GB2424291A - Blocking network attacks based on device vulnerability - Google Patents


Info

Publication number
GB2424291A
Authority
GB
United Kingdom
Prior art keywords
attack
data
attacks
network
vulnerable
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
GB0505511A
Other versions
GB0505511D0
Inventor
Kevin Whelan
Tom Millar
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ITC INTERNETWISE Ltd
Original Assignee
ITC INTERNETWISE Ltd
Priority date 2005-03-17 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date 2005-03-17
Publication date 2006-09-20
Classifications (CPC)

    • H04L63/1433 Vulnerability analysis (under H04L63/00 Network architectures or protocols for network security › H04L63/14 Detecting or protecting against malicious traffic)
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (under G06F21/00 Security arrangements for protecting computers, programs or data › G06F21/50 Monitoring users, programs or devices to maintain platform integrity › G06F21/55 Detecting local intrusion or implementing counter-measures)
    • H04L41/14 Network analysis or design (under H04L41/00 Maintenance, administration or management of data switching networks)
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L63/02 Separating internal from external traffic, e.g. firewalls)
    • H04L63/0263 Rule management (under H04L63/02 Firewalls › H04L63/0227 Filtering policies)

Abstract

A system for preventing software based attacks on one or more devices 5a-5c on a network 1 comprises a scanner 11, an attack prevention device 13 and a data blocker 15 e.g. firewall. The scanner periodically monitors the devices to determine the extent to which each device is vulnerable to attacks. The attack prevention device receives the data from the scanner and stores it in a database. The data blocker detects attacks contained in data being transmitted to the network and selectively blocks the data according to the information stored in the database. If an attack is not effective on the device to which it is addressed the data is allowed to pass. In one embodiment detected attacks may be assigned different priority levels, e.g. an attack which is addressed to a vulnerable device may be assigned a higher priority level than an attack which is addressed to a device which is only partly vulnerable to the attack. The system may issue warnings to a user when an effective attack is detected. This relieves the user from having to deal with spurious warnings.

Description

ATTACK PREVENTION
The present invention relates to network based systems for detecting and preventing software attacks to devices on the network.
A typical network comprises a plurality of inter-connected devices, often known as host devices, which may communicate with one another over the network. One problem associated with networks is that of hacking, in which a hacker in control of one device on the network attempts to gain unauthorised access to or control of another device on the network for illegitimate or malicious reasons. For example, a hacker may attempt to access sensitive data such as secret banking information and passwords on a personal computer. The problem of hacking is particularly acute on the internet, as a hacker connected to the internet could potentially gain access to any other device also connected to the internet. One technique used by hackers is to upload small computer programs such as Trojans onto the network, which are then inadvertently downloaded by other devices on the network. The programs then allow the hacker to access data on the device onto which the program is loaded, or allow the hacker to remotely control the device. The techniques used by hackers often rely on weaknesses or faults in software such as the operating systems executed by host devices. Such attempts to gain unauthorised access to host devices are often referred to as attacks.
In order to prevent attacks on host devices, a number of systems have been developed to detect such attacks and to block them. For example, in order to protect one or more host devices from attacks, a monitoring program known as a firewall may be employed. A firewall is designed to monitor the data flowing to and from one or more devices in order to detect the presence of attacks and to block the data flow if an attack is detected. For example, a firewall may be arranged to block data if the source address of the data is one of a predetermined list of addresses known to be the source of attacks. Firewalls may also block data based on other characteristics such as the destination address of the data, port numbers or transport layer protocols. Another means to detect attacks in network data flow is to analyse the data for the presence of characteristic signatures. These signatures consist of strings of characters which occur in known attacks. When a signature of a known attack is detected in the data flow, the data flow may be blocked. Other attack detection systems are known to those skilled in the art including systems based on detecting unusual network behaviour, for example port scanning or other behaviour which is atypical under normal network conditions. When an attack is detected, the attack detection system may issue a warning or notification to a user so that steps can be taken to deal with the attack.
One problem with known attack detection and prevention systems is that they are unreliable and often generate warnings when no genuine attack exists. Usually, an attack in the form of malicious software is designed to attack a device executing software of a particular type. For example, an attack may be designed to exploit a weakness in the Windows operating system used by a device. This particular attack would therefore be ineffective on a device using the UNIX operating system. In known systems, when the attack is detected, a warning to the user would be generated, even though the attack may actually be ineffective and not require action. This results in a large number of false positive results, and so a large amount of time is required by a user to sort through the attack warnings to decide which of these are legitimate and to reconfigure the system. What often occurs in practice is that a user will simply allow the data flow for all attack warnings, anticipating that they are simply false results, running the risk of allowing data flow when a genuine attack exists. In some cases, what would be a genuine attack for one device may actually be a legitimate process for another device. In this case, data flow may be blocked when an attack is detected even though the data flow represents legitimate processes.
A further problem with existing attack detection and prevention systems is that they require a considerable amount of time to initially configure and to reconfigure when new attacks are discovered. Typically, a user has to manually configure a system to take all known attacks into account. Where there are a large number of attacks as is usually the case this can be extremely laborious and time consuming. When new attacks are frequently discovered it can be extremely inconvenient to manually reconfigure the system for each new attack. In practice the system may be reconfigured only occasionally so that the system does not provide protection for the most recent attacks until reconfiguration takes place, which may be some time after the attack is first known.
We have appreciated the need to provide an attack detection and prevention system which is reliable and in which the number of spurious detections of attacks is minimised. We have also appreciated the need for an attack detection system which is convenient to configure and to update to take into account new attacks.
Preferred embodiments of the invention will now be described with reference to the accompanying Figure which is a schematic diagram of a system embodying the invention.
The system shown in Figure 1 may be used to protect a first sub-network 1 from attacks originating from a second sub-network 3. Attacks include processes initiated by hackers to attempt to illegitimately gain access to or control devices on a network. For example, an attack may attempt to exploit a weakness or flaw in a particular operating system or other software executed by a device. The first sub-network 1 may comprise, for example, an intranet in an office and the second sub-network 3 may comprise, for example, the internet. The first sub-network 1 comprises one or more devices 5 which are connected together via a series of communication links (not shown) arranged so that data may be transmitted between the devices 5. The second sub-network 3 similarly comprises one or more devices 7 which are connected together via a series of communication links (not shown). The devices 5 or the devices 7 may be remotely located from each other. The first sub-network 1 and the second sub-network 3 are connected together via a single communication link 9. The communication link 9 is the only route through which data may be transmitted between the first sub-network 1 and the second sub-network 3. In this way, the network traffic originating from and destined to the first sub-network 1 may be more easily monitored.
The system comprises a scanner 11, an attack prevention device 13 and a data blocker 15. The scanner 11 is arranged to automatically scan or monitor each of the devices 5 in the first sub-network 1 to determine whether any of the devices 5 are vulnerable to any known attack. A device 5 may be said to be vulnerable to a particular attack if the attack is effective on the device 5. For example, a device 5 which uses the Windows operating system is vulnerable to attacks designed to exploit weaknesses in the Windows operating system. However, a device 5 using the UNIX operating system would not be vulnerable to these attacks. In another example, an attack designed for a Windows operating system without a patch P may be ineffective on a Windows operating system having the patch P. When a device is vulnerable to an attack, this may be referred to as being a vulnerability of the device.
The scanner 11 is arranged to store and execute one or more software scanning routines, in the form of plug-ins for example, each routine designed to test whether a device 5 or the software running on a device 5 is vulnerable to a particular attack. For example, one routine may be used to test whether a device is vulnerable to a particular attack designed for the Windows operating system.
A second routine may be used to test whether a device 5 is vulnerable to an attack designed for the UNIX operating system. A routine may be programmed to communicate with a device 5 and to determine which operating system the device 5 is using by means of one or more operating system identification parameters that form part of the operating system. The routine then compares the identifications with one or more predetermined identifications to enable the operating system being used to be identified. A routine may also be programmed to perform one or more test functions to test whether a particular attack is effective on a device 5. The test functions may mimic a real attack, but without adversely affecting the device, and analyse the device's response. Other techniques for determining whether a device or software running on a device is vulnerable to a particular attack are known to those skilled in the art.
In order to monitor the devices 5, the scanner 11 communicates with each device via a series of communication links 17. Each routine stored in the scanner 11 is executed for each device 5 in the first sub-network 1. In this way, the extent to which each device 5 is vulnerable to each known attack may be determined. Any required data exchange between the scanner 11 and a device 5 during the scanning process may be performed using the appropriate communication link 17. To initially configure the scanner 11 it is necessary to store the scanning routine for each known attack in the scanner 11. This process may be carried out manually. However, preferably the process of configuring the scanner 11 is automatic. This may be achieved by means of an automatic start-up configuration routine in which the scanner accesses an existing database of known attacks, and downloads the appropriate scanning routine for each attack. When a new attack is discovered, the appropriate new scanning routine may be stored in the scanner. As with the initial configuration of the scanner 11, this may be performed manually although it is preferably performed automatically. This may be achieved by means of an automatic update feature in which new scanning routines, for example those periodically released by operating system designers or specialist attack prevention services, are automatically transmitted to and stored in the scanner. The scanner 11 may also periodically access the database of known attacks to download any new scanning routines that are not already stored in the scanner 11.
The scanning process described above is repeated periodically so that the extent to which any of the devices are vulnerable to any new attacks is determined as soon as possible. This reduces the risk of a new attack not being detected because the system is not yet configured to take the new attack into account.
Preferably, the scanning process and scanner updating are performed continuously so as to maximise the effectiveness of the system.
The attack prevention device 13 is arranged to store a database containing information relating to the extent to which each of the devices is vulnerable to each known attack. For example, the database in the attack prevention device 13 comprises a list of the devices 5 in the first sub-network 1 together with information relating to which attacks each device is vulnerable to. When the scanner 11 has determined that a particular device 5 is vulnerable to a particular attack, the scanner 11 transmits this information via a communication link 19 to the attack prevention device 13, which updates the database accordingly. In this way, the database stored in the attack prevention device 13 will contain entries of the form 'device X is vulnerable to attack A'. The identification of devices and attacks in the entries stored in the database may be made in any suitable manner, for example using predefined identification codes.
Since the devices 5 are continually monitored by the scanner 11 for vulnerabilities, entries in the database may be continually added or deleted by the attack prevention device 13 based on information received from the scanner 11.
For example, if the operating system used by a particular device X is upgraded or modified to rectify a weakness exploited by an attack A, so that attack A is no longer effective on device X, the scanner 11 will detect this change on the next scan. This information is then transmitted from the scanner 11 to the attack prevention device 13, resulting in the entry 'device X is vulnerable to attack A' being deleted. If a new attack B is discovered and the scanner 11 determines that a device Y is vulnerable to that attack, then a new entry 'device Y is vulnerable to attack B' is added to the database.
When a vulnerability has been detected for a particular device, the system may be arranged to attempt to eliminate the vulnerability. For example, when a vulnerability to an attack is discovered, the system may be arranged to search for and download any appropriate software upgrades or patches. Preferably, this process is performed automatically. Alternatively, when a vulnerability is detected, a warning may be communicated to a user indicating which device is vulnerable to which attack to allow the user to manually upgrade the device or the software used by the device. In one embodiment, where a vulnerability cannot be eliminated, for example if no appropriate software upgrade is available, the system may cause the device which is susceptible to the attack to be temporarily shut down until a suitable upgrade is available.
The data blocker 15 intercepts the communication link 9 connecting the first sub-network 1 and the second sub-network 3 and is arranged to selectively block data transmitted along the communication link 9 according to a set of predetermined criteria. In particular, the data blocker 15 is arranged to block data according to the contents of the database maintained by the attack prevention device 13. For example, if the data blocker detects that data being transmitted from the second sub-network 3 to the first sub-network 1 contains an attack A, and the data is due to be transmitted to a device X in the first sub-network 1, the data blocker 15 will access information contained in the database maintained by the attack prevention device 13. If the database contains an entry indicating that the device X is vulnerable to attack A, then the data blocker blocks the data. Conversely, if the database does not contain an entry indicating that the device X is vulnerable to attack A, then the data blocker allows the data transfer. In this latter case, the data transfer is allowed even though an attack has been detected, because the attack is not effective on the device to which it is addressed. This relieves the user from having to deal with a spurious warning.
The data blocker may determine the identity of the device to which the data is due to be transmitted for example by analysing an IP address and/or device port number associated with the data. The data blocker may identify attacks using any suitable method including those described above such as signature recognition.
When an effective attack (meaning an attack that is addressed to a device which is vulnerable to the attack) has been detected, the data blocker may be arranged to issue a warning to the user so that the user is aware of the attack. The system may provide the option to examine the details of the attack so that the user can confirm that the attack should be blocked or to override the system and allow the data flow in which the attack was detected. Since the number of spurious warnings is minimised due to the fact that the destination of the attack is taken into account, the number of warnings issued to a user is significantly reduced.
The system shown in Figure 1 monitors the data transmitted along communication link 9. Since this is the only route through which the first sub-network 1 may be accessed, all data transmitted to the first sub-network 1 is monitored. If further communication links are provided to access the first sub-network 1, to ensure maximum security, each communication link should be monitored by a system similar to the system shown in Figure 1. Alternatively, a single system may be arranged to monitor several different communication links. What is important is that all data routes between the first sub-network 1 and other parts of a network, such as the second sub-network 3, are intercepted by a data blocker 15 controlled in the manner described above.
In one embodiment, detected attacks may be assigned different levels of priority.
For example, a detected attack which is addressed to a device which is vulnerable to that particular attack may be assigned the highest priority level. An attack which is addressed to a device which is partly vulnerable to the attack may be assigned a lower priority. An attack which is addressed to a device which is not vulnerable to that attack at all may be assigned the lowest priority. The system may then be configured to issue a warning to the user if a detected attack has a priority greater than or equal to a predetermined user-set level. If the predetermined level is set to the lowest priority level, then all attacks, regardless of their destination, will result in the issue of a warning, in a similar way as occurs with known systems. However, by increasing the priority level at which a warning is issued, attacks of low suspicion may be filtered so that only highly suspicious or effective attacks result in a warning being issued. In this way, the present invention provides an attack filter whose sensitivity can be modified.
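The three pieces of the description above, the scanner's per-attack routines, the database of 'device X is vulnerable to attack A' entries that is added to and pruned on each scan, and the data blocker's block-or-pass decision with priority levels, carried into working code as an added example. This is not code from the patent or from ITC Internetwise. The device records, the two scanning routines, the attack identifiers ATTACK_A and ATTACK_B, the byte signatures, the patch names P1 and P2 and the IP addresses are all constructed for illustration; the three-level Exposure scale is an assumed encoding of the description's 'not vulnerable', 'partly vulnerable' and 'vulnerable'.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Exposure(IntEnum):
    """Extent of a device's vulnerability to an attack; doubles as the
    priority level the blocker assigns.  Assumed encoding, not the patent's."""
    NONE = 0      # attack is ineffective on the device
    PARTIAL = 1   # "partly vulnerable"
    FULL = 2      # "vulnerable"


@dataclass(frozen=True)
class Device:
    ip: str
    os: str
    patches: frozenset[str] = frozenset()


# Scanning routines ("plug-ins"), one per known attack.  A real routine would
# fingerprint the OS and probe the service; these consult constructed records.
def scan_attack_a(dev: Device) -> Exposure:
    """Hypothetical attack A: a Windows flaw fully fixed by patch 'P1'."""
    if dev.os != "windows":
        return Exposure.NONE
    return Exposure.NONE if "P1" in dev.patches else Exposure.FULL


def scan_attack_b(dev: Device) -> Exposure:
    """Hypothetical attack B: a UNIX flaw that patch 'P2' only partly mitigates."""
    if dev.os != "unix":
        return Exposure.NONE
    return Exposure.PARTIAL if "P2" in dev.patches else Exposure.FULL


SCAN_ROUTINES = {"ATTACK_A": scan_attack_a, "ATTACK_B": scan_attack_b}

# Byte signatures the data blocker matches (constructed markers, not exploits).
SIGNATURES = {"ATTACK_A": b"EXAMPLE-SIG-A", "ATTACK_B": b"EXAMPLE-SIG-B"}


class VulnerabilityDatabase:
    """Entries of the form 'device X is vulnerable to attack A', with extent."""

    def __init__(self) -> None:
        self.entries: dict[tuple[str, str], Exposure] = {}

    def update_from_scan(self, dev: Device) -> None:
        # Every routine runs against every device on each periodic scan.  An
        # entry is added when exposure is found and deleted when it is gone,
        # so a patch applied since the last scan drops the entry.
        for attack_id, routine in SCAN_ROUTINES.items():
            key = (dev.ip, attack_id)
            exposure = routine(dev)
            if exposure is Exposure.NONE:
                self.entries.pop(key, None)
            else:
                self.entries[key] = exposure

    def exposure(self, ip: str, attack_id: str) -> Exposure:
        return self.entries.get((ip, attack_id), Exposure.NONE)


@dataclass(frozen=True)
class Verdict:
    attack_id: str | None
    priority: Exposure
    blocked: bool
    warn: bool


def detect_attack(payload: bytes) -> str | None:
    """Signature recognition over the payload; returns the attack id or None."""
    for attack_id, sig in SIGNATURES.items():
        if sig in payload:
            return attack_id
    return None


def inspect(db: VulnerabilityDatabase, dst_ip: str, payload: bytes,
            warn_level: Exposure = Exposure.FULL) -> Verdict:
    """The data blocker's decision for one datagram addressed to dst_ip:
    block only if the database holds an entry for (dst_ip, attack); otherwise
    pass the data even though an attack was recognised.  Warn only when the
    priority reaches the user-set level."""
    attack_id = detect_attack(payload)
    if attack_id is None:
        return Verdict(None, Exposure.NONE, blocked=False, warn=False)
    priority = db.exposure(dst_ip, attack_id)
    return Verdict(attack_id, priority,
                   blocked=priority is not Exposure.NONE,
                   warn=priority >= warn_level)


# Constructed first sub-network and inbound traffic for the demonstration.
DEVICES = [
    Device("10.0.0.10", "windows"),
    Device("10.0.0.20", "unix", frozenset({"P2"})),
    Device("10.0.0.30", "unix"),
]
PACKETS = [
    ("10.0.0.10", b"GET / EXAMPLE-SIG-A"),   # attack A at a vulnerable host
    ("10.0.0.20", b"GET / EXAMPLE-SIG-A"),   # attack A at a UNIX host: harmless
    ("10.0.0.20", b"USER EXAMPLE-SIG-B"),    # attack B at a partly patched host
    ("10.0.0.30", b"USER EXAMPLE-SIG-B"),    # attack B at an unpatched host
    ("10.0.0.10", b"GET /index.html"),       # benign
]


def build_database(devices: list[Device]) -> VulnerabilityDatabase:
    db = VulnerabilityDatabase()
    for dev in devices:
        db.update_from_scan(dev)
    return db


def run_demo(warn_level: Exposure = Exposure.FULL) -> list[Verdict]:
    db = build_database(DEVICES)
    return [inspect(db, dst, payload, warn_level) for dst, payload in PACKETS]


if __name__ == "__main__":
    for (dst, _), verdict in zip(PACKETS, run_demo()):
        print(dst, verdict)
```

Running the file prints one verdict per constructed packet. A partial entry still blocks, because the database contains an entry for that device and attack; the user-set warn_level only filters what the user is told about. Lowering it to Exposure.NONE restores the behaviour of the known systems the description criticises, where every recognised attack raises a warning regardless of destination, and rescanning a host after its patch is applied removes the entry so the same signature is then passed through.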
The scanner 11, attack prevention device 13 and data blocker 15 each comprise a memory (not shown) for storing the appropriate computer executable code necessary to perform their functions, and a processor (not shown) for executing the code. When the system is used, the computer executable code is retrieved from the memories and executed by the processors according to the functioning of the system.

Claims (21)

1. A system for preventing software based attacks on one or more devices on a network comprising: - a scanner arranged to monitor the devices to determine the extent to which each device on the network is vulnerable to one or more attacks; - an attack prevention device arranged to receive data from the scanner relating to the extent to which each device on the network is vulnerable to the one or more attacks and to store the data in a database; and a data blocker arranged to detect attacks contained in data being transmitted to the network and to selectively block the data according to the information stored in the database in the attack prevention device.
2. The system of claim 1 in which the data blocker is arranged to block data if the data contains an attack A, if the data is due to be transmitted to a device X on the network, and if the information contained in the database indicates that the device X is vulnerable to the attack A.
3. The system of claim 1 or 2 in which the system is arranged to issue a warning message to a user only when an effective attack is detected.
4. The system of claim 1, 2 or 3 in which the scanner is further arranged to periodically monitor each of the devices.
5. The system of claim 4 in which the database in the attack prevention device is updated each time a device is monitored.
6. The system of any preceding claim in which the scanner determines the extent to which a device is vulnerable to an attack A by executing a scanning routine associated with the attack A.
7. The system of claim 6 in which one or more scanning routines are automatically loaded into the scanner upon initialisation of the system.
8. The system of claim 6 or 7 in which new scanning routines are automatically loaded into the scanner when new attacks become known.
9. The system of any preceding claim in which an attack detected by the data blocker is assigned a priority level according to the extent to which the detected attack is effective on the device to which the attack was destined.
10. The system of any preceding claim in which the data blocker is a firewall.
11. A method for preventing software based attacks on one or more devices on a network comprising the steps of: - monitoring the devices to determine the extent to which each device on the network is vulnerable to one or more attacks; - storing data relating to the extent to which each device on the network is vulnerable to the one or more attacks; - detecting attacks contained in data being transmitted to the network; and - selectively blocking the data according to the stored data.
12. The method of claim 11 in which the step of selectively blocking the data comprises the further step of blocking data if the data contains an attack A, if the data is due to be transmitted to a device X on the network, and if the information contained in the database indicates that the device X is vulnerable to the attack A.
13. The method of claim 11 or 12 comprising the further step of issuing a warning message to a user only when an effective attack is detected.
14. The method of claim 11, 12 or 13 in which the step of monitoring the devices comprises the further step of periodically monitoring each of the devices.
15. The method of claim 14 comprising the further step of updating the stored data each time a device is monitored.
16. The method of any of claims 11 to 15 in which the step of monitoring the devices comprises the further step of determining the extent to which a device is vulnerable to an attack A by executing a scanning routine associated with the attack A.
17. The method of claim 16 comprising the further step of automatically loading one or more scanning routines upon initialisation of the system.
18. The method of claim 16 or 17 comprising the further step of automatically loading new scanning routines when new attacks become known.
19. The method of any of claims 11 to 18 in which the step of detecting attacks comprises the further step of assigning a priority level to a detected attack according to the extent to which the detected attack is effective on the device to which the attack was destined.
20. A computer program comprising computer executable instructions which when executed by a processor, causes the processor to perform the method of any of claims 11 to 19.
21. A computer program product comprising computer executable instructions according to claim 20.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0505511A GB2424291A (en) 2005-03-17 2005-03-17 Blocking network attacks based on device vulnerability

Publications (2)

Publication Number Publication Date
GB0505511D0 GB0505511D0 (en) 2005-04-27
GB2424291A true GB2424291A (en) 2006-09-20

Family

ID=34531436

Country Status (1)

Country Link
GB (1) GB2424291A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3842974A4 (en) * 2018-10-17 2021-11-17 Panasonic Intellectual Property Corporation of America Information processing device, information processing method, and program
EP4135261A1 (en) * 2018-10-17 2023-02-15 Panasonic Intellectual Property Corporation of America Information processing device, information processing method, and program

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001084270A2 (en) * 2000-04-28 2001-11-08 Internet Security Systems, Inc. Method and system for intrusion detection in a computer network
US6415321B1 (en) * 1998-12-29 2002-07-02 Cisco Technology, Inc. Domain mapping method and system
WO2003100617A1 (en) * 2002-05-22 2003-12-04 Lucid Security Corporation Adaptive intrusion detection system
US20040064726A1 (en) * 2002-09-30 2004-04-01 Mario Girouard Vulnerability management and tracking system (VMTS)
US20050005171A1 (en) * 2003-07-01 2005-01-06 Oliphant Brett M. Real-time vulnerability monitoring
US20050022028A1 (en) * 2003-04-16 2005-01-27 Aron Hall Network security apparatus and method

Also Published As

Publication number Publication date
GB0505511D0 (en) 2005-04-27
