EP1410129A2 - Computer security system for identifying suspicious behaviour - Google Patents

Computer security system for identifying suspicious behaviour

Info

Publication number
EP1410129A2
Authority
EP
European Patent Office
Prior art keywords
request
data processing
processing system
approach
prohibited operation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP01912701A
Other languages
English (en)
French (fr)
Inventor
Kelly M. Jones
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Panacya Inc
Original Assignee
Panacya Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2000-02-07
Filing date: 2001-02-07
Publication date: 2004-04-21
Application filed by Panacya Inc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • This invention relates to a system and method for providing security for a computer system. Specifically, this invention relates to protecting a data processing system from operations that degrade the data processing system.
  • Existing computer security systems generally require prior knowledge of a potentially degrading virus (or other harmful computer program, command or instruction) in order to protect against the virus.
  • This prior knowledge takes the form of a signature that identifies the program, command or instruction as harmful behavior.
  • The security system is substantially constantly updated with the newest signatures. Thereafter, the security system monitors all files, including incoming files and resident files, for any identified signatures, and when the system identifies such files, it destroys them.
  • The data processing system includes an operating system.
  • The method preferably requires substantially continually monitoring the operating system for any request from any processor subsystem, determining whether the request involves a prohibited operation, and, if it does, adhering to a predetermined reaction protocol to protect the data processing system from the request. If the request is determined not to involve a prohibited operation, the method then determines whether the request indicates an approach to a prohibited operation -- i.e., the request is not consistent with the current chain of events, or is inappropriate in view of the current chain of events, and may potentially degrade the data processing system. If the request indicates an approach to a prohibited operation, the method preferably requires assessing on a scale whether the approach potentially degrades the data processing system. If the approach is assessed as sufficiently potentially degrading, the method requires adhering to a predetermined reaction protocol to protect the data processing system from the request.
  • FIG. 1 is a block diagram of a preferred embodiment of a system according to the invention.
  • FIG. 2 is block diagram of the behavioral subsystem of system of FIG. 1 according to the invention.
  • FIG. 2A is a block diagram of a preferred embodiment of the adaptive heuristic algorithm within the behavioral subsystem of FIG. 2 according to the invention.
  • FIG. 3 is a block diagram of a preferred embodiment of the environmental integrity subsystem of the system of FIG. 1 according to the invention.
  • FIG. 4 is a block diagram of a preferred embodiment of the access control subsystem of the system of FIG. 1 according to the invention.
  • FIG. 5 is a block diagram of a preferred embodiment of the external connectivity subsystem of the system of FIG. 1 according to the invention.
  • FIG. 6 is a block diagram of a preferred embodiment of the man-machine interface (MMI) subsystem of the system of FIG. 1 according to the invention.
  • FIG. 7 is a block diagram of a preferred embodiment of the file-activity request subsystem of the system of FIG. 1 according to the invention.
  • MMI: man-machine interface
  • A system and method according to the invention protects the computer system from known and unknown viruses as well as other unauthorized intrusions and disruptions.
  • The system utilizes a behavioral subsystem that operates by safeguarding against a certain baseline of known prohibited behavior.
  • This baseline is hereinafter referred to as the behavior set.
  • The behavioral subsystem also has an ability to modify its database of prohibited behavior by experience, in order to adapt to new or unusual circumstances, thereby safeguarding against heretofore unrecognized, yet potentially degrading, behavior while continuing to safeguard against the baseline of known prohibited behavior.
  • Any newly learned behavior is added to the then-current behavior view to yield an advanced behavior view, hereafter referred to as a world view.
  • The behavioral subsystem employs an adaptive heuristic algorithm.
  • The system according to the invention operates as follows. First, the requests received by the system are referred to individual subsystems.
  • The specific subsystem to which a request is referred depends on the origination of the request -- e.g., a request for a file operation is referred to the file-activity subsystem.
  • The individual subsystem preferably screens the incoming requests to determine whether they are directed toward a protected resource. If they are, the subsystem passes the request to the behavioral subsystem for analysis.
  • The behavioral subsystem uses the adaptive heuristic algorithm to monitor and analyze potentially system-degrading input requests.
  • The adaptive heuristic algorithm weights the request according to the operation requested -- e.g., write, read, modify, create, etc. -- and analyzes those requests in order to determine whether they represent an approach to prohibited behavior.
  • The algorithm preferably uses a modality of the behavioral subsystem -- i.e., a determination of the current circumstances, which provides a threshold of what activity is permitted -- together with the weight of the request to determine whether the request should be allowed to pass to the operating system or be terminated.
  • The modality of the system is set by monitoring the most recent user actions to determine whether the present request is appropriate in light of the current user status.
  • An unrecognized request may preferably be terminated when it is either unsolicited by the user or otherwise inconsistent with the current pattern of events.
  • FIG. 1 shows a block diagram of a preferred embodiment of a data-processing system 100 according to the invention.
  • Each subsystem (environmental integrity subsystem 300, access control subsystem 400, external connectivity subsystem 500, man-machine subsystem 600 and file-activity subsystem 700) provides requests to the operating system 900.
  • Each of the subsystems may also provide selected requests to the behavioral subsystem 200.
  • The requests are passed to behavioral subsystem 200 when the subsystem determines that they are directed to a protected resource -- e.g., the win.ini file, the autoexec.bat file, and similar files that are required for configuring or maintaining the system.
  • Behavioral subsystem 200 continually monitors and analyzes any request that it receives using adaptive heuristic algorithm 250.
  • FIG. 2 shows the process of analysis used by behavioral subsystem 200 to determine the nature of request 202.
  • Behavioral subsystem 200 first analyzes each request 202 to determine whether it is a request that exists in the behavior set 203.
  • This set contains known prohibited operations -- i.e., operations that contradict basic system requirements for either sustainability or integrity -- e.g., operations that degrade or destroy a protected resource, as described above. Such operations represent a danger to data-processing system 100 that is constant over time and is considered static in nature.
  • If request 202 is determined to be for a known prohibited operation, behavioral subsystem 200 requires adherence to a predetermined reaction protocol 205 to protect data-processing system 100 from request 202.
  • Reactions in such a reaction protocol preferably include terminating any files with a parent-child relationship to the requesting file -- i.e., terminating any files associated with producing such a request -- and, preferably, where applicable, any files that communicated with the requesting file.
  • If the request is not in the behavior set, behavioral subsystem 200 analyzes request 202 to determine whether it is for an operation that is part of the world model 204.
  • The world model includes any program, process or series of processes that has been determined during the present user session to be a prohibited operation.
  • If the request is in neither the behavior set nor the world model, behavioral subsystem 200 analyzes whether there is an indication in the request of an approach to a prohibited operation 206. If there is such an indication, behavioral subsystem 200 then determines whether request 202 potentially degrades data processing system 100. This process is explained in greater detail with respect to FIG. 2A, in which adaptive heuristic algorithm 250 used by behavioral subsystem 200 is described.
  • If request 202 is assessed as potentially degrading, behavioral subsystem 200 adheres to a predefined behavioral reaction 208, as in the case of a known prohibited behavior, and preferably terminates the request and deletes the file that made it. Thereafter, behavioral subsystem 200 preferably updates the world model to include the terminated request as representative of a prohibited behavior 210.
  • Otherwise, behavioral subsystem 200 allows the activity to continue, preferably under a heightened monitoring status.
  • One example of such a command would be the execution of a word processing program which initiates a call to open a template.
  • the template may be considered a protected resource and, therefore, executing the word processing program affects a protected resource, but does not necessarily approach a prohibited operation.
  • the heightened monitoring status requires tracking the request to the protected resource. Thus, if necessary, changes or modifications to the protected resource can be reversed.
  • FIG. 2A shows in greater detail the operation of the adaptive heuristic algorithm 250 within behavioral subsystem 200.
  • Modality 201 provides header information for incoming system request 202.
  • The header information contained in modality 201 provides the threshold information for determining whether there is an indication of an approach to a known prohibited operation in request 202.
  • The modality preferably exists in three different states, named by analogy with the modes of a burglar alarm: home, stay and away.
  • In the burglar-alarm analogy, Stay mode may permit internal movement but prohibit external-to-internal movement.
  • The final burglar-alarm mode, which provides the highest level of awareness, is Away. In this mode all movements are preferably prohibited, whether external-to-internal or solely internal.
  • Home mode defines a level of awareness of behavioral subsystem 200 that indicates a software modification or software installation process. While in this state, behavioral subsystem 200 allows the user to install or update system software. Behavioral subsystem 200 continues to safeguard system resources that should not be affected by a standard install/update process. Behavioral subsystem 200 can be informed of this state by a direct user command or by some other suitable process.
  • The state of heightened awareness may be implemented by tracking any changes made to a template by a user. If the user destroys the template or modifies it in some undesirable fashion, or, alternatively, if a macro virus destroys a template, the tracking function of the heightened awareness may be used to reverse the effects of the undesirable behavior.
  • Stay mode defines a level of awareness of behavioral subsystem 200 that may preferably indicate standard user activity. Specifically, this level of awareness is designed to protect the system when the user is connected to an external resource -- e.g., the Internet. During this state, a heightened awareness preferably surrounds all critical system resources as well as user-specified files. In this state, behavioral subsystem 200 pays particular attention to behavior that is considered inappropriate or inconsistent.
  • Away mode defines a level of awareness of behavioral subsystem 200 that may preferably indicate a condition of non-user activity. This mode represents the highest state of awareness of behavioral subsystem 200. While in this mode, behavioral subsystem 200 lowers the threshold of determination of prohibited behavior in order to prevent system modifications that would lead to a degradation of system integrity.
  • FIG. 2A also shows a flow chart depicting the operation of adaptive heuristic algorithm 250 within behavioral subsystem 200.
  • The algorithm is used by behavioral subsystem 200 to determine whether a request indicates an approach to prohibited behavior.
  • The algorithm classifies incoming requests based on the subsystem from which the request came, the weight -- i.e., the particular nature -- of the request 253, and the present modality 254.
  • The algorithm then employs delimiters of significance, as known to those skilled in the art, or other suitable processes, such as an S-curve, to determine whether the request represents an approach to prohibited behavior.
  • The modality sets the threshold for determining at what point on the S-curve an approach to prohibited behavior is determined to have occurred 256.
  • During home mode, certain requests -- e.g., certain registry requests required by a software install/update -- will be permitted, while during away mode those same requests will be terminated. If an approach to a prohibited operation is indicated, the request is terminated and the world model is preferably updated 257. If the request is determined not to approach a prohibited operation, the activity is permitted 258.
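The decision path of FIGS. 2 and 2A (protected-resource screening, static behavior set, session world model, operation weight, modality threshold on an S-curve, reaction protocol and world-model update), written out as an added Python example. This is not the patent's own code: the numeric weights, the subsystem bias, the logistic curve and its centre, the modality thresholds, the registry Run key as a protected resource and the sample requests are all assumptions made for illustration; only win.ini, autoexec.bat, the three modalities and the operation names come from the text.

```python
import math
from dataclasses import dataclass

# Modality thresholds on the S-curve (assumed values). A lower threshold means
# a smaller "approach" already triggers the reaction protocol.
MODALITY_THRESHOLD = {"home": 0.85, "stay": 0.60, "away": 0.35}

# Weight of the requested operation (assumed values): destructive operations weigh more.
OPERATION_WEIGHT = {"open": 0.2, "read": 0.3, "create": 0.6,
                    "write": 0.7, "modify": 0.7, "delete": 1.0}

# Bias by the subsystem that referred the request (assumed values).
SUBSYSTEM_BIAS = {"file": 0.0, "registry": 0.05, "access": 0.2}

# Protected resources: win.ini and autoexec.bat are named in the patent; the
# registry Run key is an assumed addition of the same kind.
PROTECTED_RESOURCES = {
    r"c:\windows\win.ini",
    r"c:\autoexec.bat",
    r"hklm\software\microsoft\windows\currentversion\run",
}


@dataclass(frozen=True)
class Request:
    subsystem: str   # referring subsystem: "file", "registry" or "access"
    operation: str   # key of OPERATION_WEIGHT
    resource: str    # file path or registry key
    requester: str   # program that issued the request
    solicited: bool  # True when the request follows directly from user input


class BehavioralSubsystem:
    def __init__(self, modality="stay", behavior_set=()):
        self.modality = modality
        self.behavior_set = set(behavior_set)  # static known-prohibited (operation, resource)
        self.world_model = set()               # prohibited operations learned this session
        self.terminated = []                   # requesters hit by the reaction protocol

    @staticmethod
    def screen(req):
        """Subsystem-level gate: only requests against protected resources are analyzed."""
        return req.resource.lower() in PROTECTED_RESOURCES

    @staticmethod
    def score(req):
        """Map the weighted request onto a logistic S-curve in (0, 1)."""
        x = OPERATION_WEIGHT.get(req.operation, 0.5) + SUBSYSTEM_BIAS.get(req.subsystem, 0.0)
        if not req.solicited:
            x += 0.5  # unsolicited: inconsistent with the current chain of user events
        return 1.0 / (1.0 + math.exp(-8.0 * (x - 0.75)))  # steep curve centred at 0.75

    def react(self, req):
        """Reaction protocol: deny the request and note the requester for termination."""
        self.terminated.append(req.requester)

    def decide(self, req):
        """Return ALLOW, MONITOR or TERMINATE for one request (FIG. 2 / FIG. 2A)."""
        if not self.screen(req):
            return "ALLOW"                       # unprotected resource: straight to the OS
        key = (req.operation, req.resource.lower())
        if key in self.behavior_set or key in self.world_model:
            self.react(req)
            return "TERMINATE"                   # known prohibited, static or learned
        if self.score(req) >= MODALITY_THRESHOLD[self.modality]:
            self.react(req)
            self.world_model.add(key)            # update the world model (step 257)
            return "TERMINATE"
        return "MONITOR"                         # permitted under heightened monitoring


def demo_requests():
    """Constructed request sequence in stay mode; returns the five decisions."""
    bs = BehavioralSubsystem("stay", {("delete", r"c:\windows\win.ini")})
    seq = [
        Request("file", "read", r"c:\docs\letter.txt", "winword.exe", True),     # unprotected
        Request("file", "open", r"c:\windows\win.ini", "winword.exe", True),     # low weight
        Request("file", "delete", r"c:\windows\win.ini", "unknown.exe", False),  # behavior set
        Request("file", "modify", r"c:\windows\win.ini", "unknown.exe", False),  # learned here
        Request("file", "modify", r"c:\windows\win.ini", "winword.exe", True),   # now in world model
    ]
    return [bs.decide(r) for r in seq]


def install_by_modality():
    """The same install-time registry request under each modality (step 256)."""
    run_key = r"hklm\software\microsoft\windows\currentversion\run"
    req = Request("registry", "modify", run_key, "setup.exe", True)
    return {m: BehavioralSubsystem(m).decide(req) for m in MODALITY_THRESHOLD}
```

The last two requests in `demo_requests` show the learning step: a solicited modify of win.ini scores below the stay threshold and would only be monitored, but once the unsolicited modify has been terminated and added to the world model, the same operation is terminated for the rest of the session regardless of score. `install_by_modality` shows the point made above about install-time registry requests: the identical request is monitored in home and stay but terminated in away.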
  • FIG. 3 shows the environmental integrity subsystem 300. This subsystem monitors registry action requests 301 and passes a request to behavioral subsystem 200 preferably only if the request is to perform an action that affects a protected resource 302. Otherwise, the request is passed through environmental integrity subsystem 300 and the activity is continued 305.
  • When environmental integrity subsystem 300 passes a request to behavioral subsystem 200, behavioral subsystem 200 performs the analysis described above with reference to FIGS. 2 and 2A. A portion of that analysis includes assigning a weight to the requested operation based on the nature of the operation -- e.g., open, read, write, modify and create. This weight is used by behavioral subsystem 200 as one of the criteria in the assessment of whether the request approaches a prohibited behavior.
  • Behavioral subsystem 200 receives the registry action request along with the modality 304 preferably only if the action request affects a protected resource 302; it then assigns an associated weight to the requested registry activity, including open, read, write, modify and create. If the action request does not affect a protected resource, the action is permitted to continue 303.
  • FIG. 4 shows the access control subsystem 400.
  • Access control subsystem 400 monitors access control action requests 402 -- e.g., a request to change modalities or a request to change configuration settings -- and passes the information to behavioral subsystem 200 (along with the modality 201) preferably only if the action request affects a protected resource 403. The behavioral subsystem then assigns a weight to the requested activity, including open, read, write, modify and create. If the request does not affect a protected resource, the action request is permitted to continue 404.
  • FIG. 5 shows the external connectivity subsystem 500.
  • External connectivity subsystem 500 monitors external connectivity action requests 502 -- e.g., an internal-to-external request such as a user request to access a web page, or an external-to-internal request such as a web page trying to access a "cookie" or other information from the user system -- and assesses whether the action request is internally or externally generated 503. If the subsystem determines the action request to be externally generated, it preferably then assesses whether the external request is an answer to an internal connectivity action request 504. If the external request is not in response to an internal request, the subsystem preferably updates the world model to include the behavior as a prohibited operation and terminates the activity 506. If the external request is in response to an internal request, the activity is continued.
  • The external connectivity subsystem also passes the information to behavioral subsystem 200, which assigns a weight to the requested socket communications -- including socket listen, set local socket, remote socket connect open/close requests and local socket connect open/close requests -- and allows the activity to continue.
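The FIG. 5 check (is an externally generated request an answer to an outstanding internal request?) is in effect a stateful connection tracker with a learning step; the added Python example below implements it over a constructed event sequence. It is not the patent's own code: the `ConnRequest` fields, the socket-operation weights, the RFC 5737 documentation addresses and the decision to key outstanding requests on the remote endpoint alone are assumptions for illustration; the operation names are the ones listed in the text.

```python
from dataclasses import dataclass

# Weight per socket operation named in the patent (values assumed).
SOCKET_WEIGHT = {
    "socket_listen": 0.8,
    "set_local_socket": 0.5,
    "remote_connect_open": 0.6,
    "remote_connect_close": 0.1,
    "local_connect_open": 0.4,
    "local_connect_close": 0.1,
}


@dataclass(frozen=True)
class ConnRequest:
    origin: str      # "internal" (initiated on the user system) or "external"
    operation: str   # key of SOCKET_WEIGHT
    remote: tuple    # (address, port) of the external party


class ExternalConnectivitySubsystem:
    def __init__(self):
        self.outstanding = {}     # remote -> internal requests still awaiting an answer
        self.world_model = set()  # (operation, remote) learned as prohibited (step 506)
        self.weighted = []        # (request, weight) pairs handed to the behavioral subsystem

    def handle(self, req):
        """Return ALLOW or TERMINATE for one external connectivity action request (FIG. 5)."""
        if req.origin == "internal":
            # Internal-to-external (step 503): remember that an answer is expected.
            if req.operation == "remote_connect_open":
                self.outstanding[req.remote] = self.outstanding.get(req.remote, 0) + 1
            elif req.operation == "remote_connect_close" and self.outstanding.get(req.remote, 0):
                self.outstanding[req.remote] -= 1
            self.weighted.append((req, SOCKET_WEIGHT[req.operation]))
            return "ALLOW"
        # External-to-internal: pass only an answer to an outstanding internal request (step 504).
        if (req.operation, req.remote) in self.world_model:
            return "TERMINATE"
        if self.outstanding.get(req.remote, 0) > 0:
            self.weighted.append((req, SOCKET_WEIGHT[req.operation]))
            return "ALLOW"
        self.world_model.add((req.operation, req.remote))  # step 506: learn and terminate
        return "TERMINATE"


def demo_connectivity():
    """Constructed event sequence (RFC 5737 documentation addresses)."""
    ecs = ExternalConnectivitySubsystem()
    web = ("203.0.113.10", 80)
    stranger = ("198.51.100.7", 445)
    seq = [
        ConnRequest("internal", "remote_connect_open", web),      # user asks for a web page
        ConnRequest("external", "local_connect_open", web),       # the page answers, reads a cookie
        ConnRequest("external", "local_connect_open", stranger),  # nobody asked for this
        ConnRequest("internal", "remote_connect_close", web),     # user is done with the page
        ConnRequest("external", "local_connect_open", web),       # late answer, no longer solicited
    ]
    decisions = [ecs.handle(r) for r in seq]
    return decisions, sorted(ecs.world_model)
```

The fifth event shows the failure mode of learning from a single unsolicited event: a late answer from the web host arrives after the user closed the request, is treated as unsolicited, and the host is then blocked for the rest of the session. An implementation that followed the text literally would need outstanding entries to expire on a timer rather than on close, and to match on the full local/remote address pair, before the world-model update is safe to apply automatically.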
  • FIG. 6 shows the Man-Machine Interface (MMI) subsystem 600.
  • MMI subsystem 600 preferably is configured to receive input from a Keyboard 601, Mouse 602, removable media 603, microphone 604, stylus or touch-screen 605 or other input device — e.g., Joystick -- 615, or any combination of these devices.
  • MMI subsystem 600 monitors the current user input in order to determine user activity/inactivity via a timing mechanism 607. If MMI subsystem 600 determines that there has been no recent user activity 609, it adjusts the modality of behavioral subsystem 200 to away 610.
  • In away mode, when MMI subsystem 600 detects external stimuli 611, it preferably demands user authentication 612. If the authentication fails 613, the system remains in away mode. If the demand is answered correctly 614, the modality of behavioral subsystem 200 is shifted to stay 606 and standard user activity is permitted.
  • When timing mechanism 607 of the MMI subsystem senses external stimuli 608, it preferably maintains the modality at stay 606. It then passes the information to behavioral subsystem 200, which monitors user activity.
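The FIG. 6 behaviour of the MMI subsystem is a small state machine over the modality, driven by an inactivity timer and an authentication demand; the added Python example below models it with an injected clock so the timeline can be replayed deterministically. It is not the patent's own code: the 300-second idle timeout, the passphrase check, the decision that home mode never times out, and the constructed timeline are assumptions; the transitions (stay to away on inactivity, authentication demanded on stimulus while away, failure keeps away, success returns to stay, home entered by direct user command) are the ones the text describes.

```python
# Idle time without user input before the modality drops to away (assumed value, seconds).
IDLE_TIMEOUT_S = 300.0


class MMISubsystem:
    """Tracks input timing and drives the modality of the behavioral subsystem (FIG. 6)."""

    def __init__(self, authenticate, now):
        self.authenticate = authenticate  # callable(credential) -> bool, supplied by the caller
        self.modality = "stay"            # standard user activity
        self.last_input = now             # time of the most recent user input

    def tick(self, now):
        """Timing mechanism 607: no recent user activity (609) moves stay to away (610).
        Home mode is left alone so an unattended install is not interrupted (assumption)."""
        if self.modality == "stay" and now - self.last_input >= IDLE_TIMEOUT_S:
            self.modality = "away"
        return self.modality

    def stimulus(self, device, now, credential=None):
        """External stimulus (608/611) from keyboard, mouse, removable media, microphone, ..."""
        self.last_input = now
        if self.modality == "away":
            # 612: demand authentication; 613: failure keeps away; 614: success returns to stay.
            if credential is not None and self.authenticate(credential):
                self.modality = "stay"
        return self.modality                   # stay or home is simply maintained (606)

    def begin_install(self):
        """Direct user command placing the behavioral subsystem in home mode."""
        self.modality = "home"
        return self.modality

    def end_install(self):
        self.modality = "stay"
        return self.modality


def demo_mmi():
    """Constructed timeline in seconds with an assumed fixed passphrase; returns the modality trace."""
    mmi = MMISubsystem(lambda cred: cred == "correct-passphrase", now=0.0)
    return [
        mmi.stimulus("keyboard", 10.0),                          # stay
        mmi.tick(100.0),                                         # 90 s idle: still stay
        mmi.tick(400.0),                                         # 390 s idle: away
        mmi.stimulus("mouse", 401.0),                            # no credential offered: away
        mmi.stimulus("keyboard", 405.0, "wrong"),                # wrong credential: away
        mmi.stimulus("keyboard", 410.0, "correct-passphrase"),   # authenticated: stay
    ]
```

Note that `stimulus` records the input time even when authentication fails; an implementation that wanted repeated wrong answers to count as suspicious activity would pass the failures on to the behavioral subsystem rather than silently staying in away.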
  • FIG. 7 shows the file-activity request subsystem 700.
  • File-activity request subsystem 700 receives a properly gated request in the form of a file resource request 702 -- e.g., for opening, modifying, creating or deleting a file -- and passes the information to behavioral subsystem 200 as required 706.
  • Behavioral subsystem 200 receives the file resource request along with modality 201 and, when appropriate, allows the file resource to execute, thus becoming an active process 704.
  • An example of an inappropriate file resource request is erasing win.ini and replacing it with a new win.ini.
  • Behavioral subsystem 200 watches the currently running, spawning -- i.e., the creation of files by the currently running file -- and terminating processes, and assigns a weight to the request. The possible weights may include spawn and terminate process. If the additional resource request is assessed to be potentially degrading by behavioral subsystem 200, the request is denied and the parent process (including its children) is terminated 711. If behavioral subsystem 200 determines that no potential system degradation exists in the request, it allows continued activity 710, including spawning and termination of processes.
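The reaction protocol described for FIG. 7 (and earlier for FIG. 2) terminates the requesting process together with its children and, where applicable, the processes it communicated with. The added Python example below tracks spawn and communication relationships from a constructed process log and computes that termination set. It is not the patent's own code: the log line format, the sample process tree and the reading that the process which spawned the requester is spared (the text says "the parent process (including children)", taking the requester to be the parent) are assumptions.

```python
from collections import defaultdict, deque

# Constructed process log; the line format ("spawn <ppid> <parent> -> <pid> <child>",
# "comm <pid> <-> <pid>") is an assumption for this example.
SAMPLE_LOG = """\
spawn 100 explorer.exe -> 200 winword.exe
spawn 200 winword.exe -> 300 cmd.exe
spawn 300 cmd.exe -> 310 ftp.exe
spawn 100 explorer.exe -> 400 outlook.exe
comm 200 <-> 400
"""


class ProcessTracker:
    """Records spawn and communication relationships between running processes (FIG. 7)."""

    def __init__(self):
        self.children = defaultdict(set)  # pid -> pids it spawned
        self.parent = {}                  # pid -> pid that spawned it
        self.name = {}                    # pid -> image name
        self.peers = defaultdict(set)     # pid -> pids it communicated with

    def ingest(self, log):
        for line in log.splitlines():
            parts = line.split()
            if not parts:
                continue
            if parts[0] == "spawn":
                ppid, pname, _, pid, name = parts[1:6]
                ppid, pid = int(ppid), int(pid)
                self.name[ppid], self.name[pid] = pname, name
                self.parent[pid] = ppid
                self.children[ppid].add(pid)
            elif parts[0] == "comm":
                a, b = int(parts[1]), int(parts[3])
                self.peers[a].add(b)
                self.peers[b].add(a)
        return self

    def termination_set(self, requester):
        """Pids hit by the reaction protocol when `requester` makes a degrading request:
        the requester, everything it spawned (transitively) and, where applicable, the
        processes it communicated with. The process that spawned the requester is spared
        (interpretation of "the parent process (including children)")."""
        victims = {requester}
        queue = deque([requester])
        while queue:
            pid = queue.popleft()
            for child in self.children[pid]:
                if child not in victims:
                    victims.add(child)
                    queue.append(child)
        victims |= self.peers[requester]
        return victims


def victims_for(requester, log=SAMPLE_LOG):
    """Sorted pids to terminate for a degrading request from `requester`, from a log text."""
    return sorted(ProcessTracker().ingest(log).termination_set(requester))
```

With the sample tree, a degrading request from cmd.exe (300) takes down cmd.exe and the ftp.exe it spawned but leaves winword.exe running; a degrading request from winword.exe (200) also takes down outlook.exe, because the two exchanged messages, while explorer.exe survives in both cases.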

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)
EP01912701A 2000-02-07 2001-02-07 Computer security system for identifying suspicious behaviour Withdrawn EP1410129A2 (de)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US49949400A 2000-02-07 2000-02-07
US499494 2000-02-07
PCT/US2001/003842 WO2001057629A2 (en) 2000-02-07 2001-02-07 Computer security system identifying suspect behaviour

Publications (1)

Publication Number Publication Date
EP1410129A2 true EP1410129A2 (de) 2004-04-21

Family

ID=23985471

Family Applications (1)

Application Number Title Priority Date Filing Date
EP01912701A Withdrawn EP1410129A2 (de) 2000-02-07 2001-02-07 Computer security system for identifying suspicious behaviour

Country Status (3)

Country Link
EP (1) EP1410129A2 (de)
AU (1) AU2001241454A1 (de)
WO (1) WO2001057629A2 (de)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7552473B2 (en) * 2003-08-12 2009-06-23 Symantec Corporation Detecting and blocking drive sharing worms
KR100897849B1 (ko) * 2007-09-07 2009-05-15 Electronics and Telecommunications Research Institute Method and apparatus for detecting abnormal processes

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US5748964A (en) * 1994-12-20 1998-05-05 Sun Microsystems, Inc. Bytecode program interpreter apparatus and method with pre-verification of data type restrictions
AU6279896A (en) * 1995-06-15 1997-01-15 Fraudetect, L.L.C. Process and apparatus for detecting fraud
IL120632A0 (en) * 1997-04-08 1997-08-14 Zuta Marc Multiprocessor system and method

Non-Patent Citations (1)

Title
See references of WO0157629A3 *

Also Published As

Publication number Publication date
WO2001057629A3 (en) 2002-03-21
WO2001057629A9 (en) 2002-10-31
AU2001241454A1 (en) 2001-08-14
WO2001057629A2 (en) 2001-08-09

Similar Documents

Publication Publication Date Title
US7516477B2 (en) Method and system for ensuring that computer programs are trustworthy
US9774568B2 (en) Computer security architecture and related computing method
US6275942B1 (en) System, method and computer program product for automatic response to computer system misuse using active response modules
JP5030578B2 (ja) Method, data processing system and program for controlling risk with an artificial neural network expert system
US7565549B2 (en) System and method for the managed security control of processes on a computer system
US8286254B2 (en) Behavioral learning for interactive user security
Jamrozik et al. Mining sandboxes
US20110239306A1 (en) Data leak protection application
US8239947B1 (en) Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system
EP0325776A2 (de) A security path mechanism for an operating system
MX2011000019A (es) Data cognition system and method incorporating autonomous security protection
MXPA06001211A (es) End-user data activation
CN102208004B (zh) A software behavior control method based on the principle of least privilege
US20230308460A1 (en) Behavior detection and verification
KR20040056998A (ko) Apparatus and method for detecting malicious executable code through risk assessment
Kandukuru et al. Android malicious application detection using permission vector and network traffic analysis
US7721281B1 (en) Methods and apparatus for securing local application execution
Huang et al. A11y and Privacy don't have to be mutually exclusive: Constraining Accessibility Service Misuse on Android
US8230116B2 (en) Resumption of execution of a requested function command
CN109791588A (zh) Mitigating malicious actions associated with graphical user interface elements
EP1410129A2 (de) Computer security system for identifying suspicious behaviour
CN115292693A (zh) Method for enhancing the security of node.js programs
JP4638494B2 (ja) Computer data protection method
Filman et al. SafeBots: a paradigm for software security controls
US8788845B1 (en) Data access security

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase (Free format text: ORIGINAL CODE: 0009012)
17P Request for examination filed (Effective date: 20030203)
AK Designated contracting states (Kind code of ref document: A2; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR)
R17P Request for examination filed (corrected) (Effective date: 20030127)
STAA Information on the status of an ep patent application or granted ep patent (Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN)
18D Application deemed to be withdrawn (Effective date: 20050901)