Methods and apparatus for malware threat research
First Claim
1. A method of classifying a computer object as malware, the method comprising:
at a base computer, receiving checksum data about a computer object from each of plural remote computers on which the object or similar objects are stored and/or processed;
storing said checksum data in a database;
in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, providing by the base computer to a display, information relating to a second group of plural objects including the first group of plural objects and additional objects not in the first group, and information relating to one or more checksummed attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more checksummed attributes and one or more symbols are shown, wherein the one or more symbols are assigned to the one or more values based on at least one of a uniqueness and a commonality among the one or more values of the one or more checksummed attributes of the second group of plural objects, wherein information relating to another group of plural objects comprises a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects;
displaying a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and
displaying a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects.
Abstract
Methods for classifying computer objects as malware, and the associated apparatus, are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and/or processed, and counting the number of times, in a given time period, that objects having one or more common attributes or behaviors have been seen by the remote computers. The counted number is then compared with the number expected from past observations, and if the comparison exceeds a predetermined threshold the objects are flagged as unsafe or as suspicious.
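The two mechanisms this page describes, the attribute/symbol view of claims 1 and 13 (a selected first group is widened to a second group, each checksummed attribute value is marked unique or common within that group, and known-good, known-malware and unknown counts are shown) and the abstract's sighting-rate test (current-window count compared with what past windows predict), are modelled below in one small Python example. This is added illustrative code, not the patent's own implementation or any product's; the class and method names, the "!" and "=" glyphs used as the first and second symbols, the 24-hour window, the threshold of 5, the floor of 1 on the expected count, and all report data are assumptions constructed for the example.

```python
"""Toy model of the patent's base computer: remote computers report checksum data
about objects; the base computer stores it, builds the attribute/symbol view of a
selected group (claims 1 and 13) and flags attribute values whose sighting count in
the current window exceeds what past windows predict (abstract).
All names, parameters and data here are assumptions made for this example."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean

UNIQUE, COMMON = "!", "="   # assumed glyphs for the claims' first and second symbol


@dataclass
class Report:
    remote_id: str   # which remote computer sent the checksum data
    obj: str         # checksum of the object itself
    attrs: dict      # checksummed attributes, e.g. {"imports": "i1", "packer": "p1"}
    seen_at: int     # observation time in hours (constructed clock)


class BaseComputer:
    def __init__(self):
        self.db = []          # stored checksum data (the "database")
        self.verdicts = {}    # obj checksum -> "good" | "malware"; absent = unknown

    def receive(self, report):
        self.db.append(report)

    def objects(self):
        """Distinct objects and their attributes (one hash reported by many remotes is one object)."""
        return {r.obj: r.attrs for r in self.db}

    def verdict(self, obj):
        return self.verdicts.get(obj, "unknown")

    def select(self, attr, value):
        """First group: objects sharing one attribute value (the analyst's selection)."""
        return {o for o, a in self.objects().items() if a.get(attr) == value}

    def expand(self, first_group, pivot):
        """Second group: the first group plus objects outside it that share any
        value of `pivot` with a member of the first group."""
        objs = self.objects()
        pivot_values = {objs[o].get(pivot) for o in first_group} - {None}
        return first_group | {o for o, a in objs.items() if a.get(pivot) in pivot_values}

    def attribute_view(self, group):
        """Per attribute value among `group`: UNIQUE if exactly one member carries it,
        COMMON otherwise, plus counts of known-good, known-malware and unknown carriers."""
        objs = self.objects()
        rows = {}
        for o in group:
            for attr, value in objs[o].items():
                rows.setdefault((attr, value), Counter())[self.verdict(o)] += 1
        return {key: (UNIQUE if sum(c.values()) == 1 else COMMON,
                      c["good"], c["malware"], c["unknown"]) for key, c in rows.items()}

    def group_summary(self, group):
        """(known-good, known-malware, unknown) counts for a group of objects."""
        c = Counter(self.verdict(o) for o in group)
        return c["good"], c["malware"], c["unknown"]

    def sightings(self, attr, value, start, end):
        """Number of reports in [start, end) of objects carrying attr == value."""
        return sum(1 for r in self.db if r.attrs.get(attr) == value and start <= r.seen_at < end)

    def is_suspicious(self, attr, value, now, window=24, history=3, threshold=5.0):
        """Abstract's test: current window count versus the mean of the previous
        `history` windows. The expected count is floored at 1 so a value never seen
        before cannot divide by zero; that floor (and the threshold) is a design choice."""
        current = self.sightings(attr, value, now - window, now)
        past = [self.sightings(attr, value, now - (i + 1) * window, now - i * window)
                for i in range(1, history + 1)]
        return current / max(mean(past), 1.0) > threshold


def build_sample():
    """Constructed data: five objects, a steady packer 'p1' and a sudden burst of 'p9'."""
    bc = BaseComputer()
    catalogue = {
        "h_a": {"imports": "i1", "packer": "p1"},
        "h_b": {"imports": "i1", "packer": "p1"},
        "h_c": {"imports": "i2", "packer": "p1"},
        "h_d": {"imports": "i3", "packer": "p2"},
        "h_e": {"imports": "i1", "packer": "p9"},
    }
    bc.verdicts.update({"h_a": "good", "h_c": "malware"})
    for day in range(4):   # p1 baseline: two sightings in every 24h window
        bc.receive(Report("r1", "h_a", catalogue["h_a"], day * 24 + 1))
        bc.receive(Report("r2", "h_b", catalogue["h_b"], day * 24 + 2))
    bc.receive(Report("r3", "h_c", catalogue["h_c"], 90))
    bc.receive(Report("r4", "h_d", catalogue["h_d"], 91))
    for n in range(20):    # p9: never seen before, then twenty remotes report it at once
        bc.receive(Report(f"r{100 + n}", "h_e", catalogue["h_e"], 80 + n % 10))
    return bc


if __name__ == "__main__":
    bc = build_sample()
    second = bc.expand(bc.select("packer", "p1"), "imports")
    for key, row in sorted(bc.attribute_view(second).items()):
        print(key, row)
    print("group good/malware/unknown:", bc.group_summary(second))
    print("p9 suspicious:", bc.is_suspicious("packer", "p9", now=96))
```

Selecting every object packed with `p1` and pivoting on the imports checksum pulls in `h_e`, which shares an import hash with the selection but uses the never-before-seen packer `p9`; that value is marked unique within the widened group and, because twenty remotes reported it in the current window against a past mean of zero, the rate test flags it while the steady `p1` population does not. The cold-start floor on the expected count is the caveat a practitioner should tune: with a floor of 1, any value that appears more than `threshold` times in its first window is flagged, which is the intended behaviour for a burst but will also fire on legitimately new software rollouts.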
22 Claims
1. Independent claim; text as given above under First Claim. Dependent claims 2 through 12 depend from claim 1.
13. An apparatus, comprising:
a base computer including network components to receive checksum data about a computer object from each of plural remote computers on which the computer object is located, the base computer including a data store including a database, at least one processor, and a display;
the base computer being configured to classify a computer object as malware;
the base computer being configured to store the checksum data in the database;
present, on the display and in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, information relating to a second group of plural objects including the first group of plural objects and additional objects not in the first group, and information related to various checksummed attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more checksummed attributes and one or more symbols are shown, wherein the one or more symbols are assigned to the one or more values based on at least one of a uniqueness and a commonality among the one or more values of the one or more checksummed attributes of the second group of plural objects, wherein information relating to another group of plural objects comprises a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects;
present, on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and
present, on the display, a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects.
Dependent claims 14 through 22 depend from claim 13.