WO2003021402A2 - Network security - Google Patents

Network security

Info

Publication number: WO2003021402A2
Authority: WIPO (PCT)
Application number: PCT/GB2002/004059
Other languages: French (fr)
Other versions: WO2003021402A3 (en)
Inventor: David John Duke
Original assignee: Cryptic Software Limited
Priority date: 2001-09-05 (GB0121497.2)
Filing date: 2002-09-05
Publication date: 2003-03-13 (A2); 2004-08-19 (A3)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

A computer network comprises a server computer and a plurality of local computers. Each local computer is provided with an engine program which monitors all files and peripherals and detects changes in the files or configuration. The results of the monitoring are used to create compressed information relating to the files and peripherals, which is communicated to the server computer; the server computer stores previous information relating to the files and peripherals of the local computers. The server computer compares the received information with the stored information in order to detect the presence of altered and unwanted files or changes in configuration. In this way both known and unknown viruses can be detected, as can unauthorised use of the local computers.

Description

NETWORK SECURITY
The present invention relates to an arrangement for monitoring the security of a computer especially computers on a network and particularly individual devices and information contained therein.
It is well known to provide individual computers with virus checking software but it is also well known that such software consumes resources when it is run and also takes time. Additionally, updating such software is somewhat cumbersome as each individual computer has to be updated separately. Further, it is known to provide firewalls to protect computers and computer systems which are connected to a network or to the outside world but again these firewalls have limitations and they do not provide a completely effective defence to potential hackers.
Both of these methodologies are reactive and only detect threats to a network which have been seen and indexed previously.
It is an object of the present invention to provide an arrangement whereby protection from attack by viruses is improved as well as providing a more effective firewall in the event that the computer or computer system is provided with such. It is a further object that the invention is deployed in such a way that it is itself not vulnerable to attack.
From one aspect, the present invention is based on a concept whereby a main memory holds a record of all files used by a local computer, is provided with update information on all existing files as well as all new files and determines whether the updated files or new files represent a security threat. In a preferred embodiment, as data is created, modified or deleted on the local computer, events are monitored and collected by an engine program and forwarded to the main memory. Preferably, the engine program itself consists of a single file which is arranged to run a program in parallel with the normal operating system of the local computer thus making the file easier to hide so that the presence of the engine program will not be noticed either by the user or by a hacker. Further, as far as the user of the local computer is concerned, the engine program has no noticeable effect on the system. Preferably, the main memory is provided by a central computer (hereafter referred to as the console) and the local computer communicates with the console over a network or in some other convenient manner.
The engine program monitors each and every file and by inspecting preselected parts of each file can create a highly compressed accurate image of the file which can then be transmitted to the central database. It will be appreciated that all files can be handled in this way. Consequently, when the term "file" is used we mean all files associated with the operating system, data, registries, directories, hardware, software and such like. In this way, a complete virtual image of a local computer can be stored within the central database and the console can have management software for monitoring changes in the data files, programs or hardware of the local computer and thus warn of tampering with such files, programs and/or hardware.
From another aspect, the present invention provides a method of monitoring the security of a computer system comprising monitoring a file as it is created or updated by inspecting preselected portions of the file selected from the whole file, storing information derived from the preselected portions and transmitting the stored information to a main memory location. The main memory location is preferably a central database of a network. From a further aspect the present invention provides a method of improving the security of computer apparatus by providing two copies of a security program and interconnecting them such that as one is switched off, either deliberately or inadvertently, the other is automatically switched on and vice versa. It is to be understood that this aspect is not limited to any particular type of security program and is of general application. However, it has particular application with the present invention where the security program is relatively small and easy to hide. In order that the present invention be more readily understood, an embodiment thereof will now be described with reference to the accompanying drawings in which:
Fig 1 shows a block diagram of a network according to the present invention;
Fig 2 shows a block diagram representing the main functions of an engine program arranged to be installed on each computer to be protected; and
Fig 3 is a flow chart for explaining the operation of the engine program of Fig 1.
The present invention will be described in relation to its use for network security but it will be appreciated that the invention can be implemented in a number of different ways independently of any connection technology. In fact, the totality of the invention could be located within a single computer, or a local computer could be in communication with a central server over conventional telephone lines rather than utilising any network protocol.
As shown in Fig 1, a central server 1 communicates via transmit/receive ports 2 with a number of local computers 3, each of which is provided with a monitoring engine program 4. The central server is provided with a plurality of databases, namely an archive of threats database 5, a virtual image of each computer database 6 and an audit database 7. The basis of the present embodiment is that a virtual copy of a local computer and all its files will be kept in a database at the central server computer, with each file having its own individual characteristics stored at the central computer. The virtual copies are created by the small engine programs 4 loaded on the local computers 3, which monitor all files by inspecting preselected portions of the files in order to create a so-called "fingerprint" of each file, which is in fact a highly compressed version of the file. The fingerprint can then be very speedily forwarded to the central location, where the current fingerprint can be compared with a previous fingerprint and any changes detected. The changes are then evaluated by the central computer 1 in order to determine the level of threat, if any, to the security of the local computer system, and an appropriate signal is sent back from the central server to the local computer 3 in the event that a particular file should not be opened or a particular program should not be run. Simultaneously, an event is displayed at the central computer and/or forwarded to other programs.
It will be appreciated that by the use of a virtual copy of the local computer and all its files, the central server can then monitor and log all changes to files, programs and/or hardware in order to provide evidence of breaches of security at the local computer. As an example of this, one could consider a computer fitted with several pieces of memory. Removal of all or part of this memory is an event which can be detected by the engine program and thus signalled to the central computer which can log the event. In further explanation of the evidential facilities of this invention on the triggering of specified events, biometric information can be gathered in real time and forwarded to the central database. For example, if an event is detected, a screen shot of the local computer is gathered for evidence and at the same time the engine program can gather biometric information such as a photograph of the user of the local computer.
The above description represents a simple brief overall view of the arrangement in accordance with the present invention but for a more detailed description we will now separate the operation of the engine program at the local computer and firstly describe this before we move onto a description of the operation of the monitoring program at the central server.
The engine program is shown diagrammatically in Fig 2 where all file data is monitored at monitoring section 11 under the control of a program section 12 which determines which parts of the data will be sampled. The selected parts of the data are then stored as indicated at 14 in order to create a virtual compressed copy of the file data for transmission as indicated at 16.
The engine program is arranged to commence running as soon as the computer on which it is loaded is powered up. The program then monitors all files as they are opened and in particular it monitors all changes to a file, as indicated by the flow chart shown in Fig 3. Each and every change is inspected in order to determine whether the change is the creation of a new file. It also determines whether the change is a valid change. Each file is also checked by inspecting the file from a plurality of points of view by sampling predetermined portions of the file. This in turn creates a fingerprint or virtual copy of the file, which is then assembled for transmission to a central database either over the network or via some other communications link. Among the predetermined portions of the file which the engine program inspects is the tag indicating whether or not the file is an executable. It also determines whether the file is a manipulated file, e.g. a zipped or encrypted file. It looks for the presence of capabilities such as keystroke logging, FTP server capability, IP notification, joystick controls, game libraries, etc.
The engine program has a memory capability 12 so that it can store instructions received from the central processor as described below and then carry out those instructions in the event that the fingerprint it has assembled of a file indicates that action is necessary. As an example, if a known threat is present in a file as indicated by the fingerprint, the engine program can immediately kill the threat in view of the fact that it has the necessary instruction previously received from the central server. In certain circumstances, the file in question can be automatically dealt with. A particular feature of the engine program is that it does not wait to be polled by a central computer. Rather, it itself generates a message for transmission to the central computer. This has the advantage that the engine program is immune to attack from a hacker because there is no "listening" port waiting for an incoming transmission. It is not until the engine program has communicated with the central server that a two-way communication is possible, and only after the engine program's communication with the central server can the central server transmit modified information to the engine program. However, the monitoring and modification of the files on the local computer occur in real time while the local computer is in operation, either by being started up or while the local computer is running programs. Further, the engine program can itself run other software in order to transmit and/or record data as a result of the detection of a particular event or change to a file. As an example of this, if the local computer is fitted with a web cam, should particular files be modified, the engine program can take a picture of the user of the machine at the appropriate time and correlate the event with the actual user as evidence for subsequent use.
In an especially secure system, it is possible to provide two identical engine programs which are interlinked with each other so that, in the event that one is disabled for any reason, e.g. being switched off, the other is activated before the first is terminated and vice versa. This ensures security in the event that one of the engine programs is detected by a hacker or other person seeking to tamper with the local computer.
Turning now to the central server 1, this contains a reception port 2 for receiving data transmitted from the local computer. As fingerprints are stored, the central computer builds up a virtual picture of each local computer, its hardware, programs and files generally in its database 6. In addition, the central server maintains a database 5 of all known security threats and viruses. As fingerprints of files are received these are compared with the information in the threats database 5 so that any threat can be detected instantaneously. Additionally, because the central server maintains an up to date virtual copy of each local computer with which it is in communication, in the event that it identifies a security threat in relation to one computer 3, it can then inspect all other local computers for similar configurations and then be ready to communicate the necessary instruction to another local computer 3 as soon as the other local computer communicates with the central server for any reason. In this way, security threats and the mechanism of deleting files or repairing infected files can be undertaken much more quickly, and in fact even before a local computer might have been subjected to attack or infection. In other words, when a new threat is identified, it is added to the server database so that the central processor can check its data relating to the local computers to which it is connected to identify other infected systems without the need to communicate with them. Therefore even if a laptop is disconnected or machines are powered down, threats can still be identified and remedial action taken once such machines are back in communication with the central server.
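The fingerprinting, comparison and cross-host sweep described above, as an added illustration that is not the patent's own code: the engine derives a fingerprint from preselected portions of a file, the console diffs it against the stored virtual image, matches it against the threat archive, and queues instructions for hosts that have not yet reported in. The PE/ELF/ZIP/gzip magic bytes are real; the sample offsets, entropy threshold, message shapes, host names, path and file contents are constructed for this example.

```python
"""Model of the engine/console arrangement: the engine fingerprints a file
from preselected portions and reports in (it never listens); the console
diffs the report against its virtual image, checks the threat archive,
sweeps other hosts' images and queues instructions. Added illustration;
magic bytes are real, everything else here is constructed."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_OFFSETS = (0.0, 0.25, 0.5, 0.75)  # constructed: fractions of the file to sample
SAMPLE_LEN = 64                          # constructed: bytes taken at each offset
ENTROPY_THRESHOLD = 7.5                  # constructed: bits/byte above which we say "encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 suggests compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """Engine side: inspect preselected portions and return a compact record
    (a few hashes and tags) rather than the file itself."""
    samples = []
    for frac in SAMPLE_OFFSETS:
        start = int(frac * len(data))
        samples.append(hashlib.sha256(data[start:start + SAMPLE_LEN]).hexdigest()[:16])
    return {
        "size": len(data),
        "executable": data[:2] == b"MZ" or data[:4] == b"\x7fELF",          # PE / ELF
        "compressed": data[:4] == b"PK\x03\x04" or data[:2] == b"\x1f\x8b",  # ZIP / gzip
        "encrypted": shannon_entropy(data) > ENTROPY_THRESHOLD,             # heuristic
        "samples": samples,
    }


@dataclass
class Console:
    """Central server: virtual images (db 6), threat archive (db 5), audit log (db 7)."""
    images: dict = field(default_factory=dict)   # host -> {path: fingerprint}
    threats: dict = field(default_factory=dict)  # tuple(samples) -> threat name
    audit: list = field(default_factory=list)    # (host, path, event)
    pending: dict = field(default_factory=dict)  # host -> [instructions]

    def receive(self, host: str, path: str, fp: dict) -> list:
        """Handle an engine-initiated report and return the instructions queued for
        this host: the only moment the console can talk back (no listening port)."""
        image = self.images.setdefault(host, {})
        prev = image.get(path)
        if prev is None:
            self.audit.append((host, path, "new"))
        elif prev != fp:
            changed = [k for k in fp if prev.get(k) != fp[k]]
            self.audit.append((host, path, "modified:" + ",".join(changed)))
        image[path] = fp
        name = self.threats.get(tuple(fp["samples"]))
        if name:
            self.audit.append((host, path, "threat:" + name))
            self.pending.setdefault(host, []).append(("kill", path, name))
        return self.pending.pop(host, [])

    def add_threat(self, name: str, fp: dict) -> list:
        """Record a new threat, then sweep stored images for other hosts carrying the
        same fingerprint and queue a kill for each without contacting them."""
        key = tuple(fp["samples"])
        self.threats[key] = name
        hits = []
        for host, image in self.images.items():
            for path, stored in image.items():
                if tuple(stored["samples"]) == key:
                    hits.append((host, path))
                    self.pending.setdefault(host, []).append(("kill", path, name))
        return hits


def demo() -> dict:
    """Constructed walk-through: two hosts report the same path, one copy is later
    identified as a threat, the other host gets its instruction on its next report."""
    console = Console()
    path = r"C:\app\tool.exe"                                  # constructed path
    clean = b"MZ" + b"\x00" * 300 + b"hello" * 40              # constructed file
    infected = b"MZ" + b"\x00" * 300 + bytes(range(256)) * 2   # constructed file
    first = console.receive("host-a", path, fingerprint(clean))
    second = console.receive("host-b", path, fingerprint(infected))
    hits = console.add_threat("demo-threat", fingerprint(infected))
    third = console.receive("host-a", path, fingerprint(infected))
    return {"first": first, "second": second, "hits": hits, "third": third,
            "audit": console.audit, "pending_b": console.pending.get("host-b", [])}


if __name__ == "__main__":
    for event in demo()["audit"]:
        print(*event)
```

Note that host-b's kill instruction stays queued until host-b next reports in, which is the page's point about disconnected or powered-down machines.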
In the same way, the central computer can monitor changes to hardware and software using the information in the database 7 and consequently know when a security breach might have taken place. In this case, the central computer can log the event in question or signal the local computer to take the necessary action to provide evidence of the possible security breach, e.g. by taking a web cam picture as well as recording the user name and password.
Another sophisticated ability of the server is to construct a dynamic, accurate, focused detection formula which can be custom built to detect dynamically changing threats which avoid typical security fingerprinting techniques.
The central server can communicate back to the local computer in the event of a security breach or potential security breach, or it can communicate with some other communications device such as a mobile telephone or personal digital assistant by sending an e-mail, SMS or fax to indicate the existence of the security breach or potential security breach. In this way, users of portable computers could be warned of security breaches relating to their machine without the need to actually switch it on and establish communications with the central server.

Claims

1. A computer arrangement comprising a central processor, first memory means for storing an operating system program for the central processor, further memory means for storing data relating to all files used by the computer arrangement, storage means separate from the first storage memory means for storing an engine program for monitoring files used or created by the computer arrangement, and means for communicating the results of the monitoring to the further memory means.
2. A computer arrangement according to claim 1, wherein the engine program is arranged to inspect preselected parts of each file and create a compressed version of the file.
3. A computer arrangement according to claim 1, wherein the further memory means is located remote from the central processor and first memory means.
4. A computer arrangement according to claim 3, wherein the means for communicating results to the further memory means comprises a network connection.
5. A computer arrangement according to claim 1, wherein the storage means is arranged to store two engine programs each of which is capable of being switched off and which are interconnected such that as one is switched off, the other is switched on.
6. A computer arrangement according to claim 1, wherein the engine program is arranged to monitor peripheral devices connected to the arrangement in order to detect the presence of new devices and the absence of previously connected devices.
7. A computer arrangement according to claim 6, wherein the engine program is arranged to record data relating to any change in peripheral devices or files.
8. A computer arrangement according to claim 3, wherein the further memory means is located in a further computer which is arranged to analyse the results of the monitoring.
9. A computer arrangement according to claim 8, wherein the further computer is arranged to transmit instructions to the central processor depending on the results of the analysis.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0121497.2 2001-09-05
GB0121497A GB0121497D0 (en) 2001-09-05 2001-09-05 Network security

Publications (2)

Publication Number Publication Date
WO2003021402A2 (en) 2003-03-13
WO2003021402A3 WO2003021402A3 (en) 2004-08-19

Family

ID=9921565

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2002/004059 WO2003021402A2 (en) 2001-09-05 2002-09-05 Network security

Country Status (2)

Country Link
GB (1) GB0121497D0 (en)
WO (1) WO2003021402A2 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005008457A1 (en) * 2003-07-08 2005-01-27 Seventh Knight Automatic regeneration of computer files description
WO2008071620A1 (en) * 2006-12-11 2008-06-19 International Business Machines Corporation Heuristic malware detection
US7603715B2 (en) 2004-07-21 2009-10-13 Microsoft Corporation Containment of worms
US7634812B2 (en) 2004-07-21 2009-12-15 Microsoft Corporation Filter generation
US7634813B2 (en) 2004-07-21 2009-12-15 Microsoft Corporation Self-certifying alert
US8418250B2 (en) 2005-06-30 2013-04-09 Prevx Limited Methods and apparatus for dealing with malware
US8479174B2 (en) 2006-04-05 2013-07-02 Prevx Limited Method, computer program and computer for analyzing an executable computer file
US8874579B2 (en) 2011-08-18 2014-10-28 Verisign, Inc. Systems and methods for identifying associations between malware samples
US9754117B2 (en) 2014-02-24 2017-09-05 Northcross Group Security management system
US9917811B2 (en) 2015-10-09 2018-03-13 International Business Machines Corporation Security threat identification, isolation, and repairing in a network
US10574630B2 (en) 2011-02-15 2020-02-25 Webroot Inc. Methods and apparatus for malware threat research

Citations (6)

Publication number Priority date Publication date Assignee Title
US5475625A (en) * 1991-01-16 1995-12-12 Siemens Nixdorf Informationssysteme Aktiengesellschaft Method and arrangement for monitoring computer manipulations
EP0899662A1 (en) * 1997-08-29 1999-03-03 Hewlett-Packard Company Backup and restore system for a computer network
EP0952521A2 (en) * 1998-04-23 1999-10-27 Hewlett-Packard Company Method for tracking configuration changes in networks of computer systems through historical monitoring of configuration status of devices on the network
US6094731A (en) * 1997-11-24 2000-07-25 Symantec Corporation Antivirus accelerator for computer networks
GB2350704A (en) * 1999-06-02 2000-12-06 Nicholas Peter Carter Security system
WO2002033525A2 (en) * 2000-10-17 2002-04-25 Chuang Shyne Song A method and system for detecting rogue software

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5475625A (en) * 1991-01-16 1995-12-12 Siemens Nixdorf Informationssysteme Aktiengesellschaft Method and arrangement for monitoring computer manipulations
EP0899662A1 (en) * 1997-08-29 1999-03-03 Hewlett-Packard Company Backup and restore system for a computer network
US6094731A (en) * 1997-11-24 2000-07-25 Symantec Corporation Antivirus accelerator for computer networks
EP0952521A2 (en) * 1998-04-23 1999-10-27 Hewlett-Packard Company Method for tracking configuration changes in networks of computer systems through historical monitoring of configuration status of devices on the network
GB2350704A (en) * 1999-06-02 2000-12-06 Nicholas Peter Carter Security system
WO2002033525A2 (en) * 2000-10-17 2002-04-25 Chuang Shyne Song A method and system for detecting rogue software

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MCKOSKY R A ET AL: "A FILE INTEGRITY CHECKING SYSTEM TO DETECT AND RECOVER FROM PROGRAM MODIFICATION ATTACKS IN MULTI-USER COMPUTER SYSTEMS" COMPUTERS & SECURITY. INTERNATIONAL JOURNAL DEVOTED TO THE STUDY OF TECHNICAL AND FINANCIAL ASPECTS OF COMPUTER SECURITY, ELSEVIER SCIENCE PUBLISHERS. AMSTERDAM, NL, vol. 9, no. 5, 1 August 1990 (1990-08-01), pages 431-446, XP000147838 ISSN: 0167-4048 *
WILLIAMS R N: "DATA INTEGRITY WITH VERACITY" INTERNET, 12 September 1994 (1994-09-12), XP002096828 Retrieved from the Internet: <URL:ftp://ftp.rocksoft.com/clients/rocksoft/papers/vercty10.ps> [retrieved on 1999-03-16] *

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7685174B2 (en) 2003-07-08 2010-03-23 Seventh Knight Inc. Automatic regeneration of computer files
WO2005008457A1 (en) * 2003-07-08 2005-01-27 Seventh Knight Automatic regeneration of computer files description
US7603715B2 (en) 2004-07-21 2009-10-13 Microsoft Corporation Containment of worms
US7634812B2 (en) 2004-07-21 2009-12-15 Microsoft Corporation Filter generation
US7634813B2 (en) 2004-07-21 2009-12-15 Microsoft Corporation Self-certifying alert
EP2629232A2 (en) 2005-06-30 2013-08-21 Prevx Limited Methods and apparatus for dealing with malware
US8418250B2 (en) 2005-06-30 2013-04-09 Prevx Limited Methods and apparatus for dealing with malware
EP2629231A2 (en) 2005-06-30 2013-08-21 Prevx Limited Methods and apparatus for dealing with malware
US8726389B2 (en) 2005-06-30 2014-05-13 Prevx Limited Methods and apparatus for dealing with malware
US8763123B2 (en) 2005-06-30 2014-06-24 Prevx Limited Methods and apparatus for dealing with malware
US11379582B2 (en) 2005-06-30 2022-07-05 Webroot Inc. Methods and apparatus for malware threat research
US10803170B2 (en) 2005-06-30 2020-10-13 Webroot Inc. Methods and apparatus for dealing with malware
US8479174B2 (en) 2006-04-05 2013-07-02 Prevx Limited Method, computer program and computer for analyzing an executable computer file
WO2008071620A1 (en) * 2006-12-11 2008-06-19 International Business Machines Corporation Heuristic malware detection
US8091127B2 (en) 2006-12-11 2012-01-03 International Business Machines Corporation Heuristic malware detection
US10574630B2 (en) 2011-02-15 2020-02-25 Webroot Inc. Methods and apparatus for malware threat research
US9405905B2 (en) 2011-08-18 2016-08-02 Verisign, Inc. Systems and methods for identifying associations between malware samples
US9721099B2 (en) 2011-08-18 2017-08-01 Verisign, Inc. Systems and methods for identifying associations between malware samples
US8874579B2 (en) 2011-08-18 2014-10-28 Verisign, Inc. Systems and methods for identifying associations between malware samples
US9754117B2 (en) 2014-02-24 2017-09-05 Northcross Group Security management system
US9917811B2 (en) 2015-10-09 2018-03-13 International Business Machines Corporation Security threat identification, isolation, and repairing in a network
US9923867B2 (en) 2015-10-09 2018-03-20 International Business Machines Corporation Security threat identification, isolation, and repairing in a network

Also Published As

Publication number Publication date
GB0121497D0 (en) 2001-10-24
WO2003021402A3 (en) 2004-08-19

Similar Documents

Publication Publication Date Title
TWI678616B (en) File detection method, device and system
CA2391701C (en) Method and system for remotely configuring and monitoring a communication device
US6775657B1 (en) Multilayered intrusion detection system and method
CN106411562B (en) Electric power information network safety linkage defense method and system
US8291498B1 (en) Computer virus detection and response in a wide area network
CN1291568C (en) Method for preventing server field from invading and server field
US20030188190A1 (en) System and method of intrusion detection employing broad-scope monitoring
KR20040101490A (en) Detecting and countering malicious code in enterprise networks
WO2001084270A2 (en) Method and system for intrusion detection in a computer network
CA2545916A1 (en) Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data
WO2001016664A1 (en) System and method for detecting computer intrusions
KR20120090574A (en) Method for detecting arp spoofing attack by using arp locking function and recordable medium which program for executing method is recorded
WO2003021402A2 (en) Network security
US20240045954A1 (en) Analysis of historical network traffic to identify network vulnerabilities
CN100568876C (en) The method and the equipment that is used to handle radio communication that are used for operating data processing system
JP4462849B2 (en) Data protection apparatus, method and program
US20050086512A1 (en) Worm blocking system and method using hardware-based pattern matching
KR20000063357A (en) Remote anti-virus system and method on the wireless network
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
JP2006330926A (en) Virus infection detection device
US20220083646A1 (en) Context Based Authorized External Device Copy Detection
KR100503772B1 (en) A monitoring system and method of auditing performanced work connected to database server by utility method
CA3122328A1 (en) A system for, and a method of creating cybersecurity situational awareness, threat detection and risk detection within the internet-of-things space
RU186198U1 (en) Host Level Intrusion Detector
Abimbola et al. NetHost-Sensor: Investigating the capture of end-to-end encrypted intrusive data

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BY BZ CA CH CN CO CR CU CZ DE DM DZ EE ES FI GB GD GE GH GM HU ID IL IN IS JP KE KG KP KR KZ LK LR LS LT LU LV MA MD MG MK MW MX MZ NO NZ PL PT RO RU SD SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ UG ZM ZW AM AZ BY KG KZ RU TJ TM AT BE BG CH CY CZ DK EE ES FI FR GB GR IE IT LU MC PT SE SK TR BF BJ CF CG CI GA GN GQ GW ML MR NE SN TD TG

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: COMMUNICATION PURSUANT TO RULE 69(1) EPC (EPO FORM 1205A DATED 21-06-2004)

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP