Anti-malware device, anti-malware system, anti-malware method, and recording medium in which anti-malware program is stored

US 10,482,240 B2
Filed: 01/21/2016
Issued: 11/19/2019
Est. Priority Date: 01/29/2015
Status: Active Grant

First Claim

Patent Images

1. An anti-malware device comprising:

a storage to store risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device;

a memory that stores a set of instructions; and

at least one processor configured to execute the set of instructions to;

collect the value indicating the attribution of the first information processing device from outside;

collect the value indicating the attribution of the software from outside; and

determine that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected; and

transfer the software to a second information processing device when it is determined thatthe software is malware, and then cause the second information processing device to execute the software.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anti-malware device 50 includes: a risk information storage unit 51 in which risk information 510 is stored, in which there are associated a value indicating an attribution of an information processing device 60 for executing software 600, a value indicating an attribution of the software 600, and a value that indicates the degree of risk when the software 600 is executed; a subject attribution collection unit 53 for collecting the value indicating the attribution of the information processing device 60; an object attribution collection unit 54 for collecting the value indicating the attribution of the software 600; and a determination unit 55 for determining that the software 600 is malware when the value indicating the degree of risk obtained by comparing the risk information 510 and the values collected by the subject attribution collection unit 53 and object attribution collection unit 54 satisfies a criterion.

Citations

18 Claims

1. An anti-malware device comprising:
- a storage to store risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device;
  
  a memory that stores a set of instructions; and
  
  at least one processor configured to execute the set of instructions to;
  
  collect the value indicating the attribution of the first information processing device from outside;
  
  collect the value indicating the attribution of the software from outside; and
  
  determine that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected; and
  
  transfer the software to a second information processing device when it is determined thatthe software is malware, and then cause the second information processing device to execute the software.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The anti-malware device according to claim 1, wherein the at least one processor is configured further to:
    - collect information indicating an internal state from the second information processing device after the software transfers to the second information processing device and before the second information processing device is caused to execute the software.
  - 3. The anti-malware device according to claim 2, wherein the at least one processor is configured further to:
    - transfer the software to the second information processing device being a virtual machine, andcollect a snapshot of the second information processing device before the second information processing device is caused to execute the software.
  - 4. The anti-malware device according to claim 2, wherein the at least one processor is configured further to:
    - collect information indicating an operation of the software being executed by the second information processing device and store the collected information into the storage as the risk information.
  - 5. The anti-malware device according to claim 4, wherein the at least one processor is configured further to:
    - collect at least one of an IP address of a communication destination device, a communication frequency, an argument of a system call, and a frequency of the system call, as the information indicating the operation of the software being executed by the second information processing device.
  - 6. The anti-malware device according to claim 1, wherein the at least one processor is configured further to:
    - collect the risk information from an accessible external device via a communication network connected in a communicable manner, and store the collected risk information into the storage.
  - 7. The anti-malware device according to claim 1, wherein the at least one processor is configured further to:
    - collect an IP address assigned to the first information processing device from the first information processing device.
  - 8. The anti-malware device according to claim 7, whereinthe storage stores the risk information in which the IP address assigned to the first information processing device is associated with an identifier capable of identifying an organization which owns the first information processing device or in which the first information processing device is installed.
  - 9. The anti-malware device according to claim 8, whereinthe storage stores the risk information in which there are associated the identifier capable of identifying the organization which owns the first information processing device or by which the first information processing device is installed, information relating to the development source which developed the software, and the value indicating the degree of risk.
  - 10. The anti-malware device according to claim 1, wherein the at least one processor is configured further to:
    - collect a hash value obtained by inputting a binary code of the software to a hash function.
  - 11. The anti-malware device according to claim 10, whereinthe storage stores the risk information in which the hash value is associated with information relating to a development source which developed the software.
  - 12. The anti-malware device according to claim 1, whereinthe storage stores the risk information in which a content of a security policy applied to the first information processing device is associated with a value indicating the degree of risk when an operation that is non-conforming to the security policy is performed at a time when the first information processing device executes the software.
  - 13. The anti-malware device according to claim 1, whereinthe storage stores the risk information in which the value indicating the degree of risk is associated with information indicating a content of an event occurring when the first information processing device executes the software.

14. An anti-malware system comprising:
- an anti-malware device including;
  
  a storage to store risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device;
  
  a memory that stores a set of instruction;
  
  and at least one processor configured to execute the set of instructions to;
  
  collect the value indicating the attribution of the first information processing device from outside;
  
  collect the value indicating the attribution of the software from outside; and
  
  determine that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected; and
  
  transfer the software to a second information processing device when it is determined that the software is malware, and then cause the second information processing device to execute the software; and
  
  the first information processing device and the second information processing device.

15. An anti-malware method comprising, when storage stores risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device:
- by a third information processing device comprising a memory that stores a set of instructions and at least one processor configured to execute the set of instructions,collecting the value indicating the attribution of the first information processing device from outside;
  
  collecting the value indicating the attribution of the software from outside;
  
  determining that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected, indicating the attribution of the first information processing device and the attribution of the software; and
  
  transferring the software to a second information processing device when it is determined that the software is malware, and then causing the second information processing device to execute the software.
- View Dependent Claims (16)
- - 16. The anti-malware method according to claim 15, whereininformation indicating an internal state is collected from the second information processing device after the software is transferred to the second information processing device and before the second information processing device is caused to execute the software.

17. A non-transitory computer readable recording medium storing an anti-malware program for causing a computer accessible to storage for storing risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device, to execute:
- a process of collecting the value indicating the attribution of the first information processing device from outside;
  
  a process of collecting the value indicating the attribution of the software from outside;
  
  a process of determining that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected in the subject attribution collection process and the object attribution collection process; and
  
  a process of transferring the software to a second information processing device when it is determined that the software is malware and then causing the second information processing device to execute the software.
- View Dependent Claims (18)
- - 18. The non-transitory computer readable recording medium storing the anti-malware program according to claim 17, further causing the computer to executean internal state collection process of collecting information indicating an internal state from the second information processing device after the software is transferred to the second information processing device and before the second information processing device is caused to execute the software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Kawakita, Masaru
Primary Examiner(s)
Su, Sarah

Application Number

US15/543,599
Publication Number

US 20180004939A1
Time in Patent Office

1,398 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/57   Certifying or maintaining t...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

Anti-malware device, anti-malware system, anti-malware method, and recording medium in which anti-malware program is stored

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Anti-malware device, anti-malware system, anti-malware method, and recording medium in which anti-malware program is stored

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links