METHOD AND APPARATUS FOR DETECTING A MALWARE IN FILES

US 20130276117A1
Filed: 12/19/2011
Published: 10/17/2013
Est. Priority Date: 12/31/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus for detecting a malware in files, comprising:

an acquisition unit configured to obtain from a file system information about a first time point when an interested folder is created by the file system, and information about a second time point when an interested file is created in the interested folder by the file system;

a candidate determination unit configured to determine whether the interested file is a candidate file to be subjected to a malware inspection, based on the information on the first and the second time point; and

an inspection unit configured to perform the malware inspection on the interested file determined to be the candidate file for the malware inspection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus for detecting a malware in files includes an acquisition unit configured to obtain from a file system information about a first time point when an interested folder is created by the file system, and information about a second time point when an interested file is created in the interested folder by the file system, a candidate determination unit configured to determine whether the interested file is a candidate file to be subjected to a malware inspection, based on the information on the first and the second time point, and an inspection unit configured to perform the malware inspection on the interested file determined to be the candidate file for the malware inspection.

9 Citations

View as Search Results

25 Claims

1. An apparatus for detecting a malware in files, comprising:
- an acquisition unit configured to obtain from a file system information about a first time point when an interested folder is created by the file system, and information about a second time point when an interested file is created in the interested folder by the file system;
  
  a candidate determination unit configured to determine whether the interested file is a candidate file to be subjected to a malware inspection, based on the information on the first and the second time point; and
  
  an inspection unit configured to perform the malware inspection on the interested file determined to be the candidate file for the malware inspection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1, wherein the candidate determination unit is configured to determine the interested file as the candidate file to be inspected in case that the second time point is behind a predetermined term from the first time point.
  - 3. The apparatus of claim 1, wherein the interested folder is associated with an operating system employing the file system.
  - 4. The apparatus of claim 3, wherein the interested folder has a folder name that is prohibited from being renamed by the operating system.
  - 5. The apparatus of claim 1, wherein the interested folder has a parent folder, and wherein the first time point is within a predetermined term from the time when the parent folder was created.
  - 6. The apparatus of claim 1, wherein the interested folder contains a plurality of files inclusive of the interested file, and the number of files created within a predetermined term from the first time point is larger than a threshold number.
  - 7. The apparatus of claim 2, wherein the predetermined term from the first time point is defined on the basis of a size of the folder.
  - 8. The apparatus of claim 2, wherein the interested folder contains a plurality of files inclusive of the interested file, and wherein the predetermined term from the first time point is defined based on a plurality of time points corresponding to creation of the plurality of files.
  - 9. The apparatus of claim 2, wherein the candidate determination unit is further configured to determine the interested file as the candidate file to be inspected in case that the first time point is behind the predetermined term.
  - 10. The apparatus of claim 2, wherein the acquisition unit is further configured to obtain from the file system information on a third time point, when the interested file is changed by the file system, and wherein the candidate determination unit is further configured to determine the interested file as the candidate file in case that the third time point is behind a predetermined term from the second time point.
  - 11. The apparatus of claim 2, wherein the candidate determination unit is further configured to determine the interested file as the candidate file in case that the second time point is behind a second predetermined time point.
  - 12. The apparatus of claim 1, wherein the inspection unit is further configured to receive a request to perform the malware inspection on the interested file when the interested file is determined as an candidate file, and not to perform the malware inspection on the interested file when it is determined that the interested file is not a candidate file.
  - 13. The apparatus of claim 12, wherein the inspection unit performs the malware inspection when it is requested to perform the malware inspection, and does not perform the malware inspection when it is requested not to perform the malware inspection.

14. A method for detecting a malware in files, the method comprising:
- obtaining from a file system information about a first time point when an interested folder is created by the file system and information about a second time point when an interested file is created in the interested folder by the file system;
  
  determining whether or not the interested file is a candidate file to be subjected to a malware inspection based on the information about the first and the second time point; and
  
  performing the malware inspection on the interested file determined to be the candidate file.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The method of claim 14, wherein said determining whether or not the interested file is a candidate file includes determining the interested file as a candidate file to be subjected to the malware inspection in case that the second time point is behind a predetermined term from the first time point.
  - 16. The method of claim 14, wherein the interested folder is associated with an operating system employing the file system.
  - 17. The method of claim 16, wherein the interested folder has a folder name that is prohibited from being renamed by the operating system.
  - 18. The method of claim 14, wherein the interested folder has a parent folder, and wherein the first time point is within a predetermined term from the time when the parent folder was created.
  - 19. The method of claim 14, wherein the interested folder contains a plurality of files inclusive of the interested file, and the number of files created within a predetermined term from the first time point is larger than a threshold number.
  - 20. The method of claim 15, wherein the predetermined term from the first time point is defined on the basis of a size of the folder.
  - 21. The method of claim 15, wherein the interested folder contains a plurality of files inclusive of the interested file, and wherein the predetermined term from the first time point is defined based on a plurality of time points corresponding to creation of the plurality of files.
  - 22. The method of claim 15, wherein said determining whether or not the interested file is a candidate file further includes determining the interested file as the candidate file in case that the first time point is behind the predetermined term.
  - 23. The method of claim 15, further comprising:
    - obtaining from the file system information about a third time point when the interested file is changed; and
      
      determining the interested file as the candidate file in case that the third time point is behind a predetermined term from the second time point.
  - 24. The method of claim 15, wherein said determining whether or not the interested file is a candidate file further includes determining the interested file as the candidate file in case that the second time point is behind a second predetermined time.
  - 25. A computer-readable storage medium which stores a computer program of a method for determining files to be subjected to a malware inspection in accordance with claim 14.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ahnlab Incorporated
Original Assignee
Ahnlab Incorporated
Inventors
Hwang, Kyu Beom

Granted Patent

US 9,129,109 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 2221/2151   Time stamp

METHOD AND APPARATUS FOR DETECTING A MALWARE IN FILES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR DETECTING A MALWARE IN FILES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links