NETWORK SERVICE FOR THE DETECTION, ANALYSIS AND QUARANTINE OF MALICIOUS AND UNWANTED FILES

US 20090044024A1
Filed: 08/05/2008
Published: 02/12/2009
Est. Priority Date: 08/06/2007
Status: Active Grant

First Claim

Patent Images

1. A system for detecting, analyzing and quarantining unwanted files in a network environment, comprising:

a network service that analyzes and detects unwanted files, the network service is accessible to computing devices in the network environment and embodied as computer executable instruction on a computer readable medium, wherein the network service includes;

a request dispatcher configured to receive a candidate file for inspection from a given computing device in the network environment and distribute the candidate file to one or more of a plurality of detection engines;

said plurality of detection engines operating in parallel to receive and analyze the candidate file in accordance with a detection algorithm and output a report regarding the candidate file; and

a result aggregator configured to receive reports from one or more of the detection engines regarding the candidate file and aggregates the reports in accordance with an aggregation algorithm.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided for detecting, analyzing and quarantining unwanted files in a network environment. A host agent residing on a computing device in the network environment detects a new file introduced to the computing device and sends the new file to a network service for analysis. The network service is accessible to computing devices in the network environment. An architecture for the network service may include: a request dispatcher configured to receive a candidate file for inspection from a given computing device in the network environment and distribute the candidate file to one or more of a plurality of detection engines, where the detection engines operate in parallel to analyze the candidate file and output a report regarding the candidate file; and a result aggregator configured to receive reports from each of the detection engines regarding the candidate file and aggregates the reports in accordance with an aggregation algorithm.

Citations

23 Claims

1. A system for detecting, analyzing and quarantining unwanted files in a network environment, comprising:
- a network service that analyzes and detects unwanted files, the network service is accessible to computing devices in the network environment and embodied as computer executable instruction on a computer readable medium, wherein the network service includes;
  
  a request dispatcher configured to receive a candidate file for inspection from a given computing device in the network environment and distribute the candidate file to one or more of a plurality of detection engines;
  
  said plurality of detection engines operating in parallel to receive and analyze the candidate file in accordance with a detection algorithm and output a report regarding the candidate file; and
  
  a result aggregator configured to receive reports from one or more of the detection engines regarding the candidate file and aggregates the reports in accordance with an aggregation algorithm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 further comprises a host agent embodied as computer executable instruction on a computer readable medium and residing on the computing device in the network environment, the host agent detects a new file introduced to the computing device and sends the new file to the network service for analysis while blocking access to the new file.
  - 3. The system of claim 2 wherein the host agent resides on a mobile device.
  - 4. The system of claim 2 wherein the host agent receives an aggregate report from the network service regarding the new file and regulates access to the new file based on results in the aggregate report.
  - 5. The system of claim 4 wherein the host agent stores the aggregate report in cache and, upon receipt of a second new file, accesses the aggregate report in the cache before sending the second new file to the network service.
  - 6. The system of claim 1 wherein the network service stores the aggregate report in cache and, upon receipt of a second new file, the request dispatcher accesses the aggregate report in the cache before distributing the second new file.
  - 7. The system of claim 2 wherein the host agent collects host context data indicative of operating state and configurations of the computing device and send the host context data along with the new file to the network service.
  - 8. The system of claim 7 wherein the network service replicates operating state of the computing device using the host context data and simulates access of the new file
  - 9. The system of claim 2 wherein the host agent captures a virtual machine image of the computing device and sends the virtual machine image along with the new file to the network service.
  - 10. The system of claim 1 wherein the network service instantiates more than that one instance of a particular type of detection engine.

11. A system for detecting, analyzing and quarantining unwanted files in a computing environment, comprising:
- a detection engine that receives candidate files for inspection and analyzes the candidate files to identify unwanted files, the detection engine embodied as computer executable instructions in a computer readable medium;
  
  a file history data store operable to store an indicia of for the candidate files analyzed by the detection engine; and
  
  a retrospective detector embodied as computer executable instructions in a computer readable medium, the retrospective detector configured to receive an indicia of an unwanted file and search the file history data store for candidate files that match the unwanted file.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11 wherein the retrospective detector generates a report of candidate files previously analyzed by the detection engine that match the unwanted file.
  - 13. The system of claim 11 wherein the retrospective detector removes candidate files that match the unwanted file from the computing environment.
  - 14. The system of claim 11 wherein the detection engine generates a signature for each candidate file using cryptographic techniques and stores the signature as the indicia for each candidate file in the file history data store.
  - 15. The system of claim 11 wherein the indicia for a given candidate files is one of a subset of bytes in the candidate file, a permutation of bytes in the candidate file, a hash of the candidate file or the candidate file itself.
  - 16. The system of claim 11 wherein the retrospective detector receives an indicia of an unwanted file from the detection engine or another external source.
  - 17. The system of claim 11 is embodied as a network service in a network environment that is accessible to a plurality of computing devices.

18. A system for detecting, analyzing and quarantining unwanted files in a network environment, comprising:
- a network service accessible to computing devices in the network environment and embodied as computer executable instructions on a computer readable medium, wherein the network service receives candidate files for inspection from computing devices in the network environment and analyzes the candidate files to identify unwanted files;
  
  a file history data store associated with the network service and operable to store an indicia for the candidate files analyzed by the network service along with an indicia of the computing device from which the candidate files were received; and
  
  a retrospective detector associated with the network service and configured, upon detection of an unwanted file, to search the file history data store for candidate files that match the unwanted file.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The system of claim 18 further comprises a host agent embodied as computer executable instructions on a computer readable medium and residing on a given computing device in the network environment, the host agent detects a candidate file introduced to the given computing device and sends the candidate file to the network service for analysis.
  - 20. The system of claim 18 wherein the retrospective detector generates a report of candidate files previously analyzed by the network service that match the unwanted file.
  - 21. The system of claim 18 wherein the retrospective detector removes candidate files that match the unwanted file from the computing device hosting the candidate file.
  - 22. The system of claim 18 wherein the network service generates a signature for each candidate file using cryptographic techniques and stores the signature as the indicia for each candidate file in the file history data store.
  - 23. The system of claim 18 wherein the indicia for a given candidate files is one of a subset of bytes in the candidate file, a permutation of bytes in the candidate file, a hash of the candidate file or the candidate file itself.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Michigan
Original Assignee
Board of Regents of the University of Michigan (University of Michigan)
Inventors
Oberheide, Jon, Jahanian, Farnam, Cooke, Evan

Granted Patent

US 8,621,610 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/188
CPC Class Codes

G06F 21/562   Static detection

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/145   the attack involving the pr...

NETWORK SERVICE FOR THE DETECTION, ANALYSIS AND QUARANTINE OF MALICIOUS AND UNWANTED FILES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK SERVICE FOR THE DETECTION, ANALYSIS AND QUARANTINE OF MALICIOUS AND UNWANTED FILES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links