Drawings
Figure 1 shows an embodiment of a remedial action architecture for a client facility, a gateway facility, and external computer devices.
Referring to Figure 1, a remedial action request architecture that may include a client computing facility 102 and a gateway facility 104 is shown. In an embodiment, a client computing facility 102 may be any type of computing device that may reside on a network 106 and may include the capability of requesting access to other internal or external client computing facilities. The client computing facility 102 may be any type of computing device, such as a desktop computer, a laptop computer, a tablet computer, a handheld computer, a smart phone computing device, or the like. The network 106 on which the client computing facility 102 resides may be any type of network, such as a LAN, WAN, peer-to-peer network, intranet, internet, or the like, and the network access requests may be to other client computing facilities 102 within the network 106 or to an external network; the external network may likewise be a LAN, WAN, peer-to-peer network, intranet, internet, or the like. The network 106 may be a wired network, a wireless network, a combination of wired and wireless networks, or the like. In an embodiment, the network access request may be a request for a URL, an FTP access, a peer-to-peer access request, a request within the network 106, a request to another network, or the like.
A gateway facility 104 may be any network computing device that may control access of client computing facilities from one network to another network or within a network. Access control of the network 106 may include controlling network access requests from client computing facilities 102 within the network 106 to computing facilities external to the network 106, controlling access requests from computing facilities external to the network 106 to client computing facilities 102 within it, or the like. The gateway facility 104 may apply at least one protocol to determine whether a network access request is to be allowed, such as a block list, a black list, an allow list, a white list, a rules database, a policy database, or the like. Based on the protocol, the gateway facility 104 may allow or block a network access request from an internal client computing facility 102, an external computing facility, or the like. When a request is blocked by the gateway facility 104, information regarding the block may be transmitted to the client computing facility 102. In an embodiment, the information may be a data file, a command file, a combination of a data file and a command file, or the like. The data file may contain a number of commands, definitions, or instructions to be parsed and acted upon, or the like. In an embodiment, the data file may include address information for the requested network site, the application requesting the network site interaction, the file requesting the network site interaction, the rule that blocked the requested network site interaction, or the like.
A security facility 108 may be a software application that may provide malicious code and malicious application protection to the client computing facility 102. The security facility 108 may have the ability to scan the files of the client computing facility 102 for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions (e.g. as described herein), and perform other security measures. In embodiments, scanning the client computing facility 102 may include scanning some or all of the files stored on the client computing facility 102 on a periodic basis, scanning applications once an application has been requested to execute, scanning files as the files are transmitted to or from the client computing facility 102, or the like. The scanning of the applications and files may be to detect known malicious code or known malicious applications. In an embodiment, because new malicious code and malicious applications may be continually developed and distributed, updates to the known malicious code file may be provided on a periodic basis, on a demand basis, on an alert basis, or the like.
A network control facility 110 may provide the network access capability to the client computing facility 102; the network access may be to other client computing facilities 102 within the network 106, to other computer facilities external to the network 106 of the client computing facility 102, or the like. The network control facility 110 may be a software application (e.g. a web browser), hardware (e.g. a network access device), a firmware application, a combination of software, hardware, and firmware, or the like. In an embodiment, the network control facility 110 may interface with the security facility 108, any associated malicious code files, and a policy facility 118 to determine network access rights and permissions. Additionally, once the network control facility 110 of the client computing facility 102 determines and provides network access, the gateway facility 104 may make a further determination of what connectivity may be made to other client computing facilities and networks.
In an embodiment, an application 112 may be any software file that may be executed on the client computing facility 102. The application 112 may be an application 112 that is executed at a user request to perform some work on the client computing facility 102, an application 112 that requests network access to another computing facility either within the same network 106 as the client computing facility 102 or external to it, or the like. In embodiments, the application access request may be user requested, may be auto-requested, or the like. Depending on the policies for network access requests, a user network access request may be allowed or denied. If an access request is denied, the user may or may not be notified; the denied access request may simply fail to connect to the desired network location. In embodiments, the auto-requested network request may be the result of a legitimate application 112 requesting information from another client computing facility 102 or network, of a malicious application requesting network access, or the like. The malicious application network access may be an attempt to corrupt the client computing facility 102, an attempt to corrupt the gateway facility 104, an attempt to corrupt the network 106 on which the client computing facility 102 resides, an attempt to access external networks or computer facilities, or the like.
An IDE 114 may be a virus identity file that may include definitions of known or potential malicious code. The IDE 114 may provide information that may identify malicious code within files, applications, or the like. The IDE 114 may be accessed by the security facility 108 when scanning files or applications 112 within the client computing facility 102 to determine whether malicious code may be within the file or application 112. In an embodiment, when the information regarding a blocked access is received from the gateway facility 104, the security facility 108 may access the IDE 114 to parse the data file and determine an action to be taken on an application requesting access to a denied network location. The IDE 114 may contain a number of commands, definitions, or instructions to be parsed and acted upon, or the like. In embodiments, the client computing facility 102 may be updated with new IDE 114 files periodically to provide the client computing facility 102 with the most recent malicious code definitions; the updating may be performed at a set time period, on demand from the client computing facility 102, on demand from the network 106, on a received malicious code alert, or the like. In an embodiment, the client computing facility 102 may request an update to the IDE 114 files from an update facility within the network 106 or from a computing facility external to the network 106, or updated IDE 114 files may be provided to the client computing facility 102 from within the network 106 or from an external computing facility on an external network, or the like.
In an embodiment, the policy facility 118 may be a set of rules or policies that may indicate network access permissions for a client computing facility 102. The policy facility 118 may include a database, a text file, a combination of databases and text files, or the like. In an embodiment, the policy database may be a block list, a black list, an allowed list, a white list, or the like that may provide a list of network locations that may or may not be accessed by the client computing facility 102. The policy facility 118 may include rules that may be interpreted with respect to the network access request to determine if the request should be allowed. The rules may provide a generic rule for the type of access that may be granted; the rules may be related to the policies of an enterprise for the access rights of the enterprise's client computing facilities 102. For example, there may be a rule that does not permit access to sporting websites. When a website is requested by the client computing facility 102, the security facility 108 may access the rules within the policy facility 118 to determine if the requested access is related to a sporting website. In an embodiment, the security facility 108 may analyze the requested website to determine if the website matches any of the policy facility 118 rules.
In an embodiment, a remedial action facility 120 may be an application that may respond to information from the gateway facility 104 when a client computing facility 102 network access request has been denied. In an embodiment, when the data file is received from the gateway facility 104, the remedial action facility 120 may parse the data file, interpret the various aspects of the data file, and act on the parsed data file information to determine actions to be taken on an application requesting access to a denied network location. In an embodiment, when the data file is received from the gateway facility 104, the remedial action facility 120 may access the IDE 114 to parse the data file and determine an action to be taken on an application requesting access to a denied network location. In an embodiment, the information received from the gateway facility 104 may be a command or a command file. The remedial action facility 120 may carry out any commands that are received, or parsed from a data file, from the gateway facility 104 without performing any interpretation of the commands. In an embodiment, the remedial action facility 120 may interact with the received information and may perform various actions on an application requesting access to a denied network location. The action may be one or more of continuing to block all requests to a denied network location, a malicious code scan on the application, a malicious code scan on the client computing facility 102, quarantine of the application, terminating the application, isolation of the application, isolation of the client computing facility 102 to a location within the network that restricts network access, blocking a network access port of the client computing facility 102, reporting the application to a system administrator, or the like.
In an embodiment, a network access control 122 may be responsible for determining if a client computing facility 102 application should be granted access to a requested network location. The network location may be on the same network 106 as the gateway facility 104 or may be on another network. In an embodiment, the network access control 122 may verify access rights for client computing facilities from within the network 106 or may verify access rights of computer facilities from external networks. When network access for a client computing facility 102 is denied, the network access control 122 may send an information file to the client computing facility 102; the information file may contain data or commands that provide instructions for the remedial action facility 120. The information sent by the network access control 122 may be a data file containing a number of commands, definitions, or instructions to be parsed and acted upon by the remedial action facility 120, or the like, or it may be a command or command file that the remedial action facility 120 may access and take action upon.
In an embodiment, the network access rules 124 may provide an information store to be accessed by the network access control 122. The network access rules 124 may include databases such as a block list, a black list, an allowed list, a white list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like, of network access locations that may or may not be accessed by the client computing facility 102. Additionally, the network access rules 124 may incorporate rule evaluation; the rule evaluation may parse network access requests and apply the parsed information to the network access rules. The network access rules 124 may be a generic set of rules in support of an enterprise's network access policies, such as denying access to certain types of websites, controlling instant messenger access, or the like. The rule evaluation may include regular expression rule evaluation, virus description language (VDL) evaluation, or another rule evaluation method for interpreting the network access request and comparing the interpretation to the established rules for network access. In an embodiment, the network access rules 124 may receive a rules evaluation request from the network access control 122 and may return the rules evaluation to the network access control 122.
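The rule evaluation just described, together with the sporting-website rule given above as an example for the policy facility 118, as an added illustration that is not part of the patent text: a small Python evaluator that models the network access rules 124 as an explicit block list, an explicit allow list and regular-expression category rules, and returns the decision together with the identifier of the rule that produced it, which is the information the gateway facility 104 would place in the data file it returns to the client. The evaluation order, the rule names, the request format, the sample rule entries and the data file layout are assumptions of this example.

```python
"""Example evaluator for the network access rules 124 (added illustration, not
code from the patent).  Evaluation order: explicit block list, then explicit
allow list, then regular-expression category rules, then a default.  Every
decision carries the identifier of the rule that produced it so the gateway
can report that rule to the client in the data file.  Rule names, the request
format and the sample rules below are assumptions of this example."""
import json
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str   # identifier of the rule that decided the request
    host: str   # host the request was resolved to


# Constructed sample rule store; a real gateway would load this from the
# block list / allow list / rules database described in the text.
BLOCK_LIST = {"malware-drop.example.net"}
ALLOW_LIST = {"updates.example-corp.internal"}
CATEGORY_RULES = [
    # (rule identifier, pattern matched against the requested host)
    ("deny-sports", re.compile(r"(^|\.)(sports|scores)\.example\.com$", re.I)),
    ("deny-im", re.compile(r"(^|\.)im\.example\.org$", re.I)),
]
DEFAULT_ALLOW = True   # unlisted sites pass; set to False to fail closed


def host_of(request: str) -> str:
    """Reduce a URL or a bare 'host[:port][/path]' request to its lowercase host."""
    if "://" in request:
        return (urlsplit(request).hostname or "").lower()
    return request.split("/", 1)[0].rsplit(":", 1)[0].lower()


def evaluate(request: str) -> Decision:
    """Apply the rule store to one network access request."""
    host = host_of(request)
    if not host:
        # A request whose destination cannot be determined is never allowed.
        return Decision(False, "deny-unparseable", host)
    if host in BLOCK_LIST:
        # An explicit block entry wins over everything else.
        return Decision(False, "block-list", host)
    if host in ALLOW_LIST:
        # An explicit allow entry overrides the broader category rules.
        return Decision(True, "allow-list", host)
    for rule_id, pattern in CATEGORY_RULES:
        if pattern.search(host):
            return Decision(False, rule_id, host)
    return Decision(DEFAULT_ALLOW, "default", host)


def data_file_for(request: str, application: str) -> Optional[str]:
    """Build the data file the gateway returns to the client for a denied
    request: address information, the requesting application and the rule
    that blocked it.  Returns None when the request is allowed."""
    decision = evaluate(request)
    if decision.allowed:
        return None
    return json.dumps({
        "blocked": {"address": decision.host, "request": request, "rule": decision.rule},
        "application": application,
    }, sort_keys=True)


if __name__ == "__main__":
    for req in ("http://sports.example.com/today", "https://updates.example-corp.internal/ide",
                "malware-drop.example.net:8080", "https://intranet.example-corp.internal/"):
        print(req, "->", evaluate(req))
    print(data_file_for("http://im.example.org/login", "chat.exe"))
```

Checking the block list before the allow list means an explicit deny can never be overridden by an allow entry; the allow list sits before the category rules so that a trusted update host is not caught by a broad pattern.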
Referring again to Figure 1, protecting the client computing facility 102 from threats caused by malicious code and malicious applications may include more than one level. In an embodiment, malicious code may embed itself into applications that may already be stored on the client computing facility 102, such as within a document application or document file. The threats may be received from other client computing facilities 102 on the same network as files are shared, received from external networks as the client computing facility 102 connects with other networks, or the like.
For protecting the individual client computing facility 102, the security facility 108 may interact with the IDE file 114 and the policy facility 118 as files are received at the client computing facility 102. The security facility 108 may attempt to determine if the incoming file may include malicious code, or if the file is a malicious application, by comparing the contents of the file with the IDE 114 file information. For malicious code and malicious applications that are previously defined within the IDE file 114, this may provide adequate protection for the client computing facility 102 by cleaning the incoming file, denying the incoming file from being stored on the client computing facility 102, or the like.
In a similar manner, both the IDE file 114 and the policy facility 118 may be used to scan an outgoing file and verify that the outgoing file is permitted to be transmitted per the enterprise rules and policies. By checking outgoing files, the security facility 108 may be able to discover malicious code infected files that were not detected as incoming files, as a result of the client computing facility 102 having since been updated with either new IDE 114 files or new policy facility 118 information. The IDE file 114 may discover the malicious code infected file by having received updates on developing malicious code from the system administrator, updates from an IDE provider, or the like. The policy facility 118 may discover the malicious code infected file by having received new updates from the system administrator, from a rules provider, or the like.
Once a client computing facility 102 has become infected with malicious code or a malicious application, the user of the client computing facility 102 may be unaware that the application is attempting to connect to another network location in an attempt to receive additional malicious code. Additionally, the malicious code or malicious application may have deactivated some or all of the security facility 108, leaving the client computing facility 102 unable to determine that a malicious file is attempting to access another network; in that case neither the user nor the security facility 108 may be aware that the client computing facility 102 application 112 is attempting to connect with another network.
Once a client computing facility 102 has become infected with malicious code, the malicious code may use the application 112 and the network control facility 110 to attempt to connect to a network location where additional malicious code and/or malicious applications may be downloaded to the client computing facility 102. If the malicious code is not yet defined in the IDE file 114, or if at least part of the security facility 108 has been disabled, the malicious code may succeed in using the application 112 and the network control facility 110 to request network access from the gateway facility 104.
The client computing facility 102 network access request may be received at the network access control 122 of the gateway facility 104. The network access control 122 may act as a second level of defense against malicious code and malicious applications accessing other network locations. The network access control 122 may be associated with the network access rules 124 that may provide all the rules for accessing other networks from the network 106. As previously described herein, the network access rules 124 may include access databases, access rules that may be interpreted, a combination of databases and access rules, or the like.
In an embodiment, the network access request may be an attempt to connect to any type of computer facility on another network such as a server 126, desktop computer, laptop computer 128, smart device 130, database 116, or the like.
Once received at the network access control 122, the network access request may be analyzed, parsed, reviewed, or the like to determine if the network access request is allowed by the defined access rules stored within the network access rules 124. If the network access request is for a network location that is not allowed as defined by the rules within the network access rules 124, the network access request may be denied.
In a first embodiment, the denied network access request may be reported back to the client computing facility 102 as a denied access, and the malicious code infected application 112 may continue attempts to access the same network location or a different network location, with the possibility that the second network location may not be within the deny access rules. In an embodiment, the malicious code infected application 112 may try a plurality of different network locations in an attempt to obtain a successful network access request.
In a second embodiment, with the denied network access request, the network access control 122 may return a file to the client computing facility 102 that may include information for investigating the source of the denied network access request. In an embodiment, the information file that is received at a client computing facility 102 may be accessed by the remedial action facility 120 to determine actions that the remedial action facility 120 and the security facility 108 may take to determine the source of the denied network access request. In embodiments, the file information sent to the client computing facility 102 may be used in an attempt to find the source application of the denied network access request, and the remedial action facility 120 may take action against the application 112 attempting the network accesses to prevent additional attempts to connect with network locations that are not permitted per the network access rules 124. In an embodiment, the information file may be stored on the client computing facility 102, and the storing of the information file may serve as an indication for the remedial action facility 120 to analyze the information file.
In an embodiment, the information file may include commands determined by the network access control 122 to locate the source of the network access request. The remedial action facility 120 may parse the information file into at least one command. In an embodiment, the commands may be executed as the information file is parsed, the commands may be stored to a file from which the commands may be executed, or the like. In an embodiment, there may be more than one command, with a second command being executed based on the outcome of a first command. For example, the first command may include instructing the security facility 108 to scan all executing applications on the client computing facility 102 to determine the application 112 that requested the denied network access. The second command may include instructions to terminate executing applications 112 if the first command is not able to determine the application 112 that requested the denied network access. In an embodiment, one of the commands in the information file may be to request a new IDE file 114 that may provide the latest malicious code and malicious application information.
In an embodiment, the information file may include data that the remedial action facility 120 may interpret for locating the application that made the denied network access request. In an embodiment, the data within the information file may include instructions to the remedial action facility 120 for the steps to be taken to identify the application requesting the denied network access request. The remedial action facility 120 may parse the information file into at least one instruction. In an embodiment, the parsed instructions may be interpreted by the remedial action facility 120 to determine the actions that are to be used to identify the application requesting the denied network access request. In embodiments, the instructions may be interpreted as requesting a new IDE file 114, requesting the security facility 108 to scan the client computing facility 102, terminating an identified application, isolating an identified application, reporting an identified application to a reporting facility within the network, requesting additional actions from the network access control 122, or the like.
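The client side of that exchange, covering both the command-file embodiment and the data-interpretation embodiment of the two preceding paragraphs, as an added illustration that is not code from the patent: a Python model of the remedial action facility 120 that parses the information file into commands, validates every command against a fixed table of permitted actions before any of them runs, and then executes them in order so that a second command can be made conditional on the outcome of the first (terminate the requester if it was found, otherwise request a new IDE file). The text allows for carrying out received commands without interpretation; this example deliberately fails closed on any action it does not know, since a file that can instruct a client to terminate or isolate applications should not be able to request more than the client is designed to do, and it assumes the file reaches the client over an authenticated channel. The file layout, the action names and the process table are assumptions of this example, and the handlers only record what they would do.

```python
"""Example remedial action facility 120 (added illustration, not code from the
patent).  The information file from the gateway is parsed into commands, every
command is checked against the fixed table of permitted actions before any of
them runs, and the commands then execute in order with an optional condition
on the outcome of the previous command.  File layout, action names and the
process table are assumptions of this example; handlers only record what they
would do."""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed process table standing in for the executing applications 112:
# pid, name and the remote hosts each one currently has connections to.
PROCESSES = [
    {"pid": 311, "name": "browser.exe", "connections": ["intranet.example-corp.internal"]},
    {"pid": 742, "name": "updater.exe", "connections": ["sports.example.com"]},
]


@dataclass
class State:
    blocked: dict                      # address information from the data file
    requester: Optional[dict] = None   # application found to have made the request
    log: List[str] = field(default_factory=list)


def find_requester(state: State) -> bool:
    """First command: find the executing application that is talking to the
    denied address.  Fails when no application can be tied to it."""
    for proc in PROCESSES:
        if state.blocked["address"] in proc["connections"]:
            state.requester = proc
            state.log.append(f"found pid {proc['pid']} ({proc['name']})")
            return True
    state.log.append(f"no application found for {state.blocked['address']}")
    return False


def terminate(state: State) -> bool:
    """Terminate the identified requester; cannot succeed without one."""
    if state.requester is None:
        return False
    state.log.append(f"terminate pid {state.requester['pid']}")
    return True


def request_ide_update(state: State) -> bool:
    state.log.append("request new IDE file")
    return True


def report(state: State) -> bool:
    target = state.requester["name"] if state.requester else "unknown application"
    state.log.append(f"report {target} for rule {state.blocked['rule']}")
    return True


# The only actions the client will ever run, whatever the file asks for.
ACTIONS: Dict[str, Callable[[State], bool]] = {
    "find_requester": find_requester,
    "terminate": terminate,
    "request_ide_update": request_ide_update,
    "report": report,
}


def parse(info_file: str) -> Tuple[dict, List[dict]]:
    """Parse the information file; reject the whole file if any command is
    not a permitted action or carries an unknown condition (fail closed)."""
    doc = json.loads(info_file)
    commands = doc["commands"]
    for cmd in commands:
        if cmd.get("action") not in ACTIONS:
            raise ValueError(f"unknown action {cmd.get('action')!r}")
        if cmd.get("when") not in (None, "ok", "failed"):
            raise ValueError(f"unknown condition {cmd.get('when')!r}")
    return doc["blocked"], commands


def run(info_file: str) -> State:
    """Execute the commands in order.  A command with "when" runs only if the
    previously executed command had that outcome; skipped commands do not
    change the recorded outcome."""
    blocked, commands = parse(info_file)
    state = State(blocked)
    previous: Optional[bool] = None
    for cmd in commands:
        when = cmd.get("when")
        if when == "ok" and previous is not True:
            continue
        if when == "failed" and previous is not False:
            continue
        previous = ACTIONS[cmd["action"]](state)
    return state


# Constructed information file in the layout assumed above: terminate the
# requester if it can be found, otherwise ask for a new IDE file; report either way.
SAMPLE_INFO_FILE = json.dumps({
    "blocked": {"address": "sports.example.com", "rule": "deny-sports"},
    "commands": [
        {"action": "find_requester"},
        {"action": "terminate", "when": "ok"},
        {"action": "request_ide_update", "when": "failed"},
        {"action": "report"},
    ],
})

if __name__ == "__main__":
    print("\n".join(run(SAMPLE_INFO_FILE).log))
```

Validating the whole file before executing its first command matters because the commands are ordered: a file that is half executed and then rejected leaves the client in a state the gateway never asked for.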
Parts List
102 client computing facility
104 gateway facility
106 network
108 security facility
110 network control facility
112 application
114 IDE
116 database
118 policy facility
120 remedial action facility
122 network access control
124 network access rules
126 server
128 laptop computer
130 smart device