Techniques for detecting malicious files

US 10,200,374 B1
Filed: 02/29/2016
Issued: 02/05/2019
Est. Priority Date: 02/29/2016
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malicious files comprising:

one or more computer processors communicatively coupled to a network, the one or more computer processors being configured to;

collect at least one of a file or an attribute of the file;

determine if the file is malicious;

identify, if the file is determined to be malicious, a download Uniform Resource Locator (URL) from which the file was downloaded, a connection URL to which the file attempted to connect, and a limited time frame associated with the file, the limited time frame having a beginning point in time and an ending point in time; and

create a block policy for the download URL and the connection URL that is configured to be applied only for the limited time frame, the block policy configured to block any network connection with, or block any file from downloading and executing from, the download URL and the connection URL during the limited time frame.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting malicious files are disclosed. In one embodiment, the techniques may be realized as a system for detecting malicious files comprising one or more computer processors. The one or more computer processors may be configured to collect at least one of a file or an attribute of the file. The one or more computer processors may further be configured to determine if the file is malicious. The one or more computer processors may further be configured to identify, if the file is determined to be malicious, a Uniform Resource Locator (URL) and a time frame associated with the file. The one or more computer processors may further be configured to detect a threat based on the URL and the time frame.

12 Citations

View as Search Results

20 Claims

1. A system for detecting malicious files comprising:
- one or more computer processors communicatively coupled to a network, the one or more computer processors being configured to;
  
  collect at least one of a file or an attribute of the file;
  
  determine if the file is malicious;
  
  identify, if the file is determined to be malicious, a download Uniform Resource Locator (URL) from which the file was downloaded, a connection URL to which the file attempted to connect, and a limited time frame associated with the file, the limited time frame having a beginning point in time and an ending point in time; and
  
  create a block policy for the download URL and the connection URL that is configured to be applied only for the limited time frame, the block policy configured to block any network connection with, or block any file from downloading and executing from, the download URL and the connection URL during the limited time frame.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the one or more computer processors are further configured to determine if the file is malicious based on external information retrieved from a security product vendor.
  - 3. The system of claim 1, wherein the block policy is configured to block any file downloaded from the download URL during the limited time frame from executing.
  - 4. The system of claim 3, wherein the block policy is configured to allow any file downloaded from the download URL after the limited time frame to execute.
  - 5. The system of claim 1, wherein the block policy is configured to block any network connection with the download URL during the limited time frame.
  - 6. The system of claim 5, wherein the block policy is configured to allow a network connection with the download URL after the limited time frame.
  - 7. The system of claim 1, wherein the connection URL is a URL to which the file further attempted to download another file.

8. A computer-implemented method for detecting malicious files, the method comprising:
- collecting at least one of a file or an attribute of the file;
  
  determining if the file is malicious;
  
  identifying, if the file is determined to be malicious, a download Uniform Resource Locator (URL) from which the file was downloaded, a connection URL to which the file attempted to connect, and a limited time frame associated with the file, the limited time frame having a beginning point in time and an ending point in time; and
  
  creating a block policy for the download URL and the connection URL that is configured to be applied only for the limited time frame, the block policy configured to block any network connection with, or block any file from downloading and executing from, the download URL and the connection URL during the limited time frame.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising determining if the file is malicious based on external information retrieved from a security product vendor.
  - 10. The method of claim 8, wherein the block policy is configured to block any file downloaded from the download URL during the limited time frame from executing.
  - 11. The method of claim 10, wherein the block policy is configured to allow any file downloaded from the download URL after the limited time frame to execute.
  - 12. The method of claim 8, wherein the block policy is configured to block any network connection with the download URL during the limited time frame.
  - 13. The method of claim 12, wherein the block policy is configured to allow a network connection with the download URL after the limited time frame.
  - 14. The method of claim 8, wherein the connection URL is a URL to which the file further attempted to download another file.

15. A non-transitory computer readable medium storing instructions thereon that are configured to be executed by at least one processor and thereby cause the at least one processor to operate so as to:
- collect at least one of a file or an attribute of the file;
  
  determine if the file is malicious;
  
  identify, if the file is determined to be malicious, a download Uniform Resource Locator (URL) from which the file was downloaded, a connection URL to which the file attempted to connect, and a limited time frame associated with the file, the limited time frame having a beginning point in time and an ending point in time; and
  
  create a block policy for the download URL and the connection URL that is configured to be applied only for the limited time frame, the block policy configured to block any network connection with, or block any file from downloading and executing from, the download URL and the connection URL during the limited time frame.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable medium according to claim 15, wherein the instructions are further configured to cause the at least one processor to operate so as to determine if the file is malicious based on external information retrieved from a security product vendor.
  - 17. The non-transitory computer readable medium according to claim 15, wherein the block policy is configured to block any file downloaded from the download URL during the limited time frame from executing.
  - 18. The non-transitory computer readable medium according to claim 17, wherein the block policy is configured to allow any file downloaded from the download URL after the limited time frame to execute.
  - 19. The non-transitory computer readable medium according to claim 15, wherein:
    - the block policy is configured to block any network connection with the download URL during the limited time frame; and
      
      the block policy is configured to allow a network connection with the download URL after the limited time frame.
  - 20. The non-transitory computer readable medium according to claim 15, wherein the connection URL is a URL to which the file further attempted to download another file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kim, Samuel, Lai, Everett J., Vo, Thuan
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gyorfi, Thomas A

Application Number

US15/056,588
Time in Patent Office

1,072 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/168   above the transport layer

Techniques for detecting malicious files

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for detecting malicious files

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links