 network server facility 142 and security update module
may function Substantially the same as the policy manage
ment facility 112 network server and policy update module by
providing information to the enterprise facility 102 network
and the client facility 144 in a push or pull method. In an
embodiment, the policy management facility 112 and the
security facility 122 management update modules may work
in concert to provide all the needed information to the enter
prise facility's 102 network and/or client facility 144 for
control of application execution. In an embodiment, the
policy update module and security update module may be
combined into a single update module.
As threats are identified and characterized, the threat man
agement facility 100 may create definition updates that may
be used to allow the threat management facility 100 to detect
and remediate the latest malicious Software, unwanted appli
cations, configuration and policy changes, and the like. The
threat definition facility 114 may contain threat identification
updates, also referred to as definition files. A definition file
10 may be a virus identity file that may include definitions of
known or potential malicious code. The virus identity (IDE)
definition files may provide information that may identify
malicious code within files, applications, or the like. The
definition files may be accessed by security management
15 facility 122 when scanning files or applications within the
client facility 144 for the determination of malicious code that
may be within the file or application. The definition files may
contain a number of commands, definitions, or instructions,
to be parsed and acted upon, or the like. In embodiments, the
client facility 144 may be updated with new definition files
periodically to provide the client facility 144 with the most
recent malicious code definitions; the updating may be per
formed on a set time period, may be updated on demand from
the client facility 144, may be updated on demand from the
25 network, may be updated on a received malicious code alert,
or the like. In an embodiment, the client facility 144 may
request an update to the definition files from an update facility
120 within the network, may request updated definition files
from a computing facility external to the network, updated
30 definition files may be provided to the client facility 114 from
within the network, definition files may be provided to the
client facility 144 from an external computing facility from an
external network, or the like.
In an embodiment, a definition management facility 114
35 may provide for the timely updates of definition files infor
mation to the network, client facilities 144, and the like. New
and altered malicious code and malicious applications may be
continually created and distributed to networks worldwide.
The definition files that maintain the definitions of the mali
40 cious code and malicious application information for the
protection of the networks and client facilities 144 may need
continual updating to provide continual defense of the net
work and client facility 144 from the malicious code and
malicious applications. The definition files management may
45 provide for automatic and manual methods of updating the
definition files. In embodiments, the network may receive
definition files and distribute the definition files to the net
work client facilities 144, the client facilities 144 may receive
the definition files directly, or the network and client facilities
50 144 may both receive the definition files, or the like. In an
embodiment, the definition files may be updated on a fixed
periodic basis, on demand by the network and/or the client
facility 144, as a result of an alert of a new malicious code or
malicious application, or the like. In an embodiment, the
55 definition files may be released as a Supplemental file to an
existing definition files to provide for rapid updating of the
definition files.
In a similar manner, the security management facility 122
may be used to scan an outgoing file and Verify that the
60 outgoing file is permitted to be transmitted per the enterprise
facility 102 rules and policies. By checking outgoing files, the
security management facility 122 may be able discover mali
cious code infected files that were not detected as incoming
files as a result of the client facility 144 having been updated
65 with either new definition files or policy management facility
112 information. The definition files may discover the mali
cious code infected file by having received updates of devel
 US 9,104,864 B2
9 10
oping malicious code from the administration facility 134,
updates from a definition files provider, or the like. The policy
management facility 112 may discover the malicious code
infected file by having received new updates from the admin
istration facility 134, from a rules provider, or the like.
The threat management facility 100 may provide for a way
to control access to the enterprise facility 102 networks. For
instance, the enterprise facility 102 may want to restrict
access to certain applications, networks, files, printers, serv
ers, databases, or the like. In addition, the enterprise facility
102 may want to restrict user access under certain conditions,
Such as the user's location, usage history, need to know, job
position, connection type, time of day, method of authentica
tion, client-system configuration, or the like. Network access
rules may be developed by the enterprise facility 102, or
pre-packaged by a Supplier, and managed by the threat man
agement facility 100 in conjunction with the administration
facility 134. Network access rules and control may be respon
sible for determining ifa client facility 144 application should
be granted access to a requested network location. The net
work location may be on the same network as the facility or
may be on another network. In an embodiment, the network
access control may verify access rights for client facilities 144
from within the network or may verify access rights of com
puter facilities from external networks. When network access
for a client facility 144 is denied, the network access control
may send an information file to the client facility 144, the
information file may contain data or commands that may
provide instructions for the remedial action facility 128. The
information sent by the network access facility 124 control
may be a data file. The data file may contain a number of
commands, definitions, instructions, or commands to be
parsed and acted upon through the remedial action facility
128, or the like. The information sent by the network access
facility 124 control may be a command or command file that
the remedial action facility 128 may access and take action
upon.
In an embodiment, the network access rules 124 may pro
vide an information store to be accessed by the network
access control. The network access rules facility 124 may
include databases such as a block list, a black list, an allowed
list, a white list, an unacceptable network site database, an
acceptable network site database, a network site reputation
database, or the like of network access locations that may or
may not be accessed by the client facility 144. Additionally,
the network access rules facility 124 may incorporate rule
evaluation; the rule evaluation may parse network access
requests and apply the parsed information to network access
rules. The network access rule facility 124 may have a generic
set of rules that may be in support of an enterprise facility’s
102 network access policies, such as denying access to certain
types of websites 158, controlling instant messenger 162
accesses, or the like. Rule evaluation may include regular
expression rule evaluation, or other rule evaluation method
for interpreting the network access request and comparing the
interpretation to the established rules for network access. In
an embodiment, the network access rules facility 124 may
receive a rules evaluation request from the network access
control and may return the rules evaluation to the network
access control.
Similar to the threat definitions facility 114, the network
access rule facility 124 may provide updated rules and poli
cies to the enterprise facility 102. The network access rules
facility 124 may be maintained by the network administration
facility 134, using network access rules facility 124 manage
ment. In an embodiment, the network administration facility
134 may be able to maintain a set of access rules manually by
adding rules, changing rules, deleting rules, or the like. Addi
tionally, the administration facility 134 may be able to
retrieve predefined rule sets from a provider that may provide
a set of rules to be applied to an entire enterprise facility 102.
The network administration facility 134 may be able to
modify the predefined rules as needed for a particular enter
prise facility 102 using the network access rules management
facility 124.
When a threat or policy violation is detected by the threat
10
management facility 100, the threat management facility 100
may provide for a remedial action facility 128. Remedial
action may take a plurality of forms, such as terminating or
modifying an ongoing processorinteraction, sending a warn
15 ing to a client or administration facility 134 of an ongoing
process or interaction, executing a program or application to
remediate against a threat or violation, record interactions for
Subsequent evaluation, or the like. Remedial action may be
associated with an application that responds to information
that a client facility 144 network access request has been
denied. In an embodiment, when the data file is received,
remedial action may parse the data file, interpret the various
aspects of the data file, and act on the parsed data file infor
mation to determine actions to be taken on an application
25 requesting access to a denied network location. In an embodi
ment, when the data file is received, remedial action may
access the threat definitions to parse the data file and deter
mine an action to be taken on an application requesting access
to a denied network location. In an embodiment, the infor
30 mation received from the facility may be a command or a
command file. The remedial action facility may carry out any
commands that are received or parsed from a data file from the
facility without performing any interpretation of the com
mands. In an embodiment, the remedial action facility may
35 interact with the received information and may perform vari
ous actions on a client requesting access to a denied network
location. The action may be one or more of continuing to
block all requests to a denied network location, a malicious
code scan on the application, a malicious code scan on the
40 client facility 144, quarantine of the application, terminating
the application, isolation of the application, isolation of the
client facility 144 to a location within the network that
restricts network access, blocking a network access port from
a client facility 144, reporting the application to a adminis
45 tration facility 134, or the like.
Remedial action may be provided as a result of a detection
of a threat or violation. The detection techniques facility 130
may include monitoring the enterprise facility 102 network or
end-point devices, such as by monitoring streaming data
50 through the gateway, across the network, through routers and
hubs, and the like. The detection techniques facility 130 may
include monitoring activity and stored files on computing
facilities, such as on server facilities 142, desktop computers,
laptop computers, other mobile computing devices, and the
55 like. Detection techniques, such as scanning a computers
stored files, may provide the capability of checking files for
stored threats, either in the active or passive state. Detection
techniques, such as streaming file management, may provide
the capability of checking files received at the network, gate
60 way facility, client facility 144, and the like. This may provide
the capability of not allowing a streaming file or portions of
the streaming file containing malicious code from entering
the client facility 144, gateway facility, or network. In an
embodiment, the streaming file may be broken into blocks of
65 information, and a plurality of virus identities may be used to
check each of the blocks of information formalicious code. In
an embodiment, any blocks that are not determined to be clear
 US 9,104,864 B2
11
of malicious code may not be delivered to the client facility
144, gateway facility, or network.
Verifying that the threat management facility 100 is detect
ing threats and violations to established policy, may require
the ability to test the system, either at the system level or for
a particular computing component. The testing facility 118
may allow the administration facility 134 to coordinate the
testing of the security configurations of client facility 144
computing facilities on a network. The administration facility
134 may be able to send test files to a set of client facility 144
computing facilities to test the ability of the client facility 144
to determine acceptability of the test file. After the test file has
been transmitted, a recording facility may record the actions
taken by the client facility 144 in reaction to the test file. The
recording facility may aggregate the testing information from
the client facility 144 and report the testing information to the
administration facility 134. The administration facility 134
may be able to determine the level of preparedness of the
client facility 144 computing facilities by the reported infor
mation. Remedial action may be taken for any of the client
facility 144 computing facilities as determined by the admin
istration facility 134; remedial action may be taken by the
administration facility 134 or by the user of the client facility
144.
The threat research facility 132 may provide a continu
ously ongoing effort to maintain the threat protection capa
bilities of the threat management facility 100 in light of con
tinuous generation of new or evolved forms of malware.
Threat research may include researchers and analysts work
ing on known and emerging malware. Such as viruses, root
kits a spyware, as well as other computer threats Such as
phishing, spam, scams, and the like. In embodiments, through
threat research, the threat management facility 100 may be
able to provide swift, global responses to the latest threats.
The threat management facility 100 may provide threat
protection to the enterprise facility 102, where the enterprise
facility 102 may include a plurality of networked compo
nents, such as client facility 144, server facility 142, admin
istration facility 134, firewall 138, gateway, hubs and routers
148, threat management appliance 140, desktop users, mobile
users, and the like. In embodiments, it may be the end-point
computer security facility 152, located on a computer's desk
top, which may provide threat protection to a user, and asso
ciated enterprise facility 102. In embodiments, the term end
point may refer to a computer system that may source data,
receive data, evaluate data, buffer data, or the like (such as a
user's desktop computer as an end-point computer), a firewall
as a data evaluation end-point computer system, a laptop as a
mobile end-point computer, a PDA as a hand-held end-point
computer, a mobile phone as an end-point computer, or the
like. In embodiments, end-point may refer to a source or
destination for data, including Such components where the
destination is characterized by an evaluation point for data,
and where the data may be sent to a Subsequent destination
after evaluation. The end-point computer security facility 152
may be an application loaded onto the computer platform or
computer Support component, where the application may
accommodate the plurality of computer platforms and/or
functional requirements of the component. For instance, a
client facility 144 computer may be one of a plurality of
computer platforms. Such as Windows, Macintosh, Linux,
and the like, where the end-point computer security facility
152 may be adapted to the specific platform, while maintain
ing a uniform product and product services across platforms.
Additionally, components may have different functions to
serve within the enterprise facility’s 102 networked com
puter-based infrastructure. For instance, computer Support
12
components provided as hubs and routers 148, server facility
142, firewalls 138, and the like, may require unique security
application software to protect their portion of the system
infrastructure, while providing an element in an integrated
threat management system that extends out beyond the threat
management facility 100 to incorporate all computer
resources under its protection.
The enterprise facility 102 may include a plurality of client
facility 144 computing platforms on which the end-point
10 computer security facility 152 is adapted. A client facility 144
computing platform may be a computer system that is able to
access a service on another computer. Such as a server facility
142, via a network. This client facility 144 server facility 142
model may apply to a plurality of networked applications,
15 Such as a client facility 144 connecting to an enterprise facil
ity 102 application server facility 142, a web browser client
facility 144 connecting to a web server facility 142, an e-mail
client facility 144 retrieving e-mail from an internet 154 ser
vice provider's mail storage servers 142, and the like. In
embodiments, traditional large client facility 144 applica
tions may be switched to websites, which may increase the
browser's role as a client facility 144. Clients 144 may be
classified as a function of the extent to which they perform
their own processing. For instance, client facilities 144 are
25 sometimes classified as a fat client facility 144 or thin client
facility 144. The fat client facility 144, also known as a thick
client facility 144 or rich client facility 144, may be a client
facility 144 that performs the bulk of data processing opera
tions itself, and does not necessarily rely on the server facility
30 142. The fat client facility 144 may be most common in the
form of a personal computer, where the personal computer
may operate independent of any server facility 142. Program
ming environments for fat clients 144 may include CURI,
Delphi, Droplets, Java, win32, X11, and the like. Thin clients
35 144 may offer minimal processing capabilities, for instance,
the thin client facility 144 may primarily provide a graphical
user interface provided by an application server facility 142,
which may perform the bulk of any required data processing.
Programming environments for thin clients 144 may include
40 JavaScript/AJAX, ASP, JSP. Ruby on Rails, Python's Django,
PHP, and the like. The client facility 144 may also be a mix of
the two. Such as processing data locally, but relying on a
server facility 142 for data storage. As a result, this hybrid
client facility 144 may provide benefits from both the fat
45 client facility 144 type. Such as multimedia Support and high
performance, and the thin client facility 144 type, such as high
manageability and flexibility. In embodiments, the threat
management facility 100, and associated end-point computer
security facility 152, may provide seamless threat protection
50 to the plurality of clients 144, and client facility 144 types,
across the enterprise facility 102.
The enterprise facility 102 may include a plurality of server
facilities 142. Such as application servers, communications
servers, file servers, database servers, proxy servers, mail
55 servers, fax servers, game servers, web servers, and the like.
A server facility 142, which may also be referred to as a server
facility 142 application, server facility 142 operating system,
server facility 142 computer, or the like, may be an applica
tion program or operating system that accepts client facility
60 144 connections in order to service requests from clients 144.
The server facility 142 application may run on the same
computer as the client facility 144 using it, or the server
facility 142 and the client facility 144 may be running on
different computers and communicating across the network.
65 Server facility 142 applications may be divided among server
facility 142 computers, with the dividing depending upon the
workload. For instance, under light load conditions all server
 US 9,104,864 B2
13
facility 142 applications may run on a single computer and
under heavy load conditions a single server facility 142 appli
cation may run on multiple computers. In embodiments, the
threat management facility 100 may provide threat protection
to server facilities 142 within the enterprise facility 102 as
load conditions and application changes are made.
A server facility 142 may also be an appliance facility 140,
where the appliance facility 140 provides specific services
onto the network. Though the appliance facility 140 is a
server facility 142 computer, that may be loaded with a server
facility 142 operating system and server facility 142 applica
tion, the enterprise facility 102 user may not need to configure
it, as the configuration may have been performed by a third
party. In an embodiment, an enterprise facility 102 appliance
may be a server facility 142 appliance that has been config
ured and adapted for use with the threat management facility
100, and located within the facilities of the enterprise facility
102. The enterprise facility's 102 threat management appli
ance may enable the enterprise facility 102 to administer an
on-site local managed threat protection configuration, where
the administration facility 134 may access the threat
resources through an interface. Such as a web portal. In an
alternate embodiment, the enterprise facility 102 may be
managed remotely from a third party, Vendor, or the like,
without an appliance facility 140 located within the enterprise
facility 102. In this instance, the appliance functionality may
be a shared hardware product between pluralities of enter
prises 102. In embodiments, the appliance facility 140 may be
located at the enterprise facility 102, where the enterprise
facility 102 maintains a degree of control. In embodiments, a
hosted service may be provided, where the appliance 140 may
still be an on-site black box to the enterprise facility 102,
physically placed there because of infrastructure require
ments, but managed by a third party, Vendor, or the like.
Simple server facility 142 appliances may also be utilized
across the enterprise facility's 102 network infrastructure,
Such as Switches, routers, wireless routers, hubs and routers,
gateways, print servers, net modems, and the like. These
simple server facility appliances may not require configura
tion by the enterprise facility 102, but may require protection
from threats via an end-point computer security facility 152.
These appliances may provide interconnection services
within the enterprise facility 102 network, and therefore may
advance the spread of a threat if not properly protected.
One way for a client facility 144 to be protected from
threats from within the enterprise facility 102 network may be
a personal firewall. A personal firewall may be an application
that controls network traffic to and from a client, permitting or
denying communications based on a security policy. Personal
firewalls may be designed for use by end-users, which may
result in protection for only the computer on which its
installed. Personal firewalls may be able to control network
traffic by providing prompts each time a connection is
attempted and adapting security policy accordingly. Personal
firewalls may also provide some level of intrusion detection,
which may allow the software to terminate or block connec
tivity where it Suspects an intrusion is being attempted. Other
features that may be provided by a personal firewall may
include alerts about outgoing connection attempts, control of
program access to networks, hiding the client from port scans
by not responding to unsolicited network traffic, monitoring
of applications that may be listening for incoming connec
tions, monitoring and regulation of incoming and outgoing
network traffic, prevention of unwanted network traffic from
installed applications, reporting applications that make con
nection attempts, reporting destination servers with which
applications may be attempting communications, and the
14
like. In embodiments, the personal firewall may be provided
by the threat management facility 100.
Another important component that may be protected by an
end-point computer security facility 152 is a network firewall
5 facility 138, which may be a hardware or software device that
may be configured to permit, deny, or proxy data through a
computer network that has different levels of trust in its
source of data. For instance, an internal enterprise facility 102
network may have a high level of trust, because the source of
10 all data has been sourced from within the enterprise facility
102. An example of a low level of trust is the Internet 154,
because the Source of data may be unknown. A Zone with an
intermediate trust level, situated between the Internet 154 and
a trusted internal network, may be referred to as a “perimeter
15 network”. Since firewall facilities 138 represent boundaries
between threat levels, the end-point computer security facil
ity 152 associated with the firewall facility 138 may provide
resources that may control the flow of threats at this enterprise
facility 102 network entry point. Firewall facilities 138, and
associated end-point computer security facility 152, may also
be associated with a network node that may be equipped for
interfacing between networks that use different protocols. In
embodiments, the end-point computer security facility 152
may provide threat protection in a plurality of network infra
25 structure locations, such as at the enterprise facility 102 net
work entry point, i.e. the firewall facility 138 or gateway; at
the server facility 142; at distribution points within the net
work, i.e. the hubs and routers 148; at the desktop of client
facility 144 computers; and the like. In embodiments, the
30 most effective location for threat detection may be at the
user's computer desktop end-point computersecurity facility
152.
The interface between the threat management facility 100
and the enterprise facility 102, and through the appliance
35 facility 140 to embedded end-point computer security facili
ties, may include a set of tools that may be the same for all
enterprise implementations, but allow each enterprise to
implement different controls. In embodiments, these controls
may include both automatic actions and managed actions.
40 Automatic actions may include downloads of the end-point
computer security facility 152 to components of the enter
prise facility 102, downloads of updates to existing end-point
computer security facilities of the enterprise facility 102,
uploaded network interaction requests from enterprise facil
45 ity 102 components to the threat management facility 100,
and the like. In embodiments, automatic interactions between
the enterprise facility 102 and the threat management facility
100 may be configured by the threat management facility 100
and an administration facility 134 in the enterprise facility
50 102. The administration facility 134 may configure policy
rules that determine interactions. Such as developing rules for
accessing applications, as in who is authorized and when
applications may be used; establishing rules for ethical
behavior and activities; rules governing the use of entertain
55 ment software such as games, or personal use Software Such
as IM 162 and VoIP 164; rules for determining access to
enterprise facility 102 computing resources, including
authentication, levels of access, risk assessment, and usage
history tracking; rules for when an action is not allowed, Such
60 as whetheran action is completely deigned or just modified in
its execution; and the like. The administration facility 134
may also establish license management, which in turn may
further determine interactions associated with a licensed
application. In embodiments, interactions between the threat
65 management facility 100 and the enterprise facility 102 may
provide threat protection to the enterprise facility 102 by
managing the flow of network data into and out of the enter
 US 9,104,864 B2
15
prise facility 102 through automatic actions that may be con
figured by the threat management facility 100 or the admin
istration facility 134.
Client facilities 144 within the enterprise facility 102 may
be connected to the enterprise facility 102 network by way of
wired network facilities 148A or wireless network facilities
148B. Client facilities 144 connected to the enterprise facility
102 network via a wired facility 148A or wireless facility
148B may receive similar protection, as both connection
types are ultimately connected to the same enterprise facility
102 network, with the same end-point computer security
facility 152, and the same threat protected enterprise facility
102 environment. Mobile wireless facility clients 144B-F,
because of their ability to connect to any wireless 148B.D
network access point, may connect to the Internet 154 outside
the enterprise facility 102, and therefore outside the threat
protected environment of the enterprise facility 102. In this
instance the mobile client facility 144B-F, if not for the pres
ence of the end-point computer security facility 152 may
experience a malware attack or perform actions counter to
enterprise facility 102 established policies. In addition, there
may be a plurality of ways for the threat management facility
100 to protect the out-of-enterprise facility 102 mobile client
facility 144D-F that has an embedded end-point computer
security facility 152, such as by providing URI filtering in
personal routers, using a web appliance as a DNS proxy, or
the like. Mobile client facilities 144D-F that are components
of the enterprise facility 102 but temporarily outside connec
tivity with the enterprise facility 102 network, may be pro
vided with the same threat protection and policy control as
client facilities 144 inside the enterprise facility 102. In addi
tion, mobile client facilities 144B-F may receive the same
interactions to and from the threat management facility 100 as
client facilities 144 inside the enterprise facility 102, where
mobile client facilities 144B-F may be considered a virtual
extension of the enterprise facility 102, receiving all the same
services via their embedded end-point computer security
facility 152.
Interactions between the threat management facility 100
and the components of the enterprise facility 102, including
mobile client facility 144B-F extensions of the enterprise
facility 102, may ultimately be connected through the internet
154. Threat management facility 100 downloads and
upgrades to the enterprise facility 102 may be passed from the
firewalled networks of the threat management facility 100
through to the end-point computer security facility 152
equipped components of the enterprise facility 102. In turn
the end-point computer security facility 152 components of
the enterprise facility 102 may upload policy and access
requests back across the internet 154 and through to the threat
management facility 100. The Internet 154 however, is also
the path through which threats may be transmitted from their
source. These network threats may include threats from a
plurality of sources, including websites 158, e-mail 160, IM
162, VoIP 164, application software, and the like. These
threats may attempt to attack a mobile enterprise client facil
ity 144B-F equipped with an end-point computer security
facility 152, but in embodiments, as long as the mobile client
facility 144B-F is embedded with an end-point computer
security facility 152, as described above, threats may have no
better success than if the mobile client facility 144B-F were
inside the enterprise facility 102.
However, if the mobile client facility 144 were to attempt to
connect into an unprotected connection point, Such as at a
secondary location 108 that is not a part of the enterprise
facility 102, the mobile client facility 144 may be required to
request network interactions through the threat management
16
facility 100, where contacting the threat management facility
100 may be performed prior to any other network action. In
embodiments, the client facility’s 144 end-point computer
security facility 152 may manage actions in unprotected net
5 work environments such as when the client facility 144F is in
a secondary location 108 or connecting wirelessly to a non
enterprise facility 102 wireless internet connection, where the
end-point computer security facility 152 may dictate what
actions are allowed, blocked, modified, or the like. For
10 instance, if the client facility's 144 end-point computer Secu
rity facility 152 is unable to establish a secured connection to
the threat management facility 100, the end-point computer
security facility 152 may inform the user of such, and recom
mend that the connection not be made. In the instance when
15 the user chooses to connect despite the recommendation, the
end-point computer security facility 152 may perform spe
cific actions during or after the unprotected connection is
made, including running scans during the connection period,
running scans after the connection is terminated, storing
interactions for Subsequent threat and policy evaluation, con
tacting the threat management facility 100 upon first instance
of a secured connection for further actions and or scanning,
restricting access to network and local resources, or the like.
In embodiments, the end-point computer security facility 152
25 may perform specific actions to remediate possible threat
incursions or policy violations during or after the unprotected
connection.
The secondary location 108 may have no end-point com
puter security facilities 152 as a part of its computer compo
30 nents, such as its firewalls 138B, servers 142B, clients 144G,
hubs and routers 148C-D, and the like. As a result, the com
puter components of the secondary location 108 may be open
to threat attacks, and become potential sources of threats, as
well as any mobile enterprise facility clients 144B-F that may
35 be connected to the secondary location's 108 network. In this
instance, these computer components may now unknowingly
spread a threat to other components connected to the network.
Some threats may not come directly from the Internet 154,
such as from non-enterprise facility controlled mobile
40 devices that are physically brought into the enterprise facility
102 and connected to the enterprise facility 102 client facili
ties 144. The connection may be made from direct connection
with the enterprise facility’s 102 client facility 144, such as
through a USB port, or in physical proximity with the enter
45 prise facility’s 102 client facility 144 such that a wireless
facility connection can be established. Such as through a
Bluetooth connection. These physical proximity threats 110
may be another mobile computing device, a portable memory
storage device, a mobile communications device, or the like,
50 such as CDs and DVDs 170, memory stick 174, flash drive
174, external hard drive, cell phone 178, PDAs 180, MP3
players, digital cameras, point-to-point devices, digital pic
ture frames, digital pens, navigation devices, appliances, and
the like. A physical proximity threat 110 may have been
55 previously infiltrated by network threats while connected to
an unprotected network connection outside the enterprise
facility 102, and when connected to the enterprise facility 102
client facility 144, pose a threat. Because of their mobile
nature, physical proximity threats 110 may infiltrate comput
60 ing resources in any location, Such as being physically
brought into the enterprise facility 102 site, connected to an
enterprise facility 102 client facility 144 while that client
facility 144 is mobile, plugged into an unprotected client
facility 144 at a secondary location 108, and the like. A
65 mobile device, once connected to an unprotected computer
resource, may become a physical proximity threat 110. In
embodiments, the end-point computer security facility 152
 US 9,104,864 B2
17
may provide enterprise facility 102 computing resources with
threat protection against physical proximity threats 110, for
instance, through scanning the device prior to allowing data
transfers, through security validation certificates, through
establishing a safe Zone within the enterprise facility 102
computing resource to transfer data into for evaluation, and
the like.
Now that the overall system has been described, we turn
towards a set of threat detection embodiments utilizing the
accumulated detection of threat characteristics. It should be
understood that the following embodiments may be managed
through a threat management facility 100 along with other
services, such as those described herein.
Referring to FIG. 2, a system diagram embodiment of a
threat detection technique 130 is depicted, where the tech
nique utilizes the accumulation of threat detection character
istics in identifying a threat to a computing device, such as
one of the threats listed herein. In traditional on-access mal
ware detection every on-access scan runs through a full set of
threat characteristic identities (also referred to herein as
geneidentities), and then runs threat-describing identities
one by one. A threat characteristic, or gene, may be a code
Strand, functionality, property, and the like piece of informa
tion collected on system objects that may be reused and
combined in different threat detections. A threat may be iden
tified by the presence of a particular set of genes that are
indicative of the threat. The traditional approach is very
sequential, where an on-access Scan is triggered after any
target computing device object changes, and the system recal
culates all the genes and checks all the threat descriptions to
find out whether any given threat is active. This approach to
threat identification is very inefficient, and does not scale with
the number of genes or threat descriptions. For instance,
calculating all the genes in each on-access Scan includes
genes that are likely to not be relevant to the potential of a
particular threat, threat environment, computing platform,
application, and the like, and running threat identities sequen
tially fails to preserve knowledge between identities.
In the present disclosure a threat detection facility 202 is
provided that allows dynamic detection of complex threats in
a way that scales linearly with the number of threat descrip
tions and the number of computer system objects tracked. The
threat detection facility 202 may provide an algorithm to
detect threats in a dynamic detection environment, where
threats are described as a list of threat characteristics (e.g.
genes) that must be present, and where the threat character
istics may be generated/detected dynamically through behav
ioral detection. The threat detection facility 202 may allow for
the tracking of all known threats efficiently, and only recal
culate genes that may potentially provide new information.
Through this process, processing may be kept to a minimum,
allowing increased efficiency. The invention may provide for
a scalable solution that is able to cope with a large number of
threat descriptions. Benefits of the threat detection facility
202 may include stopping threats earlier in the detection
process, an increase in the performance of the target comput
ing device through decreased processing requirements from
scanning, reduced memory usage, and the like, all of which
may be especially important in mobile and virtualization
applications.
Referring again to FIG. 2, the threat detection facility 202
may be resident in or interfacing with a computing device
204, such as a client 144A, a wireless client 144B, a server
142A, a firewall 138A, a gateway, and the like, such as in part
of a computer security facility 152 in association with the
computing device 204 as described herein. The computing
device 204 may include an operating system 208 running a
18
plurality of run-time processes 210 as computer system
objects, such as files, processes, registry keys, and the like.
The threat detection facility 202 may monitor, capture, filter,
and the like, system events on the computer objects through
event capture 212 functionality. For instance, a system event
may be a change to a system process that is run by the
operating system (e.g. FileOpen, FileWrite, Registry Write,
and the like). The detection of the event may then initiate a
process that generates a list of threat characteristics associ
10 ated with the object that has experienced the event, where a
threat characteristics detector 214 produces the list. In
embodiments, an anti-virus engine may provide the function
ality of the threat characteristics detector 214. The list of
threat characteristics associated with the event may then be
15 passed to a threat detection analyzer 218 for creation of or
insertion into threat tables 220 that keep an accumulated
record of threat characteristics that have been associated with
events to objects over time, where there may be a separate
threat table 220 for each object that has experienced an event.
A threat analyzer 222 then monitors the content of each threat
table 220 to see if the accumulated set of threat characteristics
detected in events of a particular object match a threat index
224 that lists what threat characteristics constitute a given
threat.
25 In an example, and referring to the example threat index of
Table 1, a threat T1 may be comprised of genes G1, G2.
and G3. That is, when genes G1, G2, and G3 are detected in
the same computer object by the threat analyzer, the threat
analyzer will have determined that the threat T1 has been
30 detected in the object. In embodiments, the threat analyzer
may then update a threat status 228, such as with a list of
identified threats, a clean system status, and the like.
TABLE 1
35
Example threat index
Threat Genes
40
A detailed example of how the threat characteristics ana
lyzer 218 generates and maintains threat tables 220, and
45 finally how the threat analyzer 222 identifies the presence of
a threat, will now be presented. This example is meant to be
illustrative of the process for detection of a threat using the
threat detection facility 202, and is not meant to be limiting in
any way, including the use of the term gene to represent the
50 more generic threat characteristic, which includes sequences
within the code of an object, behavioral characteristics of an
object, occurrence of a change event with respect to the occur
rence of another change event, characteristics that are listed as
part of a policy, and the like.
55 In this example, a first step in the process begins with the
example threat index presented in Table 1 where three threats
are listed along with the group of genes that when identified
together in a particular object, identify that threat as being
present in that object. An inverted threat index 226 is then
60 generated, such as provided in Table 2 as a result of inverting
the threat index provided in Table 1. The inverted threat index
226 provides what threats are associated with a particular
gene from Table 1, and how many total number of genes are
required to detect those threats. For instance, the gene G1 in
65 Table 2 shows that it is associated only with threat T1, and that
there are three different genes required to identify threat T1.
In another instance, the gene G3 in Table 2 shows that it is
 US 9,104,864 B2
19 20
associated with two threats, T1 and T3, where again there are threats listed in Table 1. In embodiments, the threats included
three different genes required to identify threat T1, and where in a threat index 224 may be limited to a subset of known
there are two different genes required to identify threat T3. threats, include all known threats, limited to threats relevant
to a type of computing device (e.g. laptop, mobile phone,
TABLE 2 5 enterprise server), and the like.
Example inverted threat index TABLE 5
Gene Threat (total genes required) Object Genes Threats
G1 T1(3) 10 F1 G1 T1 (1,3)
G2 T1(3), T2(3) F2 G31
G3 T1(3), T3(2) F3
G4 T2(3)
G5 T3(2)
G6 T2(3) Referring to Table 6, a new event is captured, where gene
15 G2 is detected in object F3. Gene G2 is relevant to both threat
A next step in the process is for the threat characteristics T1 and threat T2, and so threat status indicators are added to
analyzer 218 to generate a new threat table 220 for each object the threats column for object F3 to indicate that one of the
for which an event has been detected. Table three provides an three genes have been detected for T1, T1 (1.3), and similarly
example of a blank set of threat tables, where each row of that one of the three genes have been detected for T2, T2(1,3).
Table 3 represents a separate threat table 220. In embodi- 20
ments, the threat characteristics analyzer 218 may generate a TABLE 6
new threat table 220 as events dictate, or may create a set of
blank threat tables 220 for a group of objects to be monitored. Object Genes Threats
In this example, threat tables for objects F1, F2, and F3 F1 G1 T1(1,3)
are listed in a blank set of threat tables 220. 25 F2 G31
F3 G2 T1(1,3), T2(1,3)
TABLE 3
Referring to Table 7, a new event is captured, where the
Object Genes Threats (genes detected, total required) gene G10 is detected in object F1. No additional entry is
F1 30 entered under the threats column of any of the threat tables
F2 because G10 is not relevant to any of the threats listed in Table
F3 1.

The threat detection facility 202 now waits for an event TABLE 7
capture 212. In this example, suppose that the object F1 is a 35 Object Genes Threats
run-time process that experiences a change. The event is
captured 212 and the content is passed on to the threat char- F1 G1, G10 T1(1,3)
acteristic detector 214. The threat characteristics analyzer F2 G31
218 than writes to the gene column of the threat table 220 for F3 G2 T1(1,3), T2(1,3)
the object F1. Referring to Table 4, the threat table for F1 40
shows that the threat characteristics analyzer 218 has inserted Referring to Table 8, a new event is captured, where the
the presence of the gene G1 from the event, where G1 is one gene G1 is detected in object F2, and a threat status indicator
of the three genes that constitute the threat T1, hence the of T1 (1.3) is entered into the column under threats for the
nomenclature T1 (1.3) in added as a threat status indicator in object F2 indicating that one of the three genes required to
the- threats column of table 4, where T1 is the threat, and (1.3) 45 identify threat T1 has been detected in the object F2.
indicates that one of the three genes has been detected toward
the identification of the threat T1 in the object F1. Note that TABLE 8
for the sake of describing this example through the following
tables, new threat table entries from new event captures will Object Genes Threats
be shown in bold.
50 F1 G1, G10 T1(1,3)
F2 G31, G1 T1(1,3)
TABLE 4 F3 G2 T1(1,3), T2(1,3)
Object Genes Threats
F1 G1 T1 (1,3)
Referring to Table 9, a new event is captured, where gene
F2 s 55 G9 is detected in object F3. G9 is not relevant to the threats
F3 listed in Table 1.

The following tables will now depict a series of threat table TABLE 9
updates resulting from a series of new events, where the threat Object Genes Threats
analyzer monitors the threats column of the threat table for "
conditions that indicate a threat is present, Such as in a threat f 3. . E.
status indicator of TH(2.2) indicating that two of two genes for F3 G2G9 E3 T2(1,3)
threat Tit has been found, or Titi (3.3) indicating that three of s 3~ 3 - a w-.
three genes for threat Titi has been found.
Referring to Table 5, a new event is captured, where the 65 Referring to Table 10, a new event is captured, where gene
gene G31 is detected in object F2. No entry is entered under G3 has detected object F1. Gene G3 is relevant to both threat
the threats column because G31 is not relevant to any of the T1 and threat T3. As a result, the threat status indicator for T1
 US 9,104,864 B2
21 22
is changed from T1 (1.3) to T1 (2.3) to indicate that two of the trative example without undue complexity, but with sufficient
three genes have been detected. Additionally, a threat status detail to show how the process may proceed. In embodiments,
indicator for T3 is added to indicate that one of the two genes the number of objects monitored, and the number of threats
for the threat T3 has been detected in the object F1. considered may vary. They may be limited in Some manner or
they may be comprehensive to the extent of knowledge of the
TABLE 10 threat management facility 100. As stated, one of the advan
tages of the threat detection facility 202 may be the ability for
Object Genes Threats the threat detection facility 202 to scale to various applica
F1 G1, G10, G3 T1 (2.3), T3 (1,2) tions, and thereby provide match of the threat protection to
F2 G31, G1 T1(1,3) 10 the threat environment of the application, and thus improved
F3 G2, G9 T1(1,3), T2(1,3) performance over traditional techniques. For instance, threat
protection and performance requirements may be very differ
Referring to Table 11, a new event is captured, where gene ent between a mobile phone application and a desktop com
G3 is now detected in object F2. Similar to the last event puter application, and with the threat detection 202 as
captured in object F1, the detection of gene G3 is added to the 15 described herein may be optionally scaled to match desired
threat table for object F2, where the threat status indicator for performance and threat detection criteria. In embodiments,
T1 is changed from T1 (1.3) to T1 (2.3) to indicate that two of the threat tables used by the threat detection facility 202 may
the three genes have been detected, and additionally, a status be specific to the environment threat landscape, such as for
indicator for T3 is added to indicate that one of the two genes mobile, desktop, server, email server, gateway, centralized
for the threat T3 has been detected in the object F1. network nodes, and the like. In embodiments, the threat
detection facility 202 may utilize threat tables in a hierarchi
TABLE 11 cal manner for improved detection, such as in a hierarchy of
desktop, gateway, enterprise, and the like levels. In embodi
Object Genes Threats ments, the threat detection facility 202 may provide for multi
25 object protection by having the threat analyzer 222 compare
F1 G1, G10, G3 T1(2,3), T3 (1,2) across threat tables. For instance, the multi-object detection
F2 G31, G1, G3 T1 (2.3), T3 (1,2)
F3 G2, G9 T1(1,3), T2(1,3) may require that several objects be infected together in order
to detect a threat. In embodiments, a multi-object detection
Referring to Table 12, a new event is captured, where gene may be detected upon the full or partial detection of threats
30 within each of the multiple objects. For instance, the threat
G6 is detected in object F3. Gene G6 is relevant to threat T2, analyzer may be provided with an algorithm for determining
and so the status indicator for threat T2 is incremented to
indicate T202.3), showing that two of the three genes required the likelihood of a multi-object threat based on the extent to
to identify the threat T2 have been detected in object F3. which threats are completely detected. For example, a com
plete detection in one object, and partial detection in two
TABLE 12
35 other objects. In embodiments, the threat detection facility
may support the detection of threats based on not-gene’
Object Genes Threats detection, where the detection of a plurality of genes in com
bination with a non-detection of a plurality of genes results in
F1 G1, G10, G3 T1(2,3), T3 (1,2) a detection of a threat. For instance, the detection of threat T5
F2 G31, G1, G3 T1(2,3), T3 (1,2)
F3 G2, G9, G6 T1(1,3), T2(2.3)
40 determined with the detection of genes G4, G10, and G42 in
combination with the absence of the detection of gene G14.
Referring to FIG. 3, an embodiment flow diagram for the
Referring to Table 13, a new event is captured, where gene current disclosure is provided. In a first step 320, the process
G5 is detected in object F1. Gene G5 is relevant to threat T3, begins as a method of dynamic threat detection, where the
and represents the second of the two required genes to iden 45 process may be dynamic due to the ability of the threat detec
tify threat T3 as being detected in object F1. The threat ana tion facility 202 providing threat protection over time as
lyzer 222, which as been monitoring the threat tables, detects threat characteristics are detected and accumulated, to scale
the threat, and updates the threat status 228 to indicate that the the use of threat tables 220 for various computing platforms,
threat T3 has been detected in object F1. In embodiments, the applications, and threat environments, and the like. In a sec
threat detection facility may act on this information in a 50 ond step, providing a first database (e.g. the inverted threat
plurality of ways, such as alerting the user of the computer index 226) that correlates a plurality of threat characteristics
device, alerting administration 134, alerting security manage to a threat, wherein a presence of the plurality of the threat
ment 122, taking remedial actions 128, and the like. characteristics confirms a presence of the threat. The inverted
threat index 226 may be stored in a database, a listing, a table,
TABLE 13 55 and the like, where the threat analyzer 222 uses the content of
Object Genes Threats the inverted threat index 226 to update the threat tables 220 as
threat characteristics (e.g. genes) are detected and included
F1 G1, G10, G3, G5 T1 (2.3), T3 (2.2 into the threat tables from the threat characteristics analyzer.
F2 G31, G1, G3 T1(2,3), T3 (1,2) In a third step 308, detecting a change event in a computer
F3 G2, G9, G6 T1(1,3), T2(2,3) 60 run-time process, wherein the detecting is provided by the
event capture 212 in the computing device 204, and the run
The illustrative example presented in association with time process is run on the computer device 204, Such as where
tables 1-13 are meant to show how an embodiment of the the run-time process is a computer object run by the operating
threat detection facility 202 detects a threat through the accu system 208. In a forth step 310, testing the change event for a
mulation of threat characteristics detected in events in pro 65 presence of one or more of the plurality of characteristics
cesses run on a computing device 204. In this illustrative upon detection of the change event, wherein the threat char
example, events have been included to provide a fully illus acteristics detector 214 is extracting threat characteristics
 US 9,104,864 B2
23
from the change event for possible insertion into threat tables
220. In a fifth step 312, storing a detection of one of the
plurality of characteristics in a second database that accumu
lates detected characteristics for the computer run-time pro
cess, where the second database is at least one threat table
220. In embodiments, the threat analyzer 222 may now be
utilizing two databases for the detection of a threat, where one
database is the inverted threat index 226 and the second
database is the at least one threat table 220 being updated by
the threat characteristics analyzer 218 as threat characteristics
are detected in events. In a sixth step 314, identifying the
threat when each one of the plurality of characteristics
appears in the second database. The threat analyzer 222,
monitoring the at least one threat table 220, detects that a
threat is present when the at least one threat table 220 is
updated to show a completed detected threat. For instance,
where all of the genes required for a threat to be present have
been detected for a given computer object. The threat ana
lyzer may then update the threat status 228, and potentially
other actions upon detection of a threat, Such as described
herein.
The methods and systems described herein may be
deployed in part or in whole through a machine that executes
computer Software, program codes, and/or instructions on a
processor. The present invention may be implemented as a
method on the machine, as a system or apparatus as part of or
in relation to the machine, or as a computer program product
embodied in a computer readable medium executing on one
or more of the machines. The processor may be part of a
server, client, network infrastructure, mobile computing plat
form, stationary computing platform, or other computing
platform. A processor may be any kind of computational or
processing device capable of executing program instructions,
codes, binary instructions and the like. The processor may be
or include a signal processor, digital processor, embedded
processor, microprocessor or any variant Such as a co-proces
Sor (math co-processor, graphic co-processor, communica
tion co-processor and the like) and the like that may directly
or indirectly facilitate execution of program code or program
instructions stored thereon. In addition, the processor may
enable execution of multiple programs, threads, and codes.
The threads may be executed simultaneously to enhance the
performance of the processor and to facilitate simultaneous
operations of the application. By way of implementation,
methods, program codes, program instructions and the like
described herein may be implemented in one or more thread.
The thread may spawn other threads that may have assigned
priorities associated with them; the processor may execute
these threads based on priority or any other order based on
instructions provided in the program code. The processor
may include memory that stores methods, codes, instructions
and programs as described herein and elsewhere. The proces
Sor may access a storage medium through an interface that
may store methods, codes, and instructions as described
herein and elsewhere. The storage medium associated with
the processor for storing methods, programs, codes, program
instructions or other type of instructions capable of being
executed by the computing or processing device may include
but may not be limited to one or more of a CD-ROM, DVD,
memory, hard disk, flash drive, RAM, ROM, cache and the
like.
A processor may include one or more cores that may
enhance speed and performance of a multiprocessor. In
embodiments, the process may be a dual core processor, quad
core processors, other chip-level multiprocessor and the like
that combine two or more independent cores (called a die).
24
The methods and systems described herein may be
deployed in part or in whole through a machine that executes
computer software on a server, client, firewall, gateway, hub,
router, or other Such computer and/or networking hardware.
The Software program may be associated with a server that
may include a file server, print server, domain server, internet
server, intranet server and other variants such as secondary
server, host server, distributed server and the like. The server
may include one or more of memories, processors, computer
10 readable media, Storage media, ports (physical and virtual),
communication devices, and interfaces capable of accessing
other servers, clients, machines, and devices through a wired
or a wireless medium, and the like. The methods, programs or
codes as described herein and elsewhere may be executed by
15 the server. In addition, other devices required for execution of
methods as described in this application may be considered as
a part of the infrastructure associated with the server.
The server may provide an interface to other devices
including, without limitation, clients, other servers, printers,
database servers, print servers, file servers, communication
servers, distributed servers and the like. Additionally, this
coupling and/or connection may facilitate remote execution
of program across the network. The networking of some orall
of these devices may facilitate parallel processing of a pro
25 gram or method at one or more location without deviating
from the scope of the invention. In addition, any of the devices
attached to the server through an interface may include at
least one storage medium capable of storing methods, pro
grams, code and/or instructions. A central repository may
30 provide program instructions to be executed on different
devices. In this implementation, the remote repository may
act as a storage medium for program code, instructions, and
programs.
The software program may be associated with a client that
35 may include a file client, print client, domain client, internet
client, intranet client and other variants such as secondary
client, host client, distributed client and the like. The client
may include one or more of memories, processors, computer
readable media, Storage media, ports (physical and virtual),
40 communication devices, and interfaces capable of accessing
other clients, servers, machines, and devices through a wired
or a wireless medium, and the like. The methods, programs or
codes as described herein and elsewhere may be executed by
the client. In addition, other devices required for execution of
45 methods as described in this application may be considered as
a part of the infrastructure associated with the client.
The client may provide an interface to other devices includ
ing, without limitation, servers, other clients, printers, data
base servers, print servers, file servers, communication serv
50 ers, distributed servers and the like. Additionally, this
coupling and/or connection may facilitate remote execution
of program across the network. The networking of some orall
of these devices may facilitate parallel processing of a pro
gram or method at one or more location without deviating
55 from the scope of the invention. In addition, any of the devices
attached to the client through an interface may include at least
one storage medium capable of storing methods, programs,
applications, code and/or instructions. A central repository
may provide program instructions to be executed on different
60 devices. In this implementation, the remote repository may
act as a storage medium for program code, instructions, and
programs.
The methods and systems described herein may be
deployed in part or in whole through network infrastructures.
65 The network infrastructure may include elements such as
computing devices, servers, routers, hubs, firewalls, clients,
personal computers, communication devices, routing devices
 US 9,104,864 B2
25
and other active and passive devices, modules and/or compo
nents as known in the art. The computing and/or non-com
puting device(s) associated with the network infrastructure
may include, apart from other components, a storage medium
such as flash memory, buffer, stack, RAM, ROM and the like.
The processes, methods, program codes, instructions
described herein and elsewhere may be executed by one or
more of the network infrastructural elements.
The methods, program codes, and instructions described
herein and elsewhere may be implemented on a cellular net
work having multiple cells. The cellular network may either
be frequency division multiple access (FDMA) network or
code division multiple access (CDMA) network. The cellular
network may include mobile devices, cell sites, base stations,
repeaters, antennas, towers, and the like. The cell network
may be a GSM, GPRS, 3G, EVDO, mesh, or other networks
types.
The methods, programs codes, and instructions described
herein and elsewhere may be implemented on or through
mobile devices. The mobile devices may include navigation
devices, cell phones, mobile phones, mobile personal digital
assistants, laptops, palmtops, netbooks, pagers, electronic
books readers, music players and the like. These devices may
include, apart from other components, a storage medium Such
as a flash memory, buffer, RAM, ROM and one or more
computing devices. The computing devices associated with
mobile devices may be enabled to execute program codes,
methods, and instructions stored thereon. Alternatively, the
mobile devices may be configured to execute instructions in
collaboration with other devices. The mobile devices may
communicate with base stations interfaced with servers and
configured to execute program codes. The mobile devices
may communicate on a peer to peer network, mesh network,
or other communications network. The program code may be
stored on the storage medium associated with the server and
executed by a computing device embedded within the server.
The base station may include a computing device and a stor
age medium. The storage device may store program codes
and instructions executed by the computing devices associ
ated with the base station.
The computer Software, program codes, and/or instruc
tions may be stored and/or accessed on machine readable
media that may include: computer components, devices, and
recording media that retain digital data used for computing
for some interval of time; semiconductor storage known as
random access memory (RAM); mass storage typically for
more permanent storage, such as optical discs, forms of mag
netic storage like hard disks, tapes, drums, cards and other
types; processor registers, cache memory, Volatile memory,
non-volatile memory; optical storage such as CD, DVD:
removable media such as flash memory (e.g. USB sticks or
keys), floppy disks, magnetic tape, paper tape, punch cards,
standalone RAM disks, Zip drives, removable mass storage,
off-line, and the like; other computer memory Such as
dynamic memory, static memory, read/write storage, mutable
storage, read only, random access, sequential access, location
addressable, file addressable, content addressable, network
attached storage, storage area network, bar codes, magnetic
ink, and the like.
The methods and systems described herein may transform
physical and/or or intangible items from one state to another.
The methods and systems described herein may also trans
form data representing physical and/or intangible items from
one state to another.
The elements described and depicted herein, including in
flow charts and block diagrams throughout the figures, imply
logical boundaries between the elements. However, accord
26
ing to software or hardware engineering practices, the
depicted elements and the functions thereof may be imple
mented on machines through computer executable media
having a processor capable of executing program instructions
stored thereon as a monolithic Software structure, as standa
lone software modules, or as modules that employ external
routines, code, services, and so forth, or any combination of
these, and all Such implementations may be within the scope
of the present disclosure. Examples of Such machines may
10 include, but may not be limited to, personal digital assistants,
laptops, personal computers, mobile phones, other handheld
computing devices, medical equipment, wired or wireless
communication devices, transducers, chips, calculators, sat
ellites, tablet PCs, electronic books, gadgets, electronic
15 devices, devices having artificial intelligence, computing
devices, networking equipments, servers, routers and the like.
Furthermore, the elements depicted in the flow chart and
block diagrams or any other logical component may be imple
mented on a machine capable of executing program instruc
tions. Thus, while the foregoing drawings and descriptions set
forth functional aspects of the disclosed systems, no particu
lar arrangement of Software for implementing these func
tional aspects should be inferred from these descriptions
unless explicitly stated or otherwise clear from the context.
25 Similarly, it will be appreciated that the various steps identi
fied and described above may be varied, and that the order of
steps may be adapted to particular applications of the tech
niques disclosed herein. All Such variations and modifications
are intended to fall within the scope of this disclosure. As
30 Such, the depiction and/or description of an order for various
steps should not be understood to require a particular order of
execution for those steps, unless required by a particular
application, or explicitly stated or otherwise clear from the
COInteXt.
35 The methods and/or processes described above, and steps
thereof, may be realized in hardware, Software or any com
bination of hardware and software suitable for a particular
application. The hardware may include a general purpose
computer and/or dedicated computing device or specific
40 computing device or particular aspect or component of a
specific computing device. The processes may be realized in
one or more microprocessors, microcontrollers, embedded
microcontrollers, programmable digital signal processors or
other programmable device, along with internal and/or exter
45 nal memory. The processes may also, or instead, be embodied
in an application specific integrated circuit, a programmable
gate array, programmable array logic, or any other device or
combination of devices that may be configured to process
electronic signals. It will further be appreciated that one or
50 more of the processes may be realized as a computer execut
able code capable of being executed on a machine readable
medium.
The computer executable code may be created using a
structured programming language such as C, an object ori
55 ented programming language Such as C++, or any other high
level or low-level programming language (including assem
bly languages, hardware description languages, and database
programming languages and technologies) that may be
stored, compiled or interpreted to run on one of the above
60 devices, as well as heterogeneous combinations of proces
sors, processor architectures, or combinations of different
hardware and Software, or any other machine capable of
executing program instructions.
Thus, in one aspect, each method described above and
65 combinations thereof may be embodied in computer execut
able code that, when executing on one or more computing
devices, performs the steps thereof. In another aspect, the
 US 9,104,864 B2
27
methods may be embodied in Systems that perform the steps
thereof, and may be distributed across devices in a number of
ways, or all of the functionality may be integrated into a
dedicated, standalone device or other hardware. In another
aspect, the means for performing the steps associated with the
processes described above may include any of the hardware
and/or software described above. All such permutations and
combinations are intended to fall within the scope of the
present disclosure.
While the invention has been disclosed in connection with
the preferred embodiments shown and described in detail,
various modifications and improvements thereon will
become readily apparent to those skilled in the art. Accord
ingly, the spirit and scope of the present invention is not to be
limited by the foregoing examples, but is to be understood in
the broadest sense allowable by law.
All documents referenced herein are hereby incorporated
by reference.
What is claimed is:
1. A computer program product embodied in a non-transi
tory computer readable medium that, when executing on one
or more computers, performs the steps of
providing a first database that correlates a plurality of threat
characteristics to a threat, wherein a presence of the
plurality of the threat characteristics confirms a presence
of the threat;
detecting a change event in a computer run-time process;
testing the change event for a presence of one or more of the
plurality of threat characteristics upon detection of the
change event;
storing a detection of one of the plurality of threat charac
teristics in a second database that accumulates detected
characteristics for the computer run-time process;
scaling the plurality of threat characteristics in the first
database to a number of relevant threat characteristics
based upon accumulated detected characteristics in the
second database using an inverted threat index that asso
28
ciates each of a number of particular characteristics with
one or more particular threats, and for each one of the
one or more particular threats, further specifies how
many particular characteristics are used to identify the
one of the one or more particular threats, thereby updat
ing the first database as threat characteristics are
detected in change events; and
identifying the threat when the number of relevant threat
characteristics appear in the second database.
10 2. The computer program product of claim 1, wherein the
threat includes a malware threat to a computer facility.
3. The computer program product of claim 1, wherein the
threat includes a violation of an enterprise security policy.
4. The computer program product of claim 1, wherein the
15 characteristic is a functionality of a computer program.
5. The computer program product of claim 1, wherein one
of the threat characteristics is a property of a computer pro
gram.
6. The computer program product of claim 1, wherein one
of the threat characteristics is a portion of program code.
7. The computer program product of claim 1, wherein the
computer run-time process includes at least one of an access
to a file, a process, a mutual exclusion object, and a registry
key.
25 8. The computer program product of claim 1, wherein the
second database accumulates detected characteristics for
each of a plurality of computer run-time processes.
9. The computer program product of claim 1, wherein the
first database correlates a different plurality of characteristics
30 to each one of a plurality of different threats.
10. The computer program product of claim 1, further
comprising code that performs the step of creating a new
threat characteristic for inclusion into the first database when
the detected change event is identified as a new threat by a
threat identification facility but is not currently in the first
35
database.