SYSTEMS AND METHOD FOR MALWARE DETECTION

US 20110320816A1
Filed: 03/13/2010
Published: 12/29/2011
Est. Priority Date: 03/13/2009
Status: Active Grant

First Claim

Patent Images

1. A system for distinguishing human input events from malware-generated events, the system comprising:

at least a central processing unit (CPU) (12);

at least an input device (17); and

memory (14) communicatively coupled to the CPU (12), the memory (14) comprising program code (18) executable by the at least a CPU (12) to perform the following steps;

obtaining first input events from a user utilizing the at least an input device;

utilizing the first input events to obtain a feature indicative of the user;

obtaining second input events; and

classifying the second input events against the feature indicative of the user to determine if the user or malware initiated the second input events.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for distinguishing human input events from malware-generated events includes one or more central processing units (CPUs), one or more input devices and memory. The memory includes program code that when executed by the CPU causes the CPU to obtain a first set of input events from a user utilizing the input device. The first input events are used to obtain or derive a feature indicative of the user, such as a multi-dimensional feature vector as provided by a support vector machine. Second input events are then obtained, and the second input events are classified against the feature to determine if either the user or malware initiated the second input events.

239 Citations

12 Claims

1. A system for distinguishing human input events from malware-generated events, the system comprising:
- at least a central processing unit (CPU) (12);
  
  at least an input device (17); and
  
  memory (14) communicatively coupled to the CPU (12), the memory (14) comprising program code (18) executable by the at least a CPU (12) to perform the following steps;
  
  obtaining first input events from a user utilizing the at least an input device;
  
  utilizing the first input events to obtain a feature indicative of the user;
  
  obtaining second input events; and
  
  classifying the second input events against the feature indicative of the user to determine if the user or malware initiated the second input events.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1 wherein the program code (18) causes the at least a CPU to further perform the following steps:
    - in response to determining that a suspicious event has occurred, initiating an authentication test to obtain the second input events.
  - 3. The system of claim 1 wherein the program code (18) implements a support vector machine to train against the first input events to obtain a multi-dimensional feature vector, and employs principle component analysis to reduce the dimensionality of the feature vector.
  - 4. The system of claim 1 wherein the input device is a keyboard and the first input events include timing information related to the user pressing keys on the keyboard (17).
  - 5. The system of claim 1 further comprising networking hardware (18) capable of communications with a client remote server (200), and program code (218) causing at least a CPU (212) to further perform the following steps:
    - performing an RSA key exchange with the client;
      
      obtaining cryptographically signed third input events from the client; and
      
      verifying a signature of the cryptographically signed third input events.
  - 6. The system of claim 5 wherein if the signature does not pass the verifying step then the program code further causes the system to utilize the networking hardware (16) to send a warning message to the client.
  - 7. The system of claim 5 wherein if the third input events include timing information related to the user pressing and releasing keys on a keyboard (17).

8. A computer system for distinguishing user-initiated outbound network traffic from malware-initiated outbound network traffic, the network traffic comprising a plurality of packets that employ a multi-layered communications protocol comprising an upper application layer, a lower physical layer and a plurality of intermediate layers, the system comprising:
- at least a central processing unit (CPU) (12);
  
  networking hardware (16) capable of carrying the network traffic; and
  
  memory (14) communicatively coupled to the CPU (12), the memory (14) comprising program code (18) executable by the CPU (12) to perform the following steps;
  
  cryptographically signing a packet at a first layer in the plurality of intermediate layers;
  
  verifying the signature of the packet at a second layer in the plurality of intermediate layers, the second layer being at a lower layer than the first layer; and
  
  correlating the packet with malware-initiated outbound network traffic if the signature of the packet at the second layer is not verified.
- View Dependent Claims (9, 10)
- - 9. The system of claim 8 wherein the program code (18) further causes the at least a CPU (12) to determine if the packet originates from any known application obtained from a process table.
  - 10. The system of claim 8 wherein the program code (18) further causes the packet to be sent as outbound traffic prior to completing the verification of the signature.

11. A computer system for distinguishing user-initiated outbound network traffic from malware-initiated outbound network traffic, the system comprising:
- at least a central processing unit (CPU) (12);
  
  at least an input device (17);
  
  networking hardware (16) capable of carrying the network traffic; and
  
  memory (14) communicatively coupled to the CPU (12), the memory (14) comprising program code (18) executable by the at least a CPU to perform the following steps;
  
  monitoring input events generated by the input device (17);
  
  monitoring outbound network traffic events;
  
  performing a time-based correlation analysis between the input events and the outbound network traffic events; and
  
  distinguishing malware-initiated outbound traffic according to the time-based correlation analysis.
- View Dependent Claims (12)
- - 12. The system of claim 11 wherein performing the time-based correlation analysis comprises performing a linear regression analysis between timestamps on outbound packets and timestamps on user input events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rutgers University
Original Assignee
Rutgers University
Inventors
Yao, Danfeng, Stefan, Deian, Wu, Chehai

Granted Patent

US 8,763,127 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/32   using biometric data, e.g. ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/57   Certifying or maintaining t...

G06F 2221/2133   Verifying human interaction...

H04L 63/145   the attack involving the pr...

SYSTEMS AND METHOD FOR MALWARE DETECTION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

239 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHOD FOR MALWARE DETECTION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

239 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links