System and method for protecting systems from malicious attacks

US 10,015,194 B1
Filed: 02/24/2017
Issued: 07/03/2018
Est. Priority Date: 01/05/2017
Status: Active Grant

First Claim

Patent Images

1. A method of disarming malicious code in a computer system having a processor, the method comprising:

receiving, by the computer system, input content; and

automatically applying, by the processor, a data value alteration model to the input content, the data value alteration model being configured to disarm malicious code included in the input content without interfering with an intended use of the input content and being applied without first detecting malicious code in the input content and without knowing a location of data units in the input content including malicious code, the data value alteration model including operations for;

selecting, by the processor, at least a portion of a plurality of data units included in the input content, the portion being determined randomly or pseudo-randomly based on the data value alteration model determining that at least one of the data units of the portion is statistically likely to include any malicious code; and

altering respective data values of the selected portion of the plurality of data units included in the input content.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments include a method of disarming malicious code in a computer system having a processor. The method comprises receiving, by the computer system, input content, and rendering, by the processor, any malicious code included in the input content inactive for its intended malicious purpose without applying a malware detection algorithm to the input content. The rendering is performed by automatically applying, using the processor, a data value alteration model to the input content for altering select data values within the input content, and outputting a new content reflecting the application of the data value alteration model to the input content. The processor renders any malicious code included in the input content inactive for its intended malicious purpose without regard to any structure used to encapsulate the input content. The input content includes media content.

41 Citations

View as Search Results

20 Claims

1. A method of disarming malicious code in a computer system having a processor, the method comprising:
- receiving, by the computer system, input content; and
  
  automatically applying, by the processor, a data value alteration model to the input content, the data value alteration model being configured to disarm malicious code included in the input content without interfering with an intended use of the input content and being applied without first detecting malicious code in the input content and without knowing a location of data units in the input content including malicious code, the data value alteration model including operations for;
  
  selecting, by the processor, at least a portion of a plurality of data units included in the input content, the portion being determined randomly or pseudo-randomly based on the data value alteration model determining that at least one of the data units of the portion is statistically likely to include any malicious code; and
  
  altering respective data values of the selected portion of the plurality of data units included in the input content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, the method further comprising:
    - outputting a new content reflecting the application of the data value alteration model to the input content.
  - 3. The method of claim 2, further comprising:
    - applying a malware detection algorithm to the new content, thereby confirming the applied data value alteration model disarmed malicious code included in the input content.
  - 4. The method of claim 1, wherein the processor, based on the application of the data value alteration model, disarms malicious code included in the input content, without regard to any structure used to encapsulate the input content.
  - 5. The method of claim 1, further comprising, applying a malware detection algorithm to the input content before applying the data value alteration model to the input content, wherein the data value alteration model is applied only if suspected malicious content is not detected in the input content.
  - 6. The method of claim 5, wherein the malware detection algorithm includes at least one of a signature-based malware detection algorithm and a behavior-based malware detection algorithm.
  - 7. The method of claim 1, wherein the data value alteration model reflects an adjustment of a data value determined so as not to interfere with an intended use of the input content.
  - 8. The method of claim 7, wherein the data value is adjusted by a binary value of one.
  - 9. The method of claim 7, wherein the data value represents media content.
  - 10. The method of claim 7, wherein the adjustment of each select data value is determined in an unpredictable manner from among an increase in data value and a decrease in data value based on the data value alteration model.
  - 11. The method of claim 1, wherein the plurality of data units included in the input content includes each data unit corresponding to media content of the input content, and wherein the portion of the data units includes at least 0.1% of the plurality of data units but not more than 2% of the plurality of data units.
  - 12. The method of claim 1, further comprising, before applying the data value alteration model to the input content, determining based on a characteristic associated with the input content whether the input content is suspicious, wherein the data value alteration model is applied if the input content is determined to be suspicious.
  - 13. The method of claim 1, wherein the input content includes an input file of a file type indicative of at least one media content type.
  - 14. The method of claim 1, wherein the number of data units included in the portion is determined based on the data value alteration model according to a potential length of malicious code.
  - 15. The method of claim 14, wherein the data value alteration model is configured to determine the number of data units included in the portion as a percentage of data units ‘
    - X’
      
      based on the following relationship;
      
      ‘
      
      X’
      
      >
      
      =1/′
      
      Y′
      
      , where ‘
      
      Y’
      
      represents the potential length of malicious code as a number of data units.

16. A non-transitory computer-readable medium storing instructions that, when executed by a processor, cause the processor to perform operations for disarming malicious code in a computer system, the operations comprising:
- receiving input content; and
  
  automatically applying a data value alteration model to the input content, the data value alteration model being configured to disarm malicious code included in the input content without interfering with an intended use of the input content and being applied without first detecting malicious code in the input content and without knowing a location of data units in the input content including malicious code, and without regard to any structure used to encapsulate the input content, the data value alteration model including steps for;
  
  selecting at least a portion of a plurality of data units included in the input content, the portion being determined randomly or pseudo-randomly based on the data value alteration model determining that at least one of the data units of the portion is statistically likely to include any malicious code; and
  
  altering respective data values of the selected portion of the plurality of data units included in the input content.
- View Dependent Claims (17)
- - 17. The computer-readable medium of claim 16, the operations further comprising:
    - outputting a new content reflecting the application of the data value alteration model to the input content.

18. A system for disarming malicious code, the system comprising:
- a memory device storing a set of instructions; and
  
  a processor configured to execute the set of instructions to;
  
  receive input content; and
  
  automatically apply a data value alteration model to the input content, the data value alteration model being configured to disarm malicious code included in the input content without interfering with an intended use of the input content and being applied without first detecting malicious code in the input content and without knowing a location of data units in the input content including malicious code, the data value alteration model including operations for;
  
  selecting at least a portion of a plurality of data units included in the input content, the portion being determined randomly or pseudo-randomly based on the data value alteration model determining that at least one of the data units of the portion is statistically likely to include any malicious code; and
  
  altering respective data values of the selected portion of the plurality of data units included in the input content.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the processor is further configured to execute the set of instructions to:
    - output a new content reflecting the application of the data value alteration model to the input content.
  - 20. The system of claim 18, wherein the data value alteration model is configured to disarm malicious code included in the input content without regard to any structure used to encapsulate the input content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Votiro Cybersec Ltd
Original Assignee
Votiro Cybersec Ltd
Inventors
Grafi, Aviv, Glick, Itay
Primary Examiner(s)
Zhao, Don

Application Number

US15/441,904
Publication Number

US 20180191737A1
Time in Patent Office

494 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

System and method for protecting systems from malicious attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for protecting systems from malicious attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links