Threat protection network
Abstract
Threat protection networks are described. Embodiments of threat protection network in accordance with the invention use expert systems to determine the nature of potential threats to a remote computer. In several embodiments, a secure peer-to-peer network is used to rapidly distribute information concerning the nature of the potential threat through the threat protection network. One embodiment of the invention includes at least one client computer connected to a network, a server that stores threat definition data and is connected to the network, an expert system in communication with the server. In addition, the client computer is configured to refer potential threats to the server, the server is configured to refer to the expert system any potential threat forwarded by a client computer that is not identified in the threat definition data and the expert system is configured to determine whether the potential threat is an actual threat by exposing at least one test computer to the potential threat and observing the behavior of the test computer.
Claims
exact text as granted — not AI-modified1 - 40 . (canceled)
41 . A threat protection network for detecting and analyzing suspicious files in real-time, comprising:
at least one client computer connected to a network; a server that stores threat definition data and is connected to the network; an expert system in communication with the server; at least one test computer connected to the expert system; wherein the client computer is configured to identify a suspicious file on the client computer; wherein the client computer is configured to automatically notify the server of the suspicious file; wherein the server is configured to send the suspicious file to the expert system; wherein the expert system is configured to determine whether the suspicious file is an actual threat by exposing the at least one test computer to the suspicious file and analyzing the behavior of the suspicious file on the at least one test computer; and wherein the expert system or the server is configured to isolate the expert system and the at least one test computer from the network prior to exposing the at least one test computer to the suspicious file.
42 . The threat protection network of claim 41 , wherein the client is configured to generate a signature for the suspicious file.
43 . The threat protection network of claim 42 , wherein the signature includes two or more check sums generated using the suspicious file.
44 . The threat protection network of claim 41 , wherein the server is configured to update the threat definition data based upon determinations made by the expert system.
45 . The threat protection network of claim 44 , wherein the server is configured to notify clients that updated threat definition data is available.
46 . The threat protection network of claim 41 , wherein the server is configured to:
receive a signature of the suspicious file from the client computer; compare the signature with threat definition data comprising signatures of known threat files; compare the signature with data comprising signatures of suspicious files reported from other client computers; and if the signature is not found in the signatures of suspicious files reported from other client computers:
request a copy of the suspicious file; and
receive the suspicious file.
47 . The threat protection network of claim 41 :
wherein the at least one test computer includes multiple test computers; wherein at least two of the test computers use different operating systems.
48 . The threat protection network of claim 48 , wherein at least two of the test computers use different versions of the same operating system.
49 . The threat protection network of claim 41 , wherein the expert system is configured to assign a score to a potential threat.
50 . The threat protection network of claim 49 , wherein a score above a first threshold is indicative of an actual threat.
51 . The threat protection network of claim 41 , wherein the determination of whether the suspicious file is an actual threat by the expert system is automatic.
52 . A method for responding in real-time to requests for analysis of suspicious files, the method comprising:
receiving, at a server, a signature of a suspicious file from a client computer; comparing, at the server, the signature with threat definition data comprising signatures of known threat files; comparing, at the server, the signature with signatures of suspicious files reported from other client computers; and sending information to the client computer indicative of whether the suspicious file is safe or is a threat.
53 . The method of claim 52 , further comprising:
receiving a request from the client computer for updated threat definition data; providing a list identifying a number of client computers on which the updated threat definition data is stored; and adding the client computer to the list.
54 . The method of claim 53 , wherein the adding the client computer to the list comprises adding the client computer to the list and removing another client computer from the list.
55 . The method of claim 54 , further comprising:
providing, upon request, information indicative of a validity of the updated threat definition data.
56 . The method of claim 55 , further comprising determining the validity of the updated threat definition data by applying a predetermined algorithm to the threat definition data.
57 . The method of claim 52 , further comprising providing the updated threat definition data to a requesting client computer.
58 . The method of claim 52 , further comprising receiving, from the client computer, a copy of the suspicious file for analysis.
59 . A threat identification system configured to evaluate suspicious files discovered on a remote computer system, comprising:
an expert system installed on a host computer; at least one test computer connected to the host computer; wherein the expert system is configured to receive a suspicious file; wherein the expert system is configured to expose the at least one test computer to the suspicious file; wherein the expert system is configured to analyze the behavior of the suspicious file on the at least one test computer; and wherein the expert system is configured to determine a score based upon the analyzed behavior and a set of predetermined criteria.
60 . The threat identification system of claim 59 , wherein the expert system determines whether the suspicious file is an actual threat based upon the score.
61 . The threat identification system of claim 59 , wherein the expert system is configured to determine that:
a score above a first threshold constitutes a threat; and a score below a second threshold constitutes no threat.
62 . The threat identification system of claim 61 , wherein the first threshold and second threshold have the same value.
63 . The threat identification system of claim 59 , wherein at least two of the test computers use different operating systems.
64 . The threat identification system of claim 59 , wherein at least two of the test computers use different versions of the same operating system.
65 . A method for generating requests for real-time analysis of suspicious files, the method comprising:
detecting, at a client computer, a suspicious event; identifying, at the client computer, a file having caused the suspicious event; generating, at the client computer, a signature for the file having caused the suspicious event; comparing, at the client computer, the signature with threat definition data comprising signatures of known threat files; and if the signature was not found in the threat definition data:
sending, to a server, the signature for analysis; and
receiving a result of the analysis from the server.
66 . The method of claim 65 , further comprising:
if the result indicate that the server found the signature within an updated threat definition data stored at the server:
requesting a list of other client computers having the updated threat definition data; and
requesting the updated threat definition data from a client computer on the list.
67 . The method of claim 65 , further comprising:
requesting, at the server, a copy of the file having caused the suspicious event; and forwarding, from the server, the file having caused the suspicious event to an expert system for analysis; isolating the expert system from the server; allowing, on at least one test computer coupled to the expert system, the file having caused the suspicious event to run; analyzing, at the expert system, the behavior of the at least one test computer; and reporting the results of the analysis by the expert system.
68 . The method of claim 65 , wherein:
the file having caused the suspicious event includes a header; and the signature includes a checksum generated using at least one bit from the file header.
69 . The method of claim 65 , wherein:
the file having caused the suspicious event includes a header and a body; and the signature includes a checksum generated using at least one bit from a location within the file body.
70 . The method of claim 65 , further comprising:
obtaining, at the client computer, updated threat definition data via a secure peer-to-peer network.
71 . The method of claim 65 , further comprising:
providing, at the client computer, the threat definition data to peer computers upon request.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.