SHORT-RANGE MOBILE HONEYPOT FOR SAMPLING AND TRACKING THREATS

US 20130091570A1
Filed: 09/15/2009
Published: 04/11/2013
Est. Priority Date: 09/15/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of sampling files for malware tracking on a mobile device, the computer-implemented method comprising:

receiving a sampling module deployed to the mobile device, the sampling module performing steps comprising;

configuring file transfer mechanisms that use short-range communication technology on the mobile device to appear, to other devices, to be open for accepting attempts to transfer files;

intercepting files transferred via the short-range communication technology to the mobile device from another device;

quarantining the files transferred to the mobile device;

logging identifying information about the files quarantined and about the other devices from which the files originated, wherein logging identifying information comprises actively scanning each of the other devices from which the files originated to acquire identifying information about the other devices, and the identifying information logged about each of the other devices comprises a device type and an identification of ports on the other devices that are open for sharing files; and

providing the logged identifying information for the files received to a security server for malware tracking.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Files received by a mobile device are sampled for malware tracking. The method includes configuring file transfer mechanisms that use short-range communication technology on the mobile device to appear, to other devices, to be open for accepting all attempts to transfer files. The method further comprises intercepting files transferred via the short-range communication technology to the mobile device from another device. The method also comprises quarantining the files transferred to the mobile device and logging identifying information about each of the files quarantined and about the other devices from which each of the files originated. The method further includes providing the logged identifying information for the files received to a security server. The method can also include, responsive to a request from the security server for more information about one of the files, providing a copy of that file to the security server for malware analysis and for updating a reputation system tracking mobile device malware.

Citations

21 Claims

1. A computer-implemented method of sampling files for malware tracking on a mobile device, the computer-implemented method comprising:
- receiving a sampling module deployed to the mobile device, the sampling module performing steps comprising;
  
  configuring file transfer mechanisms that use short-range communication technology on the mobile device to appear, to other devices, to be open for accepting attempts to transfer files;
  
  intercepting files transferred via the short-range communication technology to the mobile device from another device;
  
  quarantining the files transferred to the mobile device;
  
  logging identifying information about the files quarantined and about the other devices from which the files originated, wherein logging identifying information comprises actively scanning each of the other devices from which the files originated to acquire identifying information about the other devices, and the identifying information logged about each of the other devices comprises a device type and an identification of ports on the other devices that are open for sharing files; and
  
  providing the logged identifying information for the files received to a security server for malware tracking.
- View Dependent Claims (2, 3, 4, 6, 21)
- - 2. The method of claim 1, further comprising, responsive to a request from the security server for more information about one of the files, providing a copy of that file to the security server for malware analysis and for updating a reputation system tracking mobile device malware.
  - 3. The method of claim 1, wherein the logged identifying information about each of the files comprises a physical location from which the file was obtained.
  - 4. The method of claim 3, wherein the physical location is determined using technology selected from the group consisting of:
    - GPS and cellular triangulation.
  - 6. The method of claim 1, wherein logging identifying information further comprises emulating the mobile device to respond to an information gathering request from one of the other devices from which one of the files originated.
  - 21. The method of claim 1, further comprising receiving a response from the security server, the response comprising reputation information about the files originated from the other devices.

5. (canceled)

7. (canceled)

8. A non-transitory computer-readable storage medium storing executable computer program instructions for sampling files for malware tracking on a mobile device, the computer program instructions comprising instructions for performing steps comprising:
- receiving a sampling module deployed to the mobile device, the sampling module performing steps comprising;
  
  configuring file transfer mechanisms that use short-range communication technology on the mobile device to appear, to other devices, to be open for accepting attempts to transfer files;
  
  intercepting files transferred via the short-range communication technology to the mobile device from another device;
  
  quarantining the files transferred to the mobile device; and
  
  logging identifying information about the files quarantined and about the other devices from which the files originated, wherein logging identifying information comprises actively scanning each of the other devices from which the files originated to acquire identifying information about the other devices, and the identifying information logged about each of the other devices comprises a device type and an identification of ports on the other devices that are open for sharing files;
  
  providing the logged identifying information for the files received to a security server for malware tracking
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-readable storage medium of claim 8, wherein the logged identifying information about the files comprises a name of the file, a date that the file was received, and a time that the file was received.
  - 10. The computer-readable storage medium of claim 8, wherein the logged identifying information about each of the files comprises a network medium used to send the file.
  - 11. The computer-readable storage medium of claim 8, wherein the logged identifying information about each of the files comprises one or more peer identifiers associated with the file.
  - 12. The computer-readable storage medium of claim 8, wherein the logged identifying information comprises information about a security configuration of the mobile device, the information selected from the group consisting of:
    - a firewall configuration, a list of interfaces that are active on the mobile device, and a visibility of the mobile device on a short range communication network.
  - 13. The computer-readable storage medium of claim 8, wherein the mobile device is one of a plurality of mobile devices executing a sampling module for performing the steps, each mobile device acting as a honeypot that gathers data about mobile device attackers providing malware files and submits the gathered data to the security server to seed a reputation system with data about mobile device malware.

14. A computer-implemented method of sampling files for malware tracking on mobile devices, the computer-implemented method comprising:
- deploying sampling modules to a plurality of mobile devices having file transfer mechanisms using short-range communication technology, the file transfer mechanisms of the mobile devices being configured by the sampling modules to appear, to other devices, to be open for accepting all attempts to transfer files;
  
  periodically receiving, from the sampling modules, logged identifying information about a plurality of files intercepted and quarantined by the sampling modules and about the other devices from which the files originated, wherein the logged identifying information is obtained by actively scanning, by the sampling modules, the other devices from which the files originated to acquire identifying information about the other devices, and the logged identifying information about the other devices comprises device types and identifications of ports on the other devices that are open for sharing files;
  
  requesting, from the sampling modules, copies of certain of the files for which logged information was received; and
  
  analyzing the requested copies to identify the files that contain malware.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer-implemented method of claim 14, further comprising updating a reputation system for tracking mobile device malware regarding the files identified to contain malware.
  - 16. The computer-implemented method of claim 15, wherein updating the reputation system further comprises seeding the reputation system with information about files determined to be mobile malware.
  - 17. The computer-implemented method of claim 15, wherein the identifying information received further comprises data regarding types of locations at which the mobile devices were located when the files were received, and wherein updating the reputation system further comprises providing to the reputation system the data regarding the types of locations for tracking location type distribution patterns of mobile malware.
  - 18. The computer-implemented method of claim 15, wherein the identifying information received further comprises data regarding geographic locations of the mobile devices, and wherein updating the reputation system further comprises providing to the reputation system geographic location information for the mobile devices on which malware was detected for tracking geographic distribution patterns of mobile malware.
  - 19. The computer-implemented method of claim 14, further comprising applying results of the malware analysis and information collected about locations of the mobile devices to customize heuristics for detecting malware, to create malware signature updates, and to generate security policies for malware management.
  - 20. The computer-implemented method of claim 14, wherein analyzing the requested copies further comprises executing the requested file copies in an emulator or on a virtual machine to observe whether the files exhibit malicious behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Reefedge Networks LLC (IPNav)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
McCorkendale, Bruce, Hernacki, Brian, Kelly, John P.

Granted Patent

US 8,528,080 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04W 12/128   Anti-malware arrangements, ...

SHORT-RANGE MOBILE HONEYPOT FOR SAMPLING AND TRACKING THREATS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SHORT-RANGE MOBILE HONEYPOT FOR SAMPLING AND TRACKING THREATS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links