System And Method For Malware Detection

US 20110219450A1
Filed: 03/08/2010
Published: 09/08/2011
Est. Priority Date: 03/08/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for execution on one or more processors, the method comprising:

receiving a first file;

determining a file type of the first file;

determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file;

scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy; and

in response to determining the results of applying the plurality of malware detection schemes, determining that the first file is suspected malware or determining that the first file is malware according to a third policy.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computer-implemented method for execution on one or more processors includes receiving a first file and determining a file type of the first file. The method also includes determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file. In addition, the method includes scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy. Further, the method includes determining, in response to determining the results of applying the plurality of malware detection schemes, that the first file is malware or determining that the first file is suspected malware according to a third policy.

629 Citations

32 Claims

1. A computer-implemented method for execution on one or more processors, the method comprising:
- receiving a first file;
  
  determining a file type of the first file;
  
  determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file;
  
  scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy; and
  
  in response to determining the results of applying the plurality of malware detection schemes, determining that the first file is suspected malware or determining that the first file is malware according to a third policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - determining one or more actions to perform on a message in response to the results of applying the plurality of malware detection schemes to the first file and to a set of results from applying a second plurality of malware detection schemes to a second file;
      
      wherein the first and second files are attachments to the message.
  - 3. The method of claim 1, further comprising:
    - receiving a second file and a third file;
      
      determining that the second file and the third file have been previously analyzed for malware;
      
      determining the result of the previous analysis of the second file;
      
      determining the result of the previous analysis of the third file;
      
      determining that the second file is malware based on the result of the previous analysis of the second file; and
      
      determining that the third file is not malware based on the result of the previous analysis of the second file.
  - 4. The method of claim 1, further comprising:
    - determining the results of applying a first malware detection scheme at a first detection node of the plurality of detection nodes to the first file; and
      
      increasing the priority of the first file in a queue associated with a second detection node of the plurality of detection nodes applying a second malware detection scheme in response to receiving the response from the first detection node.
  - 5. The method of claim 1, wherein determining that the first file is malware or determining that the first file is suspected malware comprises:
    - determining a plurality of scores based on the results of applying the plurality of malware detection schemes; and
      
      determining that the sum of the plurality of scores is greater than a threshold.
  - 6. The method of claim 1, further comprising:
    - providing a first interface to add a new malware detection scheme to the first policy, the first interface comprising;
      
      at least one element for associating the new malware detection scheme with at least one file type; and
      
      at least one element for identifying a first detection node that implements the new malware detection scheme;
      
      providing a second interface to modify the second policy, the second interface comprising at least one element for adjusting the queue of files to be analyzed at a second detection node in response to determining a result from applying the new malware detection scheme at the first detection node;
      
      providing a third interface to modify the third policy, the third interface comprising at least one element for scoring the result from applying the new malware detection scheme;
      
      configuring at least one detection node of the plurality of detection nodes to receive files for applying the new malware detection scheme according to an interface standard of the plurality of detection nodes; and
      
      configuring the at least one detection node of the plurality of detection nodes to report results of applying the new malware detection scheme according to the interface standard of the plurality of detection nodes.
  - 7. The method of claim 1, wherein at least one of the plurality of malware detection schemes determined according to the first policy comprises accessing the first file utilizing a plurality of versions of an application.
  - 8. The method of claim 1, wherein at least one of the plurality of malware detection schemes determined according to the first policy comprises accessing the first file in a plurality of operating systems.
  - 9. The method of claim 1, further comprising:
    - in response to determining the results of applying the plurality of malware detection schemes, automatically determining a set of tasks to be performed by a human analyst regarding the first file based on the results of applying the plurality of malware detection schemes; and
      
      sending the set of tasks to the human analyst.
  - 10. The method of claim 9, further comprising automatically executing at least one task of the set of tasks.
  - 11. The method of claim 1, further comprising:
    - performing a first determination of one or more processing loads of the plurality of detection nodes;
      
      receiving the first file from a messaging agent, wherein the first file is an attachment to a first message;
      
      in response to the first determination, preventing the delivery of the first message before receiving the results of applying the plurality of malware detection schemes to the first file;
      
      performing a second determination of one or more processing loads of the plurality of detection nodes after preventing the delivery of the first message;
      
      receiving a second file from the messaging agent, wherein the second file is an attachment to a second message;
      
      determining a second plurality of malware detection schemes to apply to the second file according to the first policy;
      
      scheduling the application of the second plurality of malware detection schemes to the second file amongst a second plurality of detection nodes according to the second policy; and
      
      in response to the second determination, allowing the delivery of the second message before receiving the results of applying the second plurality of malware detection schemes to the second file.
  - 12. The method of claim 1, further comprising applying a first malware detection scheme to the first file in a virtual machine, wherein execution of virtual machine processes associated with applying the first malware detection scheme comprises skipping wait states associated with interactions of a guest operating system of the virtual machine.
  - 13. The method of claim 1, further comprising:
    - applying a first malware detection scheme to the first file in at least one guest operating system on the same machine;
      
      maintaining at least one baseline image of the at least one guest operating system while applying the first malware detection scheme to the first file;
      
      tracking changes to each of the at least one guest operating systems in memory while applying the first malware detection scheme to the first file; and
      
      reverting each of the at least one guest operating systems to one of the at least one baseline images in response to completing the application of the first malware detection scheme to the first file using the tracked changes.
  - 14. The method of claim 1, wherein the first file comprises a Uniform Resource Locator (URL).

15. A computer-implemented method for execution on one or more processors, the method comprising:
- receiving a first file and a second file from a messaging agent, wherein the first file and the second file are attachments to a first message;
  
  applying a first malware detection scheme to the first file at a first detection node of a plurality of detection nodes;
  
  determining the results of applying the first malware detection scheme at the first detection node to the first file; and
  
  increasing the priority of the second file in a queue associated with a second detection node of the plurality of detection nodes applying a second malware detection scheme to the second file in response to determining the results of applying the first malware detection scheme at the first detection node to the first file.
- View Dependent Claims (16)
- - 16. The method of claim 15, wherein the first file comprises a Uniform Resource Locator (URL).

17. A computer-implemented method for execution on one or more processors, the method comprising:
- receiving a file;
  
  determining a malware detection scheme to apply to the file;
  
  accessing the file in a guest operating system of a virtual machine in accordance with the determined malware detection scheme;
  
  skipping at least one wait state associated with the guest operating system while accessing the file within the guest operating system; and
  
  determining that the file is malware or determining that the file is suspected malware in response to accessing the file.
- View Dependent Claims (18)
- - 18. The method of claim 17, wherein the first file comprises a Uniform Resource Locator (URL).

19. A system for malware detection comprising:
- an ingest module operable to;
  
  receive a first file;
  
  determine a file type of the first file; and
  
  determine, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file;
  
  a scheduling module operable to schedule the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy; and
  
  an adjudication and disposition module operable to determine, in response to determining the results of applying the plurality of malware detection schemes, that the first file is malware according to a third policy.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 20. The system of claim 19, wherein the adjudication and disposition module is operable to:
    - determine one or more actions to perform on a message in response to the results of applying the plurality of malware detection schemes to the first file and to a set of results from applying a second plurality of malware detection schemes to a second file; and
      
      wherein the first and second file are attachments to the message.
  - 21. The system of claim 19, wherein:
    - the ingest module is operable to;
      
      receive a second file and a third file; and
      
      determine that the second file and the third file have been previously analyzed for malware; and
      
      the adjudication and disposition module is operable to;
      
      determine the result of the previous analysis of the second file;
      
      determine the result of the previous analysis of the third file;
      
      determine that the second file is malware based on the result of the previous analysis of the second file; and
      
      determine that the third file is not malware based on the result of the previous analysis of the second file.
  - 22. The system of claim 19, wherein the scheduling module is operable to increase the priority of the first file in a queue of a second detection node of the plurality of detection nodes applying a second malware detection scheme in response to the results of applying a first malware detection scheme at a first detection node of the plurality of detection nodes to the first file.
  - 23. The system of claim 19, wherein the adjudication and disposition module operable to determine that the first file is malware comprises an adjudication and disposition module operable to:
    - determine a plurality of scores based on the results of applying the plurality of malware detection schemes; and
      
      determine that the sum of the plurality of scores is greater than a threshold.
  - 24. The system of claim 19, further comprises:
    - a first interface operable to add a new malware detection scheme to the first policy, the first interface comprising;
      
      at least one element operable to associate the new malware detection scheme with at least one file type; and
      
      at least one element operable to identify a first detection node that implements the new malware detection scheme;
      
      a second interface operable to modify the second policy, the second interface comprising at least one element operable to adjust the queue of files to be analyzed at a second detection node in response to determining a result from applying the new malware detection scheme at the first detection node;
      
      a third interface operable to modify the third policy, the third interface comprising at least one element operable to score the result from applying the new malware detection scheme; and
      
      at least one detection node that is configured to;
      
      receive files for applying the new malware detection scheme according to an interface standard of the plurality of detection nodes; and
      
      report results of applying the new malware detection scheme according to an interface standard of the plurality of detection nodes.
  - 25. The system of claim 19, wherein at least one of the plurality of malware detection schemes determined according to the first policy comprises accessing the first file utilizing a plurality of versions of an application.
  - 26. The system of claim 19, wherein at least one of the plurality of malware detection schemes determined according to the first policy comprises accessing the first file in a plurality of operating systems.
  - 27. The system of claim 19, further comprising an analysis console that is operable to:
    - automatically determine a set of tasks to be performed by a human analyst regarding the first file in response to determining the results of applying the plurality of malware detection schemes; and
      
      send the set of tasks to the human analyst.
  - 28. The system of claim 27, wherein the analysis console is operable to automatically execute at least one task of the set of tasks.
  - 29. The system of claim 19, wherein the adjudication and disposition module is operable to:
    - perform a first determination of one or more processing loads of the plurality of detection nodes;
      
      prevent, in response to the first determination, the delivery of a first message before receiving the results of applying the plurality of malware detection schemes to the first file, wherein the first file is an attachment to a first message;
      
      perform a second determination of one or more processing loads of the plurality of detection nodes after preventing the delivery of the first message; and
      
      allow, in response to the second determination, the delivery of a second message before receiving the results of applying a second plurality of malware detection schemes to a second file, wherein the second file is an attachment to the second message.
  - 30. The system of claim 19, further comprising at least one detection node operable to apply a first malware detection scheme to the first file in a virtual machine, wherein the execution of virtual machine processes associated with applying the first malware detection scheme comprises skipping wait states associated with interactions of a guest operating system of the virtual machine.
  - 31. The system of claim 19, further comprising at least one detection node operable to:
    - apply a first malware detection scheme to the first file in at least one guest operating system on the same machine;
      
      maintain at least one baseline image of the at least one guest operating system while applying the first malware detection scheme to the first file;
      
      track changes to each of the at least one guest operating systems while applying the first malware detection scheme to the first file; and
      
      revert each of the at least one guest operating systems to one of the at least one baseline images in response to completing the application of the first malware detection scheme to the first file using the tracked changes.
  - 32. The system of claim 19, wherein the first file comprises a Uniform Resource Locator (URL).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Brown, Jeffrey C., Daly, Michael K., Lee, Jesse J., Cariker, Kevin L., De Rita, Darin J., Jennings, Randy S., Sterns, William E., McDougal, Monty D., Smith, Brian N.

Granted Patent

US 8,863,279 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56 Computer malware detection ...

H04L 63/1416 Event detection, e.g. attac...

System And Method For Malware Detection

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

629 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System And Method For Malware Detection

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

629 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links