Context-Aware Real-Time Computer-Protection Systems and Methods

US 20100154056A1
Filed: 12/17/2008
Published: 06/17/2010
Est. Priority Date: 12/17/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for determining, in response to an event of interest, whether to perform a real-time file scan by examining the full context of the event of interest, the method comprising:

detecting an event of interest;

identifying at least one file associated with the event of interest;

accessing contextual metadata associated with the event of interest;

accessing at least one rule that comprises criteria for determining, based on the event of interest and the contextual metadata, whether to perform a security scan on the file;

determining, by applying the rule, whether to perform the security scan on the file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for determining, in response to an event of interest, whether to perform a real-time file scan by examining the full context of the event of interest may comprise: 1) detecting an event of interest, 2) identifying at least one file associated with the event of interest, 3) accessing contextual metadata associated with the event of interest, 4) accessing at least one rule that comprises criteria for determining, based on the event of interest and the contextual metadata, whether to perform a security scan on the file, and then 5) determining, by applying the rule, whether to perform the security scan on the file. Corresponding systems and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for determining, in response to an event of interest, whether to perform a real-time file scan by examining the full context of the event of interest, the method comprising:
- detecting an event of interest;
  
  identifying at least one file associated with the event of interest;
  
  accessing contextual metadata associated with the event of interest;
  
  accessing at least one rule that comprises criteria for determining, based on the event of interest and the contextual metadata, whether to perform a security scan on the file;
  
  determining, by applying the rule, whether to perform the security scan on the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the contextual metadata comprises:
    - information about the file;
      
      information about at least one application associated with the file.
  - 3. The method of claim 2, wherein the information about the file comprises information that identifies at least one of:
    - the file'"'"'s name;
      
      the file'"'"'s pathname;
      
      the file'"'"'s type;
      
      the file'"'"'s creation date;
      
      the file'"'"'s last-modified date;
      
      a hash of the file;
      
      the number of times the file has been read;
      
      the number of times the file has been modified;
      
      applications that have read the file;
      
      applications that have modified the file;
      
      usage behavior for the file;
      
      results of a prior security scan performed on the file.
  - 4. The method of claim 2, wherein the information about the application associated with the file comprises information that identifies:
    - the application'"'"'s name;
      
      processes associated with the application;
      
      usage behavior for the application;
      
      whether the application is a portal;
      
      whether the application generates network activity;
      
      whether the application contains a known vulnerability.
  - 5. The method of claim 1, wherein the rule comprises:
    - a generic file rule;
      
      a generic application rule;
      
      a file-type-specific rule that identifies acceptable usage behavior for the file;
      
      an application-specific rule that identifies acceptable usage behavior for an application associated with the file.
  - 6. The method of claim 1, wherein the rule further comprises criteria for determining, based on the contextual metadata, a level of scrutiny to be applied to the file when performing the security scan.
  - 7. The method of claim 1, wherein the event of interest comprises at least one of:
    - an attempt to open the file;
      
      an attempt to close the file;
      
      an update to a virus definition set supplied by a security vendor.
  - 8. The method of claim 1, wherein:
    - accessing the contextual metadata comprises retrieving the contextual metadata from a contextual-metadata database;
      
      accessing the rule comprises retrieving the rule from a rules database.
  - 9. The method of claim 1, further comprising:
    - performing the security scan on the file;
      
      determining, based on results of the security scan, whether to perform a security operation on the file.
  - 10. The method of claim 9, wherein the security operation comprises at least one of:
    - blocking the file;
      
      quarantining the file;
      
      transmitting a notification that identifies the file as a security risk.
  - 11. The method of claim 9, further comprising updating, based on the results of the security scan, the contextual metadata.
  - 12. The method of claim 9, wherein performing the security scan on the file comprises at least one of:
    - determining whether a portion of the file matches at least one signature within a virus definition set supplied by a security vendor;
      
      determining whether the file triggers a malware-detection heuristic supplied by a security vendor;
      
      executing the file within a virtual environment.

13. A system for determining, in response to an event of interest, whether to perform a real-time file scan by examining the full context of the event of interest, the system comprising:
- an event-detection module programmed to;
  
  detect an event of interest;
  
  identify at least one file associated with the event of interest;
  
  a contextual-metadata database containing contextual metadata associated with the event of interest;
  
  a rule-application module programmed to;
  
  access at least one rule that comprises criteria for determining, based on the event of interest and the contextual metadata, whether to perform a security scan on the file;
  
  determine, by applying the rule, whether to perform the security scan on the file.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, wherein the contextual metadata comprises:
    - information about the file;
      
      information about at least one application associated with the file.
  - 15. The system of claim 13, wherein the rule further comprises criteria for determining, based on the contextual metadata, a level of scrutiny to be applied to the file when performing the security scan.
  - 16. The system of claim 13, further comprising a security module programmed to:
    - perform the security scan;
      
      determine, based on results of the security scan, whether to perform a security operation on the file.
  - 17. The system of claim 16, further comprising a metadata-update module programmed to update, based on the results of the security scan, the contextual metadata.

18. A computer-readable medium comprising computer-executable instructions that, when executed by a computing device, cause the computing device to:
- detect an event of interest;
  
  identify at least one file associated with the event of interest;
  
  access contextual metadata associated with the event of interest;
  
  access at least one rule that comprises criteria for determining, based on the event of interest and the contextual metadata, whether to perform a security scan on the file;
  
  determine, by applying the rule, whether to perform the security scan on the file.
- View Dependent Claims (19, 20)
- - 19. The computer-readable medium of claim 18, wherein the computer-executable instructions, when executed by the computing device, further cause the computing device to:
    - perform the security scan on the file;
      
      determine, based on results of the security scan, whether to perform a security operation on the file.
  - 20. The computer-readable medium of claim 18, wherein the computer-executable instructions, when executed by the computing device, further cause the computing device to update the contextual metadata based on the results of the security scan.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Mesropian, Haik, Smith, Spencer

Granted Patent

US 8,161,556 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/562 Static detection

G06F 21/564 by virus signature recognition

Context-Aware Real-Time Computer-Protection Systems and Methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Context-Aware Real-Time Computer-Protection Systems and Methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links