METHOD AND SYSTEM FOR DETECTION OF PREVIOUSLY UNKNOWN MALWARE

US 20110083180A1
Filed: 12/23/2009
Published: 04/07/2011
Est. Priority Date: 10/01/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detection of previously unknown malware, the method comprising:

(a) receiving event information and file metadata from a remote computer;

(b) identifying whether the event information or the file metadata are indicative of known malware presence, indicative of unknown malware presence, or indicative of malware absence;

(c) if the event information or the file metadata are indicative of known malware or indicative of malware absence, filtering out the event information and the file metadata;

(d) performing a risk analysis and risk assessment for the remaining event information and the remaining file metadata so as to determine if the event and the file metadata are indicative of the previously unknown malware presence; and

(e) performing a risk analysis and risk assessment wherein the risk analysis and risk assessment includes a construction of a “

parent-child”

hierarchy based on invocation sequence of the files, and wherein the risk assessed to the parent is based on the risk associated with the child.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for detection of the previously unknown malware, the method comprising: (a) receiving event information and file metadata from a remote computer; (b) identifying whether the event information or the file metadata are indicative of the already known malware presence, indicative of the unknown malware presence, or indicative of malware absence; (c) if the event information or the file metadata are indicative of the known malware or indicative of malware absence, filtering out the event information and the file metadata; (d) performing a risk analysis and risk assessment for the remaining event information and the remaining file metadata to determine if the event and the file metadata are indicative of the previously unknown malware presence; and (e) where performing a risk analysis and risk assessment includes a “parent-child” hierarchy of the files, and the risk assessed to the parent is based on the risk associated with the child.

Citations

17 Claims

1. A computer-implemented method for detection of previously unknown malware, the method comprising:
- (a) receiving event information and file metadata from a remote computer;
  
  (b) identifying whether the event information or the file metadata are indicative of known malware presence, indicative of unknown malware presence, or indicative of malware absence;
  
  (c) if the event information or the file metadata are indicative of known malware or indicative of malware absence, filtering out the event information and the file metadata;
  
  (d) performing a risk analysis and risk assessment for the remaining event information and the remaining file metadata so as to determine if the event and the file metadata are indicative of the previously unknown malware presence; and
  
  (e) performing a risk analysis and risk assessment wherein the risk analysis and risk assessment includes a construction of a “
  
  parent-child”
  
  hierarchy based on invocation sequence of the files, and wherein the risk assessed to the parent is based on the risk associated with the child.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the file metadata comprises any of file name, file extension, file size, file linking status, whether the file is digitally signed, whether the file is a download utility, whether the file is packed, file source, file invocation frequency, file path, the URL from which the file was received and a port the file is accessing.
  - 3. The method of claim 1, wherein the event information comprises any of behavioral patterns of an object associated with the event.
  - 4. The method of claim 1, wherein performing risk analysis and risk assessment includes construction of a decision tree.
  - 5. The method of claim 3, wherein the event information comprises any of statistical data associated with the event, name stability of the object source, IP address stability of the object source and activity of the object.
  - 6. The method of claim 3, wherein the event information comprises the information on a type of the event including any of file downloading, file dropping and file linking.
  - 7. The method of claim 1, wherein the risk analysis and risk assessment is performed automatically in real-time.
  - 8. The method of claim 1, wherein a detection of previously unknown malware includes any of heuristic detection algorithms, statistical analysis, multi-dimensional database processing, dynamic adjustment of the accuracy of the risk assessment criteria based on the previously performed risk assessment and empirical evaluation of accuracy of the risk assessment criteria, composite risk assessment criteria and multiple stage risk assessment.
  - 9. A computer useable storage medium having computer executable program logic stored thereon, the computer executable program logic executed on a processor for implementing the steps of claim 1.

10. A computer system for detection of previously unknown malware, the computer system performing the functions of:
- (a) receiving event information and file metadata from a remote computer;
  
  (b) identifying whether the event information or the file metadata are indicative of the known malware presence, indicative of the unknown malware presence, or indicative of malware absence;
  
  (c) if the event information or the file metadata are indicative of known malware or indicative of malware absence, filtering out the event information and the file metadata;
  
  (d) performing a risk analysis and risk assessment for the remaining event information and the remaining file metadata to determine if the event and the file metadata are indicative of the previously unknown malware presence; and
  
  (e) performing risk analysis and risk assessment includes a construction of a “
  
  parent-child”
  
  hierarchy based on the invocation sequence of the files, and wherein the risk assessed to the parent is based on the risk associated with the child.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer system of claim 10, wherein the file metadata comprises any of file name, file extension, file size, file linking status, whether the file is digitally signed, whether the file is a download utility, whether the file is packed, file source, file invocation frequency, file path, the URL from which the file was received and a port the file is accessing.
  - 12. The computer system of claim 10, wherein the event information comprises any of behavioral patterns of an object associated with the event.
  - 13. The computer system of claim 10, wherein performing risk analysis and risk assessment includes construction of a decision tree.
  - 14. The computer system of claim 12, wherein the event information comprises statistical data associated with the event, name stability of the object source, IP address stability of the object source and activity of the object.
  - 15. The computer system of claim 12, wherein the event information comprises information on the type of the event including any of file downloading, file dropping and file linking.
  - 16. The computer system of claim 10, wherein the risk analysis and risk assessment is performed automatically in real-time.
  - 17. The computer system of claim 10, wherein detection of the previously unknown malware includes heuristic detection algorithms, statistical analysis, multi-dimensional database processing, dynamic adjustment of the accuracy of the risk assessment criteria based on the previously performed risk assessment and empirical evaluation of accuracy of the risk assessment criteria, composite risk assessment criteria and multiple stage risk assessment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
DENISHCHENKO, NIKOLAY V., MASHEVSKY, YURY V., NAMESTNIKOV, YURY V., ZELENSKY, PAVEL A.

Granted Patent

US 8,572,740 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/145   the attack involving the pr...

METHOD AND SYSTEM FOR DETECTION OF PREVIOUSLY UNKNOWN MALWARE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DETECTION OF PREVIOUSLY UNKNOWN MALWARE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links