MITIGATING MALICIOUS FILE PROPAGATION WITH PROGRESSIVE IDENTIFIERS

US 20110138465A1
Filed: 12/03/2009
Published: 06/09/2011
Est. Priority Date: 12/03/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of interdicting a propagation of a malicious file in a computer network, said method comprising:

a computer determining one or more segments of a first computer file and a final segment of said first file by determining a series of sizes of segments defined by a function ƒ

, wherein said first file is being transferred to a first computer system via a network;

said computer receiving said one or more segments of said first file;

said computer determining one or more signatures that identify said one or more segments of said first file by applying a hash function to each segment of said one or more segments of said first file;

said computer receiving said final segment of said first file;

said computer determining a signature that identifies said final segment of said first file by applying said hash function to said final segment of said first file;

said computer determining a complete match between a first progressive identifier (pID) of said first file and a second pID of another file (malicious file) by determining a first match between said one or more signatures that identify said one or more segments of said first file and one or more signatures that identify one or more segments of said malicious file and by determining a second match between said signature that identifies said final segment of said first file and a signature of a last segment of said malicious file, wherein said malicious file is another computer file identified as including malicious code, wherein said first pID includes a first series of signatures consisting of said one or more signatures that identify said one or more segments of said first file followed by said signature that identifies said final segment of said first file, and wherein said second pID includes a second series of signatures consisting of said one or more signatures that identify said one or more segments of said malicious file followed by said signature that identifies said final segment of said malicious file;

responsive to the step of determining said first match and prior to the step of determining said second match, said computer transferring said one or more segments of said first file to said first computer system; and

responsive to the step of determining said complete match, a processor of said computer identifying said first file as being said malicious file and interdicting a transfer of said final segment of said first file to said first computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for mitigating a propagation of a file that includes malicious code. Segments of the file are determined by a series of sizes determined by a function ƒ. Signatures identifying segments of the file are determined by applying a hash function to each segment. A complete match between the file and a malicious file is determined by determining a first match between signature(s) identifying a first set of segment(s) of the file and signature(s) identifying corresponding segment(s) of the malicious file and by determining a second match between a signature identifying a final segment of the file and a signature identifying a last segment of the malicious file. Responsive to determining the complete match, the file is identified as the malicious file and a transfer of the final segment of the file is interdicted.

Citations

20 Claims

1. A computer-implemented method of interdicting a propagation of a malicious file in a computer network, said method comprising:
- a computer determining one or more segments of a first computer file and a final segment of said first file by determining a series of sizes of segments defined by a function ƒ
  
  , wherein said first file is being transferred to a first computer system via a network;
  
  said computer receiving said one or more segments of said first file;
  
  said computer determining one or more signatures that identify said one or more segments of said first file by applying a hash function to each segment of said one or more segments of said first file;
  
  said computer receiving said final segment of said first file;
  
  said computer determining a signature that identifies said final segment of said first file by applying said hash function to said final segment of said first file;
  
  said computer determining a complete match between a first progressive identifier (pID) of said first file and a second pID of another file (malicious file) by determining a first match between said one or more signatures that identify said one or more segments of said first file and one or more signatures that identify one or more segments of said malicious file and by determining a second match between said signature that identifies said final segment of said first file and a signature of a last segment of said malicious file, wherein said malicious file is another computer file identified as including malicious code, wherein said first pID includes a first series of signatures consisting of said one or more signatures that identify said one or more segments of said first file followed by said signature that identifies said final segment of said first file, and wherein said second pID includes a second series of signatures consisting of said one or more signatures that identify said one or more segments of said malicious file followed by said signature that identifies said final segment of said malicious file;
  
  responsive to the step of determining said first match and prior to the step of determining said second match, said computer transferring said one or more segments of said first file to said first computer system; and
  
  responsive to the step of determining said complete match, a processor of said computer identifying said first file as being said malicious file and interdicting a transfer of said final segment of said first file to said first computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - prior to said determining said complete match, determining said one or more segments of said malicious file and said last segment of said malicious file by determining said series of sizes of segments defined by said function ƒ
      
      ;
      
      prior to said determining said complete match, determining said one or more signatures that identify one or more segments of said malicious file by applying said hash function to each segment of said one or more segments of said malicious file;
      
      prior to said determining said complete match, determining said signature that identifies said last segment of said malicious file by applying said hash function to said last segment of said malicious file; and
      
      storing one or more pIDs in a blacklist, wherein said one or more pIDs include a pID that consists of a series of signatures that includes said one or more signatures that identify said one or more segments of said malicious file followed by said signature that identifies said last segment of said malicious file, wherein said one or more pIDs stored in said blacklist identify one or more malicious files, and wherein said one or more malicious files include said malicious file.
  - 3. The method of claim 2, further comprising determining a series of segments of said malicious file by said determining said one or more segments of said malicious file and said last segment of said malicious file, wherein said malicious file consists of said series of segments, wherein said series of segments consists of said one or more segments of said malicious file and said last segment of said malicious file, wherein said one or more segments of said malicious file are followed by said last segment of said malicious file in said series of segments, and wherein said determining said first match includes determining said one or more segments of said malicious file does not include all segments of said malicious file.
  - 4. The method of claim 1, wherein said determining said complete match includes determining said malicious file includes no segments other than said one or more segments of said malicious file and said last segment of said malicious file.
  - 5. The method of claim 1, wherein said determining said series of sizes of segments includes applying said function ƒ
    - to said first file to determine a series of n segments of said first file, wherein a maximum value of n is indicated by a size of said first file and by said function ƒ
      
      , wherein said series of n segments of said first file includes said one or more segments of said first file and said final segment of said first file, wherein said function ƒ
      
      is a monotonically increasing function that indicates that ƒ
      
      (i+1)>
      
      ƒ
      
      (i), wherein i and n are positive integers, n>
      
      1, and i<
      
      n−
      
      1, wherein ƒ
      
      (i) is an i-th size in said series of sizes of segments and ƒ
      
      (i+1) is an (i+1)-th size in said series of sizes of segments, and wherein said i-th size is a size of an i-th segment in said series of n segments and said (i+1)-th size is a size of an (i+1)-th segment in said series of n segments.
  - 6. The method of claim 5, wherein said function ƒ
    - determines said series of n segments as a geometric sequence that includes ƒ
      
      (i) and ƒ
      
      (i+1), and wherein ƒ
      
      (i) is followed by ƒ
      
      (i+1) in said geometric sequence.
  - 7. The method of claim 1, wherein said applying said hash function includes applying a hash function algorithm having computationally efficient requirements that include a requirement for a number of cycles of a central processing unit and a requirement for an amount of memory, wherein said number of cycles is less than a first predefined threshold, and wherein said amount of memory is less than a second predefined threshold.
  - 8. The method of claim 1, wherein said applying said hash function includes applying a cyclic redundancy check (CRC) to each segment of series of n segments defined by said function ƒ
    - , wherein said first file consists of said series of n segments.
  - 9. The method of claim 1, further comprising:
    - prior to said determining said complete match and prior to a determination that said malicious file includes said malicious code, an integrated intrusion prevention system (IIPS) receiving a plurality of segments of said malicious file as said malicious file is transferred to a second computing system via said network, wherein said plurality of segments consists of said one or more segments of said malicious file and said last segment of said malicious file;
      
      said TIPS determining a set of signatures identifying said plurality of segments of said malicious file by applying said hash function to each segment of said one or more segments of said malicious file and by applying said hash function to said last segment of said malicious file, wherein said set of signatures includes said one or more signatures that identify said one or more segments of said malicious file and said signature that identifies said last segment of said malicious file;
      
      said IIPS monitoring a plurality of patterns of network traffic emanating from said second computing system via said network subsequent to a receipt of said malicious file by said second computing system;
      
      said IIPS detecting a presence of said malicious code on said second computing system based on said plurality of patterns of network traffic emanating from said second computing system;
      
      said TIPS correlating said presence of said malicious code with a plurality of receipts of a plurality of files by said second computing system, wherein said plurality of files is received by said second computing system prior to said detecting said presence of said malicious code, and wherein said plurality of receipts includes said receipt of said malicious file;
      
      responsive to said correlating said presence of said malicious code, said TIPS determining said malicious file includes said malicious code; and
      
      responsive to said determining said malicious file includes said malicious code, said IIPS storing said set of signatures in a blacklist that includes one or more sets of signatures, wherein said one or more sets of signatures included in said blacklist identify one or more files that include one or more sets of malicious code, and wherein said determining said complete match includes retrieving from said blacklist said one or more signatures that identify said one or more segments of said malicious file and said signature that identifies said last segment of said malicious file.
  - 10. The method of claim 1, further comprising:
    - populating a blacklist that identifies n malicious files that include n sets of malicious code;
      
      determining 1st . . . (i−
      
      1)-th segments of a second computer file by determining 1st . . . (i−
      
      1)-th sizes in a series of sizes of segments determined by said function ƒ
      
      , wherein said second file is being transferred to a second computer system via said network;
      
      receiving said 1st . . . (i−
      
      1)-th segments of said second file;
      
      determining 1st . . . (i−
      
      1)-th signatures that identify said 1st . . . (i−
      
      1)-th segments of said second file by applying a hash function to each segment of said 1st . . . (i−
      
      1)-th segments of said second file;
      
      determining 1st . . . (i−
      
      1)-th matches between said 1st . . . (i−
      
      1)-th signatures that identify said 1st . . . (i−
      
      1)-th segments of said second file and 1st . . . (i−
      
      1)-th signatures that identify 1st . . . (i−
      
      1)-th segments of one or more malicious files included in said n malicious files;
      
      determining each malicious file of said one or more malicious files includes at least one segment other than said 1st . . . (i−
      
      1)-th segments of said one or more malicious files;
      
      responsive to said determining said 1st . . . (i−
      
      1)-th matches and said determining each malicious file includes said at least one segment other than said 1st . . . (i−
      
      1)-th segments of said one or more malicious files, transferring said 1st . . . (i−
      
      1)-th sets of one or more data packets to said second computer system;
      
      determining an i-th segment of said second file by determining an i-th size in said series of sizes of segments defined by said function ƒ
      
      ,receiving said i-th segment of said second file;
      
      determining an i-th signature that identifies said i-th segment of said second file by applying said hash function to said i-th segment of said second file;
      
      determining one or more mismatches between said i-th signature that identifies said i-th segment of said second file and one or more i-th signatures that identify one or more i-th segments of said one or more malicious files;
      
      responsive to said determining said one or more mismatches, determining said second file is not included in said n malicious files identified by said blacklist and transferring said i-th segment of said second file to said second computer system; and
      
      subsequent to said determining said second file is not included in said n malicious files, receiving (i+1)-th . . . m-th segments of said second file and transferring said (i+1)-th . . . m-th segments of said second file to said second computer system without determining (i+1)-th . . . m-th signatures that identify said (i+1)-th . . . m-th segments of said second file by applying said hash function to said (i+1)-th . . . m-th segments of said second file, wherein 1<
      
      i<
      
      m.

11. A first computer system for interdicting a propagation of a malicious file in a computer network, said first computer system comprising:
- a processor;
  
  a computer readable memory;
  
  a computer readable storage medium;
  
  first program instructions to determine one or more segments of a first computer file and a final segment of said first file by determining a series of sizes of segments defined by a function ƒ
  
  , wherein said first file is being transferred to a second computer system via a network;
  
  second program instructions to receive said one or more segments of said first file;
  
  third program instructions to determine one or more signatures that identify said one or more segments of said first file by applying a hash function to each segment of said one or more segments of said first file;
  
  fourth program instructions to receive said final segment of said first file;
  
  fifth program instructions to determine a signature that identifies said final segment of said first file by applying said hash function to said final segment of said first file;
  
  sixth program instructions to determine a complete match between a first progressive identifier (pID) of said first file and a second pID of another file (malicious file) by determining a first match between said one or more signatures that identify said one or more segments of said first file and one or more signatures that identify one or more segments of said malicious file and by determining a second match between said signature that identifies said final segment of said first file and a signature of a last segment of said malicious file, wherein said malicious file is another computer file identified as including said malicious code, wherein said first pID includes a first series of signatures consisting of said one or more signatures that identify said one or more segments of said first file followed by said signature that identifies said final segment of said first file, and wherein said second pID includes a second series of signatures consisting of said one or more signatures that identify said one or more segments of said malicious file followed by said signature that identifies said final segment of said malicious file;
  
  seventh program instructions to, responsive to determining said first match by said sixth program instructions and prior to determining said second match by said sixth program instructions, transfer said first set of one or more data packets of said first file to said second computer system; and
  
  eighth program instructions to, responsive to determining said complete match by said sixth program instructions, identify said first file as being said malicious file and interdict a transfer of said final segment of said first file to said second computer system,wherein said first, second, third, fourth, fifth, sixth, seventh and eighth program instructions are stored on said computer readable storage medium and are executable by said processor via said computer readable memory.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The first computer system of claim 11, further comprising:
    - ninth program instructions to, prior to determining said complete match by said sixth program instructions, determine said one or more segments of said malicious file and said last segment of said malicious file by determining said series of sizes of segments defined by said function ƒ
      
      ;
      
      tenth program instructions to, prior to determining said complete match by said sixth program instructions, determine said one or more signatures that identify one or more segments of said malicious file by applying said hash function to each segment of said one or more segments of said malicious file;
      
      eleventh program instructions to, prior to determining said complete match by said sixth program instructions, determine said signature that identifies said last segment of said malicious file by applying said hash function to said last segment of said malicious file; and
      
      twelfth program instructions to store one or more pIDs in a blacklist, wherein said one or more pIDs include a pID that consists of a series of signatures that includes said one or more signatures that identify said one or more segments of said malicious file followed by said signature that identifies said last segment of said malicious file, wherein said one or more pIDs stored in said blacklist identify one or more malicious files, and wherein said one or more malicious files include said malicious file,wherein said ninth, tenth, eleventh and twelfth program instructions are stored on said computer readable storage medium and are executable by said processor via said computer readable memory.
  - 13. The computer system of claim 12, further comprising thirteenth program instructions to determine a series of segments of said malicious file by said determining said one or more segments of said malicious file and said last segment of said malicious file, wherein said malicious file consists of said series of segments, wherein said series of segments consists of said one or more segments of said malicious file and said last segment of said malicious file, wherein said one or more segments of said malicious file are followed by said last segment of said malicious file in said series of segments, wherein said determining said first match includes determining said one or more segments of said malicious file does not include all segments of said malicious file, and wherein said thirteenth program instructions are stored on said computer readable storage medium and are executable by said processor via said computer readable memory.
  - 14. The computer system of claim 11, wherein said sixth program instructions to determine said complete match include ninth program instructions to determine said malicious file includes no segments other than said one or more segments of said malicious file and said last segment of said malicious file, and wherein said ninth program instructions are stored on said computer readable storage medium and are executable by said processor via said computer readable memory.
  - 15. The computer system of claim 11, wherein said determining said series of sizes of segments includes applying said function ƒ
    - to said first file to determine a series of n segments of said first file, wherein a maximum value of n is indicated by a size of said first file and by said function ƒ
      
      , wherein said series of n segments of said first file includes said one or more segments of said first file and said final segment of said first file, wherein said function ƒ
      
      is a monotonically increasing function that indicates that ƒ
      
      (i+1)>
      
      ƒ
      
      (i), wherein i and n are positive integers, n>
      
      1, and i<
      
      n−
      
      1, wherein ƒ
      
      (i) is an i-th size in said series of sizes of segments and ƒ
      
      (i+1) is an (i+1)-th size in said series of sizes of segments, and wherein said i-th size is a size of an i-th segment in said series of n segments and said (i+1)-th size is a size of an (i+1)-th segment in said series of n segments.
  - 16. The computer system of claim 15, wherein said function ƒ
    - determines said series of n segments as a geometric sequence that includes ƒ
      
      (i) and ƒ
      
      (i+1), and wherein ƒ
      
      (i) is followed by ƒ
      
      (i+1) in said geometric sequence.

17. A computer program product for mitigating a propagation of a malicious file in a computer network, said computer program product comprising:
- a computer readable storage medium;
  
  first program instructions to determine one or more segments of a first computer file and a final segment of said first file by determining a series of sizes of segments defined by a function ƒ
  
  , wherein said first file is being transferred to a first computer system via a network;
  
  second program instructions to receive said one or more segments of said first file;
  
  third program instructions to determine one or more signatures that identify said one or more segments of said first file by applying a hash function to each segment of said one or more segments of said first file;
  
  fourth program instructions to receive said final segment of said first file;
  
  fifth program instructions to determine a signature that identifies said final segment of said first file by applying said hash function to said final segment of said first file;
  
  sixth program instructions to determine a complete match between a first progressive identifier (pID) of said first file and a second pID of another file (malicious file) by determining a first match between said one or more signatures that identify said one or more segments of said first file and one or more signatures that identify one or more segments of said malicious file and by determining a second match between said signature that identifies said final segment of said first file and a signature of a last segment of said malicious file, wherein said malicious file is another computer file identified as including said malicious code, wherein said first pID includes a first series of signatures consisting of said one or more signatures that identify said one or more segments of said first file followed by said signature that identifies said final segment of said first file, and wherein said second pID includes a second series of signatures consisting of said one or more signatures that identify said one or more segments of said malicious file followed by said signature that identifies said final segment of said malicious file;
  
  seventh program instructions to, responsive to determining said first match by said sixth program instructions and prior to determining said second match by said sixth program instructions, transfer said first set of one or more data packets of said first file to said first computer system; and
  
  eighth program instructions to, responsive to determining said complete match by said sixth program instructions, identify said first file as being said malicious file and interdict a transfer of said second set of one or more data packets of said first file to said first computer system,wherein said first, second, third, fourth, fifth, sixth, seventh and eighth program instructions are stored on said computer readable storage medium.
- View Dependent Claims (18, 19, 20)
- - 18. The program product of claim 17, further comprising:
    - ninth program instructions to, prior to determining said complete match by said sixth program instructions, determine said one or more segments of said malicious file and said last segment of said malicious file by determining said series of sizes of segments defined by said function ƒ
      
      ;
      
      tenth program instructions to, prior to determining said complete match by said sixth program instructions, determine said one or more signatures that identify one or more segments of said malicious file by applying said hash function to each segment of said one or more segments of said malicious file;
      
      eleventh program instructions to, prior to determining said complete match by said sixth program instructions, determine said signature that identifies said last segment of said malicious file by applying said hash function to said last segment of said malicious file; and
      
      twelfth program instructions to store one or more pIDs in a blacklist, wherein said one or more pIDs include a pID that consists of a series of signatures that includes said one or more signatures that identify said one or more segments of said malicious file followed by said signature that identifies said last segment of said malicious file, wherein said one or more pIDs stored in said blacklist identify one or more malicious files, and wherein said one or more malicious files include said malicious file,wherein said ninth, tenth, eleventh and twelfth program instructions are stored on said computer readable storage medium and are executable by said processor via said computer readable memory.
  - 19. The program product of claim 18, further comprising thirteenth program instructions to determine a series of segments of said malicious file by said determining said one or more segments of said malicious file and said last segment of said malicious file, wherein said malicious file consists of said series of segments, wherein said series of segments consists of said one or more segments of said malicious file and said last segment of said malicious file, wherein said one or more segments of said malicious file are followed by said last segment of said malicious file in said series of segments, wherein said determining said first match includes determining said one or more segments of said malicious file does not include all segments of said malicious file, and wherein said thirteenth program instructions are stored on said computer readable storage medium and are executable by said processor via said computer readable memory.
  - 20. The program product of claim 17, wherein said sixth program instructions to determine said complete match include ninth program instructions to determine said malicious file includes no segments other than said one or more segments of said malicious file and said last segment of said malicious file, and wherein said ninth program instructions are stored on said computer readable storage medium and are executable by said processor via said computer readable memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Franklin, Douglas North, Mays, Richard C.

Granted Patent

US 8,353,037 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

H04L 63/145   the attack involving the pr...

H04L 9/08   Key distribution or managem...

MITIGATING MALICIOUS FILE PROPAGATION WITH PROGRESSIVE IDENTIFIERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MITIGATING MALICIOUS FILE PROPAGATION WITH PROGRESSIVE IDENTIFIERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links