SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION
First Claim
1. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
- providing data on the mobile communications device;
applying a hash function to the data to create a hash identifier for the data; and
comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in the mobile communications device memory; and
if the comparison by the known good component results in a positive match, then allowing the data to be processed by the mobile communications device.
9 Assignments
0 Petitions
Accused Products
Abstract
The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as a cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of “known good,” “known bad,” and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device.
-
Citations
25 Claims
-
1. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; applying a hash function to the data to create a hash identifier for the data; and comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in the mobile communications device memory; and if the comparison by the known good component results in a positive match, then allowing the data to be processed by the mobile communications device. - View Dependent Claims (2, 3)
-
-
4. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; applying by the known good component, logic on the data to determine if the data is safe; if the known good component logic determines that the data is safe, then allowing the data to be processed by the mobile communications device; if the known good component does not determine that the data is safe, then applying by the known bad component, logic on the data to determine if the data is malicious; and if the known bad component logic determines that the data is malicious, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (5)
-
-
6. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; applying by the known good component, logic on the data to determine if the data is safe; if the known good component logic determines that the data is safe, then allowing the data to be processed by the mobile communications device; if the known good component logic does not determine that the data is safe, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (7, 8)
-
-
9. In a server connected through a telecommunications network to receive data from and send data to a mobile communications device, the server having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a method comprising:
-
by the server, receiving a hash identifier for data from the mobile communications device; comparing, by the known good component, the data hash identifier against a database of identifiers of known good data stored in memory associated with the server; and if the comparison by the known good component results in a positive match, then sending an instruction to the mobile communications device to allow the data to be processed by the mobile communications device. - View Dependent Claims (10, 11)
-
-
12. In a server connected through a telecommunications network to receive and send data, having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a method comprising:
-
receiving data at the server from the mobile communications device; applying by the known good component, logic on the data to determine if the data is safe; if the known good component logic determines that the data is safe, then allowing the data to be processed by the mobile communications device; if the known good component logic does not determine that the data is safe, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (13, 14)
-
-
15. A computer readable medium stored in a memory of a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, the computer readable medium containing computer readable instructions comprising:
-
computer program code for comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in the mobile communications device memory; computer program code for comparing by the known bad component, the data hash identifier against either a database of identifiers of known bad data stored in the mobile communications device memory, or against a database of known bad data signatures stored in the mobile communications device memory, or against a database of known bad data patterns stored in the mobile communications device memory; and computer program code for performing an analysis on the data by the decision component to determine if the data is safe or malicious.
-
-
16. A computer readable medium stored in a server connected through a telecommunications network to receive and send data, having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, the computer readable medium containing computer readable instructions comprising:
-
computer program code for comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in memory associated with the server; computer program code for comparing by the known bad component, the data hash identifier against either a database of identifiers of known bad data stored in memory associated with the server, or against a database of known bad data signatures stored in memory associated with the server, or against a database of known bad data patterns stored in memory associated with the server; and computer program code for performing an analysis on the data by the decision component to determine if the data is safe or malicious.
-
-
17. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; comparing by the known good component, the data against a database of characteristics for known good data stored in the mobile communications device; and if the comparison by the known good component does not result in a positive match, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (18, 19)
-
-
20. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; applying a hash function to the data to create a hash identifier for the data; and comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in the mobile communications device memory; and if the comparison by the known good component does not result in a positive match, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (21, 22)
-
-
23. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; applying by the known good component, logic on the data to determine if the data is not safe; and if the known good component logic determines that the data is not safe, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (24, 25)
-
Specification