SOFTWARE VULNERABILITY EXPLOITATION SHIELD

Information

  • Patent Application: 20070226797
  • Publication Number: 20070226797
  • Date Filed: March 26, 2007
  • Date Published: September 27, 2007
Abstract
This paper describes a mechanism for minimizing the exploitation of vulnerabilities in software installed on a computing system. At a transport layer (e.g., the transmission control protocol (TCP) sockets layer), network traffic is monitored using a security component installed on the target computer. When a message destined for the computing system is received, data included in the message is compared with exploit evidence used to identify malicious code. The exploit evidence is provided to the security component by a security service that gathers information about the malicious code. Based on the comparison of the data in the message with the exploit evidence, rules are identified that instruct the security component to take an appropriate action on the received message.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited and other advantageous features of the invention can be obtained, a more particular description of the invention briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments of the invention and are not therefore to be considered to be limiting of its scope, the invention will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:

FIG. 1 illustrates a computing network with a security service and security component used to minimize exploitation of software vulnerabilities in accordance with example embodiments; and

FIG. 2 illustrates flow diagrams for implementing a method of reducing a risk window for computers that are potential targets of malefactors in accordance with example embodiments.

Claims
  • 1. At a computing system in a network computing environment, a method of minimizing the exploitation of vulnerabilities on software installed on the computing system by inspecting network traffic thereto and identifying the malicious code before it can be executed and/or installed, the method comprising: monitoring, at a transport layer, incoming network traffic of a computing system using a security component installed thereon; receiving as part of the network traffic a message at the transport layer identified as destined for the computing system; comparing at least a portion of data included in the message received with exploit evidence used to identify malicious code, the exploit evidence provided to the security component by a security service that gathers information about the malicious code; based on the comparison with the exploit evidence, identifying one or more rules that instruct the security component to perform one or more actions on the message received.
  • 2. The method of claim 1, wherein the transport layer is one or more of a TCP socket level.
  • 3. The method of claim 1, wherein the comparison identifies the at least a portion of data as corresponding to malicious code, and the one or more rules instruct the security component to do one or more of the following: block the message received from entering the computing system; inform a user of the computing system about the correspondence of the message to the malicious code in order to allow the user to take appropriate action; or modify the message in order to disable any harmful features of the malicious code.
  • 4. The method of claim 3, wherein the one or more rules allow other benign messages to pass to the computing system, while blocking the message received.
  • 5. The method of claim 3, wherein the one or more rules inform the user of the computing system about the correspondence of the message using a user interface and allowing the user to either accept or reject the message.
  • 6. The method of claim 1, wherein the exploit evidence includes a list of known electronic addresses associated with malicious code.
  • 7. The method of claim 6, wherein the electronic address list includes IP addresses or URLs for websites and wherein an IP address or a URL for a source of the message is compared to the list of known electronic addresses associated with malicious code.
  • 8. The method of claim 1, wherein the exploit evidence includes one or more signatures of the malicious code, which are unique data structures that represent the malicious code.
  • 9. The method of claim 1, further comprising: receiving from the security service a command that indicates that exploit evidence used to identify malicious code should expire based on one or more events; and upon occurrence of the one or more events, taking action on the exploit evidence as defined by one or more rules.
  • 10. The method of claim 9, wherein the event is one or more of determining that a risk window has passed or that the malicious code is below some threat rating threshold, and wherein the action on the exploit evidence includes one or more of cancelling the comparing of the exploit evidence, deleting the exploit evidence from the security component, or temporarily pausing the comparing of the exploit evidence.
  • 11. At a computing system in a network computing environment, a computer program product comprising a computer-readable storage medium having encoded thereon computer-readable instructions, the instructions, when executed in a computing environment, perform a method comprising: monitoring, at a transport layer, incoming network traffic of a computing system using a security component installed thereon; receiving as part of the network traffic a message at the transport layer identified as destined for the computing system; comparing at least a portion of data included in the message received with exploit evidence used to identify malicious code, the exploit evidence provided to the security component by a security service that gathers information about the malicious code; based on the comparison with the exploit evidence, identifying one or more rules that instruct the security component to perform one or more actions on the message received.
  • 12. The computer program product of claim 11, wherein the transport layer is one or more of a TCP socket level.
  • 13. The computer program product of claim 11, wherein the comparison identifies the at least a portion of data as corresponding to malicious code, and the one or more rules instruct the security component to do one or more of the following: block the message received from entering the computing system; inform a user of the computing system about the correspondence of the message to the malicious code in order to allow the user to take appropriate action; or modify the message in order to disable any harmful features of the malicious code.
  • 14. The computer program product of claim 13, wherein the one or more rules allow other benign messages to pass to the computing system, while blocking the message received.
  • 15. The computer program product of claim 13, wherein the one or more rules inform the user of the computing system about the correspondence of the message using a user interface and allowing the user to either accept or reject the message.
  • 16. The computer program product of claim 11, wherein the exploit evidence includes a list of known electronic addresses associated with malicious code.
  • 17. The computer program product of claim 16, wherein the electronic address list includes IP addresses or URLs for websites and wherein an IP address or a URL for a source of the message is compared to the list of known electronic addresses associated with malicious code.
  • 18. The computer program product of claim 11, wherein the exploit evidence includes one or more signatures of the malicious code, which are unique data structures that represent the malicious code.
  • 19. The computer program product of claim 11, further comprising: receiving from the security service a command that indicates that exploit evidence used to identify malicious code should expire based on one or more events; and upon occurrence of the one or more events, taking action on the exploit evidence as defined by one or more rules.
  • 20. The computer program product of claim 19, wherein the event is one or more of determining that a risk window has passed or that the malicious code is below some threat rating threshold, and wherein the action on the exploit evidence includes one or more of cancelling the comparing of the exploit evidence, deleting the exploit evidence from the security component, or temporarily pausing the comparing of the exploit evidence.
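The following is an added illustration, not code from the patent application or from its assignee: a small Python model of the shield described in the abstract and in claims 1 through 10. A security component holds exploit evidence pushed by a security service (an address list of IPs and URLs, and payload signatures), compares each inbound transport-layer message against the active evidence, maps a match to a rule (block, inform the user, or modify the message to disable the harmful feature), lets benign messages through untouched, and honours expiry commands from the service (delete evidence whose risk window has passed; pause comparing for evidence below a threat-rating threshold). Every name, address, signature string, threat rating and the logical clock are constructed for the example; the patent specifies none of them, and the signature bytes stand in for whatever representation a real service would distribute.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Union


class Action(Enum):
    PASS = "pass"        # benign: deliver unchanged
    BLOCK = "block"      # rule: do not let the message enter the system
    INFORM = "inform"    # rule: surface the match to the user (accept/reject UI)
    MODIFY = "modify"    # rule: neutralise the harmful feature, then deliver


@dataclass
class Evidence:
    """One item of exploit evidence distributed by the security service (constructed)."""
    name: str
    kind: str                  # "address" (source IP or URL) or "signature" (payload bytes)
    value: Union[str, bytes]
    threat_rating: int         # constructed 0..100 scale supplied by the service
    risk_window_end: int       # logical clock tick after which the risk window has passed
    action: Action             # the rule selected when this evidence matches
    paused: bool = False       # set when comparing is temporarily paused


@dataclass
class Message:
    """A transport-layer message as seen by the component (constructed fields)."""
    src_ip: str
    url: Optional[str]
    payload: bytes


@dataclass
class Verdict:
    action: Action
    matched: Optional[str]     # name of the evidence that fired, if any
    payload: bytes             # the payload as delivered (modified for MODIFY)


class SecurityComponent:
    def __init__(self) -> None:
        self.evidence: dict[str, Evidence] = {}

    def receive_evidence(self, ev: Evidence) -> None:
        """Accept evidence from the security service, replacing any earlier item of the same name."""
        self.evidence[ev.name] = ev

    def _matches(self, ev: Evidence, msg: Message) -> bool:
        if ev.kind == "address":
            return ev.value in (msg.src_ip, msg.url)
        if ev.kind == "signature":
            return ev.value in msg.payload
        return False

    def inspect(self, msg: Message) -> Verdict:
        """Compare the message with every active item of evidence; the first hit selects the rule."""
        for ev in self.evidence.values():
            if ev.paused or not self._matches(ev, msg):
                continue
            payload = msg.payload
            if ev.action is Action.MODIFY and isinstance(ev.value, bytes):
                # Disable the harmful feature by overwriting the matched bytes.
                payload = payload.replace(ev.value, b"[neutralized]")
            return Verdict(ev.action, ev.name, payload)
        return Verdict(Action.PASS, None, msg.payload)   # benign traffic passes untouched

    def expire(self, event: str, now: int = 0, threshold: int = 0) -> list[str]:
        """Apply an expiry command from the service; returns the names of affected evidence."""
        affected = []
        for name, ev in list(self.evidence.items()):
            if event == "risk_window_passed" and now > ev.risk_window_end:
                del self.evidence[name]            # risk window over: delete the evidence
                affected.append(name)
            elif event == "threat_rating_below" and ev.threat_rating < threshold:
                ev.paused = True                   # low rating: temporarily pause comparing
                affected.append(name)
        return affected


def demo() -> dict:
    """Run the component over constructed messages and return what happened at each step."""
    shield = SecurityComponent()
    shield.receive_evidence(Evidence("bad-host", "address", "203.0.113.7", 90, 100, Action.BLOCK))
    shield.receive_evidence(Evidence("bad-url", "address", "http://bad.example/x", 60, 200, Action.INFORM))
    shield.receive_evidence(Evidence("sig-1", "signature", b"EVIL-MARKER-1", 30, 50, Action.MODIFY))
    results = {}
    results["from_bad_ip"] = shield.inspect(Message("203.0.113.7", None, b"hello")).action
    results["bad_url"] = shield.inspect(Message("198.51.100.2", "http://bad.example/x", b"hi")).action
    modified = shield.inspect(Message("198.51.100.3", None, b"GET EVIL-MARKER-1 more"))
    results["modified_payload"] = modified.payload
    results["benign"] = shield.inspect(Message("198.51.100.4", "http://ok.example/", b"plain")).action
    results["paused"] = shield.expire("threat_rating_below", threshold=50)
    results["after_pause"] = shield.inspect(Message("198.51.100.3", None, b"EVIL-MARKER-1")).action
    results["deleted"] = shield.expire("risk_window_passed", now=101)
    results["remaining"] = sorted(shield.evidence)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first-match rule order is a design choice of this example: a real component would need a precedence policy when several items of evidence match one message (for instance, block beats modify). The expiry path deliberately keeps "pause" and "delete" distinct, matching claim 10, so that evidence paused on a low threat rating can be resumed if the service raises the rating again.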
Provisional Applications (1)
Number Date Country
60785723 Mar 2006 US