Reporting and processing controller security information
Abstract
In one implementation, a method for providing security on externally connected controllers includes receiving, at a reporting agent that is part of a security middleware layer operating on a controller, an indication that a process has been blocked; obtaining, by the reporting agent, trace information for the blocked process; determining, by the reporting agent, a code portion in an operating system of the controller that served as an exploit for the blocked process; obtaining, by the reporting agent, a copy of malware that was to be executed by the blocked process; generating, by the reporting agent, an alert for the blocked process that includes (i) the trace information, (ii) information identifying the code portion, and (iii) the copy of the malware; and providing, by the reporting agent, the alert to a network interface on the controller for immediate transmission to a backend computer system.
Claims
exact text as granted — not AI-modified1 - 20 . (canceled)
21 . A method for providing security on an externally connected controller, the method comprising:
detecting, based on a custom security policy, malware at the externally connected controller, the custom security policy being generated based on analysis of software on the externally connected controller; generating an alert for the malware that includes at least two of: malware trace information of the malware, a controller identifier, or controller context information; providing the alert to a network interface associated with the externally connected controller; and transmitting the alert from the network interface to a device remote from the externally connected controller.
22 . The method of claim 21 , further comprising blocking the malware.
23 . The method of claim 21 , further comprising determining a current status of the externally connected controller, wherein the current status is identified in the alert.
24 . The method of claim 23 , wherein the current status includes at least one of:
a current level of use for one or more resources associated with the externally connected controller; current network connections that are established for the externally connected controller through the network interface; or a snapshot of a software stack that identifies process calls on the externally connected controller.
25 . The method of claim 21 , wherein the externally connected controller is in data communication with other controllers.
26 . The method of claim 21 , wherein the alert includes controller context information comprising a current operation state for a device or system of which the externally connected controller is a part.
27 . The method of claim 21 , wherein the custom security policy identifies permitted entities.
28 . The method of claim 27 , wherein the permitted entities include at least one of a program binary, a process, a function, a script, network behavior, a network port, an Internet Protocol (IP) address, or a device other than the externally connected controller.
29 . The method of claim 21 , wherein detecting the malware at the externally connected controller comprises detecting operating behavior of the controller outside of permitted controller operating behavior.
30 . The method of claim 21 , wherein the controller context information is determined based on calling a kernel of the externally connected controller.
31 . The method of claim 21 , wherein the generated alert comprises at least one of:
a unique controller identifier; a timestamp; packet transmission information associated with the malware; or a copy of a blocked packet.
32 . A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform processor operations for providing security on an externally connected controller, comprising:
detecting, based on a custom security policy, malware at the externally connected controller, the custom security policy being generated based on analysis of software on the externally connected controller; generating an alert for the malware that includes at least two of: malware trace information of the malware, a controller identifier, or controller context information; providing the alert to a network interface associated with the externally connected controller; and transmitting the alert from the network interface to a device remote from the externally connected controller.
33 . The non-transitory computer readable medium of claim 32 , the operations further comprising blocking the malware.
34 . The non-transitory computer readable medium of claim 32 , the operations further comprising determining a current status of the externally connected controller, wherein the current status is identified in the alert.
35 . The non-transitory computer readable medium of claim 34 , wherein the current status includes at least one of:
a current level of use for one or more resources associated with the externally connected controller; current network connections that are established for the externally connected controller through the network interface; or a snapshot of a software stack that identifies process calls on the externally connected controller.
36 . The non-transitory computer readable medium of claim 32 , wherein the externally connected controller is in data communication with other controllers.
37 . The non-transitory computer readable medium of claim 32 , wherein the alert includes controller context information comprising a current operation state for a device or system of which the externally connected controller is a part.
38 . The non-transitory computer readable medium of claim 32 , wherein the custom security policy identifies permitted entities.
39 . The non-transitory computer readable medium of claim 38 , wherein the permitted entities include at least one of a program binary, a process, a function, a script, network behavior, a network port, an Internet Protocol (IP) address, or a device other than the externally connected controller.
40 . The non-transitory computer readable medium of claim 32 , wherein detecting the malware at the externally connected controller comprises detecting operating behavior of the controller outside of permitted controller operating behavior.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.