Applying Antimalware Logic without Revealing the Antimalware Logic to Adversaries
First Claim
1. In a computing environment, a method performed at least in part on at least one processor, comprising, receiving a malware-related query at a backend service, processing data associated with the malware-related query at the backend service, including via updateable detection logic that is not revealed outside of the backend service, to determine whether the data associated with the malware-related query corresponds to detected malware, and returning a corresponding result in response to the query indicating whether the data associated with the malware-related query corresponds to detected malware.
2 Assignments
0 Petitions
Accused Products
Abstract
The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, which a customer frontend machine queries for purposes of malware detection. In this way, some antimalware techniques are kept at the backend service rather than being revealed to malware authors. The backend antimalware detection logic may be based upon feature selection, and may be updated rapidly, faster than malware authors can track. Noise may be added to the results to make it difficult for malware authors to deduce the logic behind them. The backend may return results indicating malware or not malware, or return inconclusive results. The backend service may also detect probing-related queries that are part of an attempt to deduce the unrevealed antimalware detection logic, returning noisy results in response and/or taking other actions to foil the attempt.
Citations
20 Claims
- 1. In a computing environment, a method performed at least in part on at least one processor, comprising, receiving a malware-related query at a backend service, processing data associated with the malware-related query at the backend service, including via updateable detection logic that is not revealed outside of the backend service, to determine whether the data associated with the malware-related query corresponds to detected malware, and returning a corresponding result in response to the query indicating whether the data associated with the malware-related query corresponds to detected malware.
- 12. In a computing environment, a system comprising, a backend service, the backend service configured with malware detection logic, the malware detection logic configured to process data associated with queries to determine whether for each query the data associated with that query is indicative of malware, the backend service further configured to respond to each query with a result indicating whether the logic determined the data to be indicative of malware, or with a request for more associated data from which the result may be determined, and the backend service further comprising an unpredictability mechanism configured to operate to keep antimalware techniques in the malware detection logic from being deduced based upon the returned result.
- 17. One or more computer-readable media having computer-executable instructions, which when executed perform steps of a process, comprising: receiving a query and associated data at a backend service, in which the associated data is received with the query or received via one or more subsequent communications, or via a combination of both; processing the associated data at the backend service to detect that the data corresponds to malware, and returning a response corresponding to the query including a result indicating that malware was detected; taking an action at the backend service that is capable of providing a different result if given another query with similar associated data; receiving another query with similar associated data at the backend service in which the similar associated data is received with the query or received via one or more subsequent communications, or via a combination of both; and returning a response corresponding to the other query including a result indicating that malware was not detected. (Dependent claims: 18, 19, 20)
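The following is an added illustration of the backend behaviour described in the abstract and in claims 12 and 17; it is example code written for this page, not the patent's own implementation or any assignee's product. The feature names, weights, verdict thresholds, the near-duplicate counting used to spot probing, the noise rates and the `SequenceRng` test helper are all assumptions chosen to make the mechanism concrete. The hidden weights never leave the backend; a client sees only a verdict string, a request for more data (claim 12), or an inconclusive answer, and once a client's queries start looking like boundary probing the same malware sample can come back as "clean" (claim 17).

```python
"""Toy backend antimalware oracle: hidden, updateable logic, noisy verdicts, probe detection.

Constructed example for illustration. Feature names, weights, thresholds and the
probe heuristic are assumptions, not the patent's implementation.
"""
import random
from collections import defaultdict, deque

MALWARE, CLEAN, INCONCLUSIVE, NEED_MORE = "malware", "clean", "inconclusive", "need_more_data"

# Hidden detection logic: weights over features the frontend extracts from a sample.
# These stay on the backend; the frontend only ever sees verdict strings.
TOY_WEIGHTS = {
    "packed": 0.35,
    "writes_run_key": 0.30,
    "disables_defender": 0.40,
    "net_beacon": 0.25,
    "signed_by_known_vendor": -0.50,
}


class SequenceRng:
    """Deterministic stand-in for random.Random (demos and tests only)."""

    def __init__(self, values):
        self._values = list(values)
        self._i = 0

    def random(self):
        v = self._values[self._i % len(self._values)]
        self._i += 1
        return v


class AntimalwareBackend:
    def __init__(self, weights, rng=None, base_noise=0.05, probe_noise=0.5,
                 probe_limit=5, window=50, hi=0.6, lo=0.2):
        self._weights = dict(weights)
        self._rng = rng if rng is not None else random.SystemRandom()
        self._base_noise, self._probe_noise = base_noise, probe_noise
        self._probe_limit, self._hi, self._lo = probe_limit, hi, lo
        self._recent = defaultdict(lambda: deque(maxlen=window))  # per-client query history
        self._near_dups = defaultdict(int)  # near-duplicate queries seen per client

    def update_logic(self, weights):
        """Hot-swap the detection logic; clients only ever observe changed verdicts."""
        self._weights = dict(weights)

    def is_probing(self, client):
        return self._near_dups[client] >= self._probe_limit

    def handle_query(self, client, query):
        features = query.get("features")
        if not features:
            return NEED_MORE  # claim 12: request more associated data before deciding
        probing = self._record(client, features)
        verdict = self._verdict(self._score(features))
        # Unpredictability mechanism: a small base flip rate always, a large one
        # once the client looks like it is mapping the decision boundary.
        noise = self._probe_noise if probing else self._base_noise
        if verdict in (MALWARE, CLEAN) and self._rng.random() < noise:
            verdict = CLEAN if verdict == MALWARE else MALWARE  # claim 17: different result
        return verdict

    def _score(self, features):
        return sum(self._weights.get(k, 0.0) * float(v) for k, v in features.items())

    def _verdict(self, score):
        if score >= self._hi:
            return MALWARE
        if score <= self._lo:
            return CLEAN
        return INCONCLUSIVE  # borderline: say nothing useful about the boundary

    @staticmethod
    def _similar(a, b):
        """Two feature sets differing in at most one feature count as a probe pair."""
        return sum(1 for k in set(a) | set(b) if a.get(k) != b.get(k)) <= 1

    def _record(self, client, features):
        recent = self._recent[client]
        if any(self._similar(features, f) for f in recent):
            self._near_dups[client] += 1
        recent.append(dict(features))
        return self.is_probing(client)


if __name__ == "__main__":
    backend = AntimalwareBackend(TOY_WEIGHTS)
    sample = {"packed": 1, "writes_run_key": 1, "disables_defender": 1}  # constructed sample
    print("alice:", backend.handle_query("alice", {"features": sample}))
    for i in range(8):  # attacker toggles one feature per query to map the boundary
        probe = dict(sample, net_beacon=i % 2)
        print("attacker probe", i, backend.handle_query("attacker", {"features": probe}),
              "(probing detected)" if backend.is_probing("attacker") else "")
```

With a real RNG the attacker's run becomes unpredictable once `probe_limit` near-duplicate queries have been seen; the deterministic `SequenceRng` exists only so the flip behaviour can be shown and checked exactly. Feature extraction is left to the frontend, which is why the backend can answer `need_more_data` when a query arrives without features.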
Specification