GB2507360A - Threat detection through the accumulated detection of threat characteristics - Google Patents

Abstract

Threat detection facility 202 dynamically detects malware through the accumulated identification of threat characteristics, like genes, for targeted computer objects, i.e. run-time processes 210. The facility comprises first database 226 correlating genes to a threat, for example via an inverted threat index, wherein the presence of a plurality of genes confirms the presence of a threat; event capture 212 detecting a change event in run time process 210; characteristic detector 214 extracting genes from the change events; characteristic analyser 218 inserting detections of one of the genes into threat tables 220 in a second database where detected genes for the runtime process are accumulated; and threat analyzer 222 identifying the threat when each one of the genes of the threat appears in the second database. The accumulated identification avoids searching all possible malicious data patterns for all possible threats each time a computer is scanned, increasing performance of the computer.

Description

THREAT DETECTION THROUGH THE ACCUMULATED DETECTION OF

THREAT CHARACTERISTICS

B ACKUROUND

[0001] Field:

[0002] mc present invention is rclated to malwarc threat dctcction in a computer systcm.

[0003] Description of the Related Art:

[0004] Current mcthods and systems for the detcction of malware in a computer system (e.g. the detection software viruses) generally employ signature-based dctcction through systems that search the computer software for data pattcrns that have previously been identified with malicious software. however, since the number of known malicious data patterns can be very large, searching a computer system for all known malicious data patterns can impair the computer's performance. Therefore there is need for methods and systems that are able to identify evidence of malware in a computer system without the need to search all possible malicious data patterns for all possible threals each lime a computer syslem is scanned for malware.

SUMMARY

[0005] This disclosure describes meihods and systems br searching computer sobiware br malware Lhrough the accumiflaled identification of threat characlerislics for Largeted computer ohjecLs (e.g. run-time processes) thai allows For the dynamic deLeclion ob compkx threats in a way ihal scales with the number of Lhreai descriplions and Lhe number ol system objecis tracked.

[0006] In embodiments, the presenL disclosure may provide a meLhod of dynamic Lhreat detection comprising a first daiahase ihat correlates a plurality of threat characteristics to a thrcat, whcrcin a presence of thc plurality of thc thrcat characteristics confirms a presence of the threat; detecting a change event in a computer mn-time process; tcsting the change cvent for a prcscnce of one or more of the plurality of characteristics upon detection of the change event; storing a detection of one of the plurality of characteristics in a sccond databasc that accumulates detected characteristics br the compuler run-lime process; and idenhifying Ihe LhreaL when each one of the pluralihy ob characleristics appears in Ihe second database. The threat may include a maiware Lhreat to a compuler facility, or any oLher like Lhreah such as lisled herein. The Lhreat may include a violahion of an enlerprise security policy. The pluralily of characleristics may include a pluralily of code functionalily, a property of a program, and like, such as referred to herein as genes'. Thc run-time process may include at least one of an access to a file, a process, a mutual cxclusion object, a registry key, and thc like.

The second database may accumulate detected characteristics for each of a plurality of computer run-time processes. The first database may correlate a different plurality of characteristics to each one of a plurality of different threats. The disclosure may provide for creating a new threat characteristic for inclusion into the database when the detected change event is identified as a threat by a threat identification facility hut is not currently in the database.

[0007] These and other systems, methods, objects, features, and advantages of the present invention will he apparent to those skilled in the art from the following detailed description of the preferred embodiment and the drawings. All documents menhioned herein are hereby incorporated in Iheir enhirety by reference.

BRIEF DESCRIPTTON OF TI-IF FIGURES

[0008] The invenlion and ihe following detailed description of cerlain embodiments thereof maybe understood by reference ho the following ligures: [0009] Fig. 1 depicls a Hock diagram of a hhreah management facilihy providing prolechion to an enterprise againsh a plurality of LhreaLs.

[0010] Fig. 2 depicls a Hock diagram ola meihod and system lbr dehechion of Lhreats through accumukihion of Lhreat characherislics.

[0011] Fig. 3 depicls a flow diagram for detection of hhreats through accumulation of threat characteristics.

[0012] While the invention has been described in connection with certain preferred embodiments, other embodimcnts would be understood by one of ordinary skill in the art and are encompassed herein.

[0013] All documents referenced herein are hereby incorporated by reference.

DETAIl ED DESCRIPTION

OO1 4] Fig. I depicis a block diagram oF a threal management facilily providing proieciion to an enterprise againsl a plurality of ihreais. An aspect of Ihe preseni invenlion relates io corporaie policy management and impkmentaLion through a unificd thrcat management facility 100. As will bc explaincd in more dctail below, a threat managcmcnt facility 101) may bc used to protect computcr asscts from many threats, both computer-generated threats and user-generated threats. The threat managcmcnt facility 100 may be multi-dimensional in that it may be dcsigned to protcct corporate assets from a variety of threats and it may he adapted to learn about threats in one dimcnsion (e.g. worm detection) and apply thc knowlcdge in another dimension (c.g.

spam detection). Policy management is one of the dimensions for which the threat management facility can provide a control capability. A corporation or other entity may institute a policy that prevents certain people (e.g. employees, groups of employees, types of employees, guest of the corporation, etc.) from accessing certain types of computer programs. For example, the corporation may &ect to prevent its accounting department Irom using a particular version of an instant messaging service or all such services. Tn Ihis example, Ihe policy managemeni facilily 112 maybe used lo updaie ihe policies oF all corporate computing asseis wiLh a proper policy conirol facility or ii may update a select Ièw. By using the threat management Facifity I 00 to!acililale ihe seiting, updaling and conirol of such poficies the corporation on'y needs Lobe concerned with keeping Ihe Lhreat managemenl Facility I 00 up to dale on such policies. The Lhreat managemenl facility I 00 can take care oF updaiing all of ihe oiher corporate computing assets.

OO15] It should be undersiood thai ihe ihreat managemenl Faciliiy 100 may provide muliiple services, and policy managemenl maybe oflered as one ol Lhe services.

We wifl now lurn lo a description of ceriain capahifities and componenls of the ihreaL managcment system 100.

[0016] Over recent years, malware has become a major problem across the internct 154. From both tcchnical and user perspectives, the categorization of a spccific threat type, whether as virus, worm, spam, phishing exploration, spyware, adware, or the like, is becoming rcduced in significance. the threat, no matter how it is categorized, may need lo he slopped at various poinis of a neiworlced computing environment, such as one ol an enterprise facility 1 02, including al one or more laptops, desktops, servers, galeways, communicalion ports, handheld or mobile devices, firewalls, and the like.

Similarly, Ihere maybe less and less henelil Lo Ihe user in having diftereni solulions br known and unknown ihreais. As such, a consolidaled ihreal managemeni faciliLy 1 00 may need to apply a similar set of technologics and capabilitics for all threats. In certain embodiments, the threat managemcnt facility 100 may provide a single agent on the desktop, and a single scan of any suspect file. This approach may eliminate the incvitablc overlaps and gaps in protection caused by treating viruses and spywarc as separate problems, while simultaneously simplifying administration and minimizing desktop load. As the number and range of typcs of threats has increased, so may havc the level of connectivity available to all If users. This may have lead to a rapid increase in the speed at which threats may move. Today, an unprotected PC connected to the internet 154 may be infected quickly (perhaps within 10 minutes) which may require acceleration for the delivery of threat protection. Where once monthly updates may have been sufficient, the threat management facility 100 may automatically and seamlessly update us produci sd againsi spam and virus threats quickly, for inslance, every five minutes, every minule, continuously, or the like. Analysis and tesling may be increasingly automated, and also maybe performed more frequently; for instance, it may he completed in IS minutes, and may do so withoul compromising quality. The Lhreat managemenl facilily 100 may also exiend techniques that may have been developed for virus and malware protection, and provide them to enlerprise facility 102 network administralors to better contro' their environments. In addition to stopping malicious code, the threat managemeni facility 100 may provide policy management thai may he able to control egiLimate applications, such as VoIP, instant messaging, peer-to-peer file-sharing, and the Ulce, that may undermine productivity and network performance within thc enterprise facility 102.

[0017] The threat management facility 100 may provide an enterprise facility 102 protcction from computcr-based malwarc, including viruses, spyware, adware, Trojans, intrusion, spam, policy abuse, uncontrolled access, and the like, where the enterprise facility 102 may be any entity with a networked computer-based infrastructure.

In an emhodiment, Fig. I may depici a hthck diagram o1 the ihreai managemeni facilily I 00 providing protection to an enlerprise againsi a p'urality of lhreaLs. The enterprise facility 102 maybe corporale, commercial, educational, governmental, or the Uke, and Ihe enlerprise faciliLy's 102 computer neiwork may he disirihuted amongst a plurality of facilities, and in a pluraliLy o1 geographical locaLions, and may indude adminisiralion 134, a fircwall I3SA, an appliance 140A, servcr 142A, nctwork devices I4A-B, clicnts 144A-D, such as protectcd by computer security facilities 152, and the like. Thc threat management facility 100 may include a plurality of functions, such as security managcment facility 122, policy management facility 112, updatc facility 120, dcfinitions facility 114, network access rules facility 124, remedial action facility 128, detection techniques facility 130, testing facility 1 IS, threat research facility 132, and the likc. in embodiments, the threat protection provided by the threat management facility 100 may extend beyond the network boundaries of the enterprise facility 102 to include client facilities 144D that have moved into network connectivity not directly associated or controlled by the enterprise facility 102. Threats to client facilities 144 may come from a plurality of sources, such as from network threats 104, physical proximity threats 110, secondary localion Lhreats 108, and the like. Clienls 144 may he protected Irom LhreaLs even when ihe client 144 is noL located in associaLion wiLh Ihe enlerprise 102, such as when a clienL I 44R-F moves in and oul of the enierprise 102 such as interfacing wiLh an unprotecLed server I 42C through the Internet 154, when a client 1 44F is moving into a secondary localion Lhreat 108 such as interlacing wiLh componenis 136B, 142B, 148C, I 48D LhaL are noL protecled, and Lhe like. Tn embodimenis, ihe ihreai managemenL facility I 00 may provide an enLerprise Facility 102 proLection Irom a pluralily of ihreats to multiplatlorm compuler resources in a pluraliLy oF localions and network conligurations, wilh an integraled syslem approach.

OO18] In embodiments, the ihreai managemenL facilily IOU maybe provided as a stand-alone solution. in other embodimcnts, the threat management facility 100 may he integrated into a third-party product. An application programming interface (e.g. a source code interface) may be provided such that the threat management facility 100 may he integrated. For instance, the threat management facility 100 may be stand-alone in that it provides direct threat protection to an cnterprisc or computcr rcsource, where protection is subscribed to direcUy 100. AlLernatively, the threat management Facility may oiler protection indirectly, Lhrough a third-parly product, where an enterprise may subscribe Lu services through the third-party product, and threat protection to the enterprise maybe provided by the threat managemeni lacilily 100 through the Lhird-parLy pr()ducL [0019] mc security managcmcnt facility 122 may include a plurality of clcmcnts that providc protection from malware to enterprise facility 102 computer resources, including endpoint security and control, email security and control, web sccurity and control, reputation-bascd filtering, control of unauthorized uscrs, control of guest and non-compliant computers, and the like. The security management facility 122 may be a software application that may provide malicious code and malicious application protection to a client facility 144 computing resource. The security management facility 122 may have the ability to scan the client facility 144 files for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions and perform other security measures. In embodiments, scanning the client facility 144 may include scanning some or all of the files stored to the client facility 144 on a periodic basis, may scan applications once the applicaLion has been requesied to execuLe, may scan lies as the flIes are Lransmilted to or Irom Lhe clienL litcihLy 144, or the like.

The scanning of Lhe applications and iiles maybe Lo detect known malicious code or known unwanted applications. In an embodimeni, new malicious code and unwanted apphcations maybe continuafly developed and distrihuLed, and updates to Lhe known code dalahase may he provided on a periodic basis, on a demand basis, on an alert basis, or ihe like.

OO2O] In an emhodimenL, ihe security managemeni facility 1 22 may provide br email security and conirol, where securily management may help Lu efiminaLe spam, viruses, spyware and phishing, control oi email conLeni, and ihe like. The security managcmcnt facility's 122 email sccurity and control may protcet against inbound and outbound threats, protect email infrastructure, prevent data leakage, provide spam filtcring, and the like, in an embodimcnt, security management facility 122 may providc for web security and control, where security management may help to detect or block viruses, spyware, malwarc, unwantcd applications, help control web browsing, and the Uke, which may provide comprehensive web access conirol enabling sale, produclive web browsing. Weh security and conirol may provide inlernel use policies, reporling on suspeci devices, securily and content liltering, aclive moniloring of neiworlc fta!iic, URI liltering, and the like. In an embodiment, the securily management faciliLy 122 may provide br neiworlc access conirol, which may provide conlrol over neiworlc conncctions. Network control may stop unauthorized, gucst, or non-compliant systcms from accessing networks, and may control network traffic that may not be bypasscd from the client level. In addition, network access control may control access to virtual private networks (VPN), where VPNs may be a communications nctwork tunneled through another network, establishing a logical connection acting as a virtual network. In embodiments, a VPN may be trcatcd in the samc manner as a physical network.

[0021] In an embodiment, the security management facility 122 may provide for host intrusion prevention through behavioral based protection, which may guard against unknown threats by analyzing behavior before software code executes.

Behavioral based protection may monitor code when it runs and intervene if the code is deemed to be suspicious or malicious. Advantages of behavioral based protection over runlime proteclion may include code being prevented from running, whereas runlime proleclion may only inlerrupi code that has already parlly executed; behavioral protection may idenLify mahcious code al the gateway or on the bile servers and deletes it before reaching end-point computers and the like.

[0022] In an embodimenl, the security managemeni facility 1 22 may provide br repulalion filtering, which may targel or idenlify sources of lcnown malware. For inslance, repulation lillering may include lisis of URIs of know-n sources of malware or known suspicious IP addresses, or domains, say for spam, that when detected may invoke an aclion by ihe threat management laciliLy iOU, such as dropping ihem immediaLely. By dropping the source before any inleracLion can initiale, potential threal sources may be thwarted beforc any exchangc of data can be made.

[0023] In embodiments, information may be sent from the enterprise back to a third party, a vendor, or thc like, which may lead to improved pcrformanec of the threat management facility 100. For example, the types, times, and number of virus interactions that a client experiences may provide useful information for thc preventions of future virus threats. This type of feedback may he useful!or any aspeci of threal detection.

Feedback ol inlormation may also he associaled wiih behaviors of individuals within the enterprise, such as being associaled with mosi common violations 0! policy, neiwork access, unaulborited application loading, unaulhorized external device use, and the like.

In embodiments, this type ol inlormation feedback may enable the evauat1()n orproliling of clicnt actions that are violations of policy that may provide a prcdictive model for the improvement of enterprisc policies.

[0024] In an embodiment, the security management facility 122 may provide for the overall sccurity of thc enterprisc facility 102 network or set of enterprise facility 102 networks, may provide updates of malicious code information to the enterprise facility 102 network, and associatcd clicnt facilitics 144. The updates may be a planncd update, an update in reaction to a threat notice, an update in reaction to a request for an update, an update based on a search of known malicious code information, or the like.

The administration facility 134 may provide control over the security management facility 122 when updates are performed. The updates maybe automatically transmitted without an administration facility's 134 direct control, manually transmitted by the adminisiralion facility 134, or ihe like. The securily management facility 122 may include the management oF receiving malicious code descriptions liom a provider, disirihulion oF malicious code descriptions to enlerprise facilily 102 networks, disirihulion oF malicious code descriptions to client Facifihies 144, or the like. In an embodiment, the managemeni of malicious code ink)rmalion may he provided lo Ihe enterprise faciliLy's 102 neiwork, where Ihe enterprise FaciliLy's 102 network may provide Ihe malicious code iniormalion ihrough the enterprise faciliLy's 102 nelwork distrihulion system.

OO25] The threal management facilily 100 may provide a policy managemenL facility 112 ihal maybe able lo block non-malicious applicalions, such as VoIP 164, instant mcssaging 162, peer-to-pcer file-sharing, and thc like, that may undemüne productivity and network performance within the enterprise facility 102. The policy managcment facility 112 may be a set of rules or policics that may indicate entcrprise facility 102 access permissions for the client facility 144, such as access permissions associatcd with the nctwork, applications, external computer dcvices, and the like. The policy management faciliLy 1 12 may include a dalahase, a lext lile, a combination of databases and Lext files, or ihe like. In an emhodimenL, a policy dalahase may he a block fist, a black lisi, an allowed hsl, a while lisi, or the like ihal may provide a lisi of enterprise faciliLy 102 exLernal network locations/applications thai may or may not he accessed by ihe client laciliLy 144. The policy managemenL faciliLy 112 may include rules that may bc intcrprctcd with respcct to au cnterprise facility 102 network acccss rcquest to detcrminc if the rcquest should be allowed. Thc rules may provide a generic rule for the type of access that may he granted: the rules may be related to the policies of an enterprise facility 102 for access rights for the cnterprise facility's 102 client facility 144. For example, there may be a rule that does not permit access to sporting websites.

When a website is requcsted by the client facility 144, a security facility may access thc rules within a policy facility to determine if the requested access is related to a sporting website. In an embodiment, the security facility may analyze the requested website to determine if the website matches with any of the policy facility rules.

[0026] The policy management facility 112 may be similar to the security management facility 122 hut with the addition of enterprise facility 102 wide access rules and policies ihat may he disirihuted Lo mainLain control of client ladiliiy 144 access Lo enterprise faciliLy 102 neLwork resources. The policies maybe delined for application Lype, suhsei of application capahililies, orgarnzalion hierarchy, computer facility type, user type, network location, Lime of day, connecLion Lype, or Lhe like. Policies may be maintained by ihe administration facility 134, ihrough Ihe LhreaL management faciliLy IOU, in associaLion with a ihird parly, or Lhe like. For example, a policy may restrici TM 162 activily lo only support personnel For communicating wiLh customers. This may aflow communicaLion br departmenls requiring access, hut may mainlain the network handwidLh for oiher acLiviLies by restricting ihe use of TM 162 Lu only ihe personnel Lhal need access 10 TM 1 62 in supporl of Lhe enlerprise Facility I 02. Tn an emhodimenl, ihe policy management facility 112 may be a stand-alone application, may be part of thc network server facility 142, maybe part of the enterprise facility 102 network, maybe part of the client facility 144, or thc like.

[0027] In embodiments, the threat management facility 100 may provide configuration managcmcnt, which may be similar to policy management, but may speci lically examine the conhguration set of applications, operating syslems, hardware, and the like, and managing changes to their conligurations. Assessment ola conliguration maybe made against a standard conliguration policy, detection of conliguration changes, remediation ol improper conliguration, application ol new conligurations, and the like. An enterprise may keep a set oF standard configuration rules and policies which may represent the desired state of the device. For example, a client firewall may be runrnng and installed, but in the disabled state, where remcdiation may he to enable the firewall. In another example, the enterprise may set a rule that disallows the use of IJSB disks, and sends a configuration change to all clients, which turns off USB drive access via a registry.

[0028] In embodiments, the threat management facility 100 may also provide for the removal of applications that may interfere with the operation of the threat management facility 100, such as competitor products that may also be attempting similar threat management functions. The removal of such products may be initiated automatically whenever such products are detected. In the case where such applications are services are provided indirectly though a third-party product, the application may be suspended until aclion is taken to remove or disable Ihe third-parly produci's protection facility.

[0029] Threat managemeni against a sometimes quickly evolving malware environment may require timely updates, and the update management Facility 120 maybe provided by the threat management facility 100. In addition, a policy management facility 112 may also require update management (e.g. as provided by Ihe update Facility herein described), as the enterprise facility 1 02 requirements For policies change enterprise facility 102, cflent Facility 144, server facility 142 enterprise Facility 102. The update management For the security Facility 122 and policy managemeni facility 112 may he provided directly hy the threat management Facility 100, such as hy a hosted system or in conjunction with the administration facility 134. In embodimcnts, the threat management facility 100 may provide for patch management, where a patch may he an update to an operating system, an application, a system tool, or the like, where one of the reasons for the patch is to reduce vulnerability to threats.

OO3O] In embodiments, the securily facilily 1 22 and po icy management facility 112 may push inlormation Lo the enlerprise Facilily I 02 neLwork and/or clieni facility 144, the enterprise facility 102 neiwork and/or client faciliLy 144 may pull inlormaLion from the securily FaciliLy 122 and policy managemeni Facility 112 neLwork server FaciliLies 142, there maybe a comhinaLion ol pushing and pulling olmiormalion bctwccn the sccurity facility 122 and thc policy management facility 112 network servers 142, enterprise facility 102 network, and client facilities 144, or the like. For cxample, the enterprise facility 102 network and/or client facility 144 may puil information from thc security facility 122 and policy managemcnt facility 112 network servcr facility 142 may request the information using the security facility 122 and policy management facility 112 updatc module; the request may be based on a certain time pcriod, by a certain time, by a date, on demand, or the like. In another example, the security facility 122 and policy management facility 112 network servers 142 may push the information to the enterprise facility's 102 network and/or client facility 144 by providing notification that there are updates available for download and then transmitting the information. The combination of the security management 122 network server facility 142 and security update module may luncLion substantially ihe same as the policy management Facifily 12 network server and poficy updaLe module by providing miormation to the enLerprise facility 102 neLwork and ihe clieni FaciliLy 144 in a push or pull method. In an embodiment, the poficy management faciliLy 112 and Lhe securiLy Facility 122 managemeni update modules may work in concerl to provide all ihe needed inlormalion Lu the enLerprise faciliLy' s I 02 neLwork andlor dienL Facilily 144 br control ol apphcaiion execution. In an embodiment, the poficy updaie module and security update module may he combined mb a single update module.

OO31] As threats are idenlified and characieriied, ihe Lhreal managemenb facility I 00 may create debinibion updabes Ihat may he used bo allow the lhreab managcment facility 100 to detect and rcmediate the latest malicious softwarc, unwanted applications, configuration and policy changes, and the like. The threat definition facility 114 may contain thrcat idcntification updatcs, also referred to as definition files. A definition file may he a virus identity file that may include definitions of known or potential malicious code. Thc virus identity (IDE) definition files may provide inlormalion Ihal may identify malicious code within files, applications, or the like. The definition files may he accessed by security managemeni facilily 122 when scanning flies or applicalions within the clieni facifily 144 for Ihe determination ol malicious code that maybe wiihin Ihe file or applicalion. The definition files may conlain a number of commands, definilions, or inslruclions, to he parsed and acted upon, or Ihe like. Tn embodiments, the client facility 144 may be updated with new definition files periodically to provide the client facility 144 with the most recent malicious code definitions; the updating may be performed on a set time period, may he updated on demand from the client facility 144, may be updated on demand from the network, may he updated on a received malicious code alert, or the like. In an embodiment, the client facility 144 may request an update to the definition files from an update facility 120 within the network, may request updated definition files from a computing facility external to the network, updated definition files may be provided to the client facility 114 from within the network, definition files may he provided to the client facility 144 from an external computing facility from an external network, or the like.

[0032] In an embodiment, a definition management facility 114 may provide br the timely updates of definilion files inlormaLion 10 ihe network, clieni facihiies 144, and Lhe like. New-and aiLered mahcious code and malicious applicaLions maybe conlinually created and disirihuied Lo networks worldwide. The definition files Ihat maintain the definilions of the malicious code and malicious applicalion informaLion br Ihe prolecLion of the neiworks and client facihiies 144 may need continual updaLing to provide conLinual defense of Ihe network and clienl facility 144 from the malicious code and malicious applications. The definition files management may provide br automalic and manual meihods of updating the definition files. in emhodimenls, the network may receive debiniLion flies and disirihute the definiLion flies to the neiwork clieni faciliLies 144, the clieni facilities i 44 may receive Lhe definilion files directly, or the network and client facilities 144 may both receive the definition files, or the like, in an embodiment, the definition files may he updated on a fixed periodic basis, on demand by the network and/or the client facility 144, as a result of an alert of a new malicious code or malicious application, or the like. In an embodiment, the definition files may be released as a supplemental file 10 an existing definition flIes to provide br rapid updating of the definition flies.

[0033] In a similar manner, the security management facility 122 may he used Lo scan an outgoing bile and verify thai ihe outgoing bile is permitted to he transmitted per ihe enterprise facility 102 rules and poficies. By checking outgoing flies, the security managcment facility 122 may be able discover malicious code infectcd files that werc not detectcd as incoming files as a result of the client facility 144 having been updated with either new definition files or policy management facility 112 information. The definition files may discover thc malicious code infected file by having received updates of developing malicious code from the administration facility 134, updates from a definition files provider, or the like. The policy management facility 112 may discover the malicious code infected file hy having received new updates from the administration facility 134, from a rules provider, or the like.

[0034] The threat management facility 100 may provide for a way to control access to the enterprise facility 102 networks. For instance, the enterprise facility 102 may want to restrict access to certain applications, networks, files, printers, servers, databases, or the like. In addition, the enterprise faciliiy 1 02 may want to restrict user access under certain conditions, such as the user's location, usage history, need to know, joh position, connection type, lime of day, method of authentication, clieni-sysiem conliguration, or the like. Network access rules may he developed by the enterprise facility I 02, or pre-packaged by a supplier, and managed hy the threai management facility IOU in conjunction with the administration facility 134. Network access ruies and control may he responsible for determining if a client facility 144 appficalion should he granted access to a requested network ocation. The network thcation may he on the same neiwork as the facility or may he on another network. In an embodiment, the network access control may verify access rights for client facilities 144 from within the network or may verify access rights of computer facilities from external networks. When network access for a client facility 144 is denied, the network access control may send an information file to the client facility 144, the information file may contain data or commands that may provide instructions for the remedial action facility 128. The information sent by the network access facility 124 control may be a data file. the data lile may conlain a number ol commands, definitions, instructions, or commands Lo he parsed and acted upon through the remedial action facility 1 28, or ihe like. The inlormalion seni by the neiwork access FaciliLy 124 contr& may he a command or command file Ihat Ihe remedial action Facility 128 may access and take aclion upon.

OO35] In an embodimeni, ihe network access rules 1 24 may provide an information storc to be accessed by the nctwork access control. The network access rules facility 124 may include databases such as a block list, a black list, an allowed list, a white list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like of network access locations that may or may not he accessed by the client facility 144. Additionally, the network access rules facility 124 may incorporate rule evaluation; the rule evaluation may parse network access requests and apply the parsed information to network access rules. The network access rule facility 124 may have a generic set of rules that may he in support of an enterprise facility's 102 network access policies, such as denying access to certain types of websites 158, controlling instant messenger 162 accesses, or the like. Rule evaluation may include regular expression rule evaluation, or other rule evaluation method for interpreting the network access request and comparing the inLerprelation to the eslabflshed rules For network access. In an embodiment, the neiwork access rules faciliiy 124 may receive a rules evalualion requesl from the neiwork access conirol and may return the rules evalualion Lo Ihe neiwork access conirol.

OO36] Similar lo the threal delinilions Facilily 114, the neiwork access rule facility I 24 may provide updaied rifles and policies to the enterprise Facility I 02. The network access rules Facility 124 may he mainlained by Ihe network adminisiralion facility 134, using neiwork access rules Facilily 124 managemenl. In an embodimenl, ihe network adminisiralion Facility 134 maybe able Lo maintain a set oF access rules manually by adding rules, changing ruks, deleting rules, or Ihe Uke. Additionally, the administration facility 134 may be able to retrieve predefincd rule sets from a provider that may provide a set of rules to be applied to an entire enterprise facility 102. The network administration facility 134 may be able to modify the predcfined rules as needed for a particular enterprise facility 102 using the network access rules management facility 124.

OO37] V/ben a Lhreai or policy violation is detected by the threal managemeni facility IOU, the threat managemeni faciliLy 100 may provide br a remedial acLion facility 128. Remedial action may take a pluralily of forms, such as Lerminating or modibying an ongoing process or interaction, sending a warning to a clieni or administration Facilily 134 o1 an ongoing process or interaction, executing a program or application Lu remediale against a threat or violation, record interactions for subsequent evaluation, or the like.

Remcdial action may be associated with an application that responds to information that a client facility 144 network access request has been denied. In an embodiment, when the data file is reccived, remedial action may parsc thc data file, intcrpret the various aspccts of the data file, and act on the parsed data file information to determine actions to he taken on an application requesting access to a denied nctwork location, in an embodiment, when the data file is received, remedial action may access the threat definitions to parse the data file and determine an action to be taken on an application requesting access to a denied network location. In an embodiment, the information received from the facility may he a command or a command file. The remedial action facility may carry out any commands that are received or parsed from a data file from the facility wiLhouL perlorming any inlerpreLalion of Ihe commands. In an emhodimenL, the remedial action faciliLy may interact with Ihe received information and may perlorm various aclions on a clieni requesting access lo a denied neLwork localion. The acLion maybe one or more ol continuing Lu Hock all requesLs Lu a denied network location, a malicious code scan on the applicaLion, a malicious code scan on Lhe client faciliLy 144, quaranLine oF ihe applicaLion, LerminaLing Lhe application, isolation of ihe applicaLion, isolalion of the clieni bacflity 144 to a locaLion wiLhin ihe network that restrieLs neLwork access, hlocking a neiwork access porl From a cflenL facilily 144, reporLing Lhe appficalion Lo a adminisiralion facility 134, or Lhe Uke.

OO38] Remedial action may he provided as a resuk of a deteclion of a threat or violation. The detcction tcchniques facility 130 may includc monitoring thc entcrprisc facility 102 network or end-point devices, such as by monitoring streaming data through thc gateway, across the network, through routers and hubs, and thc like. Tie dctection techniques facility 130 may include monitoring activity and stored files on computing facilities, such as on scrvcr facilities 142, dcsktop computers, laptop computers, othcr mobile computing devices, and the like. Detection techniques, such as scanning a computer's stored flies, may provide the capahifity of checking flies for stored lhreaLs, either in the active or passive state. Detection techniques, such as streaming file management, may provide the capability of checking files received at the network, gateway facility, client facility 144, and the like. This may provide the capability of not allowing a streaming file or portions of the strcaming file containing malicious code from cntering the client facility 144, gatcway facility, or network. In an embodiment, the streaming file may he broken into blocks of information, and a plurality of virus identities may be used to check each of thc blocks of information for malicious code. In an embodiment, any blocks that are not determined to he clear of malicious code may not he delivered to the client facility 144, gateway facility, or network.

[0039] Verifying that the threat management facility 100 is detecting threats and violations to established policy, may require the ability to test the system, either at the system level or for a particular computing component. The testing facility 118 may allow the administration facility 134 to coordinate the testing of the security configurations of client facility 144 computing facilities on a network. The administration facility 134 maybe able 10 send test flies to a set ol client facility 144 computing facilities to test the ability of the client facility 144 to determine acceptability of the test file. Alter the test lile has been transmitted, a recording facility may record the actions taken by the client facility 144 in reaction to the test file. The recording facility may aggregate the testing information from the client facility 144 and report the testing inlormation to the administration facility 134. The administration facility 134 maybe able to determine the level ol preparedness of the client facility 144 computing facilities by the reported information. Remedial action may be taken for any of the client facility 144 computing facilities as determined by the administration facility 134; remedial action maybe taken by the administration facility 134 or by the user of the client facility 144.

[0040] Thc threat research facility 132 may providc a continuously ongoing effort to maintain the threat protection capabilities of the threat management facility 100 in light of continuous generation of new or cvolved forms of malware. threat research may include researchers and analysts working on known and emerging malware, such as viruses, rootkits a spyware, as well as other computer threats such as phishing, spam, scams, and the like. Tn emhodimenLs, lhrough threal research, the lhreai managemeni facility IOU maybe able Lo provide swill, global responses to the lalesi threaLs.

OO41] The threai management faciliiy 100 may provide ihreal protection to Ihe enLerprise faciliLy 102, where the enlerprise faciliiy 102 may include a pluralily of networked componenls, such as client Facility 144, server facility 142, administration facility 134, fircwall 13S, gateway, hubs and routers 148, thrcat managemcnt appliance 140, desktop users, mobile users, and the likc. in embodimcnts, it may be the end-point computer security facility 152, located on a computer's desktop, which may provide threat protcction to a user, and associated entcrprise facility 102. in embodiincnts, the term end-point may refer to a computer system that may source data, receive data, cvaluate data, buffer data, or thc like (such as a user's dcsktop computer as an end-point computer), a firewall as a data evaluation end-point computer system, a laptop as a mobile end-point computer, a PDA as a hand-held end-point computer, a mobile phone as an end-point computer, or the like. In embodiments, end-point may refer to a source or destination for data, including such components where the destination is characterized by an evaluation point for data, and where the data may be sent to a subsequent destination alter evaluation. The end-poini computer security!aciliiy 152 maybe an applicalion thaded onlo the compuLer plalForm or compuLer support componenl, where ihe application may accommodate the pluraliLy ol computer plallorms andlor fttnctional requiremenis of the componenl. For instance, a clieni FaciliLy 144 compuLer may he one of a p'urality of compuler plaiforms, such as Windows, Maciniosh, Linux, and the like, where ihe end-poinL computer security Facifity 152 may he adapted 10 ihe specilic phttlorm, while maintaining a urniorm produeL and produci services across platforms.

Additionally, componenis may have dilTereni functions to serve within the enterprise facility's I 02 neiworked compuLer-hased infrastructure. For insLance, computer support componenls provided as hubs and rouLers 148, server Facility 142, lirewalls 1 3S, and the like, may requirc unique security application softwam to protect their portion of thc system infrastructure, while providing an element in an integrated threat management system that extends out beyond the thrcat managcment facility 100 to incorporatc all computer resources under its protection.

OO42] The enlerprise Facility 102 may include a plurality of clieni Facilily 144 compuling plaiforms on which Ihe end-poini compuler securily faciliLy 152 is adapted. A cfient faciliLy 144 compuLing platform may he a computer system Lhat is ahle to access a service on anoLher compuLer, such as a server VacUity 142, via a neiwork. This client facility 144 server faciliLy 142 model may apply 10 a pluralily of networked applicaLions, such as a clicnt facility 144 connecting to an enterprise facility 102 application scrver facility 142, a web browser client facility 144 connecting to a web server facility 142, an e-mail client facility 144 retrieving e-mail from an internet 154 service provider's mall storage servers 142, and the like. In embodimcnts, traditional large client facility 144 applications maybe switched to websites, which may increase the browser's role as a client facility 144. Clients 144 may be classificd as a function of the extent to which they perform their own processing. For instance, client facilities 144 are sometimes classified as a fat client facility 144 or thin client facility 144. The fat client facility 144, also known as a thick client facility 144 or rich client facility 144, may he a client facility 144 that performs the hulk of data processing operations itself, and does not necessarily rely on the server facility 142. The fat client facility 144 may he most common in the form of a personal computer, where (be personal computer may operate independent of any server facility 142. Programming environmenis br faL clients 144 may include CURT, Delphi, DropleLs, Java, win32, Xli, and Lhe like. Thin clients 144 may oiler minimal processing capahiliLies, For instance, the Lhin clieni FaciliLy 144 may primarily provide a graphical user interface provided by an applicaLion server Facility 142, which may perform the hulk of any required data processing. Programming environmenis br ihin clients 144 may include JavaScripL/AJAX, ASP, JSP, Ruby on Rails, Python's Django, PHP, and the Uke.

The client facility 144 may also he a mix of Lhe two, such as processing dala locally, but relying on a server facility 142 for data storage. As a result, this hybrid clienL Facilily 144 may provide henefiLs from both the ha client Facility 144 type, such as muhimedia support and high performancc, and the thin clicnt facility 144 type, such as high manageability and flexibility. In embodiments, the threat management facility 100, and associatcd end-point computer security facility 152, may provide seamlcss thrcat protection to the plurality of clients 144, and client facility 144 types, across the cnterprisc facility 102.

OO43] The enlerprise Facility 102 may include a plurality of server facilities 142, such as apphcaLion servers, communications servers, File servers, dalahase servers, proxy servers, mail servers, fax servers, game servers, web servers, and the like. A server facility I 42, which may also he reFerred to as a server Facility I 42 application, server facility I 42 operating system, server FaciliLy 1 42 compuLer, or Ihe Uke, may he an application program or operating system that accepts client facility 144 connections in order to service rcquests from clients 144. The server facility 142 application may run on the same computer as the client facility 144 using it, or the server facility 142 and the client facility 144 may bc running on different computers and communicating across the network. Server facility 142 applications may he divided among server facility 142 computers, with the dividing depending upon the workload. For instancc, under light load conditions all server facility 142 applications may run on a single computer and under heavy load conditions a single server facility 142 application may run on multiple computers. In embodiments, the threat management facility 100 may provide threat protection to server facilities 142 within the enterprise facility 102 as load conditions and application changes are made.

OO44] A server Facilily 142 may also bean appfiance Facility 140, where Lhe appliance facifity 140 provides specilic services onlo Lhe neiwork. Though ihe appliance facility 140 is a server facility 142 computer, that maybe thaded with a server facility 142 operaLing system and server facility 142 appflcalion, the enterprise facility 102 user may not need to conligure ii, as ihe conliguraLion may have been perFormed by a third party. Tn an emhodimenl, an enlerprise Facility I 02 appliance may he a server faciliLy 142 appliance that has been conligured and adapled for use with the threal managemeni facility I 00, and localed within the Facililies of Ihe enterprise facility 1 02. The enterprise facility's 102 ihreai management appliance may enable the enterprise facilily 102 to adminisler an on-sue local managed Lhreai protection conliguraLion, where Ihe administration facility 134 may acccss the threat rcsourccs through an intcrface, such as a web portal. In an alternate embodiment, the enterprise facility 102 may be managed rcmotcly from a third party, vendor, or the like, without an appliance facility 141) located within the enterprise facility 102. In this instance, the appliance functionality maybe a shared hardware product betwcen pluralities of enterprises 102. In embodiments, the appliance laciHty 140 may he located al the enterprise facility 1 02, where the enterprise facility 102 maintains a degree ol control. In emhodimenls, a hosted service may he provided, where Ihe appliance 140 may still he an on-site black box lo Ihe enterprise facility 102, physically placed Ihere because of infrastructure requirements, hut managed hy a third parly, vendor, or Ihe like.

[0045] Simple server facility 142 appliances may also be utilized across thc cnterprisc facility's 102 network infrastructure, such as switches, routers, wirelcss routers, hubs and routers, gateways, print servers, net modems, and the like. These simple scrvcr facility applianccs may not rcquire configuration by the entcrprisc facility 102, but may require protection from threats via an end-point computer security facility 152. Tlcsc appliances may provide interconnection services within the enterprise facility 102 network, and therefore may advance the spread of a threat if not properly protected.

[0046] One way for a client facility 144 to he protected from threats from within the enterprise facility 102 network may he a personal firewall. A personal firewall may he an application that controls network traffic to and from a client, permitting or denying communications based on a security policy. Personal firewalls may he designed br use by end-users, which may resull in protection br only the compuier on which ii's insialled. Personal lirewalls may he able to control network trafbic by providing prompis each Lime a connection is atiempled and adapling securily policy accordingly. Personal birewalls may also provide some level of intrusion delection, which may allow Ihe software Lo terminaie or block conneciivity where it suspecLs an intrusion is being atiempLed. Other fealures thai maybe provided by a personal lirewall may include alerts about outgoing connection attempts, control ol program access Lo networks, hiding the client from pori scans by not responding to unsolicited neiwork Lrafbic, moniioring ol applications thai may he listening for incoming conneclions, moniloring and reguaLion ol incoming and oulgoing network trafbic, preveniion of unwanted neiwork traffic brom installed applications, reporting applications that make connection attempts, reporting destination servers with which applications may he attempting communications, and the like, in embodiments, the pcrsonal firewall may be providcd by the threat management facility 100.

OO47] Another imporlani component Ihal may he protecled by an end-poini compuler securily facility 152 is a neiwork firewall Facility 138, which may he a hardware or software device thai may he conligured lo permil, deny, or proxy dala lhrough a compuler neiworlc thai has different evels of trusi in its source of dala. For inslance, an internal enterprise facilily 102 network may have a high levd of trusl, because the source of all data has been soureed from within the enterprise facility 102.

An example of a low level of trust is the Internet 154, because the source of data may bc unknown. A zone with an intermediate trust level, situated between the Internet 154 and a trusted internal network, may be referred to as a "perimeter network. Since firewall facilities 138 represent boundaries between threat levels, the end-point computer security facility 152 associated with the firewall facility 138 may providc resourccs that may control the flow of threats at this enterprise facility 102 network entry point. Firewall facilities 138, and associated end-point computer security facility 152, may also be associated with a network node that may he equipped for interfacing between networks that use different protocols. In embodiments, the end-point computer security facility 152 may provide threat protection in a plurality of network infrastructure locations, such as al the enlerprise facility 102 network entry point, i.e. the firewall facilily 138 or gateway; al ihe server facilily 142; at disirihulion poinls within the neiwork, i.e. the hubs and routers 148; at Ihe deskiop ol cheni facility 144 compulers; and the like. In embodiments, the mosi effective location for LhreaL delection may heal Ihe user's compuler deskiop end-poini computer securiLy facility 1 52.

OO48] The interface between ihe threal management faciliLy 1 00 and the enterprise faciliLy 102, and through the appliance facilily 140 Lo embedded end-point compuler securily facilities, may include a sd of lools thai maybe the same for all enterprise implemenlations, hul allow-each enlerprise lo implemeni different conirols. In embodiments, these controls may include both aulomalic aclions and managed actions.

Automatic actions may include downloads of the cnd-point computer security facility 152 to components of the enterprise facility 102, downloads of updates to existing end-point computer sccurity facilities of the enterprisc facility 102, uploaded network interaction requests from enterprise facility 102 components to the threat management facility 100, and the like. In embodiments, automatic interactions between thc enterprisc facility 102 and Ihe Lhrea management facility IOU may he con Ii gured by the threat managemenl facility IOU and an adminisiration Facility 134 in Ihe enlerprise faciliLy 102. The adminisLralion facility 134 may conligure policy ruks IhaL deLermine inleracLions, such as devdoping rules br accessing applicaLions, as in who is auLhoriied and when applications maybe used; eslablishing rules or ethical behavior and activities; ruks govcrning the use of entertainment softwarc such as games, or personal usc software such as IM 162 and VoIP 164; rules for determining access to enterprise facility 102 computing resources, including authentication, levels of access, risk assessment, and usage history tracking; rules for when an action is not allowed, such as whcther an action is completely deigned or lust modified in its execution; and the like. The administration facility 134 may also establish license managcment, which in turn may further determine interactions associated with a licensed application. In embodiments, interactions between the threat management facility 100 and the enterprise facility 102 may provide threat protection to the enterprise facility 102 by managing the flow of network data into and out of the enterprise facility 102 through automatic actions that may be configured by the threat management facility 100 or the administration facility 134.

OO49] Clieni Facilities 144 within Ihe enlerprise facility 102 may he connected 10 Ihe enlerprise facility 102 nelwork hy way of wired network facilities I iSA or wirdess neiwork Facilities 1 48B. Client facilities 144 connecied to the enlerprise facility 102 nelwork via a wired Facility I 48A or wirekss faciliLy 1 48B may receive similar proLecLion, as hoih connection types are ullimately connected to the same enterprise faciliLy 102 neLwork, wiih ihe same end-point compuLer securily Facility 152, and Lhe same Lhreal protecLed enterprise facilily 102 environmenl. Mohile wireless facility clients 1 44B-F, because of their ahiliLy Lo connect to any wireless 1 48B,D network access poinL, may connect to the Iniernel 154 ouLside ihe enterprise Facilily 102, and Lherefore outside Lhe Lhreat-protecLed environment oF the enlerprise Facilily 102. In this instancc the mobile client facility 144B-F, if not for the presencc of thc end-point computer security facility 152 may experience a malware attack or perform actions counter to enterprisc facility 102 establishcd policies. h addition, there may bc a plurality of ways for the threat management facility 100 to protect the out-of-enterprise facility 102 mobile client facility 144D-F that has an embcdded end-point computer security Facilily 152, such as by providing URT lillering in personal routers, using a weh appliance as a DNS proxy, or the like. Mohile clieni Facililies I 44D-F ihal are components of Ihe enterprise Facility 102 hul Lemporarily oulside conneclivity with the enterprise faciliLy 102 neLwork, may he provided with ihe same threal prolecLion and policy control as client FaciliLies 144 inside ihe enlerprise Faciflly 102. In addition, moblic clicnt facilities 144B-F may rcceive thc samc interactions to and from thc threat managcment facility 100 as client facilities 144 inside the enterprise facility 102, where mobile client facilities 144B-F may he considered a virtual extension of the enterprise facility 102, recciving all the samc services via thcir embcdded end-point computer security facility 152.

[00501 Interactions betwcen the thrcat managemcnt facility 100 and thc components of the enterprise facility 102, including mobile client facility 144B-F extensions of the enterprise facility 102, may ultimately he connected through the internet 154. Threat management facility 100 downloads and upgrades to the enterprise facility 102 may be passed from the firewafled networks of the threat management facility 100 through to the end-point computer security facility 152 equipped components of the enterprise faciliLy 102. In Lurn Lhe end-point compuLer securiLy facility 1 52 componenLs oF ihe enLerprise faciliLy 102 may upload policy and access requesLs hack across the inLerneL 1 54 and Lhrough 10 ihe threat management Facility 1 00. The Tnlernet I 54 however, is also the paLh Lhrough which LhreaLs may he transmuted 1mm iheir source.

These neiwork Lhreats may include lhreais Irom a plurality of sources, including websites 158, e-mail 160, TM 162, VoTP 164, applicaLion software, and Lhe Uke. These ihreals may aLLempL Lo atlack a mobile enLerprise dieni Iaciliiy 144B-F equipped wiih an end-point compuLer securiLy facility 152, hut in emhodimenLs, as long as Lhe mobile cfient Facility 14411-F is emhedded wiLh an end-point computer security Facility 1 52, as descrihed ahove, threals may have no belier success Lhan i1 ihe mohile clieni Facifity I 44B-F were inside the enterprise facility 102.

[0051] however, if the mobile client facility 144 were to attempt to connect into an unprotected connection point, such as at a sceondary location lOS that is not a part of the enterprise facility 102, the mobile client facility 144 maybe required to request network intcractions through the threat management facility 100, whcrc contacting the Lhreat managemeni Facility IOU may he perlormed prior to any other neiwork aclion. In embodiments, the client Facility's 144 end-point compuler securily FaciliLy 152 may manage actions in unprotected network environments such as when the cIien faciliLy I 44F is in a secondary location 1 OS or conneeLing wirelessly Lo a non-enterprise Facility 102 wireless inlerneL connection, where Lhe end-poinL compuLer securily FaciliLy 152 may dictate what actions are allowed, blocked, modified, or the like. For instance, if thc clicnt facility's 144 end-point computer security facility 152 is unable to establish a sccured connection to the threat management facility 100, the end-point computer security facility 152 may inform the user of such, and recommend that thc connection not bc madc. In the instance when the user chooses to connect despite the recommendation, the end-point computer sccurity facility 152 may pcrform specific actions during or aftcr the unprotected connection is made, including running scans during the connection period, running scans after the connection is terminated, storing interactions for subsequent threat and policy evaluation, contacting the threat management facility 100 upon first instance of a secured connection for further actions and or scanning, restricting access to network and local resources, or the like. In embodiments, the end-point computer security facility 152 may perlbrm speciflc actions to remediae possible LhreaL incursions or policy violations during or alter the unprotecLed conneclion.

OO52] The secondary locaLion 108 may have no end-poini compuLer securily facilities 152 as a pan of ils computer componenis, such as us lirewafls I 38B, servers 14211, clienis 144(3, huhs and roulers 14SC-D, and the like. As a resulL, Lhe computer componenis of Lhe secondary locaLion I 08 may he open Lo Lhreat atlacks, and hecome polenlial sources of threats, as well as any mobile enlerprise Facility clients I44B-F LhaL maybe connecied Lu Lhe secondary localion's 108 neiwork. In this inslance, ihese compuLer componenis may now unknowingly spread a ihreai to oLher componenis connected lo Lhe neiwork.

[0053] Some thrcats may not comc dircctly from thc lntcrnet 154, such as from non-enterprise facility controlled mobile devices that are physically brought into the cnterprisc facility 102 and connected to the cnterprise facility 102 client facilities 144.

The connection maybe made from direct connection with the enterprise facility's 102 client facility 144, such as through a LJSB port, or in physical proximity with the enterprise facility's 102 client Facility 144 such that a wireless facility connection can he established, such as through a Bluetooth connection. These physical proximity threats I 1 0 may he another mobile compuling device, a portable memory storage device, a mobile communications device, or the like, such as CDs and DVDs 170, memory stick 174, Flash drive 174, external hard drive, cefl phone 178, PDAs ISO, MP3 players, digital cameras, point-to-point dcvices, digital picture frames, digital pens, navigation devices, appliances, and thc like. A physical proximity threat 110 may have been prcviously infiltrated by network threats while connected to an unprotected network connection outside the enterprise facility 102, and whcn connected to thc enterprisc facility 102 client facility 144, pose a threat. Because of their mobile nature, physical proximity threats 110 may infiltrate computing rcsources in any location, such as being physically brought into the enterprise facility 102 site, connected to an enterprise facility 102 client facility 144 while that client facility 144 is mobile, plugged into an unprotected client facility 144 at a secondary location 108, and the like. A mobile device, once connected to an unprotected computer resource, may become a physical proximity threat 110. In embodiments, the end-point computer security facility 152 may provide enterprise facility I 02 computing resources with threat protection against physical proximity threats liD, br inslance, through scanning Ihe device prior Lu allowing data transFers, through security validation certilicates, through establishing a sale tone within the enterprise facility 102 computing resource Lu transfer data into br evaluation, and the like.

[0054] Now that the overall system has been described, we turn towards a sd oF threat detection embodiments utilizing the accumulated detection of threat characteristics. It should he understood thai the following embodiments may he managed Lhrough a threat management Facility I 00 along with other services, such as those described herein.

[0055] Referring to Fig. 2, a system diagram embodiment of a threat detection technique 130 is depicted, where the technique utilizes the accumulation of threat detection charactcristics in identifying a threat to a computing device, such as one of the threats listed herein. In traditional on-access malware detection every on-access sean runs through a full set of threat characteristic identities (also referred to hcrcin as gene' idenlilies), and ihen runs threat-descrihing identities one by one. A threat characterislic, or gene, may be a code strand, litncIionality, properly, and the Uke piece ol inlormalion collected on syslem objects thai maybe reused and combined in dilTerent threat deteclions. A threat maybe identi lied by the presence of a particular set of genes that are indicative of the threaL The tradilional approach is very sequential, where an on-access scan is triggered alter any target computing device object changes, and the system recalculates all the genes and checks all the threat descriptions to find out whether any given threat is active. This approach to threat identification is very inefficient, and does not scale with the number of genes or threat descriptions. For instance, calculating all the genes in each on-access scan includes genes that are likely to not he relevant to the potential of a particular threat, threat environment, computing platform, application, and the like, and running threat identities sequentially falls to preserve knowledge between identities.

[0056] In the present disclosure a threat detection facility 202 is provided that allows dynamic detection of complex threats in a way that scales linearly with the number of threat descriptions and the number of computer system objects tracked. The threat delection facility 202 may provide an algorhhm 10 detect threats in a dynamic deteclion environment, where threats are described as a list of threat characteristics (e.g. genes) thai must he present, and where the threal characteristics may he generated/detecied dynamically through behavioral detection. The threat detection facility 202 may allow br ihe tracking of all known threats ellicienily, and only recalculate genes ihat may potentially provide new informalion. Through this process, processing maybe kept lo a minimum, aflowing increased efficiency. The invention may provide br a scalabk so'ution that is able to cope wiih a arge number of threal descriptions. Benelils of the threat detection Facility 202 may include stopping threats earlier in the deteclion process, an increase in ihe perbormance of ihe target computing device through decreased processing requirements from scanning, reduced memory usage, and the like, all of which may he especially important in mobile and virtualization applications.

[0057] Referring again to Fig. 2, the threat detection facility 202 may be resident in or interfacing with a computing device 204, such as a client 144A, a wireless client I 44B, a server I 42A, a lirewall 1 38A, a gateway, and the like, such as in pan of a compuler securily facility I 52 in associalion with the computing device 204 as described herein. The compuling device 204 may include an operating sysLem 208 running a pluralily of run-lime processes 2! 0 as compuler sysLem objects, such as liles, processes, registry keys, and Ihe Uke. The threat deteclion facilily 202 may monitor, capture, lilier, and the like, system evcnts on the computer objccts through evcnt capture 212 functionality. For instance, a system event may be a changc to a system process that is run by the operating system (e.g. FileOpen, FileWrite, RegistryWrite, and the like). The detection of the event may thcn initiate a process that gcneratcs a list of threat characteristics associated with the object that has experienced the event, where a threat characteristics detector 214 produccs thc list, in embodiments, an anti-virns engine may provide the functionality of the threat characteristics detector 214. The list of threat characteristics associated with the event may then he passed to a threat detection analyzer 218 for creation of or insertion into threat tables 220 that keep an accumulated record of threat characteristics that have been associated with events to objects over time, where there may be a separate threat table 220 for each obiect that has experienced an event. A Lhreat analyzer 222 Ihen monitors the conlent of each threat Lahle 220 Lo see lithe accumulaLed set of ihreat characLeristics detecied in events o1 a panLicular object match a Lhreat index 224 Lhal lisLs whaL lhreat characterisLics constitute a given threat.

OO58] In an example, and reFerring lo Lhe example ihreai index of Tahle 1, a Lhreat TI' maybe comprised of genes Gi', UT, and G3'. That is, when genes (3!, G2, and G3 are detected in the same compuLer object by ihe lhreaL analyzer, the lhreat analyter will have delermined ihat the ihreai Ti has been detected in the object. In embodiments, the ihreat analyier may then updaLe a threaL sLaLus 228, such as with a lisL olideniiliedlhreals, a clean sysLem sLalus', and Ihe like.

Tablc 1: Example threat index Threat Genes GI,G2,U3 T2 (i2,64,G6 T3 G3,G5 OO59] A delailed example ol how the Lhreat characteristics analyzer 218 generales and mainlains LhreaL lahles 220, and linally how ihe Lhreal anayzer 222 identifies ihe presence o1 a ihreai, will now he presented. This example is meant to he illustralive of the process br deleclion of a threat using Ihe threal detection lacilily 202, and is not meant to bc limiting in any way, including the use of thc tcrm gene to rcpresent thc more generic threat characteristic, which includes sequenccs within the code of an object, behavioral characteristics of an object, occurrence of a change event with respect to thc occurrence of another changc event, characteristics that are listed as part of a policy, and the like.

[0060] In this cxample, a first stcp in the process bcgins with the example threat index presented in Table 1 where three threats are listed along with the group of genes that when identified together in a particular obiect, identify that threat as being present in that object. An inverted threat index 226 is then generated, such as provided in Table 2 as a result of inverting' the threat index provided in Table 1. The inverted threat index 226 provides what threats are associated with a particular gene from Table 1, and how many lolal number oF genes are required Lo detect those threats. For instance, Ihe gene Gi in Table 2 shows Ihat ii is associated only with threal TI, and LhaL there are three different genes required lo idenlily ihreai TI. Tn another instance, the gene (33 in Table 2 shows thai it is associated wiLh two ihreats, TI and T3, where again there are three dilTerent genes required lo idenli Fy ihreai TI, and where Ihere are Iwo different genes required 10 idenliiy threaL T3.

Table 2: Example inverLed ihreaL index Gene Threat (total geiies required) (31 TIC) G2 11(3), 12(3) (13 11(3), 13(2) G4 T2(3) (35 T3(2) (16 12(3) [0061] A next step in the process is br the threat characteristics analyíer 218 Lo generaLe a new LhreaL lable 220 br each obje 1 For which an event has been detected.

Table three provides an example of a blank set of lhreat tables, where each row ol' Table 3 represenis a separaLe Lhreat table 220. Tn embodiments, the threat characterisLics analyzer 218 may generate a new threat table 220 as events dictate, or may creatc a set of blank threat tables 220 for a group of objects to be monitored. In this example, threat tables for obiects Fl', F2', and F3' are listed in a blank set of threat tables 220.

Table 3

Object Genes Threats (genes detected, total required) F! P2 P3 [0062] The threat detection facility 202 now waits for an event capture 212.

in this example, suppose that the object Fl is a run-time process that experiences a change. The event is captured 2T2 and the content is passed on to the threat characteristic detector 214. the threat characteristics analyzer 218 than writes to the gene column of the threat table 220 for the object Fl. Referring to Table 4, the threat table for Ill shows that the threat characteristics analyzer 218 has inserted the presence of the gene (IT from the event, where (IT is one of the three genes that constitute the threat TT, hence the nomenclature I'1(1,3) in added as a threat status indicator in the threats column of table 4, where Fl is the threat, and (1,3) indicates that one of the three genes has been detected toward the identification of the threat Fl in the object FT. Note that for the sake of describing this example through the following tables, new threat table entries from new event captures will he shown in ho'd.

Table 4

Object Genes Threats Fl GI T1(1,3) F2 I3 OO63] The following tables will now depica a series of threat table updates resulting from a series of new evenis, where the threat analyzer monitors the threats column of the threat table for conditions that indicate a threat is present, such as in a threat status indicator of 1W(2,2) indicating that two of two genes for threat I# has been found, or I##(3,3) indicating that three of three genes for threat I'## has been found.

[0064] Referring to Table 5, a new event is captured, where the gene 631 is detected in object F2. No entry is entered under the threats column hecause 03! is not relevant to any of the threats listed in Table 1. In embodiments, the threats included in a threat index 224 may he limited to a subset of known threats, include all known threats, limited to threats rekvant to a type of computing device (e.g. laptop, mobile phone, enterprise server), and the like.

TaNe 5 Object Genes Threats Fl (ii 11(1,3) F2 Wi F3 [0065] Referring to fable 6, a new event is captured, where gene G2 is detected in object 13. Gene G2 is relevant to both threat 11 and threat 12, and so threat status indicators are added to the threats column for object J13 to indicate that one of the three genes have been detected for 11, 11(1,3), and similarly that one of the three genes have been detected for 12, 12(1,3).

Tabk 6 Object Genes Threats Fl (ii 11(1,3) F2 G31 F3 G2 T1(1,3), T2(1,3) [0066] Referring to Table 7, a new event is captured, where the gene (110 is detected in object Fl. No additional entry is entered under the threats column of any of the threat tables because (110 is not relevant to any of the threats listed in Table 1.

Table 7

Object Genes Threats El (31, GlO Tl(l,3) F2 G31 f3 (32 T1ft3),T2(!,3) [0067] Referring to Table 8, a new event is captured, where the gene Ellis detected in object F2, and a threat status indicator of Tl(1,3) is entered into the column under threals for the object F2 indicating that one of the three genes required to identify Lhreat TI has been detecled in the object F2

Table 8

Object Genes Threats Fl 01, 010 Tl(j,3) E2 03I,G1 T1(l,3) F3 02 Tl(l,3), T2(1,3) [0068] Referring Lo Table 9, a new event is captured, where gene 09 is detected in object F3. 09 is not relevant to the threats listed in Table 1.

Table 9

Object Genes Threats Fl 01,010 Tl(l,3) F2 (331,01 T1ft3) F3 02, G9 Ti(i,3), T2(i,3) [0069] Referring to Table 10, a new event is captured, where gene 03 has detected object Fl. Gene 03 is relevant to both threat Ti and threat T3. As a result, the threat status indicator for Ti is changed from T1G,3) to Ti(2,3) to indicate that two of Ihe three genes have been detected. Additionally, a threat status indicator for T3 is added to indicate thai one ol the Iwo genes br the threat T3 has been detected in the object Fl -

Table ID

Object Genes Threats El 01, Gil], G3 Ti(2,3), T3(1,2) F2 031,01 T1ft3) F3 02,09 T1ft3),T2(I,3) [0070] Referring to Table Ii, a new event is captured, where gene 03 is now deteeled in objeci F2 Similar to the last event captured in object Fl, Ihe deteclion of gene 03 is addcd to thc threat table for object F2, whcre the threat status indicator for TI is changed from Ti (1,3) to Ti (2,3) to indicate that two of the three genes have been detected, and additionally, a status indicator for T3 is added to indicate that one of the two genes for the threat T3 has been detected in the object Fl -

Table II

Object Genes Threats Fi 01, GiG, 03 Ti(2,3), T3(i,2) E2 031,Gl,G3 Ti(2,3),T3(1,2) F3 02, 09 Ti(i,3), T2(i,3) [0071] Referring to Table 12, a new event is captured, where gene 06 is detected in object F3. Gene 06 is relevant to threat T2, and so the status indicator for threat 12 is incremented to indicate T2(2,3), showing that two of the three genes required to identify the threat T2 have been detected in object F3.

Table 12

Object Genes Threats Fl (ii, (110, (13 T1(2,3), T3(1,2) F2 G31, (31, (33 Ti(2,3),T3(1,2) F3 (12, (19, G6 T1(1,3), T2(2,3) [0072] Referring to Table 13, a new event is captured, where gene G5 is detected in object Fl. Gene 05 is relevant to threat T3, and represents the second of the Iwo required genes to identify threat T3 as being detected in object Fl. The threat analyzer 222, which as been monitoring the threat tables, detects the threat, and updates the threat status 228 to indicate that the threat T3 has been detected in object F! -In embodiments, the threat detection facility may act on this information in a plurality of ways, such as alerting the user of the computer device, alerting administration! 34, alerting security management 122, taking remedial actions 128, and the like.

lable 13 Object Cenes Threats Fl (ii, Gift 03, G5 Ti (2,3), T3(2,2) F2 (131, (11, (13 T1(2,3), T3(1,2) F3 G2, G9, G6 T1(1,3), T2(2,3) [0073] The illustrative example presented in association with tables I -13 are meant to show how an embodiment of the threat detection facility 202 detects a threat through the accumulation of threat characteristics detected in events in processes run on a computing device 204. In this illustrative example, events have been included to provide a fully illustrative example without undue complexity, but with sufficient detail to show how the process may procccd. in embodiments, the number of objects monitored, and the number of threats considered may vary. They may be limited in some manner or they may be comprehensive to the extent of knowledge of the threat management facility 100.

As stated, one of the advantages of the threat detection facility 202 may be the ability for Ihe threal deleclion FaciliLy 202 Lu scale to vanous applications, and Iherehy provide match of Ihe threat protection to the ihreai environmeni of Lhe application, and thus improved perlormance over iraditional Lechniques. For inslance, ihreai proteeLion and perlormance requiremenLs maybe very different heiween a mohfle phone apphealion and a desktop compuler applicalion, and wiLh the threat deleelion 202 as described herein may be optionally scaled to match dcsircd pcrformance and threat detection criteria. In cmbodiments, the thrcat tabics used by the thrcat dctcction facility 202 may be specific to the environment threat landscape, such as for mobile, desktop, server, email server, gateway, centralizcd network nodes, and the like, in embodiments, the threat detection facility 202 may utilize threat tables in a hierarchical manner for improved detection, such as in a hierarchy of desktop, gateway, cntcrprisc, and the likc levels, in embodiments, the threat detection facility 202 may provide for multi-object protection by having the threat analyzer 222 compare across threat tables. For instance, the multi-object detection may require that several objects he infected together in order to detect a threat. In embodiments, a multi-obiect detection may he detected upon the full or partial detection of threats within each of the multiple objects. For instance, the threat analyzer may be provided with an algorithm br delermining Ihe Ukelihood of a muhi-ohjeel ihreai hased on Ihe exlenl to which lhreaLs are complelely deLeeLed. For example, a complete deteclion in one ohjecL, and partial deLeclion in Iwo olher ohj eels. In emhodimenls, Lhe Ihreat delection faciliLy may support Ihe delecLion of Lhreats based on nol-gene' deteclion, where the deleelion of a pluralily ci genes in comhinaLion with a non-deLecLion o1 a pura]ity of genes results in a deLeclion o1 a ihreaL For instance, Ihe deteclion of Ihreat T5 delermined with Ihe delecLion of genes (14, (310, and (342 in combination wiih Ihe absence of Ihe deteclion of gene (314.

110074] Referring lo Fig. 3, an embodimeni how diagram for ihe curreni disclosure is provided. In a birsL step 320, ihe process begins as a meLhod oldynamie threat detcction, wherc thc process may be dynamic due to the ability of the threat detection facility 202 providing threat protection over time as threat characteristics are dctectcd and accumulatcd, to scale the use of thrcat tables 220 for various computing platforms, applications, and threat environments, and the like. In a second step, providing a first database (e.g. the invertcd threat mdcx 226) that corrclates a plurality of Lhreat characteristics Lo a threat, wherein a presence of Lhe plurality of Ihe Lhreat characLeristics conlirms a presence oF the lhreaL. The inverled threat index 226 may he slored in a dalahase, a listing, a LaNe, and Lhe like, where the ihreal analyíer 222 uses Ihe conlenL of Lhe inverted ihreaL index 226 to update the threal Lahles 220 as LhreaL characLeristics (e.g. genes) are deLecled and included mb the threat Lahles from the threat characteristics analyzer. In a third step 308, detecting a change event in a computer run-time process, wherein the detecting is provided by thc event capture 212 in the computing device 204, and the mn-time process is run on the computer device 204, such as where the run-time process is a computer object run by the operating system 208. In a forth step 310, testing the change event for a presence of one or more of the plurality of characteristics upon detection of the change event, wherein the threat characteristics detector 214 is extracting threat characteristics from the change event for possible insertion into threat tables 220. In a fifth step 312, storing a detection of one of the plurality of characteristics in a second database that accumulates detected characteristics for the computer mn-time process, where the second database is at least one threat table 220. In embodiments, the threat analyzer 222 may now he utilizing two databases for the detection of a threat, where one dababase is Lhe inverted bhreab index 226 and Lhe second database is ihe at kast one Lhreab Lahle 220 being updaLed by Lhe Lhreat characierisLics anal yier 218 as threat characierisLics are detected in events. In a sixih slep 314, identifying the lhreaL when each one of Lhe pluralily oF characLerislics appears in ihe second daLahase. The Lhreab analyier 222, moniboring the aL leasb one threal Lahle 220, detecis that a Lhreal is presenl when the aL leasi one threat table 220 is updated Lo show a compleLed detected threaL For insLance, where all of Lhe genes required br a threat Lo he presenL have been deLecLed for a given computer object. The Lhreai analyzer may Lhen update the threal status 228, and potentially other aclions upon deLection of a LhreaL, such as described herein.

[0075] The methods and systems described herein may be deployed in part or in whole through a machine that executes computer software, program codes, and/or instructions on a processor. The present invention may be implemented as a method on the machine, as a system or apparatus as part of or in relation to the machine, or as a computer program product embodied in a computer readable medium executing on one or more of Ihe machines. The processor may he part of a server, clieni, neiwork infrasiruclure, mobile computing platlorm, slalionary computing platlorm, or olher compuling plaiform. A processor may he any kind of compulalional or processing device capahk ol execuling program insiruclions, codes, binary insiruclions and the like. The processor may he or include a signal processor, digita' processor, embedded processor, microprocessor or any variant such as a co-proccssor (math co-proccssor, graphic co-processor, communication co-processor and thc likc) and the like that may dircctly or indirectly facilitate execution of program code or program instructions stored thereon. In addition, the processor may cnable cxecution of multiple programs, threads, and codes.

The threads may he executed simultaneously to enhance the performance of the processor and to facilitate simultaneous opcrations of the application. By way of implcmcntation, methods, program codes, program instructions and the like described herein may he implemented in one or more thread. The thread may spawn other threads that may have assigned priorities associated with them: the processor may execute these threads based on priority or any other order based on instructions provided in the program code. The processor may include memory that stores methods, codes, instructions and programs as described herein and elsewhere. The processor may access a slorage medium Lhrough an inlerface that may slore meihods, codes, and instructions as described herein and elsewhere. The slorage medium associaled wiLh Ihe processor for sloring meLhods, programs, codes, program insiruclions or other lype ol instruclions capable olbeing executed by Ihe computing or processing device may indude hul may not he limited to one or more of a CD-ROM, DVD, memory, hard disk, flash drive, RAM, ROM, cache and Ihe like.

[0076] A processor may include one or more cores Ihal may enhance speed and performance of a mulliprocessor. Tn embodimenis, ihe process may he a dual core processor, quad core processors, oLher chipievel multiprocessor and the like ihat combine two or more indepcndent cores (callcd a die).

[0077] The methods and systems described herein may be deployed in part or in whole through a machine that executcs computcr software on a servcr, clicnt, firewall, gateway, huh, router, or other such computer and/or networking hardware. The software program may be associatcd with a server that may include a filc server, print servcr, domain server, internet server, iniranel server and other variants such as secondary server, host server, distributed server and the like. The server may include one or more ol memories, processors, computer readable media, storage media, ports (physical and virtual), communication devices, and interfaces capable of accessing other servers, clients, machines, and devices through a wired or a wireless medium, and the Uke. The mcthods, programs or codes as describcd hcmin and elsewhere may be executed by the server, in addition, other devices required for execution of methods as described in this application may be considered as a part of the infrastructure associated with the server.

[0078] The server may provide an interface to other devices including, without limitation, clients, other servers, printers, database servers, print servers, file servers, communication servers, distributed servers and the like. Additionally, this coupling and/or connection may facilitate remote execution of program across the network. The networking of some or all of these devices may facilitate parallel processing of a program or method at one or more location without deviating from the scope of the invention. In addition, any of the devices attached to the server through an interface may include at least one storage medium capable of storing methods, programs, code and/or instructions. A central repository may provide program instructions to he executed on dilTerent devices, in this implementation, the remote repository may act as a storage medium br program code, instructions, and programs.

[0079] The software program may he associated with a client thaL may include a file client, prini client, domain chent, internet chent, intranet client and other variants such as secondary client, host client, distributed client and the like. The client may include one or more of memories, processors, computer readable media, storage media, ports (physical and virtual), communication devices, and interfaces capable of accessing other clients, servers, machines, and devices through a wired or a wireless medium, and the Uke. The methods, programs or codes as described herein and elsewhere may be executed by the client, in addition, other devices required for execution of methods as described in this application may he considered as a part of the infrastructure associated with the client.

[0080] The client may provide an interface to other devices including, without limitation, servers, other clients, printers, database servers, print servers, file servers, communicalion servers, distrihuled servers and Ihe like. Additionally, Ihis coupling and/or connection may facililale remole execution 0! program across Ihe network. The networking of some or al of Ihese devices may facililale parallel processing of a program or method at one or more location without devialing Irom the scope o1 the invention. Tn addition, any of the devices aliached to the clieni through an inlerface may include at least one storagc medium capable of storing mcthods, programs, applications, code and/or instructions. A ccntral rcpository may provide program instructions to be cxecutcd on different devices. In this implementation, the remote repository may act as a storage medium for program codc, instructions, and programs.

[0081] The methods and systems described herein may be deployed in part or in whole through nctwork infrastructures. the network infrastructurc may include elements such as computing devices, servers, routers, hubs, firewalls, clients, personal computers, communication devices, routing devices and other active and passive devices, modules and/or components as known in the art. The computing and/or non-computing device(s) associated with the network infrastructure may include, apart from other components, a storage medium such as flash memory, buffer, stack, RAM, ROM and the Uke. The processes, methods, program codes, insiruclions described herein and elsewhere may he executed by one or more of ihe network inl'rastructural elemenis.

[0082] The methods, program codes, and instructions described herein and elsewhere may he implemented on a cellular neiwork having mulliple cells. The cellular network may either he frequency division mulliple access (FDMA) neiwork or code division mulLipe access (CDMA) network. The cellular neiwork may include mobile devices, cell sues, base stalions, repealers, antennas, lowers, and the like. The cell network may he a (JSM, (JPRS, 3(3, RYDO, mesh, or oLher neiworks lypes.

[0083] The methods, programs codes, and inslruclions described herein and elsewhere may he implemented on or ihrough mobile devices. The mobile devices may include navigation devices, cell phones, mobile phoncs, mobilc personal digital assistants, laptops, palmtops, netbooks, pagers, electronic books readers, music players and the like. These deviccs may include, apart from othcr components, a storage medium such as a flash memory, buffer, RAM, ROM and one or more computing devices. The computing devices assoeiatcd with mobilc devices may be enabled to execute program codes, methods, and insiruclions siored Ihereon. Alternatively, the mobile devices may he configured Lu execuLe instructions in collaboration with oLher devices. The mobile devices may communicate wiLh base stations interlaced with servers and conligured to execute program codes. The mobile devices may communicate on a peer Lo peer network, mesh neLworlc, or other communications neiwork. The program code may he stored on the storage medium associatcd with the servcr and exccutcd by a computing device cmhcddcd within the server. Ic basc station may include a computing device and a storage medium. The storage device may store program codes and instructions executed by the computing devices associated with thc base station.

[0084] The computer software, program codes, and/or instructions may be stored and/or accessed on machinc readable mcdia that may include: computer components, devices, and recording media that retain digital data used for computing for some interval of time: semiconductor storage known as random access memory (RAM); mass storage typically for more permanent storage, such as optical discs, forms of magnetic storage like hard disks, tapes, drums, cards and other types; processor registers, cache memory, volatile memory, non-volatile memory; optical storage such as CD, DYD; removable media such as flash memory (e.g. USB slicks or keys), Iloppy disks, magnetic Lape, paper tape, punch cards, siandalone RAM disks, Zip drives, removable mass sLorage, oil-line, and the like: other compuler memory such as dynamic memory, slatic memory, readlwrile slorage, mutaffle storage, read only, random access, sequeniial access, location addressable, lile addressable, conlenl addressable, neLwork atLached sLorage, slorage area network, bar codes, magnelic ink, and the like.

[0085] The methods and sysLems described herein may transform physical andlor or inlangible items from one slale lo another. The meLhods and systems described herein may also transform dala representing physical and/or intangible items From one sLaLe Lo anoiher.

[0086] The elements described and depictcd herein, including in flow charts and block diagrams throughout the figures, imply logical boundaries between the clements. Howevcr, according to software or hardwarc cngineering practices, the depicted elements and the functions thereof may he implemented on machines through computer executable mcdia having a processor capable of executing program instructions slored thereon as a monollihic software sirucLure, as slandalone software modules, or as modifies Ihal employ exiernal routines, code, services, and so lorLh, or any combination ol' these, and all such impkmeniaLions may he wiLhin the scope of the present disclosure.

Examples of such machines may include, hut may nol he limited to, personal digital assislanis, laptops, personal computers, mobile phones, oLher handheld computing devices, medical equipment, wired or wireless communication devices, transduccrs, chips, calculators, satellites, tablet PCs, electronic books, gadgets, electronic devices, devices having artificial intelligence, computing devices, networking equipments, servers, routers and the like. Furthermore, the elements depicted in the flow chart and block diagrams or any other logical component may he implemented on a machine capable of executing program instructions. thus, while the foregoing drawings and descriptions set forth functional aspects of the disclosed systems, no particular arrangement of software for implementing these functional aspects should be inferred from these descriptions unless explicitly stated or otherwise clear from the context.

Similarly, it will be appreciated that the various steps identified and described above may he varied, and that the order of steps may be adapted to particular applications of the Lechniques disclosed herein. All such variations and modifications are intended to fail wilhin the scope of this disdosure. As such, the depiclion and/or descriplion ol' an order br various sleps should not he understood to require a particular order of execution for Ihose steps, unless required by a particular applicalion, or explicilly slaled or oiherwise clear from the contexi.

OO87] The methods and/or processes described above, and sleps ihereof, may he realized in hardware, software or any comhinalion of hardware and software suilahle br a parlicular applicalion. The hardware may include a general purpose compuler and/or dedicaled computing device or specific computing device or particular aspect or componeni of a specific computing device. The processes maybe realized in one or more microprocessors, microcontrollers, embedded microcontrollcrs, programmable digital signal processors or other programmable device, along with internal and/or external memory. The processes may also, or instead, be embodied in an application specific integrated circuit, a programmable gate array, programmable array logic, or any other device or combination of devices that may be configured to process electronic signals. It will fttriher he appreciated ihal one or more ol the processes may he realiied as a computer executable code capable ol heing execuled on a machine readable medium.

[0088] The compuler execulable code may he crealed using a siructured programming language such as C, an ohject orienied programming language such as C++, or any other high-level or low--level programming language (including assembly languages, hardwarc description languages, and database programming languages and technologies) that may be stored, compiled or interpreted to run on one of the above devices, as well as heterogeneous combinations of processors, processor architectures, or combinations of different hardware and software, or any other machine capable of executing program instructions.

[0089] thus, in one aspect, each method described abovc and combinations thereof may he embodied in computer executable code that, when executing on one or more computing devices, performs the steps thereof. In another aspect, the methods may be embodied in systems that perform the steps thereof, and may he distributed across devices in a number of ways, or all of the functionality may be integrated into a dedicated, standalone device or other hardware. In another aspect, the means for perlorming Ihe steps associated with the processes described above may include any of Ihe hardware and/or sofiware described above. All such permutalions and combinalions are intended in fall within the scope of Ihe preseni disclosure.

[0090] While ihe invention has been disclosed in connection with the prelerred emhodimenls shown and described in detail, various modilicalions and improvemenis Ihereon wifi become readily appareni lo ihose skilled in Ihe art.

Accordingly, the spiril and scope of the preseni invenlion is not Lobe limited by Lhe loregoing examples, hul is to be understood in the broadesi sense allow-able by law.

[0091] All documenLs referenced herein are hereby incorporated by reference.

Claims (10)

1. CLATMSWhal is claimed is: I. A meihod of dynamic ihreai detection, comprising: providing a first database that corrclates a plurality of thrcat charactcristics to a thrcat, wherein a presencc of the plurality of thc thrcat charactcristics confirms a presence of the threat; dctecting a change event in a computer run-timc process; testing the change event for a presence of one or more of the plurality of characteristics upon dctection of the change event; storing a detection of one of the plurality of characteristics in a second database that accumulates detected characteristics for the computer run-time process; and identifying the threat when each one of the plurality of characteristics appears in the second database.
2. 2. The meihod of claim I, wherein the ihreai includes a malware threat Lo a computer facility.
3. 3. The meLhod olclaim I, wherein the threat includes a violation of an enterprise security policy.
4. 4. The meLhod of claim I, wherein the characterislic is a lunclionality oF a compuLer program.
5. 5. the method of claim 1, wherein the characteristic is a property of a computcr program.
6. 6. Ihe method of claim 1, wherein the characteristic is a portion of program code.
7. 7. The meLhod of claim I, wherein the run-lime process indudes al least one 0! an access Lo a File, a process, a muLual exclusion objeeL, and a registry key.
8. 8. The meLhod of claim I, wherein the second datahase accumulates detected characLeristics br each of a pluralily oF computer run-Lime processes.
9. 9. the method of claim 1, whercin the first databasc conelates a different plurality of characteristics to each one of a plurality of different threats.
10. 10. The method of claim 1, further comprising creating a new threat characteristic for inclusion into the database when the detected change cvcnt is identified as a threat by a threat identification facility but is not currently in the database.