OBTAINING NETWORK ORIGINS OF POTENTIAL SOFTWARE THREATS

US 20080034434A1
Filed: 07/30/2007
Published: 02/07/2008
Est. Priority Date: 08/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method of obtaining the network origin of a downloaded entity of interest, the method including the steps of, in a processing system:

recording the network locations of at least some files downloaded to the processing system;

recording the physical locations of the at least some files stored in one or more storage devices of the processing system;

identifying an entity of interest in the processing system;

searching the recorded network locations and the recorded physical locations for the network location and the physical location of the entity of interest; and

, if the network location and the physical location of the entity of interest is identified, transmitting the network location and the physical location of the entity of interest to a remote processing system.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method/system/computer program for obtaining the network origin of a downloaded entity of interest (e.g. a threat or malicious software). The method includes recording the network locations of at least some files downloaded to a processing system and recording the physical locations of the at least some files stored in one or more storage devices of the processing system. Then, identifying an entity of interest in the processing system and searching the recorded network locations and the recorded physical locations for the network location and the physical location of the entity of interest. Then, if the network location and the physical location of the entity of interest is identified, transmitting the network location and the physical location of the entity of interest to a remote processing system.

Citations

20 Claims

1. A method of obtaining the network origin of a downloaded entity of interest, the method including the steps of, in a processing system:
- recording the network locations of at least some files downloaded to the processing system;
  
  recording the physical locations of the at least some files stored in one or more storage devices of the processing system;
  
  identifying an entity of interest in the processing system;
  
  searching the recorded network locations and the recorded physical locations for the network location and the physical location of the entity of interest; and
  
  , if the network location and the physical location of the entity of interest is identified, transmitting the network location and the physical location of the entity of interest to a remote processing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as claimed in claim 1, further including the step of recording at least some of the events performed in the processing system by the at least some files downloaded to the processing system.
  - 3. The method as claimed in claim 1, further including the step of searching the recorded network locations and the recorded physical locations for the network location and the physical location of any files downloaded by the entity of interest.
  - 4. The method as claimed in claim 1, further including the step of searching the recorded network locations and the recorded physical locations for the network location and the physical location of a file which downloaded or created the entity of interest.
  - 5. The method as claimed in claim 1, wherein a network location is a Uniform Resource Locator (URL).
  - 6. The method as claimed in claim 1, wherein the network locations of all files downloaded to the processing system are recorded.
  - 7. The method as claimed in claim 1, wherein the network locations of files of at least one type downloaded to the processing system are recorded.
  - 8. The method as claimed in claim 7, wherein a type of file is from the group of an executable, an archive, a library, and data.
  - 9. The method as claimed in claim 1, further including recording a hash function of at least some files downloaded to the processing system, and transmitting the hash function of the entity of interest to the remote processing system.
  - 10. The method as claimed in claim 1, wherein an automatically generated sliding fit signature for the entity of interest is also transmitted to the remote processing system.
  - 11. The method as claimed in claim 1, further including obtaining the network location of an entity of interest by:
    - identifying when an entity is being downloaded to the processing system;
      
      storing the network location of the entity in a record, and storing one or more of a hash function for the entity, a size of the entity, a series of sections of the entity, and a filename for the entity;
      
      identifying when a new file is created in the processing system;
      
      comparing information in the record with one or more of a hash function for the new file, a size of the new file, a series of sections of the new file, and a filename for the new file; and
      
      , if a match is found between the new file and the entity, storing at least the network location and the filename for the new file in a second record.

12. A computer program product for obtaining the network origin of a downloaded entity of interest, the computer program product executable in a processing system and configured to:
- record the network locations of at least some files downloaded to the processing system;
  
  record the physical locations of the at least some files stored in one or more storage devices of the processing system;
  
  identify an entity of interest in the processing system;
  
  search the recorded network locations and the recorded physical locations for the network location and the physical location of the entity of interest; and
  
  , if the network location and the physical location of the entity of interest is identified, transmit the network location and the physical location of the entity of interest to a remote processing system.

13. A method of obtaining the network location of a downloaded file, the method including the steps of, in a processing system:
- identifying when an entity is being downloaded to the processing system;
  
  storing the network location of the entity in a record, and storing one or more of a hash function for the entity, a size of the entity, a series of sections of the entity, and a filename for the entity;
  
  identifying when a new file is created in the processing system;
  
  comparing information in the record with one or more of a hash function for the new file, a size of the new file, a series of sections of the new file, and a filename for the new file; and
  
  , if a match is found between the new file and the entity, storing at least the network location and the filename for the new file in a second record.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method as claimed in claim 13, wherein the entity is an executable file or an archive containing an executable file.
  - 15. The method as claimed in claim 13, wherein method is performed when the entity is in the process of downloading or has downloaded.
  - 16. The method as claimed in claim 13, wherein a network driver is used to intercept all network activity associated with the processing system.
  - 17. The method as claimed in claim 13, wherein the new file creation is identified using event hooking.
  - 18. The method as claimed in claim 17, wherein the event hooking includes one or more of API hooking, kernel mode driver, system callbacks, and polling all files.
  - 19. The method as claimed in claim 13, wherein the record is periodically deleted.

20. A computer program product for obtaining the network location of a downloaded file, the computer program product executable in a processing system and configured to:
- identify when an entity is being downloaded to the processing system;
  
  store the network location of the entity in a record, and store one or more of a hash function for the entity, a size of the entity, a series of sections of the entity, and a filename for the entity;
  
  identify when a new file is created in the processing system;
  
  compare information in the record with one or more of a hash function for the new file, a size of the new file, a series of sections of the new file, and a filename for the new file; and
  
  , if a match is found between the new file and the entity, store at least the network location and the filename for the new file in a second record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Repasi, Rolf, Pereira, Ryan, Oliver, Ian, Younusov, Neil

Granted Patent

US 7,971,257 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

H04L 67/06   specially adapted for file ...

H04L 67/52   specially adapted for the l...

H04W 4/02   Services making use of loca...

OBTAINING NETWORK ORIGINS OF POTENTIAL SOFTWARE THREATS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

OBTAINING NETWORK ORIGINS OF POTENTIAL SOFTWARE THREATS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links