METHOD AND SYSTEM FOR DETECTION OF MALWARE THAT CONNECT TO NETWORK DESTINATIONS THROUGH CLOUD SCANNING AND WEB REPUTATION

US 20110185423A1
Filed: 01/27/2010
Published: 07/28/2011
Est. Priority Date: 01/27/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malware, comprising the steps of:

identifying a one or more open network connections of an electronic device;

associating one or more executable objects on the electronic device with the one or more open network connections of the electronic device;

determining the address of a first network destination that is connected to the open network connections of the electronic device;

receiving an evaluation of the first network destination, the evaluation comprising an indication that the first network destination is associated with malware; and

identifying one or more of the executable objects as malware executable objects, wherein the malware executable objects comprise the executable objects that are associated with the open network connections that are connected to the first network destination.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting malware includes the steps of identifying a one or more open network connections of an electronic device, associating one or more executable objects on the electronic device with the one or more open network connections of the electronic device, determining the address of a first network destination that is connected to the open network connections of the electronic device, receiving an evaluation of the first network destination, and identifying one or more of the executable objects as malware executable objects. The evaluation includes an indication that the first network destination is associated with malware. The malware executable objects includes the executable objects that are associated with the open network connections that are connected to the first network destination.

Citations

29 Claims

1. A method for detecting malware, comprising the steps of:
- identifying a one or more open network connections of an electronic device;
  
  associating one or more executable objects on the electronic device with the one or more open network connections of the electronic device;
  
  determining the address of a first network destination that is connected to the open network connections of the electronic device;
  
  receiving an evaluation of the first network destination, the evaluation comprising an indication that the first network destination is associated with malware; and
  
  identifying one or more of the executable objects as malware executable objects, wherein the malware executable objects comprise the executable objects that are associated with the open network connections that are connected to the first network destination.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising the step of cleaning the one or more malware executable objects from the electronic device.
  - 3. The method of claim 1, further comprising the step of for each malware executable object, identifying a second network destination connected to the open network connections, wherein the malware executable object is associated with the open network connections that are connected to the second network destination.
  - 4. The method of claim 3, further comprising the step of reporting the second network destination to a reputation application.
  - 5. The method of claim 3, further comprising the step of blocking access to the second network destination.

6. An article of manufacture, comprising:
- a computer readable medium; and
  
  computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  identify a one or more open network connections of an electronic device;
  
  associate one or more executable objects on the electronic device with the one or more open network connections of the electronic device;
  
  determine the address of a first network destination that is connected to the open network connections of the electronic device;
  
  receive an evaluation of the first network destination, the evaluation comprising an indication that the first network destination is associated with malware; and
  
  identify one or more of the executable objects as malware executable objects, wherein the malware executable objects comprise the executable objects that are associated with the open network connections that are connected to the first network destination.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The article of claim 6, wherein the processor is further caused to clean the one or more malware executable objects from the electronic device.
  - 8. The article of claim 6, wherein the processor is further caused to, for each malware executable object, identify a second network destination connected to the open network connections, wherein the malware executable object is associated with the open network connections that are connected to the second network destination.
  - 9. The article of claim 8, wherein the processor is further caused to report the second network destination to a reputation application.
  - 10. The article of claim 8, wherein the processor is further caused to block access to the second network destination.

11. A method of evaluating the reputation of a network destination, comprising the steps of:
- receiving information about a network destination from a monitor, wherein;
  
  the monitor is scanning an electronic device for malware; and
  
  the network destination is in communication with an executable object on the electronic device;
  
  accessing reputation information about the network destination in a reputation database;
  
  evaluating whether reputation information indicates that the network destination is associated with malware; and
  
  sending the evaluation to the monitor.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the reputation information comprises a reputation score.
  - 13. The method of claim 11, further comprising the step of:
    - creating an entry in the reputation database for a network destination, if the reputation database did not previously comprise an entry for the network destination.
  - 14. The method of claim 11, further comprising the steps of:
    - receiving information for a first network destination and for a second destination, wherein;
      
      the first network destination and the second network destination are in communication with an executable object on the electronic device; and
      
      ,the first network destination is associated with malware; and
      
      associating the reputation of the second network destination with the first network destination.
  - 15. The method of claim 14, wherein the second destination did not have a prior association with malware.

16. An article of manufacture, comprising:
- a computer readable medium; and
  
  computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  receive information about a network destination from a monitor, wherein;
  
  the monitor is scanning an electronic device for malware; and
  
  the network destination is in communication with an executable object on the electronic device;
  
  access reputation information about the network destination in a reputation database;
  
  evaluate whether reputation information indicates that the network destination is associated with malware; and
  
  send the evaluation to the monitor.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The article of claim 16, wherein the reputation information comprises a reputation score.
  - 18. The article of claim 16, wherein the processor is further caused to create an entry in the reputation database for a network destination, if the reputation database did not previously comprise an entry for the network destination.
  - 19. The article of claim 16, the processor is further caused to:
    - receive information for a first network destination and for a second destination, wherein;
      
      the first network destination and the second network destination are in communication with an executable object on the electronic device; and
      
      the first network destination is associated with malware; and
      
      associate the reputation of the second network destination with the first network destination.
  - 20. The article of claim 19, wherein the second destination did not have a prior association with malware.

21. A system for detection of malware, comprising:
- a monitor, the monitor configured to;
  
  identify one or more open network connections of an electronic device;
  
  identify one or more executable objects on the electronic device using the one or more open network connections of the electronic device; and
  
  determine the address of a first network destination that is connected to the one or more open network connections of the electronic device;
  
  a reputation application, the reputation application configured to;
  
  receive information about the first network destination from the monitor;
  
  access reputation information about the first network destination in a reputation database;
  
  evaluate whether reputation information indicates that the first network destination is associated with malware; and
  
  return the evaluation to the monitor;
  
  wherein the monitor is further configured to;
  
  receive an evaluation of the first network destination, the evaluation comprising an indication that the first network destinations is associated with malware; and
  
  determine one or more malware executable objects, wherein the one or more malware executable objects comprise the executable objects in communication with the first network destination evaluated to be associated with malware.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The system of claim 21, wherein the monitor is further configured to clean the one or more malware executable objects from the electronic device.
  - 23. The system of claim 21, wherein the monitor is further configured to, for each malware executable object, determine a second network destination connected to the open network connections, wherein the malware executable object is associated with the open network connections that are connected to the second network destination.
  - 24. The system of claim 23, wherein the monitor is further configured to report the second network destination to a reputation application.
  - 25. The system of claim 21, wherein the monitor is further caused to block access to the second network destination.
  - 26. The system of claim 21, wherein the reputation information comprises a reputation score.
  - 27. The system of claim 21, wherein the reputation application is further caused to create an entry in the reputation database for a network destination, if the reputation database did not previously comprise an entry for the network destination.
  - 28. The system of claim 21, wherein the reputation application is further configured to:
    - receive information for the first network destination and for a second destination, wherein;
      
      the first network destination and the second network destination are in communication with an executable object on the electronic device; and
      
      ,the first network destination is associated with malware; and
      
      associate the reputation of the second network destination with the first network destination.
  - 29. The system of claim 28, wherein the second destination did not have a prior association with malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said

Granted Patent

US 8,819,826 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/126   the source of the received ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

METHOD AND SYSTEM FOR DETECTION OF MALWARE THAT CONNECT TO NETWORK DESTINATIONS THROUGH CLOUD SCANNING AND WEB REPUTATION

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DETECTION OF MALWARE THAT CONNECT TO NETWORK DESTINATIONS THROUGH CLOUD SCANNING AND WEB REPUTATION

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links