Computer system analysis method and apparatus

US 20120102569A1
Filed: 10/21/2010
Published: 04/26/2012
Est. Priority Date: 10/21/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method of analysing a computer on which are installed a plurality of applications each comprising a set of inter-related objects, the method comprising:

identifying a local dependency network for each of one or more of said applications, a local dependency network comprising at least a set of object paths and inter-object relationships;

comparing the or each local application dependency network against a database of known application dependency networks to determine whether the application associated with the local dependency network is known; and

using the results of the comparison to identify malware and/or orphan objects.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of analysing a computer on which are installed a plurality of applications each comprising a set of inter-related objects. The method first comprises identifying a local dependency network for each of one or more of said applications, a local dependency network comprising at least a set of object paths and inter-object relationships. The (or each) local application dependency network is then compared against a database of known application dependency networks to determine whether the application associated with the local dependency network is known. The results of the comparison are then used to identify malware and/or orphan objects.

24 Citations

View as Search Results

16 Claims

1. A method of analysing a computer on which are installed a plurality of applications each comprising a set of inter-related objects, the method comprising:
- identifying a local dependency network for each of one or more of said applications, a local dependency network comprising at least a set of object paths and inter-object relationships;
  
  comparing the or each local application dependency network against a database of known application dependency networks to determine whether the application associated with the local dependency network is known; and
  
  using the results of the comparison to identify malware and/or orphan objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A method as claimed in claim 1, wherein said inter-related objects are one or more of executable files, data files, registry keys, registry values, registry data and launch points.
  - 3. A method as claimed in claim 1 and comprising identifying the paths of objects of a local application dependency network, and normalizing the paths to make them system independent.
  - 4. A method as claimed in claim 1, wherein the object paths of a local application dependency network are identified by tracing activity when the installation program for an application is launched.
  - 5. A method as claimed in claim 1, wherein the object paths of a local application dependency network are identified by taking system snapshots before and after the installation of the application and identifying the differences between the two snapshots.
  - 6. A method as claimed in claim 1, wherein a local application dependency network is identified by:
    - 1) for a given input object, performing a search for all other objects dependent upon the input object;
      
      2) storing the paths of the input object and any other objects found by the search, and their inter-object relationships, in a results file;
      
      3) recursively repeating steps
      
      1) and
      
      2) for each other object until no further dependent objects are found; and
      
      4) normalizing the object paths within the results file.
  - 7. A method as claimed in claim 1, wherein the database of known application dependency networks is populated by observing the installation of known applications to capture their dependency networks.
  - 8. A method as claimed in claim 1, wherein the database of known application dependency networks is populated by gathering application dependency networks from the local systems of a distributed client base.
  - 9. A method according to claim 1 and comprising carrying out said step of identifying a local dependency network for each of one or more of said applications at a client computer, and carrying out said step of comparing the or each local application dependency network against a database of known application dependency networks at a central server.
  - 10. A method according to claim 1 and comprising, for application dependency networks that are unknown, performing a further malware scan of the objects belonging to the unknown application dependency networks.
  - 11. A method according to claim 10, wherein said further malware scan comprises one or both of:
    - performing a check on application binary certificates; and
      
      running a heuristic analysis on objects identified in the unknown local application dependency networks; and
      
      removing from the client computer or otherwise making safe the objects identified in the unknown local application dependency network if the application is found to be malicious.
  - 12. A method as claimed in claim 10, wherein the application dependency network for an unknown local application that is found to be legitimate following said further malware scan is entered into the database of known application dependency networks.
  - 13. A method according to claim 10, wherein said further malware scan comprises one or both of:
    - performing a check on an application binary certificate; and
      
      running a heuristic analysis on objects identified in the unknown, local application dependency networks; and
      
      removing from the client computer or otherwise making safe the objects identified in the unknown local application dependency network if the application is found to be malicious, with the exception of objects shared with other known application dependency networks.
  - 14. A computer program for causing a computer to perform the method of claim 1.

15. A client computer comprising:
- a system scanner for identifying a local dependency network for each of one or more applications installed on the client computer, a local application dependency network comprising at least a set of object paths and inter-object relationships;
  
  a result handler for obtaining the results of a comparison of the or each local application dependency network against a database of known application dependency networks to determine whether the application associated with the local application dependency network is known; and
  
  a policing unit for using the results of the comparison to identify malware and/or orphan objects.

16. A server computer system for serving a multiplicity of client computers, the server computer system comprising:
- a database of known application dependency networks, each application dependency network including object paths and inter-object relationships;
  
  a receiver for receiving local application dependency networks from one or more of said client computers;
  
  a dependency network comparator for comparing the received local application dependency networks against the known application dependency networks in the database to determine whether associated local applications are known; and
  
  a transmitter for sending the results of the comparisons to the respective client computers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F-Secure Corporation (F-Secure Oyj)
Original Assignee
F-Secure Corporation (F-Secure Oyj)
Inventors
Turbin, Pavel

Application Number

US12/925,482
Publication Number

US 20120102569A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

Computer system analysis method and apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system analysis method and apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links