SYSTEMS AND METHODS FOR MALWARE DETECTION

US 20110197281A1
Filed: 02/04/2011
Published: 08/11/2011
Est. Priority Date: 02/08/2010
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

a computer network including at least one client computer, the at least one client computer operable to generate a request; and

an anti-malware engine coupled to the computer system and operable to provide anti-malware protection for the computer network,wherein the anti-malware engine is operable to receive the request generated by the at least one client computer, and to determine if the request is classified as malware by determining whether the request includes one or more valid tags.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments include a computer system comprising a computer network including at least one client computer, the at least one client computer operable to generate a request, and an anti-malware engine coupled to the computer system and operable to provide anti-malware protection for the computer network, wherein the anti-malware engine is operable to receive the request generated by the at least one client, and to determine if the request is classified as malware by determining whether the request includes one or more valid tags.

47 Citations

View as Search Results

26 Claims

1. A computer system comprising:
- a computer network including at least one client computer, the at least one client computer operable to generate a request; and
  
  an anti-malware engine coupled to the computer system and operable to provide anti-malware protection for the computer network,wherein the anti-malware engine is operable to receive the request generated by the at least one client computer, and to determine if the request is classified as malware by determining whether the request includes one or more valid tags.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer system of claim 1, wherein the anti-malware engine is operable to determine that a request does not include the one or more valid tags, and to classify the request as malware if the request is an HTTP POST request.
  - 3. The computer system of claim 1, wherein the anti-malware engine is operable to determine that a request does not include the one or more valid tags, and to classify the request as malware if the request is an HTTP GET request that meets one or more pre-determined criteria.
  - 4. The computer system of claim 1, further including:
    - a database including a whitelist coupled to the anti-malware engine, the anti-malware engine operable to determine if a suspicious request is included in the whitelist, and if the suspicious request is included in the whitelist, to allow further processing of the suspicious request.
  - 5. The computer system of claim 1, wherein the whitelist includes a list of known and trustworthy download Universal Resource Locators.
  - 6. The computer system of claim 1, wherein the anti-malware engine is operable to determine that at least one or more valid tags are included in the request, to removed the at least one or more tags from the given request, to store the at least one or more valid tags, and to forward the request having had the at least one or more valid tags removed in order to retrieve a response to the request.
  - 7. The computer system of claim 1, wherein the anti-malware engine is operable to receive a response directed to a protected portion of the computer system, to scan the response for links, and if links are found in the response, to add one or more valid tags to the response before forwarding the response to the protected portion of the computer network.
  - 8. The computer system of claim 1, wherein the at least one of the one or more valid tags includes a hash value of an original Universal Resource Locator included in a link included in the response, plus a nounce generated by the anti-malware engine.

9. A computer system comprising:
- a computer network including at least one client computer, the as least one client computer operable to generate a request; and
  
  anti-malware engine coupled to the computer system and operable to provide anti-malware protection for the computer network,wherein the anti-malware engine is operable to receive content at the anti-malware engine that is directed to the computer network, to determine if the content is to be classified as malware, and if the content is not determined to be classified as malware, to scan the content for one or more links, and if the one or more links are found, to add at least one valid tag to at least one of the one or more links before forwarding the content on to the computer system.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer system of claim 9, wherein the one or more links found in the content includes a plurality of links, and wherein the anti-malware engine is operable to apply heuristics to a reduced a number of links to which valid tags are to be applied to be some number less than the plurality of links included in the content.
  - 11. The computer system of claim 10, wherein the reduced number of links includes links that are visible or that are made visible dynamically at runtime.
  - 12. The computer system of claim 10, wherein the reduced number of links includes links that are user clickable.
  - 13. The computer system of claim 10, wherein the reduced number of links includes links that include an .exe file extension.
  - 14. The computer system of claim 9, wherein the anti-malware engine includes a cache memory, the anti-malware engine operable to pre-fetch and store in the cache memory a content pointed to by one or more links included in the content received at the computer network.
  - 15. The computer system of claim 9, wherein the anti-malware engine is operable to determine a media type for the content, and to use the media type as a heuristic to reduce a total number of links of the one or more links included in the content to which a valid tag will be added to.

16. A method comprising:
- receiving at an anti-malware engine a request from a protected commuter network;
  
  inspecting the received request for the presence of one or more valid tags; and
  
  classifying the request as malware if at least one valid tag is not found included in the request.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, further including:
    - determining that the request includes at least one of the one or more valid tags;
      
      removing the one or more valid tags from the request;
      
      storing the one or more valid tags in data fields associated with a transaction associated with the request; and
      
      forwarding the request.
  - 18. The method of claim 17, further including:
    - receiving a response to the request;
      
      applying anti-malware detection processing to the response to determine if the response is to be classified as malware; and
      
      if the response is not to be classified as malware, scanning the response for links, and if one or more links are found in the response, adding at least one valid tag to at least one of the one or more links in the response before forwarding the response to the protected network.
  - 19. The method of claim 18, wherein the one or more links in the response includes a plurality of links, andwherein adding the at least one valid tag to at least one of the one or more links found in the response includes applying heuristics to reduce a total number of links of the plurality links found in the response to which a valid tag is added.
  - 20. The method of claim 16, wherein classifying the request as malware further includes:
    - processing the request to determine a source of the request within the protected computer network.
  - 21. The method of claim 20, further including:
    - determining that the request does not include at least one valid tag;
      
      comparing the request to a whitelist, andforwarding the request if the request is included in a listing included in the whitelist.

22. A non-transitory computer memory storing instructions that can be executed by a processor, and that that when executed by the processor, perform a method comprising:
- receiving content at a protected computer network;
  
  determining if the content is original content, or if the content is a response to a request previously forwarded by the protected computer network; and
  
  if the content is original content, processing the content to determine if the content is to be classified as malware, and if the content is not to be classified as malware, scanning the content for links, and if at least one link is found, applying a valid tag to the at least one link found in the content before forwarding the content to the protected computer network.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The method of claim 22, wherein applying a valid tag to at least one link in the content includes:
    - determining that the content includes a plurality of links, andusing heuristics to determine a reduced number of links of the plurality of links to which the valid tag is to be applied.
  - 24. The method of claim 22, further including:
    - determining that the content is to be classified as malware; and
      
      blocking the content from being forwarded to the protected computer network.
  - 25. The method of claim 24, further including:
    - reporting the classification of the content as malware to a user interface.
  - 26. The method of claim 24, further including;
    - determining that the content that is to be classified as malware is a reply to a particular request originating from the protected computer network;
      
      identifying a source of the request located within the protected computer network; and
      
      isolating the source of the request from the protected computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Skyhigh Security LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alme, Christoph, Pekrul, Micha

Granted Patent

US 8,850,584 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

H04L 63/145   the attack involving the pr...

SYSTEMS AND METHODS FOR MALWARE DETECTION

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR MALWARE DETECTION

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links