SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION

US 20130133071A1
Filed: 01/15/2013
Published: 05/23/2013
Est. Priority Date: 10/21/2008
Status: Active Grant

First Claim

Patent Images

1. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:

when the mobile communications device receives data, creates a hash identifier for the data, compares the data hash identifier against a database of known good data stored on the mobile communications device and does not obtain a positive match, receiving the data hash identifier at the server;

at the server, using a known bad component, comparing the received data hash identifier against a database stored in memory associated with the server containing hash identifiers of known bad data; and

,if the data hash identifier comparison by the known bad component results in a positive match, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as a cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of “known good,” “known bad,” and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device.

Citations

10 Claims

1. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- when the mobile communications device receives data, creates a hash identifier for the data, compares the data hash identifier against a database of known good data stored on the mobile communications device and does not obtain a positive match, receiving the data hash identifier at the server;
  
  at the server, using a known bad component, comparing the received data hash identifier against a database stored in memory associated with the server containing hash identifiers of known bad data; and
  
  ,if the data hash identifier comparison by the known bad component results in a positive match, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.
- View Dependent Claims (2)
- - 2. The method of claim 1 further comprising:
    - if the data hash identifier comparison at the server by the known bad component does not result in a positive match, then at the server, using a decision component, performing an analysis on the data hash identifier to determine if the data is safe or malicious;
      
      if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
      
      if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

3. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- after the mobile communications device receives data, and creates a hash identifier for the data, receiving the data hash identifier at the server;
  
  then, at the server, using a known bad component, comparing the received data hash identifier against a database stored in memory associated with the server containing hash identifiers of known bad data;
  
  if the data hash identifier comparison by the known bad component results in a positive match, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device;
  
  if the data hash identifier comparison at the server by the known bad component does not result in a positive match, then at the server, using a known good component, comparing the received data hash identifier against a database of identifiers of known good data stored in a memory associated with the server;
  
  at the server, if the comparison by the known good component results in a positive match, then sending an instruction by the server to the mobile communications device to allow the data to be processed by the mobile communication device;
  
  if the comparison by the known good component does not result in a positive match, then, at the server, using a decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  ,if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

4. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- after the mobile communications device receives data, creates a hash identifier for the data, using a known bad component, compares the received data hash identifier against a database stored in the mobile communications device memory containing hash identifiers of known bad data, receiving the data hash identifier at the server;
  
  then, if the data hash identifier comparison at the mobile communications device by the known bad component does not result in a positive match, then at the server, using a known good component, comparing the received data hash identifier against a database of identifiers of known good data stored in a memory associated with the server;
  
  at the server, if the comparison by the known good component results in a positive match, then sending an instruction by the server to the mobile communications device to allow the data to be processed by the mobile communication device;
  
  if the comparison by the known good component does not result in a positive match, then, at the server, using a decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

5. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- when the mobile communications device receives data, applies by a known good component logic on the data to determine if the data is safe and does not obtain a positive match, receiving the data from the mobile communication device at the server;
  
  at the server, applying by a known bad component, logic on the received data to determine if the data is safe and or recognizably malicious; and
  
  ,if the known bad component logic determines that the received data is recognizably malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.
- View Dependent Claims (6)
- - 6. The method of claim 5 further comprising:
    - if the known bad component logic does not determine that the received data is recognizably malicious, then at the server, using a decision component, performing an analysis on the received data to determine if the data is safe or malicious;
      
      if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
      
      if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

7. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- after the mobile communications device receives data, receiving the data at the server;
  
  at the server, applying by a known good component, logic on the data to determine if the data is safe;
  
  at the server, if the determination by the known good component logic results in a positive match, then sending an instruction by the server to the mobile communications device to allow the data to be processed by the mobile communication device;
  
  if the determination by the known good component logic does not result in a positive match, then, at the server, using a decision component, performing an analysis on the received data to determine if the data is safe or malicious;
  
  if the analysis by the decision component at the server determines that the received data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

8. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- after the mobile communications device receives data, receiving the data at the server;
  
  at the server, applying by a known good component, logic on the data to determine if the data is safe;
  
  at the server, if the determination by the known good component logic results in a positive match, then sending an instruction by the server to the mobile communications device to allow the data to be processed by the mobile communication device;
  
  if the determination by the known good component logic does not result in a positive match, then, at the server, applying by a known bad component logic to determine if the data is safe or recognizably malicious; and
  
  ,if the determination by the known bad component logic determines that the data is recognizably malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

9. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- after the mobile communications device receives data, receiving the data at the server;
  
  then, at the server, applying by a known bad component logic to the data to determine if the data is recognizably malicious;
  
  if the determination by the known bad component results in a positive match, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device;
  
  if the determination at the server by the known bad component does not result in a positive match, then at the server, applying by a known good component, logic to the data to determine if the data is safe;
  
  at the server, if the determination by the known good component results in a positive match, then sending an instruction by the server to the mobile communications device to allow the data to be processed by the mobile communication device;
  
  if the determination by the known good component does not result in a positive match, then, at the server, applying by a decision component logic to the data for performing an analysis on the data to determine if the data is safe or malicious;
  
  if the determination by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  ,if the determination by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

10. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- after the mobile communications device receives data, and applying by a known had component logic to the data to determine whether the data is recognizably malicious, receiving the data at the server;
  
  then, if the determination at the mobile communications device by the known bad component does not result in a positive match, then at the server, applying by a known good component logic to determine whether the data is safe;
  
  at the server, if the determination by the known good component results in a positive match, then sending an instruction by the server to the mobile communications device to allow the data to be processed by the mobile communication device;
  
  if the determination by the known good component does not result in a positive match, then, at the server, applying by a decision component logic to the data for performing an analysis on the data to determine if the data is safe or malicious;
  
  if the determination by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  if the determination by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick

Granted Patent

US 8,683,593 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04W 12/08   Access security

SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links