METHODS AND APPARATUS FOR MALWARE THREAT RESEARCH

US 20120266208A1
Filed: 02/13/2012
Published: 10/18/2012
Est. Priority Date: 02/15/2011
Status: Active Grant

First Claim

Patent Images

1. A method of classifying a computer object as malware, the method comprising:

at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are located;

counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers;

comparing the counted number with the expected number based on past observations; and

,if the comparison exceeds some predetermined threshold, flagging the objects as unsafe or as suspicious.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed and counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers. The counted number is then compared with the expected number based on past observations, and if the comparison exceeds a predetermined threshold, the objects are flagged as unsafe or as suspicious.

Citations

25 Claims

1. A method of classifying a computer object as malware, the method comprising:
- at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are located;
  
  counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers;
  
  comparing the counted number with the expected number based on past observations; and
  
  ,if the comparison exceeds some predetermined threshold, flagging the objects as unsafe or as suspicious.
- View Dependent Claims (2)
- - 2. The method according to claim 1, wherein the attribute of the object is selected from the group consisting of:
    - a file name, a file type, a file location, vendor information contained in a file, a file size, registry keys relating to a file, system derived data, and event data relating to the object.

3. An apparatus for classifying a computer object as malware, the apparatus comprising:
- a base computer arranged to receive data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed;
  
  the base computer including;
  
  means for receiving the data;
  
  means for counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers;
  
  means for comparing the counted number with the expected number based on past observations; and
  
  means for flagging the objects as unsafe or as suspicious if the comparison exceeds some predetermined threshold.
- View Dependent Claims (4)
- - 4. The apparatus according to claim 3, wherein the attribute of the object is selected from the group consisting of a file name, a file type, a file location, vendor information contained in a file, a file size, registry keys relating to the file, system derived data, and event data relating to the object.

5. A method of classifying a computer object as malware, the method comprising:
- at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed;
  
  storing said data in a database; and
  
  ,presenting the user with a display of information relating to a group of plural objects and various attributes of those objects, the display being arranged such that commonality is shown between objects, wherein the group of objects displayed correspond to a user query of the database.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. The method according to claim 5, wherein the information is displayed in tabular form with rows of the table corresponding to objects and columns of the table corresponding to attributes of the objects.
  - 7. The method of claim 5, wherein at least one attribute of the objects is presented to the user pictorially such that objects with common attributes are given the same pictorial representation.
  - 8. The method according to claim 7, wherein the pictorial representation comprises symbols having different shapes and/or colours.
  - 9. The method according of claim 8, comprising:
    - identifying commonality in one or more attributes between objects; and
      
      ,refining the query in accordance with said identified commonality.
  - 10. The method of claim 5, comprising creating a rule from a user query if it is determined that the query is deterministic in identifying malware.
  - 11. The method of claim 5, comprising:
    - monitoring user groupings of objects along with any and all user actions taken such as classifying the objects of the group as being safe or unsafe; and
      
      ,automatically applying said groupings and actions in generating new rules for classifying objects as malware.
  - 12. The method according to claim 11, comprising applying the rule to an object at the base computer and or sending the rule to a remote computer and applying the rule to an object at the remote computer to classify the object as safe or unsafe.
  - 13. The method according to claim 12, comprising storing the classification of an object as safe or unsafe according to the rule in the database at the base computer.
  - 14. The method according to claim 13, comprising:
    - receiving information from a remote computer that an object classified as malware by said rule is believed not to be malware; and
      
      ,amending or deleting the rule in accordance with said information.

15. An apparatus, comprising:
- a base computer including network components to receive data about a computer object from each of plural remote computers on which the computer object is located;
  
  the base computer including;
  
  a data store including a database;
  
  at least one processor;
  
  a display;
  
  a non-transitory, tangible storage medium, encoded with instructions that are executable by the at least one processor, to classify a computer object as malware, the instructions including instructions for;
  
  storing the data in the database; and
  
  presenting, on the display, the user with a display of information relating to a group of plural objects and various attributes of those objects, the display being arranged such that commonality is shown between objects, wherein the group of objects displayed correspond to a user query of the database.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The apparatus according to claim 15, wherein the information is displayed in tabular form with rows of the table corresponding to objects and columns of the table corresponding to attributes of the object.
  - 17. The apparatus according to claim 15, wherein at least one attribute of the object is displayed pictorially such that objects with common attributes are given the same pictorial representation.
  - 18. The apparatus according to claim 17, wherein the pictorial representation comprises symbols having different shapes or colors.
  - 19. The apparatus according to claim 15, wherein the instructions include instructions to:
    - identify commonality in one or more attributes between objects; and
      
      refine a query in accordance with said identified commonality.
  - 20. The apparatus according to claim 15, wherein the instructions include instructions to allow the user to create a rule from a user query if it is determined that the query is deterministic in identifying malware.
  - 21. The apparatus according to claim 15, wherein the instructions include instructions to monitor user groupings of objects along with any and all user actions taken such as classifying the objects of the group as being safe or unsafe;
    - and to automatically apply said groupings and actions in generating new rules for classifying objects as malware.
  - 22. The apparatus according to claim 21, wherein the instructions include instructions to apply the rule to an object at the base computer to classify the object as safe or unsafe, and or arranged to send the rule to a remote computer such that the remote computer can apply the rule to an object at the remote computer.
  - 23. The apparatus of claim 22, wherein the instructions include instructions to store the classification of an object as safe or unsafe according to the rule in the database.
  - 24. The apparatus according to claim 23, wherein the instructions include instructions to receive information from a remote computer that an object classified as malware by the rule is believed not to be malware;
    - and to amend or delete the rule in accordance with the information.

25. A non-transitory, tangible processing readable storage medium, encoded with processor readable instructions to perform a method for classifying a computer object as malware, the method comprising:
- at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are located;
  
  counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers;
  
  comparing the counted number with the expected number based on past observations; and
  
  ,if the comparison exceeds some predetermined threshold, flagging the objects as unsafe or as suspicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Morris, Melvyn, Jaroch, Joseph

Granted Patent

US 10,574,630 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0263   Rule management

H04L 63/14   for detecting or protecting...

H04L 63/145   the attack involving the pr...

METHODS AND APPARATUS FOR MALWARE THREAT RESEARCH

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR MALWARE THREAT RESEARCH

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links