Methods and apparatus for malware threat research

US 10,574,630 B2
Filed: 02/13/2012
Issued: 02/25/2020
Est. Priority Date: 02/15/2011
Status: Active Grant

First Claim

Patent Images

1. A method of classifying a computer object as malware, the method comprising:

at a base computer, receiving checksum data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed;

storing said checksum data in a database;

in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, providing by the base computer to a display, information relating to a second group of plural objects including the first group of plural objects and additional objects not in the first group, and information relating to one or more checksummed attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more checksummed attributes and one or more symbols are shown, wherein the one or more symbols are assigned to the one or more values based on at least one of a uniqueness and a commonality among the one or more values of the one or more checksummed attributes of the second group of plural objects, wherein information relating to another group of plural objects comprises a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects;

displaying a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and

displaying a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed and counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers. The counted number is then compared with the expected number based on past observations, and if the comparison exceeds a predetermined threshold, the objects are flagged as unsafe or as suspicious.

Citations

22 Claims

1. A method of classifying a computer object as malware, the method comprising:
- at a base computer, receiving checksum data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed;
  
  storing said checksum data in a database;
  
  in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, providing by the base computer to a display, information relating to a second group of plural objects including the first group of plural objects and additional objects not in the first group, and information relating to one or more checksummed attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more checksummed attributes and one or more symbols are shown, wherein the one or more symbols are assigned to the one or more values based on at least one of a uniqueness and a commonality among the one or more values of the one or more checksummed attributes of the second group of plural objects, wherein information relating to another group of plural objects comprises a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects;
  
  displaying a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and
  
  displaying a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein at least one of the first and second symbols comprises a symbol having at least one of a shape and a color different than another symbol.
  - 3. The method according to claim 2, comprising:
    - identifying, by the base computer, commonality of one or more attribute values between the second group of plural objects; and
      
      refining, by the base computer, a query in accordance with said identified commonality.
  - 4. The method of claim 1, comprising creating, by the base computer, a rule from a user query if it is determined that the query is deterministic in identifying malware.
  - 5. The method of claim 1, comprising:
    - monitoring user groupings of objects along with any and all user actions taken such as classifying the objects of the second group of plural objects as being safe or unsafe; and
      
      automatically applying said groupings and actions in generating new rules for classifying objects as malware.
  - 6. The method according to claim 5, comprising applying the rule to an object at the base computer and or sending the rule to a remote computer and applying the rule to an object at the remote computer to classify the object as safe or unsafe.
  - 7. The method according to claim 6, comprising storing the classification of an object as safe or unsafe according to the rule in the database at the base computer.
  - 8. The method according to claim 7, comprising:
    - receiving, by the base computer, an indication from a remote computer that an object classified as malware by said rule is believed not to be malware; and
      
      amending or deleting, by the base computer, the rule in accordance with said indication.
  - 9. The method according to claim 1, further comprising receiving actor information pertaining to an actor object performing an act and victim information pertaining to a victim object upon which the act is being performed.
  - 10. The method according to claim 1, wherein one or more attributes correspond to an object pathname and an object filename.
  - 11. The method according to claim 1, further comprising displaying a third symbol, different from the first symbol and second symbol, when one or more values of the one or more attributes is common amongst the second group of plural objects.
  - 12. The method according to claim 1, wherein the checksum data comprises at least one of:
    - an import table, a section at the beginning of a code section, a section at the end of the code section, a section at the beginning of an entire file, and a section at the end of the entire file.

13. An apparatus, comprising:
- a base computer including network components to receive checksum data about a computer object from each of plural remote computers on which the computer object is located, the base computer including;
  
  a data store including a database;
  
  at least one processor;
  
  a display;
  
  the base computer being configured to classify a computer object as malware;
  
  the base computer being configured to store the checksum data in the database;
  
  present, on the display and in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, information relating to a second group of plural objects including the first group of plural objects and additional object in the in the first group, and information related to various checksummed attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more checksummed attributes and one or more symbols are shown, wherein the one or more symbols are assigned to the one or more values based on at least one of a uniqueness and a commonality among the one or more values of the one or more checksummed attributes of the second group of plural objects, wherein information relating to another group of plural objects comprises a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects;
  
  present, on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and
  
  present, on the display, a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The apparatus according to claim 13, wherein the information relating to a second group of plural objects is displayed in tabular form with rows of the table corresponding to objects and columns of the table corresponding to attributes of the object.
  - 15. The apparatus according to claim 13, wherein at least one of the first and second symbols comprises a symbol having a shape different than another symbol and/or a color different than another symbol.
  - 16. The apparatus according to claim 13, wherein the base computer is further configured to:
    - identify commonality in one or more attributes between objects; and
      
      refine a query in accordance with said identified commonality.
  - 17. The apparatus according to claim 13, wherein the base computer is further configured to allow the user to create a rule from a user query if it is determined that the query is deterministic in identifying malware.
  - 18. The apparatus according to claim 13, wherein the base computer is further configured to monitor user groupings of objects along with any and all user actions taken such as classifying the objects of the second group as being safe or unsafe;
    - andto automatically apply said groupings and actions in generating new rules for classifying objects as malware.
  - 19. The apparatus according to claim 18, wherein the base computer is further configured to apply the rule to an object at the base computer to classify the object as safe or unsafe, and or arranged to send the rule to a remote computer such that the remote computer can apply the rule to an object at the remote computer.
  - 20. The apparatus of claim 19, wherein the base computer is further configured to store the classification of an object as safe or unsafe according to the rule in the database.
  - 21. The apparatus according to claim 20, wherein the base computer is further configured to receive an indication from a remote computer that an object classified as malware by the rule is believed not to be malware;
    - and to amend or delete the rule in accordance with the indication.
  - 22. The apparatus according to claim 13, wherein one or more attributes correspond to an object pathname and an object filename.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Morris, Melvyn, Jaroch, Joseph
Primary Examiner(s)
Feild, Lynn D
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US13/372,433
Publication Number

US 20120266208A1
Time in Patent Office

2,934 Days
Field of Search

726 1, 726 22- 25
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0263   Rule management

H04L 63/14   for detecting or protecting...

H04L 63/145   the attack involving the pr...

Methods and apparatus for malware threat research

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for malware threat research

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links