Title: Automatic generation of policy-driven anti-malware signatures and mitigation of DoS (denial-of-service) attacks
Abstract: A system and method are provided for specifying a policy that triggers automatic signature generation, refinement, and confidence characterization. The system monitors incoming payloads and identifies untrusted payloads based on specified characteristics of the handling process, including process name, triggering action, prior actions, state, and/or conditions. Signatures are automatically generated for untrusted payloads and stored. Additionally, the system provides denial-of-service (DoS) protection based on the number of signature-generation attempts, so that the server process can continue providing service on unaffected interfaces.
Publication number: US8806629(B1)    Publication date: 2014.08.12
Application number: US200811968488    Filing date: 2008.01.02
Applicant: Cisco Technology, Inc.    Inventors: Cherepov Mikhail; Zawadowskiy Andrew; Kraemer Jeffrey Albin; Ruchansky Boris
IPC: G06F12/14    Main IPC: G06F12/14
Agency: Schwegman Lundberg & Woessner, P.A.    Agent: Schwegman Lundberg & Woessner, P.A.
Independent claim 1. An anti-malware system, comprising: a processing device comprising: a payload monitoring component that monitors incoming payloads, detects an event that triggers a process of generating a signature based on the incoming payloads, and generates a rule request based on information associated with an incoming payload, the rule request being employed to determine whether a signature is to be generated for the incoming payloads after detecting the event and prior to generating the signature; a policy defining component receiving one or more policies from a user, the one or more policies including at least one of a policy for signature generation or a policy for filtering incoming payloads; a signature determining component comprising a signature-determining rules component that compares the rule request with the one or more policies to determine whether the signature is to be generated, the signature determining component generating the signature for the incoming payloads based at least in part on the rule request and the one or more policies, the signature being employed to identify malware, the signature-determining rules component further attaching metadata to the generated signature, the metadata including a confidence metric associated with the generated signature, wherein the confidence metric for a particular signature indicates a likelihood that a payload triggering the particular signature is malware, and the metadata facilitates identification and separation of a particular malware attack from other malware attacks; and a signature verifying component sending the generated signature and its associated metadata to the user for approval of the generated signature based on the confidence metric.
Address: San Jose CA US
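The abstract and claim 1 describe three cooperating mechanisms: a policy that decides whether a payload is untrusted from process name and triggering action, automatic signature generation with an attached confidence metric that drives user approval, and a per-interface cap on signature-generation attempts so that a flood on one interface does not stop service on the others. The following Python model is an added illustration written for this record; it is not code from the patent or from Cisco, and every class, method and field name (Payload, Policy, SignatureEngine, max_attempts, approval_threshold, the interface names and sample payloads) is an assumption chosen to make the behaviour concrete.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Illustrative model of policy-driven signature generation with a per-interface
# attempt cap. Names and thresholds are assumptions, not the patent's.


@dataclass(frozen=True)
class Payload:
    interface: str      # listener the payload arrived on (assumed label, e.g. "eth0")
    process_name: str   # process that would handle the payload
    action: str         # triggering action observed (e.g. "exec")
    data: bytes


@dataclass(frozen=True)
class Policy:
    process_name: str
    action: str
    confidence: float   # likelihood that a payload matching this rule is malware, 0..1


@dataclass(frozen=True)
class Signature:
    digest: str         # sha256 of the payload bytes, the generated "signature"
    process_name: str
    action: str
    confidence: float   # metadata: confidence metric attached at generation time
    source_interface: str


class SignatureEngine:
    def __init__(self, policies: List[Policy], max_attempts: int, approval_threshold: float):
        self.policies = policies
        self.max_attempts = max_attempts            # DoS cap per interface
        self.approval_threshold = approval_threshold  # below this, a user must approve
        self.attempts: Dict[str, int] = {}          # signature-generation attempts per interface
        self.quarantined: Set[str] = set()          # interfaces that exceeded the cap
        self.signatures: Dict[str, Signature] = {}  # digest -> stored signature

    def _match(self, p: Payload) -> Optional[Policy]:
        """Rule request: compare payload characteristics against the policies."""
        for pol in self.policies:
            if pol.process_name == p.process_name and pol.action == p.action:
                return pol
        return None

    def handle(self, p: Payload) -> Tuple[str, Optional[Signature]]:
        """Return (verdict, signature). Verdicts: served, signature_generated,
        signature_matched, quarantined, dropped."""
        if p.interface in self.quarantined:
            return "dropped", None          # this interface is cut off; others keep serving
        pol = self._match(p)
        if pol is None:
            return "served", None           # trusted payload, no signature work
        # Count the attempt before doing the work so a flood cannot exhaust the engine.
        n = self.attempts.get(p.interface, 0) + 1
        self.attempts[p.interface] = n
        if n > self.max_attempts:
            self.quarantined.add(p.interface)
            return "quarantined", None
        digest = hashlib.sha256(p.data).hexdigest()
        sig = self.signatures.get(digest)
        if sig is None:
            sig = Signature(digest, p.process_name, p.action, pol.confidence, p.interface)
            self.signatures[digest] = sig
            return "signature_generated", sig
        return "signature_matched", sig     # previously generated signature fires again

    def pending_approval(self) -> List[Signature]:
        """Signatures whose confidence is too low to deploy without user approval."""
        return [s for s in self.signatures.values() if s.confidence < self.approval_threshold]


def run_demo() -> dict:
    """Constructed scenario: a flood on eth0 plus normal and untrusted traffic on eth1."""
    policies = [Policy("httpd", "exec", 0.9), Policy("httpd", "write_tmp", 0.4)]
    engine = SignatureEngine(policies, max_attempts=3, approval_threshold=0.8)
    flood = [Payload("eth0", "httpd", "exec", b"constructed-sample-%d" % i) for i in range(5)]
    flood_verdicts = [engine.handle(p)[0] for p in flood]
    benign = engine.handle(Payload("eth1", "httpd", "read", b"GET / HTTP/1.1"))[0]
    untrusted = engine.handle(Payload("eth1", "httpd", "write_tmp", b"constructed-dropper"))[0]
    replay = engine.handle(Payload("eth2", "httpd", "exec", b"constructed-sample-0"))[0]
    return {
        "flood": flood_verdicts,
        "eth1_benign": benign,
        "eth1_untrusted": untrusted,
        "eth2_replay": replay,
        "pending_approval": len(engine.pending_approval()),
    }


if __name__ == "__main__":
    print(run_demo())
```

In the demo the first three untrusted payloads on eth0 each produce a stored signature, the fourth trips the cap and quarantines eth0, and the fifth is dropped without any work, while eth1 is still served and still gets its own signature. The write_tmp policy carries a low confidence, so its signature lands in the approval queue rather than being deployed automatically, which is the role the claim gives the confidence metric.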