Detecting timing anomalies

US9541649B2 · US · B2

Patent metadata
Publication number: US-9541649-B2
Application number: US-201313875672-A
Country: US
Kind code: B2
Filing date: May 2, 2013
Priority date: May 2, 2013
Publication date: Jan 10, 2017
Grant date: Jan 10, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Disclosed herein are system, method, and computer program product embodiments for adapting to malware activity on a compromised computer system. An embodiment operates by detecting an active adversary operating malware on a compromised system. A stream of data traffic associated with active adversary is intercepted. The stream of data traffic includes a command and control channel of the active adversary. The stream of data traffic is accessed. An emulation of the command and control channel is provided. An analysis of the accessed stream of traffic is executed. A plurality of response mechanisms is provided. The plurality of response mechanisms is based in part on the analysis of the stream of data traffic and a custom policy language tailored for the malware.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: processing first timing data accessed from a validated clock source; processing second timing data accessed from an unvalidated receiver source, wherein the validated clock source is independent of the validated receiver source; comparing the processed first timing data with the processed second timing data for an adjustable interval of time to determine a threat detection value; and when the threat detection value meets a configurable threat detection threshold, generating a threat alert message, wherein the threat alert message identifies an anomaly in either the validated clock source or the unvalidated receiver source, wherein the comparing comprises analyzing the processed second timing data and the processed first timing data, wherein the analyzing comprises: detecting a pulse per second (PPS) received from the unvalidated receiver source, determining a quantity of cycles received from the validated clock source prior to the detected PPS, wherein the comparing further comprises: determining the threat detection value based on a comparison between the determined quantity of cycles and a predetermined expected clock cycle value.

2. The method of claim 1, wherein analyzing the processed second timing data and the processed first timing data comprises: initiating a cycle counter, wherein the cycle counter counts the quantity of cycles received from the validated clock source; latching the initiated cycle counter to a leading edge of the detected pulse per second (PPS) of the unvalidated receiver source; recording a count of the cycle counter, wherein the recorded count represents the quantity of cycles received from the validated clock source; and resetting the cycle counter when the pulse per second (PPS) is detected from the unvalidated receiver source.

3. The method of claim 1, wherein determining the threat detection value comprises: determining a delta between the determined quantity of cycles and the predetermined expected clock cycle value; and assigning an absolute value of the delta to the threat detection value.

4. The method of claim 1, wherein generating a threat alert message comprises: determining if the threat value is within a statistical noise range based on the threat detection threshold; and when the threat value is outside the statistical noise range, sending the threat alert message including the threat value to an operator for further threat analysis.

5. The method of claim 1, further comprising: adjusting the interval of time based on a user-defined threat analysis type.

6. The method of claim 1, wherein the validated clock source is a frequency source.

7. The method of claim 1, wherein the unvalidated receiver source is a distributed coordinated time source.

8. A system comprising: a memory; and at least one processor coupled to the memory and configured to: process first timing data received from a validated clock source; process second timing data received from an unvalidated receiver source, wherein the validated clock source is independent of the unvalidated receiver source; compare the processed first timing data with the processed second timing data for an adjustable interval of time to determine a threat detection value; and when the threat detection value meets a configurable threat detection threshold, generate a threat alert, wherein the threat value indicates at least one of a timing anomaly or frequency anomaly in either the validated clock source or the unvalidated receiver source, wherein to perform the compare the processor is configured to: analyze the processed second timing data and the processed first timing data; detect a pulse per second (PPS) received from the unvalidated receiver source; determine a quantity of cycles received from the validated clock source prior to the detected PPS; determine the threat detection value based on a comparison between the determined quantity of cycles and a predetermined expected clock cycle value.

9. The system of claim 8, wherein to analyze the processed second timing data and the processed first timing data the processor is configured to: initiate a cycle counter, wherein the cycle counter counts the quantity of cycles received from the validated clock source; latch the initiated cycle counter to a leading edge of the detected pulse per second (PPS) of the unvalidated receiver source; record a count of the cycle counter, wherein the recorded count represents the quantity of cycles received from the validated clock source; and reset the cycle counter when the pulse per second (PPS) is detected from the unvalidated receiver source.

10. The system of claim 8, wherein to determine the threat detection value the processor is configured to: determine a delta between the determined quantity of cycles and the predetermined expected clock cycle value; and assign an absolute value of the delta to the threat detection value.

11. The system of claim 8, wherein to generate a threat alert message the processor is further configured to: determine if the threat value is within a statistical noise range based on the threat detection threshold; and when the threat value is outside the statistical noise, send the threat value to an operator for further threat analysis.

12. The system of claim 8, wherein the processor is further configured to: adjust the interval of time based on a user-defined threat analysis type.

13. The system of claim 8, wherein the validated clock source is a frequency source.

14. The system of claim 8, wherein the unvalidated receiver source is a distributed coordinated time source.

15. A tangible computer-readable device having instructions stored thereon that, when executed by at least one computing device, causes the at least one computing device to perform operations comprising: processing first timing data received from a validated clock source; processing second timing data received from an unvalidated receiver source, wherein the validated clock source is independent of the unvalidated receiver source; comparing the processed first timing data with the processed second timing data for an adjustable interval of time to determine a threat detection value; and when the threat detection value meets a configurable threat detection threshold, generating a threat alert, wherein the threat value indicates at least one of a timing anomaly or frequency anomaly in either the validated clock source or the unvalidated receiver source, wherein the comparing comprises analyzing the processed second timing data and the processed first timing data, wherein the analyzing comprises: detecting a pulse per second (PPS) received from the unvalidated receiver source; determining a quantity of cycles received from the validated clock source prior to the detected PPS, and wherein the comparing further comprises: determining the threat detection value based on a comparison between the determined quantity of cycles and a predetermined expected clock cycle value.
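Claims 1 through 4 describe a concrete detector: a free-running cycle counter driven by a trusted frequency source is latched on each PPS leading edge from an untrusted receiver (a GNSS receiver is the obvious case), the latched count is compared with the expected number of cycles per second, and the absolute delta becomes the threat value that is tested against a noise threshold. The Python below is an added example written for this page; it is not code from the patent or from the assignee. It assumes a 10 MHz validated oscillator (so 10,000,000 cycles are expected between ideal PPS edges), represents PPS edge times as integer nanoseconds, and uses constructed sample data: four well-behaved pulses with tens of nanoseconds of jitter followed by three pulses whose spacing has been stretched by 50 microseconds, standing in for a receiver whose timing has started to walk. The window length (`interval_pulses`) models the adjustable interval of claims 1 and 5.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed validated clock source: a 10 MHz frequency source (claim 6).
CLOCK_HZ = 10_000_000
CLOCK_PERIOD_NS = 1_000_000_000 // CLOCK_HZ      # 100 ns per cycle
EXPECTED_CYCLES = CLOCK_HZ                        # predetermined expected clock cycle value
ONE_SECOND_NS = 1_000_000_000


def count_cycles_between(prev_edge_ns: int, edge_ns: int,
                         period_ns: int = CLOCK_PERIOD_NS) -> int:
    """Cycles of the validated clock that occur after the previous PPS edge and up to
    the current one. This models a counter that is reset on each PPS and latched on
    the next leading edge (claim 2). Integer arithmetic avoids float rounding."""
    return edge_ns // period_ns - prev_edge_ns // period_ns


def threat_value(cycle_count: int, expected: int = EXPECTED_CYCLES) -> int:
    """Absolute delta between the latched count and the expected count (claim 3)."""
    return abs(cycle_count - expected)


@dataclass
class ThreatAlert:
    pps_index: int       # which PPS edge produced the alert
    cycle_count: int     # latched counter value
    threat_value: int    # |count - expected|, in cycles


def analyze_pps_edges(pps_edges_ns: List[int], threshold: int,
                      interval_pulses: Optional[int] = None,
                      expected: int = EXPECTED_CYCLES) -> List[ThreatAlert]:
    """Run the comparison over an adjustable interval of PPS pulses and return one
    alert per pulse whose threat value lies outside the configured noise range (claim 4).
    The detector cannot tell which source moved: a stretched PPS and a fast oscillator
    both raise the count, which is why the claim says the alert identifies an anomaly in
    either source."""
    edges = pps_edges_ns if interval_pulses is None else pps_edges_ns[:interval_pulses + 1]
    alerts: List[ThreatAlert] = []
    for i in range(1, len(edges)):
        count = count_cycles_between(edges[i - 1], edges[i])
        tv = threat_value(count, expected)
        if tv > threshold:
            alerts.append(ThreatAlert(pps_index=i, cycle_count=count, threat_value=tv))
    return alerts


# Constructed sample input (not captured data): PPS leading-edge timestamps in ns.
# First four intervals carry only tens of ns of jitter; the last three are each
# stretched by 50 us, a simulated timing walk in the unvalidated receiver.
SAMPLE_PPS_NS = [
    0,
    1 * ONE_SECOND_NS + 20,
    2 * ONE_SECOND_NS - 30,
    3 * ONE_SECOND_NS + 10,
    4 * ONE_SECOND_NS,
    5 * ONE_SECOND_NS + 50_000,
    6 * ONE_SECOND_NS + 100_000,
    7 * ONE_SECOND_NS + 150_000,
]

# Configurable threat detection threshold: 50 cycles (5 us at 10 MHz) treated as noise.
NOISE_THRESHOLD_CYCLES = 50


if __name__ == "__main__":
    for alert in analyze_pps_edges(SAMPLE_PPS_NS, NOISE_THRESHOLD_CYCLES):
        print(f"PPS #{alert.pps_index}: latched {alert.cycle_count} cycles, "
              f"threat value {alert.threat_value} > {NOISE_THRESHOLD_CYCLES}")
```

With the sample data the first four pulses produce threat values of 0 or 1 cycle and stay inside the noise range, while each stretched pulse latches 10,000,500 cycles and raises an alert with a threat value of 500. Limiting the window to the first four pulses (`interval_pulses=4`) yields no alerts, which is the sense in which the interval is adjustable.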

Assignees

Mitre Corp

Inventors

Classifications

  • related to allowing or preventing navigation or positioning, e.g. GPS · CPC title

  • using deceptive jamming or spoofing, e.g. transmission of false signals for premature triggering of RCIED, for forced connection or disconnection to/from a network or for generation of dummy target signal · CPC title

  • G01S19/215 (Primary)

    issues related to spoofing · CPC title

  • service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12) · CPC title

  • including jamming detection and monitoring · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9541649B2 cover?
Disclosed herein are system, method, and computer program product embodiments for adapting to malware activity on a compromised computer system. An embodiment operates by detecting an active adversary operating malware on a compromised system. A stream of data traffic associated with active adversary is intercepted. The stream of data traffic includes a command and control channel of the active…
Who is the assignee on this patent?
Mitre Corp
What technology area does this patent fall under?
Primary CPC classification G01S19/215. Mapped technology areas include Physics.
When was this patent published?
Publication date: Jan 10, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).