METHODS AND APPARATUS FOR DEALING WITH MALWARE

US 20120278895A1
Filed: 07/08/2012
Published: 11/01/2012
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method of classifying a computer object as malware, the method comprising:

at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored, wherein said data includes information about events initiated or involving the object when the object is created, configured or runs on the respective remote computers, said information including at least the identify of the object initiating the event, the event type, and the identity of the object or other entity on which the event is being performed;

storing at the base computer said data received from plural remote computers;

comparing in the base computer the data about the computer object received from the plural computers to identify relationships between the object and other objects or entities; and

,classifying the computer object as malware on the basis of said comparison.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, a method of classifying a computer object as malware includes receiving at a base computer data about a computer object from each of plural remote computers on which the object or similar objects are stored. The data about the computer object received from the plural computers is compared in the base computer. The computer object is classified as malware on the basis of said comparison. In one embodiment, the data about the computer object includes one or more of: executable instructions contained within or constituted by the object;

the size of the object; the name of the object; the logical storage location or path of the object on the respective remote computers; the vendor of the object; the software product and version associated with the object; and, events initiated by or involving the object when the object is created, configured or runs on the respective remote computers.

13 Citations

View as Search Results

29 Claims

1. A method of classifying a computer object as malware, the method comprising:
- at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored, wherein said data includes information about events initiated or involving the object when the object is created, configured or runs on the respective remote computers, said information including at least the identify of the object initiating the event, the event type, and the identity of the object or other entity on which the event is being performed;
  
  storing at the base computer said data received from plural remote computers;
  
  comparing in the base computer the data about the computer object received from the plural computers to identify relationships between the object and other objects or entities; and
  
  ,classifying the computer object as malware on the basis of said comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 29)
- - 2. A method according to claim 1, wherein the relationship is between objects related directly, or between objects related via other objects.
  - 3. A method according to claim 1, wherein where an object and other objects are found to have a relationship, monitoring those related objects as a homogenous entity.
  - 4. A method according to claim 1, comprising deducing an object to be malware based on the behaviour of a related object.
  - 5. A method according to claim 1, wherein if at least one other object to which said object is related is classed as malware, then classifying said object as malware.
  - 6. A method according to claim 1, wherein said other objects include the object or similar objects stored on at least some of the remote computers.
  - 7. A method according to claim 1, wherein said other objects include other objects that are parent objects or child objects or otherwise process-related objects to said object.
  - 8. A method according to claim 1, wherein the data about the computer object that is sent from the plural remote computers to the base computer and that is used in the comparison includes one or more of:
    - executable instructions contained within or constituted by the object;
      
      the size of the object;
      
      the current name of the object;
      
      the physical and folder location of the object on disk;
      
      the original name of the object;
      
      the creation and modification dates of the object;
      
      vendor, product and version and any other information stored within the object; and
      
      ,the object header or header held by the remote computer.
  - 9. A method according to claim 1, wherein the data is sent in the form of key that is obtained by a hashing process carried out in respect of the objects on the respective remote computers.
  - 10. A method according to claim 9, wherein the key has at least one component that represents executable instructions contained within or constituted by the object.
  - 11. A method according to claim 9, wherein the key has at least one component that represents data about said object.
  - 12. A method according to claim 11, wherein said data about said object includes at least one of:
    - the current name of the object;
      
      the physical and folder location of the object on disk;
      
      the original name of the object;
      
      the creation and modification dates of the object;
      
      vendor, product and version and any other information stored within the object;
      
      the object header or header held by the remote computer; and
      
      ,events initiated by or involving the object when the object is created, configured or runs on the respective remote computers.
  - 13. A method according to claim 9, wherein the key has at least one component that represents the physical size of the object.
  - 14. A method according to claim 1, comprising initially classifying an object as not malware, generating a mask for said object that defines acceptable behaviour for the object, and comprising monitoring operation of the object on at least one of the remote computers and reclassifying the object as malware if the actual monitored behaviour extends beyond that permitted by the mask.
  - 29. A computer program recorded on non-transitory computer readable medium comprising program instructions for causing a computer to perform the method of claim 1.

15. Apparatus for classifying a computer object as malware, the apparatus comprising:
- a base computer constructed and arranged to receive data about a computer object from each of plural remote computers on which the object or similar objects are stored, wherein said data includes information about events initiated or involving the object when the object is created, configured or runs on the respective remote computers, said information including at least the identify of the object initiating the event, the event type, and the identity of the object or other entity on which the event is being performed;
  
  the base computer being constructed and arranged to compare the data about the computer object received from said plural computers to identify relationships between the object and other objects or entities; and
  
  ,the base computer being constructed and arranged to classify the computer object as malware on the basis of said comparison.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. Apparatus according to claim 15, wherein the base computer is constructed and arranged so as to identify the relationship between objects related directly, or between objects related via other objects.
  - 17. Apparatus according to claim 15, wherein the base computer is constructed and arranged so as, where an object and other objects are found to have a relationship, to monitoring those related objects as a homogenous entity.
  - 18. Apparatus according to claim 15, wherein the base computer is constructed and arranged so as to deduce an object to be malware based on the behaviour of a related object.
  - 19. Apparatus according to claim 15, wherein the base computer is constructed and arranged so that if at least one other object to which said object is related is classed as malware, then said object is classified as malware.
  - 20. Apparatus according to claim 15, wherein the base computer is constructed and arranged so that said other objects include the object or similar objects stored on at least some of said remote computers.
  - 21. Apparatus according to claim 15, wherein the base computer is constructed and arranged so that said other objects include other objects that are parent objects or child objects or otherwise process-related objects to said object.
  - 22. Apparatus according to claim 15, wherein the base computer is constructed and arranged so as to compare the data where the data includes one or more of:
    - executable instructions contained within or constituted by the object;
      
      the size of the object;
      
      the current name of the object;
      
      the physical and folder location of the object on disk;
      
      the original name of the object;
      
      the creation and modification dates of the object;
      
      vendor, product and version and any other information stored within the object; and
      
      ,the object header or header held by the remote computer. 10
  - 23. Apparatus according to claim 15, wherein the base computer is constructed and arranged so as to be able to process data that is sent in the form of key that is obtained by a hashing process carried out in respect of the objects on said respective remote computers.
  - 24. Apparatus according to claim 23, wherein the key has at least one component that represents executable instructions contained within or constituted by the object.
  - 25. Apparatus according to claim 23, wherein the key has at least one component that represents data about said object.
  - 26. Apparatus according to claim 25, wherein said data about said object includes at least one of:
    - the current name of the object;
      
      the physical and folder location of the object on disk;
      
      the original name of the object;
      
      the creation and modification dates of the object;
      
      vendor, product and version and any other information stored within the object;
      
      the object header or header held by the remote computer; and
      
      ,events initiated by or involving the object when the object is created, configured or runs on the respective remote computers.
  - 27. Apparatus according to claim 23, wherein the key has at least one component that represents the physical size of the object.
  - 28. Apparatus according to claim 15, wherein the base computer is constructed and arranged to generate a mask for an object that is initially classed not as malware, said mask defining acceptable behaviour for the object, and the base computer is constructed and arranged to monitor operation of the object on at least one of the remote computers and to reclassify the object as malware if the actual monitored behaviour extends beyond that permitted by the mask.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Solutions Ltd. (Open Text Corporation)
Inventors
Morris, Melvyn, Stubbs, Paul, Hartwig, Markus, Harter, Darren

Granted Patent

US 8,726,389 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/577 Assessing vulnerabilities a...

METHODS AND APPARATUS FOR DEALING WITH MALWARE

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR DEALING WITH MALWARE

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links