Sourcefire, Inc. Patent applications
Patent application number | Title | Published |
20140188986 | Method and Apparatus for Identifying Computing Resource Trajectory - The present invention relates to the security of general purpose computing devices, such as laptop or desktop PCs, and more specifically to the detection of malicious software (malware) on a general purpose computing device. A challenge in maintaining a plurality of computing systems is that it may be necessary to have visibility into the extensive collection of computing-related resources located across those systems, as well as information about those resources together with their behaviors and evolution within those systems. Examples of such resources include files, file names, registry keys, entries in network communications logs, etc. Accordingly, we present novel methods, components, and systems for keeping track of information about these resources and presenting this information to an ultimate end user. More specifically, we describe methods, components, and systems that perform data analytics on system data to obtain and report upon resource trajectory information, such as when particular resources were first seen in an environment, the actions associated with those resources, and other resources related to those original resources. If a particular resource is believed to be malicious or otherwise undesirable, it can then be determined which systems that resource is on, how it arrived on those systems, what it did on those systems, and what resources are related to the original resource, and therefore what might need to be removed from those systems to restore them to a more desirable state. Through the disclosed invention, system administrators will be better able to determine how to more effectively address issues related to the presence of those resources. | 07-03-2014 |
20140007233 | SYSTEM AND METHOD FOR REAL TIME DATA AWARENESS | 01-02-2014 |
20130173790 | SYSTEM AND METHOD FOR ASSIGNING NETWORK BLOCKS TO SENSORS - A system includes a processor device. The processor device is configured to detect a physical topology of a network comprising hosts and sensors in the network. The processor device is also configured to generate a sensor policy for assignment of the sensors to network blocks of the hosts, that balances a processing load and accuracy of the sensors in the network based on physical closeness of the sensors to different divisions of hosts within the same network block. | 07-04-2013 |
20120246728 | TARGET-BASED SMB AND DCE/RPC PROCESSING FOR AN INTRUSION DETECTION SYSTEM OR INTRUSION PREVENTION SYSTEM - A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and the kind of application of the target of the packet is determined. The data in the packet is then inspected by the IDS/IPS as part of the SMB named pipe only if one of two conditions holds: (a) the FID in the SMB command header of the packet is valid (i) for the segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table; or (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table. | 09-27-2012 |
20120233222 | SYSTEM AND METHOD FOR REAL TIME DATA AWARENESS - A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor and to originate real-time map profiles of files and file data, both derived from the data read by the sensor as the passively read packets are in motion on the network. | 09-13-2012 |
20110314143 | SYSTEM AND METHOD FOR RESOLVING OPERATING SYSTEM OR SERVICE IDENTITY CONFLICTS - A system includes a processor device. The processor device is configured to receive reports of operating system identities for a single host; determine which of the operating system identities are an intersection of the reported operating system identities; and assign the intersection of the reported operating system identities as a resolved operating system identity. | 12-22-2011 |
20110307600 | SYSTEM AND METHOD FOR ASSIGNING NETWORK BLOCKS TO SENSORS - A system includes a processor device. The processor device is configured to detect a physical topology of a network comprising hosts and sensors in the network. The processor device is also configured to generate a sensor policy for assignment of the sensors to network blocks of the hosts, that balances a processing load and accuracy of the sensors in the network based on physical closeness of the sensors to different divisions of hosts within the same network block. | 12-15-2011 |
20110258702 | SYSTEM AND METHOD FOR NEAR-REAL TIME NETWORK ATTACK DETECTION, AND SYSTEM AND METHOD FOR UNIFIED DETECTION VIA DETECTION ROUTING - A system includes a processor. The processor is configured to receive network traffic that includes a file. The processor generates a unique identifier (UID) for the file that includes a hash value corresponding to the file, and looks the UID up among previously-stored UIDs to determine whether the file is already indicated as good or bad. When the file is not listed among the previously-stored UIDs, the processor calls a file-type specific detection nugget corresponding to the file's file-type to perform a full file inspection to detect whether the file is good or bad, and stores the result of the inspection together with the UID of the file. The processor does not call the file-type specific detection nugget when the file's indicator is already "good" or "bad" in the previously-stored UIDs. The processor issues an alert about the bad file when the file's indicator is "bad". | 10-20-2011 |
20100205675 | SYSTEMS AND METHODS FOR MODIFYING NETWORK MAP ATTRIBUTES - The disclosed systems and methods provide a user interface for modifying host configuration data that has been automatically and passively determined and for adding or modifying other parameters associated with a host. A host data table can store various parameters descriptive of a host including the applicability of specific vulnerabilities. If it is determined that one or more hosts should not be identified as associated with a specific vulnerability, a graphical user interface can be used to modify the vulnerability parameter. | 08-12-2010 |
20100088767 | TARGET-BASED SMB AND DCE/RPC PROCESSING FOR AN INTRUSION DETECTION SYSTEM OR INTRUSION PREVENTION SYSTEM - A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and the kind of application of the target of the packet is determined. The data in the packet is then inspected by the IDS/IPS as part of the SMB named pipe only if one of two conditions holds: (a) the FID in the SMB command header of the packet is valid (i) for the segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table; or (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table. | 04-08-2010 |
20090262659 | Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing - In an intrusion detection/prevention system, network traffic is received and checked for a matching pattern. Upon identifying the matching pattern, the network traffic with the matching pattern is evaluated against rules that are represented by a rule tree. References to rule options are represented in the rule tree and are stored separately from the rule tree. The rule tree represents unique rules by unique paths from a root of the tree to the leaf nodes, and represents rule options as non-leaf nodes of the rule tree. Evaluating the network traffic includes processing, against the network traffic, the rule options in the rule tree beginning at the root. Processing of the rules represented by subtrees of nodes with rule options that do not match is eliminated. The network traffic is evaluated against rules terminating in leaf nodes only for combinations of rule options that match the network traffic. | 10-22-2009 |
20080276319 | Real-time user awareness for a computer network - A computer system, device, computer software, and/or method performed by a computer system, is provided for determining a user name likely to be associated with an attack, a configuration, or a vulnerability. First data is obtained which associates user names with individual IP addresses onto which the user names were logged in. Second data is obtained which associates attacks, configurations, or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations or vulnerabilities exist. The user names from the first data are associated with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in. An individual user name is indicated as being associated with attacks which occurred while the individual user name was logged in or with configurations or vulnerabilities for an IP address onto which the user logs in. | 11-06-2008 |
20080209518 | Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session - A method performed in an intrusion detection/prevention system, a system or a device for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable. The TCP connection can include TCP segments beginning with a three way handshake. A TCP segment can include a field for a timestamp. A timestamp policy of plural timestamp policies is identified, the timestamp policy corresponding to a target associated with the segments in a TCP connection. A baseline timestamp is identified based on a three way handshake in the TCP connection. Segments in the TCP connection are monitored. The segments in the TCP connection are filtered as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp. | 08-28-2008 |
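The detection-routing scheme of application 20110258702 (hash the file once, cache the verdict, dispatch unseen files to a type-specific "nugget", alert on every sighting of a known-bad file) is small enough to show end to end. The following is an added illustration written for this page, not Sourcefire code; the SHA-256 UID, the two toy nuggets and their marker strings, and the magic-byte sniffing are all assumptions made for the example.

```python
import hashlib
from typing import Callable, Dict, List, Optional

# Full-inspection "detection nuggets", one per file type. The heuristics
# inside are invented for this example and are not Sourcefire's detection logic.
def pe_nugget(data: bytes) -> str:
    return "bad" if b"EVIL_SECTION" in data else "good"

def pdf_nugget(data: bytes) -> str:
    return "bad" if b"/JavaScript" in data and b"/Launch" in data else "good"

NUGGETS: Dict[str, Callable[[bytes], str]] = {"pe": pe_nugget, "pdf": pdf_nugget}

def file_uid(data: bytes) -> str:
    """UID for a file: SHA-256 of its bytes (the hash choice is an assumption)."""
    return hashlib.sha256(data).hexdigest()

def detect_file_type(data: bytes) -> str:
    """Minimal magic-byte sniffing; a real system uses a much larger table."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"

class DetectionRouter:
    """Routes each distinct file to its nugget once, then answers from the UID store."""

    def __init__(self) -> None:
        self.verdicts: Dict[str, str] = {}   # UID -> "good" | "bad"
        self.nugget_calls = 0
        self.alerts: List[str] = []

    def process(self, data: bytes) -> str:
        uid = file_uid(data)
        verdict: Optional[str] = self.verdicts.get(uid)
        if verdict is None:
            nugget = NUGGETS.get(detect_file_type(data))
            if nugget is None:
                # No inspector for this type: let it through, but do NOT cache a
                # verdict that was never computed, so the file is re-examined
                # once a nugget for its type exists.
                return "good"
            self.nugget_calls += 1
            verdict = nugget(data)
            self.verdicts[uid] = verdict
        if verdict == "bad":
            self.alerts.append(uid)   # alert on every sighting, cached or fresh
        return verdict
```

The cache hit path never touches the nugget, which is where the near-real-time claim comes from; the one caveat worth keeping is that a verdict must only be cached when an inspection actually ran.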
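Application 20090262659 describes evaluating rules as a tree whose non-leaf nodes are rule options, so that one failed option prunes every rule sharing that prefix. The example below, added for this page and not taken from Snort or Sourcefire, builds such a tree from a handful of constructed rules and counts option evaluations against a flat rule-by-rule scan of the same rules. The option names, evaluators, rule IDs and packet fields are all invented for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Option = Tuple[str, object]   # (option name, expected value), e.g. ("dport", 80)

@dataclass
class Node:
    children: Dict[Option, "Node"] = field(default_factory=dict)
    rule_ids: List[int] = field(default_factory=list)   # rules whose option path ends here

# Option semantics live here, separate from the tree; the tree only holds references (keys).
OPTION_EVALUATORS: Dict[str, Callable[[dict, object], bool]] = {
    "flow":    lambda pkt, v: pkt["flow"] == v,
    "dport":   lambda pkt, v: pkt["dport"] == v,
    "content": lambda pkt, v: v in pkt["payload"],
    "dsize>":  lambda pkt, v: len(pkt["payload"]) > v,
}

def build_rule_tree(rules: Dict[int, List[Option]]) -> Node:
    """Each rule is a path root -> leaf; rules with a common option prefix share nodes."""
    root = Node()
    for sid, options in rules.items():
        node = root
        for opt in options:
            node = node.children.setdefault(opt, Node())
        node.rule_ids.append(sid)
    return root

def evaluate_tree(root: Node, pkt: dict) -> Tuple[List[int], int]:
    """Return (matching rule ids, number of option evaluations performed)."""
    matches: List[int] = []
    evals = 0
    stack = [root]
    while stack:
        node = stack.pop()
        matches.extend(node.rule_ids)
        for (name, value), child in node.children.items():
            evals += 1
            if OPTION_EVALUATORS[name](pkt, value):
                stack.append(child)        # option matched: descend into its subtree
            # otherwise the whole subtree (every rule sharing this prefix) is skipped
    return sorted(matches), evals

def evaluate_flat(rules: Dict[int, List[Option]], pkt: dict) -> Tuple[List[int], int]:
    """Baseline: test each rule's options independently, stopping at the first miss."""
    matches: List[int] = []
    evals = 0
    for sid, options in rules.items():
        for name, value in options:
            evals += 1
            if not OPTION_EVALUATORS[name](pkt, value):
                break
        else:
            matches.append(sid)
    return sorted(matches), evals

# Constructed rule set: four rules share the "to_server, port 80" prefix.
RULES: Dict[int, List[Option]] = {
    1001: [("flow", "to_server"), ("dport", 80), ("content", b"GET"), ("content", b"/admin")],
    1002: [("flow", "to_server"), ("dport", 80), ("content", b"GET"), ("content", b"/etc/passwd")],
    1003: [("flow", "to_server"), ("dport", 80), ("content", b"POST"), ("dsize>", 1000)],
    1004: [("flow", "to_server"), ("dport", 445), ("content", b"\xffSMB")],
    1005: [("flow", "to_client"), ("content", b"HTTP/1.1 500")],
}

# Constructed packet that should trigger only rule 1002.
PACKET = {"flow": "to_server", "dport": 80, "payload": b"GET /etc/passwd HTTP/1.1\r\n"}
```

For this packet the tree needs 8 option evaluations where the flat scan needs 14; the saving grows with the number of rules that share a prefix, which in practice is most of them.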
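Application 20080276319 joins two data sets on IP address: who was logged in where, and what attacks, configurations or vulnerabilities were seen at which address. The added example below (written for this page, not Sourcefire code) does that join with constructed login sessions and events, keeping the distinction the abstract draws: an attack is attributed to the user logged in at the time it occurred, whereas a configuration or vulnerability of a host is attributed to every user who logs in there. The time handling and data shapes are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class Login:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime]   # None: session still open

@dataclass
class Event:
    kind: str                 # "attack" | "vulnerability" | "configuration"
    ip: str
    when: datetime
    detail: str

def users_logged_in(logins: List[Login], ip: str, when: datetime) -> List[str]:
    """Users whose session on `ip` covers the instant `when`."""
    return sorted({l.user for l in logins
                   if l.ip == ip and l.start <= when and (l.end is None or when < l.end)})

def users_ever_on(logins: List[Login], ip: str) -> List[str]:
    """Users who have logged in to `ip` at any time (for host-level facts)."""
    return sorted({l.user for l in logins if l.ip == ip})

def attribute(logins: List[Login], events: List[Event]) -> Dict[str, List[str]]:
    """Map user -> event descriptions. Attacks require a session covering the attack
    time (an IP reused by DHCP must not blame the previous occupant); vulnerabilities
    and configurations attach to everyone who has used that host."""
    result: Dict[str, List[str]] = {}
    for ev in events:
        if ev.kind == "attack":
            users = users_logged_in(logins, ev.ip, ev.when)
        else:
            users = users_ever_on(logins, ev.ip)
        for u in users:
            result.setdefault(u, []).append(f"{ev.kind}:{ev.detail}")
    return result

def t(hour: int, minute: int) -> datetime:
    return datetime(2014, 7, 3, hour, minute)

# Constructed sample data: 10.0.0.5 is handed from alice to bob with a gap between sessions.
LOGINS = [
    Login("alice", "10.0.0.5", t(9, 0), t(12, 0)),
    Login("bob",   "10.0.0.5", t(13, 0), None),
    Login("carol", "10.0.0.9", t(8, 0), None),
]
EVENTS = [
    Event("attack", "10.0.0.5", t(10, 30), "sid 1002 hit"),
    Event("attack", "10.0.0.5", t(12, 30), "sid 1003 hit"),     # nobody logged in: unattributed
    Event("attack", "10.0.0.5", t(14, 0), "sid 1004 hit"),
    Event("vulnerability", "10.0.0.5", t(15, 0), "outdated ssh server"),
    Event("attack", "10.0.0.9", t(9, 15), "sid 1005 hit"),
]
```

The unattributed 12:30 event is the important case: a join on IP alone would pin it on alice or bob, and the session interval check is what keeps that from happening.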
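Application 20080209518 keys TCP timestamp handling to the target: a baseline TSval is taken from the handshake and later segments are kept or discarded according to how that particular target would treat them. The added example below, written for this page and not derived from Snort's stream reassembly code, models one direction of a connection and three hypothetical target policies; the policy names and behaviours are assumptions, though the stale-timestamp comparison follows the modular arithmetic of RFC 7323's PAWS check. It shows why the IDS must mirror the target: a segment the target will drop must not be folded into the stream the IDS inspects.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class TimestampPolicy:
    enforce: bool       # target discards segments whose TSval is older than the last one accepted
    drop_missing: bool  # target discards data segments lacking the option once it was negotiated

# Hypothetical per-target policies; in a deployed system they come from the host's OS fingerprint.
POLICIES = {
    "paws_strict":  TimestampPolicy(enforce=True,  drop_missing=True),
    "paws_lenient": TimestampPolicy(enforce=True,  drop_missing=False),
    "ignore":       TimestampPolicy(enforce=False, drop_missing=False),
}

@dataclass
class Segment:
    flags: str                 # e.g. "S", "PA"
    payload: bytes = b""
    tsval: Optional[int] = None

def ts_not_older(a: int, b: int) -> bool:
    """True when 32-bit TSval `a` is at or after `b`, tolerating counter wraparound."""
    return ((a - b) & 0xFFFFFFFF) < 0x80000000

class OneWayStream:
    """Reassembles the client->server half of a connection as the target would see it."""

    def __init__(self, policy: TimestampPolicy) -> None:
        self.policy = policy
        self.ts_recent: Optional[int] = None   # baseline from the SYN, advanced as segments are accepted
        self.accepted: List[bytes] = []
        self.dropped: List[Segment] = []

    def process(self, seg: Segment) -> bool:
        if "S" in seg.flags:
            self.ts_recent = seg.tsval         # baseline: TSval offered in the handshake (None if absent)
            return True
        if not self.policy.enforce or self.ts_recent is None:
            self.accepted.append(seg.payload)  # target ignores timestamps: everything counts
            return True
        if seg.tsval is None:
            ok = not self.policy.drop_missing
        else:
            ok = ts_not_older(seg.tsval, self.ts_recent)
            if ok:
                self.ts_recent = seg.tsval
        if ok:
            self.accepted.append(seg.payload)
        else:
            self.dropped.append(seg)
        return ok

    def data(self) -> bytes:
        return b"".join(self.accepted)

def reassemble(policy_name: str, segments: List[Segment]) -> bytes:
    stream = OneWayStream(POLICIES[policy_name])
    for seg in segments:
        stream.process(seg)
    return stream.data()

# Constructed client->server segments: a legitimate request with a stale-timestamp segment
# inserted in the middle, the kind of insertion used to desynchronise an IDS from its target.
SEGMENTS = [
    Segment("S", tsval=1000),
    Segment("PA", b"GET ", tsval=1005),
    Segment("PA", b"/evil", tsval=900),        # older than the last accepted TSval
    Segment("PA", b"/index.html", tsval=1010),
    Segment("PA", b" HTTP/1.0\r\n\r\n"),       # no timestamp option at all
]
```

Run against the same five segments, the three policies yield three different byte streams, and only the one matching the real target is the one worth inspecting.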
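Applications 20100088767 and 20120246728 apply the same target-based idea to SMB named pipes: a WriteAndX fragment is only treated as part of the pipe's DCE/RPC stream if its FID is valid for that pipe and that kind of target, or if the target is one that never checks the FID. The added example below is an illustration for this page, not Sourcefire's DCE/RPC preprocessor; the two target profiles, the reassembly-table layout and the pipe fragments are constructed, and real profiles would come from host fingerprinting.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class TargetProfile:
    """One row of the reassembly table: how this kind of target treats the FID on pipe writes."""
    name: str
    checks_fid: bool

# Hypothetical reassembly table. "target_a" rejects writes with an unknown FID;
# "target_b" processes the data regardless of the FID in the header.
REASSEMBLY_TABLE: Dict[str, TargetProfile] = {
    "target_a": TargetProfile("target_a", checks_fid=True),
    "target_b": TargetProfile("target_b", checks_fid=False),
}

@dataclass
class PipeSession:
    open_fids: Set[int] = field(default_factory=set)  # FIDs returned by successful Create responses
    pipe_fid: Optional[int] = None                    # FID of the fragments being reassembled
    buffer: bytearray = field(default_factory=bytearray)
    ignored: List[int] = field(default_factory=list)  # FIDs of fragments left out of the pipe

def on_create_response(sess: PipeSession, fid: int) -> None:
    sess.open_fids.add(fid)

def fid_valid(sess: PipeSession, fid: int) -> bool:
    """Condition (a): the FID is open and belongs to the pipe whose fragments are in flight."""
    return fid in sess.open_fids and (sess.pipe_fid is None or fid == sess.pipe_fid)

def on_pipe_write(target: str, sess: PipeSession, fid: int, data: bytes) -> bool:
    """Decide whether a WriteAndX fragment becomes part of the named pipe for this target."""
    profile = REASSEMBLY_TABLE[target]
    accept = fid_valid(sess, fid) if profile.checks_fid else True   # (a) or (b)
    if accept:
        if sess.pipe_fid is None:
            sess.pipe_fid = fid
        sess.buffer.extend(data)
    else:
        sess.ignored.append(fid)
    return accept

def reassemble(target: str, writes: List[Tuple[int, bytes]]) -> bytes:
    """Replay constructed traffic: one pipe opened as FID 0x4000, then the given writes."""
    sess = PipeSession()
    on_create_response(sess, 0x4000)
    for fid, data in writes:
        on_pipe_write(target, sess, fid, data)
    return bytes(sess.buffer)

# Constructed fragments: a DCE/RPC stub split in two, with a fragment carrying a
# never-opened FID injected between them.
WRITES: List[Tuple[int, bytes]] = [
    (0x4000, b"stub-part-1|"),
    (0x9999, b"INJECTED|"),
    (0x4000, b"stub-part-2"),
]
```

Against a FID-checking target the injected fragment must be left out, or the IDS inspects bytes the server never sees; against a target that ignores the FID it must be kept, or the attacker's real request slips past in the "invalid" fragment.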