Systems and methods for obtaining information about security threats on endpoint devices

US 10,262,131 B2
Filed: 05/06/2016
Issued: 04/16/2019
Est. Priority Date: 03/22/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for obtaining information about security threats on endpoint devices, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

detecting, by a security program on the computing device, an attempt to access at least one suspicious file;

before permitting the computing device to access the suspicious file;

searching, by the security program, a security database utilized by the security program for information indicative of the trustworthiness of the suspicious file; and

determining, by the security program, based on the search, that the security database does not store the information indicative of the trustworthiness of the suspicious file;

in response to determining that the security database does not store the information indicative of the trustworthiness of the suspicious file;

identifying, by the security program, at least one third-party resource that;

is not associated with the security program; and

is at least partially responsible for developing the suspicious file;

determining, based on the third-party resource being at least partially responsible for developing the suspicious file, that the third-party resource potentially contains information about behaviors the suspicious file is expected to perform on the computing device;

performing, by the security program, an online search for the third-party resource by identifying a server that is hosted by the third-party resource and potentially stores the information about the behaviors the suspicious file is expected to perform on the computing device; and

accessing, by the security program, the server to obtain the information about the behaviors the suspicious file is expected to perform on the computing device;

determining, by the security program based at least in part on the information about the behaviors the suspicious file is expected to perform on the computing device, whether the suspicious file represents a security threat to the computing device; and

adding, by the security program, information to the security database that indicates whether the suspicious file represents the security threat.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for obtaining information about security threats on endpoint devices may include (1) detecting, by a security program on a computing device, an attempt to access at least one suspicious file, (2) before permitting the computing device to access the suspicious file, identifying, by the security program, at least one third-party resource not associated with the security program that contains information potentially indicative of the trustworthiness of the suspicious file, (3) obtaining, by the security program from the third-party resource, the information potentially indicative of the trustworthiness of the suspicious file, and then (4) determining, by the security program based at least in part on the information potentially indicative of the trustworthiness of the suspicious file, whether the suspicious file represents a security threat to the computing device. Various other methods, systems, and computer-readable media are also disclosed.

16 Citations

20 Claims

1. A computer-implemented method for obtaining information about security threats on endpoint devices, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting, by a security program on the computing device, an attempt to access at least one suspicious file;
  
  before permitting the computing device to access the suspicious file;
  
  searching, by the security program, a security database utilized by the security program for information indicative of the trustworthiness of the suspicious file; and
  
  determining, by the security program, based on the search, that the security database does not store the information indicative of the trustworthiness of the suspicious file;
  
  in response to determining that the security database does not store the information indicative of the trustworthiness of the suspicious file;
  
  identifying, by the security program, at least one third-party resource that;
  
  is not associated with the security program; and
  
  is at least partially responsible for developing the suspicious file;
  
  determining, based on the third-party resource being at least partially responsible for developing the suspicious file, that the third-party resource potentially contains information about behaviors the suspicious file is expected to perform on the computing device;
  
  performing, by the security program, an online search for the third-party resource by identifying a server that is hosted by the third-party resource and potentially stores the information about the behaviors the suspicious file is expected to perform on the computing device; and
  
  accessing, by the security program, the server to obtain the information about the behaviors the suspicious file is expected to perform on the computing device;
  
  determining, by the security program based at least in part on the information about the behaviors the suspicious file is expected to perform on the computing device, whether the suspicious file represents a security threat to the computing device; and
  
  adding, by the security program, information to the security database that indicates whether the suspicious file represents the security threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 20)
- - 2. The method of claim 1, wherein detecting the attempt to access the suspicious file comprises detecting an attempt to access a file whose trustworthiness is unknown.
  - 3. The method of claim 1, further comprising determining that the third-party resource is at least partially responsible for developing the suspicious file based on the third-party resource being at least one of:
    - a creator of the suspicious file;
      
      a publisher of the suspicious file; and
      
      a distributor of the suspicious file.
  - 4. The method of claim 1, further comprising obtaining, from the server that is hosted by the third-party resource, information indicating that the suspicious file was created with malicious intent.
  - 5. The method of claim 1, wherein obtaining the information about the behaviors the suspicious file is expected to perform on the computing device comprises crawling a web page hosted by the third-party resource.
  - 6. The method of claim 1, wherein determining whether the suspicious file represents the security threat comprises determining that the suspicious file represents the security threat based on determining that the information obtained from the third-party resource indicates that the suspicious file is not trustworthy;
    - andfurther comprising performing at least one security action on the suspicious file in response to determining that the suspicious file represents the security threat.
  - 7. The method of claim 1, wherein determining whether the suspicious file represents the security threat comprises determining that the suspicious file does not represent the security threat based on determining that the information obtained from the third-party resource indicates that the suspicious file is trustworthy;
    - andfurther comprising permitting the computing device to access the suspicious file in response to determining that the suspicious file does not represent the security threat.
  - 8. The method of claim 1, wherein adding the information that indicates whether the suspicious file represents the security threat to the security database comprises prompting a remote security service that manages the security program to generate at least one security policy associated with the suspicious file that is to be implemented on at least one additional computing device.
  - 20. The method of claim 1, wherein obtaining the information about the behaviors the suspicious file is expected to perform on the computing device comprises identifying an End User License Agreement (EULA) that describes behaviors the file performs while running.

9. A system for obtaining information about security threats on endpoint devices, the system comprising:
- a detection module, stored in memory, that detects, as part of a security program on a computing device, an attempt to access at least one suspicious file;
  
  an identification module, stored in memory, that before the computing device is permitted to access the suspicious file;
  
  searches, as part of the security program, a security database utilized by the security program for information indicative of the trustworthiness of the suspicious file;
  
  determines, as part of the security program, based on the search, that the security database does not store the information indicative of the trustworthiness of the suspicious file;
  
  identifies, as part of the security program, in response to determining that the security database does not store the information indicative of the trustworthiness of the suspicious file, at least one third-party resource that;
  
  is not associated with the security program; and
  
  is at least partially responsible for developing the suspicious file; and
  
  determines, based on the third-party resource being at least partially responsible for developing the suspicious file, that the third-party resource potentially contains information about behaviors the suspicious file is expected to perform on the computing device;
  
  an information module, stored in memory, that;
  
  performs, as part of the security program, an online search for the third-party resource by identifying a server that is hosted by the third-party resource and potentially stores the information about the behaviors the suspicious file is expected to perform on the computing device; and
  
  accesses, as part of the security program, the server to obtain the information about the behaviors the suspicious file is expected to perform on the computing device;
  
  a determination module, stored in memory, that determines, as part of the security program, based at least in part on the information about the behaviors the suspicious file is expected to perform on the computing device, whether the suspicious file represents a security threat to the computing device;
  
  a security module, stored in memory, that adds, as part of the security program, information to the security database that indicates whether the suspicious file represents the security threat; and
  
  at least one processor configured to execute the detection module, the identification module, the information module, the determination module, and the security module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the detection module detects the attempt to access the suspicious file by detecting an attempt to access a file whose trustworthiness is unknown.
  - 11. The system of claim 9, wherein the identification module determines that the third-party resource is at least partially responsible for developing the suspicious file based on the third-party resource being at least one of:
    - a creator of the suspicious file;
      
      a publisher of the suspicious file; and
      
      a distributor of the suspicious file.
  - 12. The system of claim 9, wherein the information module further obtains, from the server that is hosted by the third-party resource, information indicating that the suspicious file was created with malicious intent.
  - 13. The system of claim 9, wherein the information module obtains the information about the behaviors the suspicious file is expected to perform on the computing device by crawling a web page hosted by the third-party resource.
  - 14. The system of claim 9, wherein the determination module determines whether the suspicious file represents the security threat by determining that the suspicious file represents the security threat based on determining that the information obtained from the third-party resource indicates that the suspicious file is not trustworthy;
    - andfurther comprising a security module that performs at least one security action on the suspicious file in response to determining that the suspicious file represents the security threat.
  - 15. The system of claim 9, wherein the determination module determines whether the suspicious file represents the security threat by determining that the suspicious file does not represent the security threat based on determining that the information obtained from the third-party resource indicates that the suspicious file is trustworthy;
    - andfurther comprising a security module that permits the computing device to access the suspicious file in response to determining that the suspicious file does not represent the security threat.
  - 16. The system of claim 9, wherein the security module adds the information that indicates whether the suspicious file represents the security threat to the security database by prompting a remote security service that manages the security program to generate at least one security policy associated with the suspicious file that is to be implemented on at least one additional computing device.

17. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect, by a security program on the computing device, an attempt to access at least one suspicious file;
  
  before permitting the computing device to access the suspicious file;
  
  search, by the security program, a security database utilized by the security program for information indicative of the trustworthiness of the suspicious file; and
  
  determine, by the security program, based on the search, that the security database does not store the information indicative of the trustworthiness of the suspicious file;
  
  in response to determining that the security database does not store the information indicative of the trustworthiness of the suspicious file;
  
  identify, by the security program, at least one third-party resource that;
  
  is not associated with the security program; and
  
  is at least partially responsible for developing the suspicious file;
  
  determine, based on the third-party resource being at least partially responsible for developing the suspicious file, that the third-party resource potentially contains information about behaviors the suspicious file is expected to perform on the computing device;
  
  perform, by the security program, an online search for the third-party resource by identifying a server that is hosted by the third-party resource and potentially stores the information about the behaviors the suspicious file is expected to perform on the computing device; and
  
  access, by the security program, the server to obtain the information about the behaviors the suspicious file is expected to perform on the computing device; and
  
  determine, by the security program based at least in part on the information about the behaviors the suspicious file is expected to perform on the computing device, whether the suspicious file represents a security threat to the computing device; and
  
  add, by the security program, information to the security database that indicates whether the suspicious file represents the security threat.
- View Dependent Claims (18, 19)
- - 18. The computer-readable medium of claim 17, wherein the one or more computer-readable instructions cause the computing device to detect the attempt to access the suspicious file by detecting an attempt to access a file whose trustworthiness is unknown.
  - 19. The computer-readable medium of claim 17, wherein the one or more computer-readable instructions cause the computing device to determine that the third-party resource is at least partially responsible for developing the suspicious file based on the third-party resource being at least one of:
    - a creator of the suspicious file;
      
      a publisher of the suspicious file; and
      
      a distributor of the suspicious file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
More, Priti, Agarwal, Kovid, Magar, Sujit
Primary Examiner(s)
Parsons, Theodore C
Assistant Examiner(s)
De Jesus Lassala, Carlos M

Application Number

US15/148,019
Publication Number

US 20170279819A1
Time in Patent Office

1,075 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

H04L 43/04   Processing captured monitor...

H04L 43/062   related to network traffic

H04L 63/02   for separating internal fro...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Systems and methods for obtaining information about security threats on endpoint devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for obtaining information about security threats on endpoint devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links