METHOD AND SYSTEM FOR DETECTION OF PREVIOUSLY UNKNOWN MALWARE
Abstract
A system, method and computer program product for detection of the previously unknown malware, the method comprising: (a) receiving event information and file metadata from a remote computer; (b) identifying whether the event information or the file metadata are indicative of the already known malware presence, indicative of the unknown malware presence, or indicative of malware absence; (c) if the event information or the file metadata are indicative of the known malware or indicative of malware absence, filtering out the event information and the file metadata; (d) performing a risk analysis and risk assessment for the remaining event information and the remaining file metadata to determine if the event and the file metadata are indicative of the previously unknown malware presence; and (e) where performing a risk analysis and risk assessment includes a “parent-child” hierarchy of the files, and the risk assessed to the parent is based on the risk associated with the child.
Claims (17)
1. A computer-implemented method for detection of previously unknown malware, the method comprising:
(a) receiving event information and file metadata from a remote computer;
(b) identifying whether the event information or the file metadata are indicative of known malware presence, indicative of unknown malware presence, or indicative of malware absence;
(c) if the event information or the file metadata are indicative of known malware or indicative of malware absence, filtering out the event information and the file metadata;
(d) performing a risk analysis and risk assessment for the remaining event information and the remaining file metadata so as to determine if the event and the file metadata are indicative of the previously unknown malware presence; and
(e) performing a risk analysis and risk assessment wherein the risk analysis and risk assessment includes a construction of a “parent-child” hierarchy based on invocation sequence of the files, and wherein the risk assessed to the parent is based on the risk associated with the child.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A computer system for detection of previously unknown malware, the computer system performing the functions of:
(a) receiving event information and file metadata from a remote computer;
(b) identifying whether the event information or the file metadata are indicative of the known malware presence, indicative of the unknown malware presence, or indicative of malware absence;
(c) if the event information or the file metadata are indicative of known malware or indicative of malware absence, filtering out the event information and the file metadata;
(d) performing a risk analysis and risk assessment for the remaining event information and the remaining file metadata to determine if the event and the file metadata are indicative of the previously unknown malware presence; and
(e) wherein performing the risk analysis and risk assessment includes a construction of a “parent-child” hierarchy based on the invocation sequence of the files, and wherein the risk assessed to the parent is based on the risk associated with the child.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.
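The independent claims describe a pipeline: receive process events and file metadata, drop anything a known-malware or known-clean verdict already settles, score what remains, build a parent-child hierarchy from the invocation sequence, and let a child's risk raise its parent's. The following Python sketch is an added illustration of that pipeline, not code from the patent or its assignee. The hash values, behaviour weights, child-to-parent weight and alert threshold are all constructed assumptions (the claims give no numbers); the sample event list is likewise constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed verdict sets standing in for a signature / allow-list lookup.
# These are placeholder strings, not real file hashes.
KNOWN_MALWARE = {"hash-known-bad"}
KNOWN_CLEAN = {"hash-explorer", "hash-office"}

# Constructed per-behaviour risk weights (assumption: the claims give no scores).
BEHAVIOR_WEIGHTS = {
    "drop_exe": 0.4,       # wrote a new executable to disk
    "write_startup": 0.4,  # added a persistence entry
    "net_connect": 0.2,    # made an outbound network connection
    "spawn_shell": 0.3,    # launched a command interpreter
}

CHILD_WEIGHT = 0.5  # share of the riskiest child's risk that flows up to the parent (assumption)
THRESHOLD = 0.6     # risk at or above this is reported as previously unknown malware (assumption)


@dataclass(frozen=True)
class Event:
    """One process-creation event plus the metadata of the file it ran (step a)."""
    pid: int
    ppid: Optional[int]
    path: str
    file_hash: str
    behaviors: Tuple[str, ...]


def classify(ev: Event) -> str:
    """Step (b): known malware, clean, or unknown."""
    if ev.file_hash in KNOWN_MALWARE:
        return "known_malware"
    if ev.file_hash in KNOWN_CLEAN:
        return "clean"
    return "unknown"


def filter_events(events: List[Event]) -> List[Event]:
    """Step (c): keep only the events the verdict sets cannot decide."""
    return [ev for ev in events if classify(ev) == "unknown"]


def own_risk(ev: Event) -> float:
    """Step (d): per-file risk from its observed behaviours, capped at 1.0."""
    return min(1.0, sum(BEHAVIOR_WEIGHTS.get(b, 0.0) for b in ev.behaviors))


def build_hierarchy(events: List[Event]) -> Tuple[Dict[int, List[int]], List[int]]:
    """Step (e): parent -> children map over the remaining events, built from ppid links.
    An event whose parent was filtered out (or never seen) becomes a root of its own subtree."""
    pids = {ev.pid for ev in events}
    children: Dict[int, List[int]] = {ev.pid: [] for ev in events}
    roots: List[int] = []
    for ev in events:
        if ev.ppid in pids:
            children[ev.ppid].append(ev.pid)
        else:
            roots.append(ev.pid)
    return children, roots


def assess_risk(events: List[Event]) -> Dict[int, float]:
    """Step (e): parent risk = own risk + CHILD_WEIGHT * riskiest child, evaluated bottom-up."""
    by_pid = {ev.pid: ev for ev in events}
    children, roots = build_hierarchy(events)
    risk: Dict[int, float] = {}

    def visit(pid: int) -> float:
        child_risks = [visit(c) for c in children[pid]]
        combined = own_risk(by_pid[pid]) + CHILD_WEIGHT * max(child_risks, default=0.0)
        risk[pid] = round(min(1.0, combined), 3)
        return risk[pid]

    for root in roots:
        visit(root)
    return risk


def detect_unknown_malware(events: List[Event], threshold: float = THRESHOLD):
    """Whole pipeline: returns (risk per remaining pid, sorted pids at/above threshold)."""
    risk = assess_risk(filter_events(events))
    flagged = sorted(pid for pid, r in risk.items() if r >= threshold)
    return risk, flagged


# Constructed sample: a document viewer spawns an unknown helper, which drops an
# "updater" that persists and phones home and then opens a shell.
SAMPLE_EVENTS = [
    Event(100, None, r"C:\Windows\explorer.exe", "hash-explorer", ()),
    Event(200, 100, r"C:\Office\winword.exe", "hash-office", ()),
    Event(300, 200, r"C:\Temp\invoice_helper.exe", "hash-unknown-1", ("drop_exe",)),
    Event(400, 300, r"C:\Temp\updater.exe", "hash-unknown-2", ("write_startup", "net_connect")),
    Event(500, 400, r"C:\Windows\System32\cmd.exe", "hash-unknown-3", ("spawn_shell",)),
    Event(600, 100, r"C:\Windows\notepad.exe", "hash-unknown-4", ()),
    Event(700, 400, r"C:\Temp\payload.exe", "hash-known-bad", ("net_connect",)),  # signature hit
]

if __name__ == "__main__":
    risks, flagged = detect_unknown_malware(SAMPLE_EVENTS)
    for pid in sorted(risks):
        print(f"pid {pid}: risk {risks[pid]}")
    print("flagged as previously unknown malware:", flagged)
```

Run stand-alone, the sketch filters out pids 100 and 200 (known clean) and 700 (known malware, handled by the signature path), leaves 300, 400, 500 and 600 for assessment, and flags 300 and 400. The point the claims make is visible in pid 300: its own behaviour (dropping one file) scores only 0.4, below the threshold, but the risk of its child chain raises it to 0.775, so the dropper is reported together with the payload it launched.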