Systems and methods for automated whitelisting of files

US 10,200,395 B1
Filed: 03/30/2016
Issued: 02/05/2019
Est. Priority Date: 03/30/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for automated whitelisting of computer files, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

obtaining, by the computing device, telemetry information that identifies, for each computing system in a set of computing systems, computer files located on the computing system;

grouping, by the computing device, selected computing systems based on how they are used within an organization by grouping the selected computing systems of the set of computing systems into a group of computing systems that each store a specific computer file and share a role or a department of users within the organization as indicated by the telemetry information;

establishing, by the computing device, a whitelist of computer files for the group of computing systems by, for each file identified by the telemetry information;

calculating, by the computing device, an amount by which a cost for using the whitelist will increase if the file is included in the whitelist;

calculating, by the computing device, an amount by which whitelist coverage of computer files in the group of computing systems will increase if the file is included in the whitelist;

determining, by the computing device, whether to include the file in the whitelist by balancing the increase in the cost against the increase in whitelist coverage and determining if a coverage threshold is met; and

using, by the computing device, the whitelist to protect the group of computing systems from undesirable computer files by preventing the undesirable computer files from being installed on the group of computing systems protected by the whitelist.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for automated whitelisting of files may include (1) obtaining telemetry information that identifies files located on a set of computing systems, (2) establishing a whitelist of files for the set of computing systems by, for each file identified by the telemetry information, (A) calculating an amount by which a cost for using the whitelist will increase if the file is included in the whitelist, (B) calculating an amount by which whitelist coverage of files in the set of computing devices will increase if the file is included in the whitelist, (C) determining whether to include the file in the whitelist by balancing the increase in the cost against the increase in whitelist coverage, and (3) using the whitelist to protect the set of computing systems from undesirable files. Various other methods, systems, and computer-readable media are also disclosed.

12 Citations

20 Claims

1. A computer-implemented method for automated whitelisting of computer files, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- obtaining, by the computing device, telemetry information that identifies, for each computing system in a set of computing systems, computer files located on the computing system;
  
  grouping, by the computing device, selected computing systems based on how they are used within an organization by grouping the selected computing systems of the set of computing systems into a group of computing systems that each store a specific computer file and share a role or a department of users within the organization as indicated by the telemetry information;
  
  establishing, by the computing device, a whitelist of computer files for the group of computing systems by, for each file identified by the telemetry information;
  
  calculating, by the computing device, an amount by which a cost for using the whitelist will increase if the file is included in the whitelist;
  
  calculating, by the computing device, an amount by which whitelist coverage of computer files in the group of computing systems will increase if the file is included in the whitelist;
  
  determining, by the computing device, whether to include the file in the whitelist by balancing the increase in the cost against the increase in whitelist coverage and determining if a coverage threshold is met; and
  
  using, by the computing device, the whitelist to protect the group of computing systems from undesirable computer files by preventing the undesirable computer files from being installed on the group of computing systems protected by the whitelist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising creating the group of computing systems by grouping a plurality of computing systems together based on how they are used within an organization.
  - 3. The method of claim 2, wherein grouping the plurality of computing systems together based on how they are used within the organization comprises grouping the plurality of computing systems together based on at least one of:
    - a role within the organization of the users of the plurality of computing systems as indicated by the telemetry information;
      
      ora department within the organization of the users that access the computing systems as indicated by the telemetry information.
  - 4. The method of claim 1, further comprising grouping the plurality of computing systems together based on at least one of:
    - a type of software installed on the computing systems as indicated by the telemetry information;
      
      ora version of software installed on the computing systems as indicated by the telemetry information.
  - 5. The method of claim 1, wherein calculating the amount by which the cost for using the whitelist will increase if the file is included in the whitelist comprises basing the cost at least in part on a frequency with which the file is found within the group of computing systems.
  - 6. The method of claim 1, wherein calculating the amount by which the cost for using the whitelist will increase if the file is included in the whitelist comprises basing the cost at least in part on a reputation of the file.
  - 7. The method of claim 1, wherein balancing the increase in the cost against the increase in whitelist coverage comprises determining the coverage threshold that is met when at least a predefined percentage of computing systems in the group of computing systems store one or more computer files identified in the whitelist.
  - 8. The method of claim 7, wherein balancing the increase in the cost against the increase in whitelist coverage comprises minimizing the cost for using the whitelist while still satisfying the coverage threshold.
  - 9. The method of claim 1, wherein using the whitelist to protect the group of computing systems from undesirable computer files comprises at least one of:
    - using the whitelist to protect the group of computing systems against malware;
      
      orusing the whitelist to prevent users from installing applications that cause security vulnerabilities in the group of computing systems.
  - 10. The method of claim 1, wherein calculating an amount by which whitelist coverage of computer files in the group of computing systems will increase if the file is included in the whitelist comprises evaluating a number of computing systems in the group of computing systems for which each file on the computing system is covered by the whitelist that includes the file.
  - 11. The method of claim 10, further comprising evaluating the number of computing systems that are completely covered by different permutations of whitelists that include the file.
  - 12. The method of claim 1, wherein establishing the whitelist of computer files for the group of computing systems comprises adding to the whitelist computer files that appear on at least a certain number of computing systems within the group of computing systems.

13. A system for automated whitelisting of computer files, the system comprising:
- a telemetry module, stored in memory, that obtains telemetry information that identifies, for each computing system in a set of computing systems, computer files located on the computing system and that groups selected computing systems based on how they are used within an organization by grouping the selected computing systems of the set of computing systems into a group of computing systems that each store a specific computer file and share a role or a department of users within the organization as indicated by the telemetry information;
  
  a calculating module, stored in memory, that establishes a whitelist of computer files for the group of computing systems by, for each file identified by the telemetry information;
  
  calculating an amount by which a cost for using the whitelist will increase if the file is included in the whitelist;
  
  calculating an amount by which whitelist coverage of computer files in the group of computing systems will increase if the file is included in the whitelist;
  
  determining whether to include the file in the whitelist by balancing the increase in the cost against the increase in whitelist coverage and determining if a coverage threshold is met;
  
  a protecting module, stored in memory, that uses the whitelist to protect the group of computing systems from undesirable computer files by preventing the undesirable computer files from being installed on the group of computing systems protected by the whitelist; and
  
  at least one physical processor configured to execute the telemetry module, the calculating module, and the protecting module.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the telemetry module creates the group of computing systems by grouping a plurality of computing systems together into telemetry module groups based on how they are used within an organization as indicated by the telemetry information.
  - 15. The system of claim 14, wherein the telemetry module groups the plurality of computing systems together based on how they are used within the organization by grouping the plurality of computing systems together based on at least one of:
    - the role within the organization of the users of the plurality of computing systems as indicated by the telemetry information;
      
      ora department within the organization of the users that access the computing systems as indicated by the telemetry information.
  - 16. The system of claim 13, wherein the telemetry module groups the plurality of computing systems together based on at least one of:
    - a type of software installed on the computing systems as indicated by the telemetry information;
      
      ora version of software installed on the computing systems as indicated by the telemetry information.
  - 17. The system of claim 13, wherein the calculating module calculates the amount by which the cost for using the whitelist will increase if the file is included in the whitelist by basing the cost at least in part on a frequency with which the file is found within the group of computing systems.
  - 18. The system of claim 13, wherein the calculating module calculates the amount by which the cost for using the whitelist will increase if the file is included in the whitelist by basing the cost at least in part on a reputation of the file.
  - 19. The system of claim 13, wherein the calculating module balances the increase in the cost against the increase in whitelist coverage by determining the coverage threshold that is met when at least a predefined percentage of computing systems in the group of computing systems store one or more computer files identified in the whitelist.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- obtain, by the computing device, telemetry information that identifies, for each computing system in a set of computing systems, computer files located on the computing system;
  
  group, by the computing device, selected computing systems based on how they are used within an organization by grouping the selected computing systems of the set of computing systems into a group of computing systems that each store a specific computer file and share a role or a department of users within the organization, as indicated by the telemetry information;
  
  establish, by the computing device, a whitelist of computer files for the group of computing systems by, for each file identified by the telemetry information;
  
  calculate an amount by which a cost for using the whitelist will increase if the file is included in the whitelist;
  
  calculate an amount by which whitelist coverage of computer files in the group of computing systems will increase if the file is included in the whitelist;
  
  determine whether to include the file in the whitelist by balancing the increase in the cost against the increase in whitelist coverage and determining if a coverage threshold is met; and
  
  use the whitelist to protect the group of computing systems from undesirable computer files by preventing the undesirable computer files from being installed on the group of computing systems protected by the whitelist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Roundy, Kevin Alejandro, Gates, Christopher
Primary Examiner(s)
Rahim, Monjur

Application Number

US15/084,515
Time in Patent Office

1,042 Days
Field of Search

726 25
US Class Current
CPC Class Codes

H04L 63/101 Access control lists [ACL]

H04L 63/1433 Vulnerability analysis

Systems and methods for automated whitelisting of files

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for automated whitelisting of files

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links