SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION
First Claim
1. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
- providing data on the mobile communications device;
applying a hash function to the data to create a hash identifier for the data; and
comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in the mobile communications device memory; and
if the comparison by the known good component results in a positive match, then allowing the data to be processed by the mobile communications device.
9 Assignments
0 Petitions
Accused Products
Abstract
The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as a cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of “known good,” “known bad,” and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device.
-
Citations
21 Claims
-
1. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; applying a hash function to the data to create a hash identifier for the data; and comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in the mobile communications device memory; and if the comparison by the known good component results in a positive match, then allowing the data to be processed by the mobile communications device. - View Dependent Claims (2, 3)
-
-
4. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; applying by the known good component, logic on the data to determine if the data is safe; if the known good component logic determines that the data is safe, then allowing the data to be processed by the mobile communications device; if the known good component does not determine that the data is safe, then applying by the known bad component, logic on the data to determine if the data is malicious; and if the known bad component logic determines that the data is malicious, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (5)
-
-
6. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; applying by the known good component, logic on the data to determine if the data is safe; if the known good component logic determines that the data is safe, then allowing the data to be processed by the mobile communications device; if the known good component logic does not determine that the data is safe, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (7, 8)
-
-
9. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; comparing by the known good component, the data against a database of characteristics for known good data stored in the mobile communications device; and if the comparison by the known good component does not result in a positive match, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (10, 11)
-
-
12. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; applying a hash function to the data to create a hash identifier for the data; and comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in the mobile communications device memory; and if the comparison by the known good component does not result in a positive match, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (13, 14)
-
-
15. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
-
providing data on the mobile communications device; applying by the known good component, logic on the data to determine if the data is not safe; and if the known good component logic determines that the data is not safe, then rejecting the data from being processed by the mobile communications device. - View Dependent Claims (16, 17)
-
-
18. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
-
when the mobile communications device receives data, creates a hash identifier for the data, compares the data hash identifier against a database of known good data stored on the mobile communications device, does not obtain a positive match, compares the data hash identifier against a database stored on the mobile communications device containing hash identifiers of known bad data, and does not obtain a positive match, receiving the data at the server; at the server, using a decision component, performing an analysis on the data to determine if the data is safe or malicious; if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.
-
-
19. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
-
after the mobile communications device receives data, creates a hash identifier for the data, using a known bad component, compares the received data hash identifier against a database stored in the mobile communications device memory containing hash identifiers of known bad data, does not obtain a positive match, then compares the data hash identifier against a database of known good data stored on the mobile communications device and does not obtain a positive match, receiving the data at the server; at the server, using a decision component, performing an analysis on the data to determine if the data is safe or malicious; if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.
-
-
20. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
-
when the mobile communications device receives data, applies by a known good component logic on the data to determine if the data is safe, does not obtain a positive match, applies by a known bad component logic on the data to determine if the data is recognizably malicious, and does not obtain a positive match, receiving the data from the mobile communications device at the server; at the server, using a decision component, performing an analysis on the received data to determine if the data is safe or malicious; if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.
-
-
21. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
-
after the mobile communications device receives data, applying by a known bad component logic to the data to determine whether the data is recognizably malicious, does not obtain a positive match, then applying by known good component logic to the data to determine whether the data is safe and does not obtain a positive match, receiving the data at the server; at the server, applying by a decision component logic to the data for performing an analysis on the data to determine if the data is safe or malicious; if the determination by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and if the determination by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.
-
Specification