Systems and methods for determining the trustworthiness of files within organizations

US 10,055,586 B1
Filed: 06/29/2015
Issued: 08/21/2018
Est. Priority Date: 06/29/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for determining trustworthiness of files within organizations, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a file on a computing device within a plurality of computing devices managed by an organization;

before allowing the computing device to access the file;

identifying a user of an additional computing device within the plurality of computing devices that is qualified to assess the trustworthiness of the file based on determining that the user has previously assessed additional files that share characteristics with the file;

distributing at least a portion of the file to the user of the additional computing device with a request to receive an indication of the trustworthiness of the file; and

receiving, from the additional computing device, a response that indicates the trustworthiness of the file based on at least the portion of the file that was distributed to the user of the additional computing device;

protecting a security state of the computing device by controlling the computing device'"'"'s access to the file based on the trustworthiness of the file indicated in the response;

determining, based at least in part on an analysis of the response received from the additional computing device, that the user of the additional computing device is a trusted reviewer that is capable of accurately identifying security threats within the organization; and

in response to determining that the user of the additional computing device is the trusted reviewer, rewarding the user by enabling the additional computing device to access other files before the other files have been assessed for trustworthiness by other users within the organization.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for determining the trustworthiness of files within organizations may include (1) identifying a file on a computing device within multiple computing devices managed by an organization, (2) in response to identifying the file, identifying at least one additional computing device within the multiple computing devices that is potentially associated with the file, (3) distributing at least a portion of the file to a user of the additional computing device with a request to receive an indication of the trustworthiness of the file, and then (4) receiving, from the additional computing device, a response that indicates the trustworthiness of the file. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for determining trustworthiness of files within organizations, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a file on a computing device within a plurality of computing devices managed by an organization;
  
  before allowing the computing device to access the file;
  
  identifying a user of an additional computing device within the plurality of computing devices that is qualified to assess the trustworthiness of the file based on determining that the user has previously assessed additional files that share characteristics with the file;
  
  distributing at least a portion of the file to the user of the additional computing device with a request to receive an indication of the trustworthiness of the file; and
  
  receiving, from the additional computing device, a response that indicates the trustworthiness of the file based on at least the portion of the file that was distributed to the user of the additional computing device;
  
  protecting a security state of the computing device by controlling the computing device'"'"'s access to the file based on the trustworthiness of the file indicated in the response;
  
  determining, based at least in part on an analysis of the response received from the additional computing device, that the user of the additional computing device is a trusted reviewer that is capable of accurately identifying security threats within the organization; and
  
  in response to determining that the user of the additional computing device is the trusted reviewer, rewarding the user by enabling the additional computing device to access other files before the other files have been assessed for trustworthiness by other users within the organization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 18, 19, 20)
- - 2. The method of claim 1, wherein identifying the file on the computing device comprises detecting at least one attempt by a user of the computing device to:
    - install the file on the computing device;
      
      download the file onto the computing device; and
      
      execute the file on the computing device.
  - 3. The method of claim 1, wherein identifying the user that is qualified to assess the trustworthiness of the file is further based on determining that the qualified user and a user of the computing device on which the file was identified have similar roles within the organization.
  - 4. The method of claim 1, wherein distributing the portion of the file to the user of the additional computing device comprises distributing at least one of:
    - information about a source of the file; and
      
      information about behaviors exhibited by the file.
  - 5. The method of claim 1, further comprising providing, to the user of the additional computing device, a virtual execution environment in which to analyze the file.
  - 6. The method of claim 1, wherein determining that the user of the additional computing device is the trusted reviewer comprises:
    - receiving, from the user of the additional computing device, a justification of the indication of the trustworthiness of the file;
      
      displaying the justification of the indication of the trustworthiness of the file to a plurality of users within the organization; and
      
      determining that at least a predetermined number of users within the organization indicate that the justification is trusted.
  - 7. The method of claim 1, wherein determining that the user of the additional computing device is the trusted reviewer comprises determining that the user of the additional computing device has correctly indicated the trustworthiness of at least a predetermined number of files identified on computing devices within the plurality of computing devices.
  - 8. The method of claim 1, further comprising:
    - distributing, to the user of the additional computing device, a request to identify permissions that should be granted to the file when the file is executed by the plurality of computing devices;
      
      receiving, from the additional computing device, at least one allowed permission in response to the request; and
      
      preventing the file from being granted permissions other than the allowed permission when the file is executed by the plurality of computing devices.
  - 9. The method of claim 1, wherein controlling the computing device'"'"'s access to the file based on the trustworthiness of the file comprises:
    - determining that the response from the additional computing device indicates that the file is trustworthy; and
      
      based on the response from the additional computing device indicating that the file is trustworthy, adding the file to a whitelist that identifies files allowed to be accessed by the plurality of computing devices.
  - 10. The method of claim 1, wherein controlling the computing device'"'"'s access to the file based on the trustworthiness of the file comprises:
    - determining that the response from the additional computing device indicates that the file is untrustworthy; and
      
      based on the response from the additional computing device indicating that the file is untrustworthy, adding the file to a blacklist that identifies files not allowed to be accessed by the plurality of computing devices.
  - 18. The method of claim 1, wherein determining that the user of the additional computing device is the trusted reviewer is further based on a role of the user within the organization.
  - 19. The method of claim 1, wherein identifying the user that is qualified to assess the trustworthiness of the file is further based on determining that the user has previously been identified as the trusted reviewer.
  - 20. The method of claim 1, wherein identifying the user that is qualified to assess the trustworthiness of the file is further based on determining that the number of files that the user has previously reviewed does not exceed a certain number.

11. A system for determining trustworthiness of files within organizations, the system comprising:
- a memory;
  
  a physical processor coupled to the memory;
  
  an identification module, stored in the memory, that;
  
  identifies a file on a computing device within a plurality of computing devices managed by an organization; and
  
  before the computing device is allowed to access the file, identifies a user of an additional computing device within the plurality of computing devices that is qualified to assess the trustworthiness of the file based on determining that the user has previously assessed additional files that share characteristics with the file;
  
  a distribution module, stored in the memory, that distributes at least a portion of the file to the user of the additional computing device with a request to receive an indication of the trustworthiness of the file;
  
  a reception module, stored in the memory, that receives, from the additional computing device, a response that indicates the trustworthiness of the file based on at least the portion of the file that was distributed to the user of the additional computing device;
  
  a security module, stored in the memory, that protects a security state of the computing device by controlling the computing device'"'"'s access to the file based on the trustworthiness of the file indicated in the response;
  
  a reward module, stored in memory, that;
  
  determines, based at least in part on an analysis of the response received from the additional computing device, that the user of the additional computing device is a trusted reviewer that is capable of accurately identifying security threats within the organization; and
  
  in response to determining that the user of the additional computing device is the trusted reviewer, rewards the user by enabling the additional computing device to access other files before the other files have been assessed for trustworthiness by other users within the organization; and
  
  wherein the physical processor is configured to execute the identification module, the distribution module, the reception module, the security module, and the reward module.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein the identification module identifies the user that is qualified to assess the trustworthiness of the file further based on determining that the qualified user and a user of the computing device on which the file was identified have similar roles within the organization.
  - 13. The system of claim 11, wherein the distribution module distributes the portion of the file to the user of the additional computing device by distributing at least one of:
    - information about a source of the file; and
      
      information about behaviors exhibited by the file.
  - 14. The system of claim 11, wherein the distribution module further provides, to the user of the additional computing device, a virtual execution environment in which to analyze the file.
  - 15. The system of claim 11, wherein the security module controls the computing device'"'"'s access to the file based on the trustworthiness of the file by:
    - determining that the response from the additional computing device indicates that the file is trustworthy; and
      
      based on the response from the additional computing device indicating that the file is trustworthy, adding the file to a whitelist that identifies files allowed to be accessed by the plurality of computing devices.
  - 16. The system of claim 11, wherein the security module controls the computing device'"'"'s access to the file based on the trustworthiness of the file by:
    - determining that the response from the additional computing device indicates that the file is untrustworthy; and
      
      based on the response from the additional computing device indicating that the file is untrustworthy, adding the file to a blacklist that identifies files not allowed to be accessed by the plurality of computing devices.

17. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by a computing device comprising at least one processor, cause the computing device to:
- identify a file on a computing device within a plurality of computing devices managed by an organization;
  
  before allowing the computing device to access the file;
  
  identify a user of an additional computing device within the plurality of computing devices that is qualified to assess the trustworthiness of the file based on determining that the user has previously assessed additional files that share characteristics with the file;
  
  distribute at least a portion of the file to the user of the additional computing device with a request to receive an indication of the trustworthiness of the file; and
  
  receive, from the additional computing device, a response that indicates the trustworthiness of the file based on at least the portion of the file that was distributed to the user of the additional computing device;
  
  protect a security state of the computing device by controlling the computing device'"'"'s access to the file based on the trustworthiness of the file indicated in the response;
  
  determine, based at least in part on an analysis of the response received from the additional computing device, that the user of the additional computing device is a trusted reviewer that is capable of accurately identifying security threats within the organization; and
  
  in response to determining that the user of the additional computing device is the trusted reviewer, reward the user by enabling the additional computing device to access other files before the other files have been assessed for trustworthiness by other users within the organization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Roundy, Kevin, Bhatkar, Sandeep, Gates, Christopher, Kashyap, Anand, Liu, Yin, Parker-Wood, Aleatha, Yumer, Leylya
Primary Examiner(s)
Jhaveri, Jayesh M

Application Number

US14/753,051
Time in Patent Office

1,149 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/101   Access control lists [ACL]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Systems and methods for determining the trustworthiness of files within organizations

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for determining the trustworthiness of files within organizations

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links