System and method for detection of malicious data encryption programs

US 10,375,086 B2
Filed: 11/25/2015
Issued: 08/06/2019
Est. Priority Date: 09/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detection of malicious encryption programs, the method comprising:

intercepting a file operation request from a client device on a file stored on a server;

responsive to intercepting the file operation request, creating and saving a backup copy of the file at the server;

collecting information about at least the client device, the requested file and the file operation request, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file;

determining based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation request on the server;

when the file operation request came from an unknown encryption program, calculating, by a hardware processor, a difference between a first entropy of a header of the file before the execution of the file operation request and a second entropy of a header of the data that the file operation request is attempting to write in place of the file;

when the difference is below a threshold, allowing the file operation request of the unknown encryption program on the file to be performed on the server and deleting the backup copy of the file, otherwise blocking a connection between the client device and the server and restoring the backup copy of the file at the server; and

sending information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detection of malicious encryption programs, the method comprising: intercepting, at a server, a file operation request from a client on a file stored on the server; collecting information about at least the requested file and the requested operation; determining, by a hardware processor of the server, based on the collected information, whether the file operation request came from a known malicious encryption program; when the file operation request came from an unknown program, then calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file; and calculating, by the hardware processor, a difference between the calculated entropies; when the difference is below a threshold, allowing the requested operation on the file; and when the difference is above the threshold, denying the requested operation on the file.

Citations

18 Claims

1. A method for detection of malicious encryption programs, the method comprising:
- intercepting a file operation request from a client device on a file stored on a server;
  
  responsive to intercepting the file operation request, creating and saving a backup copy of the file at the server;
  
  collecting information about at least the client device, the requested file and the file operation request, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file;
  
  determining based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation request on the server;
  
  when the file operation request came from an unknown encryption program, calculating, by a hardware processor, a difference between a first entropy of a header of the file before the execution of the file operation request and a second entropy of a header of the data that the file operation request is attempting to write in place of the file;
  
  when the difference is below a threshold, allowing the file operation request of the unknown encryption program on the file to be performed on the server and deleting the backup copy of the file, otherwise blocking a connection between the client device and the server and restoring the backup copy of the file at the server; and
  
  sending information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein intercepting a request to access a file stored on the server includes, intercepting the request by a file system driver filter.
  - 3. The method of claim 1, wherein intercepting a request to access a file stored on the server includes, intercepting a system function call and one or more parameters of the call.
  - 4. The method of claim 1, wherein collecting information about the requested file and the file operation request further includes, collecting one or more of:
    - type of the file operation request, and an application programming interface (API) function called.
  - 5. The method of claim 1, wherein, when the file operation request came from a known malicious encryption program, denying the file operation request on the file.
  - 6. The method of claim 1, wherein calculating entropies of at least a portion of the file includes, calculating entropies of at least portions of file headers before and after the execution of the requested operation on the file.

7. A system for detection of malicious encryption programs, the system comprising:
- a server having a hardware processor configured to;
  
  intercept a file operation request from a client device on a file stored on the server;
  
  responsive to intercepting the file operation request, create and save a backup copy of the file at the server;
  
  collect information about at least the client device, the requested file and the file operation request, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file;
  
  determine based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation request on the server;
  
  when the file operation request came from an unknown encryption program, calculate a difference between a first entropy of a header of the file before the execution of the file operation request and a second entropy of a header of the data that the file operation request is attempting to write in place of the file;
  
  when the difference is below a threshold, allow the file operation request of the encryption program on the file to be performed on the server and deleting the backup copy of the file, otherwise;
  
  block a connection between the client device and the server and restore the backup copy of the file at the server; and
  
  send information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein, to intercept the request to access a file stored on the server, the processor is further configured to intercept the request by a file system driver filter.
  - 9. The system of claim 7, wherein, to intercept the request to access a file stored on the server, the processor is further configured to intercept a system function call and one or more parameters of the call.
  - 10. The system of claim 7, wherein, to collect the information about the requested file and the file operation request, the processor is further configured to collect one or more of:
    - type of the file operation request, and an application programming interface (API) function called.
  - 11. The system of claim 7, wherein the processor is further configured to deny the file operation request on the file when the file operation request came from a known malicious encryption program.
  - 12. The system of claim 7, wherein, to calculate the entropies of at least a portion of the file, the processor is further configured to calculate entropies of at least portions of file headers before and after the execution of the requested operation on the file.

13. A non-transitory computer readable medium storing computer executable instructions for detection of malicious encryption programs, including instructions for:
- intercepting a file operation request from a client device on a file stored on a server;
  
  responsive to intercepting the file operation request, creating and saving a backup copy of the file at the server;
  
  collecting information about at least the client device, the requested file and the requested operation, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file;
  
  determining, based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file requested operation on the server;
  
  when the file operation request came from an unknown encryption program, calculating a difference between a first entropy of a header of the file before the execution of the requested operation and a second entropy of a header of the data that the file operation request is attempting to write in place of the file;
  
  when the difference is below a threshold, allowing the requested operation of the encryption program on the file to be performed on the server and deleting the backup copy of the file, otherwise;
  
  blocking a connection between the client device and the server and restoring the backup copy of the file at the server; and
  
  sending information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, and wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer readable medium of claim 13, wherein intercepting a request to access a file stored on the server includes, intercepting the request by a file system driver filter.
  - 15. The non-transitory computer readable medium of claim 13, wherein intercepting a request to access a file stored on the server includes, intercepting a system function call and one or more parameters of the call.
  - 16. The non-transitory computer readable medium of claim 13, wherein collecting information about the requested file and the file operation request includes, collecting one or more of:
    - type of the requested file operation request, and an application programming interface (API) function called.
  - 17. The non-transitory computer readable medium of claim 13, wherein, when the file operation request came from a known malicious encryption program, denying the file operation request on the file.
  - 18. The non-transitory computer readable medium of claim 13, wherein calculating entropies of at least a portion of the file includes, calculating entropies of at least portions of file headers before and after the execution of the requested operation on the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Ovcharik, Vladislav I., Bykov, Oleg G.
Primary Examiner(s)
Lemma, Samson B
Assistant Examiner(s)
Golriz, Arya

Application Number

US14/951,970
Publication Number

US 20170093886A1
Time in Patent Office

1,350 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 9/002   Countermeasures against att...

System and method for detection of malicious data encryption programs

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detection of malicious data encryption programs

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links