Method and system for detecting malicious code

US 10,511,617 B2
Filed: 12/31/2015
Issued: 12/17/2019
Est. Priority Date: 05/27/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious code by a server storing a file reputation scoring policy and a plurality of malicious code detectors having different types of malicious code detection, the method comprising:

receiving, by the server, a testing sample sent by a client computer from a network, wherein the file reputation scoring policy associates each of the plurality of malicious code detectors with at least one type of malicious code each corresponding to a credibility scale and a reputation value, the file reputation scoring policy recording each type of the plurality of malicious code detectors, at least one type of malicious code detected by each type of the plurality of malicious code detectors, and the credibility scale and the reputation value of the at least one type of malicious code detected by each type of the plurality of malicious code detectors;

testing, by the server, the testing sample with the plurality of malicious code detectors to acquire a plurality of testing results;

comparing, by the server, the plurality of testing results with the type of malicious code recorded in the file reputation scoring policy;

dismissing, by the server, testing results which do not match the type of malicious code recorded in the file reputation scoring policy;

determining, by the server, the credibility scale and the reputation value for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on the file reputation scoring policy, the credibility scale indicating whether the testing result is malicious, and the reputation value indicating a quantified trust level corresponding to the credibility scale; and

determining, by the server, a final detection result of the testing sample based on the respective determined credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy, wherein the determining the final detection result of the testing sample based on the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy comprises;

processing the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on a decision policy for the credibility scale and the reputation value to obtain the final detection result of the testing sample, wherein the credibility scale comprises any one of;

black, white, gray, suspected black and suspected white, wherein black represents the testing sample being malicious, white represents the testing sample being safe, gray represents being uncertain, suspected black represents the sample being potentially malicious, and suspected white represents the testing sample being potentially safe,wherein the decision policy comprises;

in response to the determination that the testing results are suspected black, the final detection result of the testing sample is determined to be black when a sum of the reputation values of the testing results is above a first preset threshold, otherwise the final detection result of the testing sample is determined to be gray;

in response to the determination that the testing results are suspected white, the final detection result of the testing sample is determined to be white when a sum of the reputation values of the testing results is above a second preset threshold, otherwise the final detection result of the testing sample is determined to be gray, andin response to the determination that a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are suspected black while the rest are suspected white, the test result with higher reputation between the testing result of suspected black and the testing result of suspected white is determined as the final detection result of the testing sample, a difference between the reputation value of the testing result of suspected black and the reputation value of the testing result of suspected white being above a third preset threshold, otherwise the final detection result of the testing sample is determined to be gray;

providing, by the server, the final detection result of the testing sample to the client computer;

obtaining, by the server, false positive rates of respective types of the malicious code detectors according to the final detection result, different types of the malicious code detectors having different testing approaches; and

setting, by the server, the reputation values of respective types of the malicious code detectors in the file reputation scoring policy based on the false positive rates of respective types of the malicious code detectors.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present application discloses a method and a system for detecting malicious code. The method comprises receiving a testing sample; testing the sample with a plurality of malicious code detectors to obtain a plurality of testing results; determining a credibility scale and a reputation value of each of the testing results, wherein the credibility scale indicates whether the testing result is malicious or safe, and the reputation value indicates a quantified trust level corresponding to the credibility scale; and determining a final detection result of the testing sample based on the determined credibility scales and the reputation values of the testing results. According to the technical solution of the present application, the testing results obtained from various malicious code detectors are rationally utilized to improve the testing accuracy for the malicious code.

Citations

9 Claims

1. A method for detecting malicious code by a server storing a file reputation scoring policy and a plurality of malicious code detectors having different types of malicious code detection, the method comprising:
- receiving, by the server, a testing sample sent by a client computer from a network, wherein the file reputation scoring policy associates each of the plurality of malicious code detectors with at least one type of malicious code each corresponding to a credibility scale and a reputation value, the file reputation scoring policy recording each type of the plurality of malicious code detectors, at least one type of malicious code detected by each type of the plurality of malicious code detectors, and the credibility scale and the reputation value of the at least one type of malicious code detected by each type of the plurality of malicious code detectors;
  
  testing, by the server, the testing sample with the plurality of malicious code detectors to acquire a plurality of testing results;
  
  comparing, by the server, the plurality of testing results with the type of malicious code recorded in the file reputation scoring policy;
  
  dismissing, by the server, testing results which do not match the type of malicious code recorded in the file reputation scoring policy;
  
  determining, by the server, the credibility scale and the reputation value for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on the file reputation scoring policy, the credibility scale indicating whether the testing result is malicious, and the reputation value indicating a quantified trust level corresponding to the credibility scale; and
  
  determining, by the server, a final detection result of the testing sample based on the respective determined credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy, wherein the determining the final detection result of the testing sample based on the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy comprises;
  
  processing the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on a decision policy for the credibility scale and the reputation value to obtain the final detection result of the testing sample, wherein the credibility scale comprises any one of;
  
  black, white, gray, suspected black and suspected white, wherein black represents the testing sample being malicious, white represents the testing sample being safe, gray represents being uncertain, suspected black represents the sample being potentially malicious, and suspected white represents the testing sample being potentially safe,wherein the decision policy comprises;
  
  in response to the determination that the testing results are suspected black, the final detection result of the testing sample is determined to be black when a sum of the reputation values of the testing results is above a first preset threshold, otherwise the final detection result of the testing sample is determined to be gray;
  
  in response to the determination that the testing results are suspected white, the final detection result of the testing sample is determined to be white when a sum of the reputation values of the testing results is above a second preset threshold, otherwise the final detection result of the testing sample is determined to be gray, andin response to the determination that a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are suspected black while the rest are suspected white, the test result with higher reputation between the testing result of suspected black and the testing result of suspected white is determined as the final detection result of the testing sample, a difference between the reputation value of the testing result of suspected black and the reputation value of the testing result of suspected white being above a third preset threshold, otherwise the final detection result of the testing sample is determined to be gray;
  
  providing, by the server, the final detection result of the testing sample to the client computer;
  
  obtaining, by the server, false positive rates of respective types of the malicious code detectors according to the final detection result, different types of the malicious code detectors having different testing approaches; and
  
  setting, by the server, the reputation values of respective types of the malicious code detectors in the file reputation scoring policy based on the false positive rates of respective types of the malicious code detectors.
- View Dependent Claims (2, 3, 9)
- - 2. The method of claim 1, further comprising:
    - assigning the credibility scale and the reputation value to the testing result matching the type of malicious code recorded in the file reputation scoring policy.
  - 3. The method of claim 1, wherein the decision policy for the credibility scale and the reputation value further comprises at least one of:
    - if the plurality of testing results are gray, the final detection result of the testing sample is determined to be gray;
      
      if the plurality of testing results are black, the final detection result of the testing sample is determined to be black;
      
      if the plurality of testing results are white, the final detection result of the testing sample is determined to be white;
      
      if a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are black while the rest are white, and collision priorities of the testing results are not identical, the final detection result of the testing sample is determined to be identical to the testing result with the highest priority;
      
      if a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are black while the rest are white, and the collision priorities of the testing results are identical, the final detection result of the testing sample is determined to be gray;
      
      if a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are black while the rest are suspected white, the final detection result of the testing sample is determined to be black; and
      
      if a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are white while the rest are suspected black, the final detection result of the testing sample is determined to be white.
  - 9. The method of claim 1, wherein the file reputation scoring policy is a table recording each type of the plurality of malicious code detectors, the at least one type of malicious code detected by each type of the plurality of malicious code detectors, and the credibility scale and the reputation value of the at least one type of malicious code detected by each type of the plurality of malicious code detectors.

4. A system for detecting malicious code, the system comprising:
- a cloud-based detecting server for receiving a testing sample sent by a client computer from a network, the cloud-based detecting server being coupled to the client computer and the network, providing a final detection result of the testing sample to the client computer, obtaining false positive rates of respective types of the malicious code detectors according to the final detection result, setting the reputation values of respective types of the malicious code detectors in the file reputation scoring policy based on the false positive rates of respective types of the malicious code detectors, wherein the server stores the malicious code detectors having different types of malicious code detection and the file reputation scoring policy associating each of a plurality of malicious code detectors with at least one type of malicious code each corresponding to the credibility scale and a reputation value, the file reputation scoring policy recording each type of the malicious code detectors, at least one type of malicious code detected by each type of the plurality of malicious code detectors, and the credibility scale and the reputation value of the at least one type of malicious code detected by each type of the plurality of malicious code detectors;
  
  the client computer;
  
  the plurality of malicious code detectors, including computer readable instructions for receiving the testing sample from the cloud-based detecting server and testing the testing sample to acquire a plurality of testing results;
  
  a file reputation decider for comparing the plurality of testing results with the type of malicious code recorded in the file reputation scoring policy, dismissing testing results which do not match the type of malicious code recorded in the file reputation scoring policy, determining a credibility scale and the reputation value for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy and determining a final detection result of the testing sample for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on the credibility scales and the reputation values of the testing results, wherein the credibility scale indicates whether the testing result is malicious, and the reputation value indicates a quantified trust level corresponding to the credibility scale, wherein the file reputation decider comprises a decision unit for processing the respective credibility scales and the respective reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on a decision policy for the credibility scale and the reputation value to obtain the final detection result of the testing sample, wherein the credibility scale comprises any one of;
  
  black, white, gray, suspected black and suspected white, wherein black represents the testing sample being malicious, white represents the testing sample being safe, gray represents being uncertain, suspected black represents the sample being potentially malicious, and suspected white represents the testing sample being potentially safe;
  
  wherein the decision policy comprises;
  
  in response to the determination that the testing results are suspected black, the final detection result of the testing sample is determined to be black when a sum of the reputation values of the testing results is above a first preset threshold, otherwise the final detection result of the testing sample is determined to be gray,in response to the determination that the testing results are suspected white, the final detection result of the testing sample is determined to be white when a sum of the reputation values of the testing results is above a second preset threshold, otherwise the final detection result of the testing sample is determined to be gray, andin response to the determination that a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are suspected black while the rest are suspected white, the test result with higher reputation between the testing result of suspected black and the testing result of suspected white is determined as the final detection result of the testing sample, a difference between the reputation value of the testing result of suspected black and the reputation value of the testing result of suspected white being above a third preset threshold, otherwise the final detection result of the testing sample is determined to be gray; and
  
  ,a determination unit for determining the credibility scale and the reputation value of the testing result for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on the file reputation scoring policy.
- View Dependent Claims (5, 6)
- - 5. The system of claim 4, wherein the determination unit is further configured to:
    - assign the credibility scale and the reputation value to the testing result matching the type of malicious code recorded in the file reputation scoring policy.
  - 6. The system of claim 4, wherein the decision policy of the credibility scale and the reputation value further comprises at least one of:
    - if the plurality of testing results are gray, the final detection result of the testing sample is determined to be gray;
      
      if the plurality of testing results are black, the final detection result of the testing sample is determined to be black;
      
      if the plurality of testing results are white, the final detection result of the testing sample is determined to be white;
      
      if a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are black while the rest are white, and collision priorities of the testing results are not identical, the final detection result of the testing sample is determined to be identical to the testing result with the highest priority;
      
      if a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are black while the rest are white, and the collision priorities of the testing results are identical, the final detection result of the testing sample is determined to be gray;
      
      if a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are black while the rest are suspected white, the final detection result of the testing sample is determined to be black; and
      
      if a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are white while the rest are suspected black, the final detection result of the testing sample is determined to be white.

7. An apparatus comprising, a memory and a processor, the memory storing computer code, a file reputation scoring policy and a plurality of malicious code detectors having different types of malicious code detection and the processor being configured to execute the computer code to implement a method comprising:
- receiving a testing sample sent by a client computer from a network, the apparatus being coupled to the client computer and the network, wherein the file reputation scoring policy associates each of the plurality of malicious code detectors with at least one type of malicious code each corresponding to a credibility scale and a reputation value, the file reputation scoring policy recording each type of the plurality of malicious code detectors, at least one type of malicious code detected by each type of the plurality of malicious code detectors, and the credibility scale and the reputation value of the at least one type of malicious code detected by each type of the plurality of malicious code detectors;
  
  testing the testing sample with the plurality of malicious code detectors to acquire a plurality of testing results;
  
  comparing, by the server, the plurality of testing results with the type of malicious code recorded in the file reputation scoring policy;
  
  dismissing, by the server, testing results which do not match the type of malicious code recorded in the file reputation scoring policy;
  
  determining the credibility scale and the reputation value for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on the file reputation scoring policy, the credibility scale indicating whether the testing result is malicious, and the reputation value indicating a quantified trust level corresponding to the credibility scale;
  
  determining a final detection result of the testing sample based on the respective determined credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy, wherein the determining the final detection result of the testing sample based on the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy comprises;
  
  processing the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy, based on a decision policy for the credibility scale and the reputation value to obtain the final detection result of the testing sample, wherein the credibility scale comprises any, one of;
  
  black, white, gray, suspected black and suspected white, wherein black represents the testing sample being malicious, white represents the testing sample being safe, gray represents being uncertain, suspected black represents the sample being potentially malicious, and suspected white represents the testing sample being potentially safe,wherein the decision policy comprises;
  
  in response to the determination that the testing results are suspected black, the final detection result of the testing sample is determined to be black when a sum of the reputation values of the testing results is above a first preset threshold, otherwise the final detection result of the testing sample is determined to be gray,in response to the determination that the testing results are suspected white, the final detection result of the testing sample is determined to be white when a sum of the reputation values of the testing results is above a second preset threshold, otherwise the final detection result of the testing sample is determined to be gray, andin response to the determination that a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are suspected black while the rest are suspected white, the test result with higher reputation between the testing result of suspected black and the testing result of suspected white is determined as the final detection result of the testing sample, a difference between the reputation value of the testing result of suspected black and the reputation value of the testing result of suspected white being above a third preset threshold, otherwise the final detection result of the testing sample is determined to be gray;
  
  providing, by the server, the final detection result of the testing sample to the client computer;
  
  obtaining, by the server, false positive rates of respective types of the malicious code detectors according to the final detection result, different types of the malicious code detectors having different testing approaches; and
  
  setting, by the server, the reputation values of respective types of the malicious code detectors in the file reputation scoring policy based on the false positive rates of respective types of the malicious code detectors.
- View Dependent Claims (8)
- - 8. The apparatus of claim 7, wherein the determining the credibility scale and the reputation value based on the file reputation scoring policy comprises:
    - assigning the credibility scale and the reputation value to the testing result matching the type of malicious code recorded in the file reputation scoring policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Baidu Netcom Science and Technology Company Limited (Baidu Incorporated)
Original Assignee
Iyuntian Co., Ltd.
Inventors
Zou, Rongxin, Mei, Yinming, Yao, Jun
Primary Examiner(s)
Kabir, Jahangir

Application Number

US14/985,927
Publication Number

US 20160352763A1
Time in Patent Office

1,447 Days
Field of Search

726 24
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Method and system for detecting malicious code

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting malicious code

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links