METHODS AND APPARATUS FOR MALWARE THREAT RESEARCH
First Claim
1. A method of classifying a computer object as malware, the method comprising:
at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are located;
counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers;
comparing the counted number with the expected number based on past observations; and
if the comparison exceeds some predetermined threshold, flagging the objects as unsafe or as suspicious.
Abstract
Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed and counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers. The counted number is then compared with the expected number based on past observations, and if the comparison exceeds a predetermined threshold, the objects are flagged as unsafe or as suspicious.
25 Claims
1. A method of classifying a computer object as malware, the method comprising:
at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are located;
counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers;
comparing the counted number with the expected number based on past observations; and
if the comparison exceeds some predetermined threshold, flagging the objects as unsafe or as suspicious.
(Dependent claims: 2)
3. An apparatus for classifying a computer object as malware, the apparatus comprising:
a base computer arranged to receive data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed;
the base computer including: means for receiving the data; means for counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers; means for comparing the counted number with the expected number based on past observations; and means for flagging the objects as unsafe or as suspicious if the comparison exceeds some predetermined threshold.
(Dependent claims: 4)
5. A method of classifying a computer object as malware, the method comprising:
at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed;
storing said data in a database; and
presenting the user with a display of information relating to a group of plural objects and various attributes of those objects, the display being arranged such that commonality is shown between objects, wherein the group of objects displayed correspond to a user query of the database.
(Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14)
15. An apparatus, comprising:
a base computer including network components to receive data about a computer object from each of plural remote computers on which the computer object is located;
the base computer including: a data store including a database; at least one processor; a display; a non-transitory, tangible storage medium, encoded with instructions that are executable by the at least one processor, to classify a computer object as malware, the instructions including instructions for: storing the data in the database; and presenting, on the display, the user with a display of information relating to a group of plural objects and various attributes of those objects, the display being arranged such that commonality is shown between objects, wherein the group of objects displayed correspond to a user query of the database.
(Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24)
25. A non-transitory, tangible processing readable storage medium, encoded with processor readable instructions to perform a method for classifying a computer object as malware, the method comprising:
at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are located;
counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers;
comparing the counted number with the expected number based on past observations; and
if the comparison exceeds some predetermined threshold, flagging the objects as unsafe or as suspicious.
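As an added illustration of the counting, baseline-comparison and thresholding steps recited in claims 1 and 25 (example code written for this page, not the patent's or any assignee's implementation), the following Python sketch plays the role of the base computer over constructed telemetry from hypothetical remote computers; the window indices, attribute names, mean-of-past-windows baseline, ratio threshold and floor value are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    remote_id: str       # hypothetical remote computer that sent the report
    window: int          # time-period index (e.g. an hourly bucket)
    attributes: tuple    # common attributes/behaviours observed for the object

def _constructed_reports():
    # Constructed telemetry: three past periods with a stable mix, then a
    # current period (4) in which "writes_to_startup" shows up on many machines.
    rs = []
    for w in (1, 2, 3):
        rs += [Report("pc1", w, ("signed",)), Report("pc2", w, ("signed",)),
               Report("pc3", w, ("writes_to_startup",))]
    rs += [Report("pc1", 4, ("signed",)), Report("pc2", 4, ("signed",))]
    rs += [Report(f"pc{i}", 4, ("writes_to_startup", "unsigned")) for i in range(3, 9)]
    return rs

REPORTS = _constructed_reports()

def count_attributes(reports, window):
    """Count, within one time period, how often each attribute was seen."""
    return Counter(a for r in reports if r.window == window for a in r.attributes)

def expected_counts(reports, current_window):
    """Expected per-period count of each attribute: the mean over past periods."""
    past = {r.window for r in reports if r.window < current_window}
    totals = sum((count_attributes(reports, w) for w in past), Counter())
    return {a: n / len(past) for a, n in totals.items()}

def flag_suspicious(reports, current_window, threshold=3.0, floor=1.0):
    """Map each attribute whose observed/expected ratio exceeds threshold to that ratio."""
    expected = expected_counts(reports, current_window)
    flagged = {}
    for attr, n in count_attributes(reports, current_window).items():
        # Never-seen attributes are judged against `floor` rather than divided by zero.
        ratio = n / max(expected.get(attr, 0.0), floor)
        if ratio > threshold:
            flagged[attr] = ratio
    return flagged

def flagged_objects(reports, current_window, **kw):
    """Reports from the current period carrying at least one flagged attribute."""
    bad = set(flag_suspicious(reports, current_window, **kw))
    return [r for r in reports if r.window == current_window and set(r.attributes) & bad]
```

With the constructed data, the stable "signed" attribute stays within its baseline while "writes_to_startup" and the never-seen "unsigned" are flagged, and the six reports carrying them are returned as suspicious objects.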
Specification