Server-Side Malware Detection and Classification

US 20140047544A1
Filed: 08/09/2013
Published: 02/13/2014
Est. Priority Date: 08/09/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a plurality of networked units;

at least one detection and classification unit comprising a physical memory, a processor, and a network access module;

the at least one detection and classification unit being configured to;

collect interaction data from the plurality of networked units;

cluster collected interaction data of at least two networked units;

identify pattern(s) based on observed similarities in the clustered interaction data; and

make a security determination based at least in part on the identified pattern(s).

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server-side system that detects and classifies malware and other types of undesirable processes and events operating on network connected devices through the analysis of information collected from said network connected devices. The system receives information over a network connection and collects information that is identified as being anomalous. The collected information is analyzed by system process that can group data based on optimally suited cluster analysis methods. Upon clustering the information, the system can correlate an anomalous event to device status, interaction, and various elements that constitute environmental data in order to identify a pattern of behavior associated with a known or unknown strain of malware. The system further interprets the clustered information to extrapolate propagation characteristics of the strain of malware and determine a potential response action.

99 Citations

View as Search Results

11 Claims

1. A system, comprising:
- a plurality of networked units;
  
  at least one detection and classification unit comprising a physical memory, a processor, and a network access module;
  
  the at least one detection and classification unit being configured to;
  
  collect interaction data from the plurality of networked units;
  
  cluster collected interaction data of at least two networked units;
  
  identify pattern(s) based on observed similarities in the clustered interaction data; and
  
  make a security determination based at least in part on the identified pattern(s).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1 wherein the at least one detection and classification unit is configured to extrapolate propagation characteristics for identified malware.
  - 3. The system of claim 2 wherein the extrapolation is followed by the initiation of a response action to the identified malware.
  - 4. The system of claim 1 wherein the collection of the interaction data is based at least in part on detectable markers associated with at least one anomalous event.
  - 5. The system of claim 1 wherein the clustering of the collected interaction data is accomplished by the processor of the at least one detection and classification unit.
  - 6. The system of claim 1 wherein the observed similarities contain environmental data specific to a particular networked unit.
  - 7. The system of claim 1 wherein the at least one detection and classification unit communicates with the plurality of networked units through the network access module.
  - 8. The system of claim 7 wherein the at least one detection and classification unit communicates with the plurality networked units through a proxy.
  - 9. The system of claim 1 wherein said patterns for the plurality of networked units is associated with at least one of an environmental feature of said units and a behavioral feature of said units.
  - 10. The system of claim 9 wherein an environmental feature comprises at least one of a physical location associated with the unit;
    - a classification of the hardware of the unit;
      
      a classification of the software of the unit;
      
      information relating to a service provider providing access to a resource to the unit;
      
      usage information associated with the unit; and
      
      information relating to a social network accessed by the unit.
  - 11. The system of claim 9 wherein an behavioral feature comprises at least one of a value computed by the associated device;
    - a representation of the time it took to compute said value;
      
      the time at which said value was received; and
      
      a value representing an invalid response generated by the associated device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Jakobsson, Bjorn Markus

Granted Patent

US 9,411,955 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/14   for detecting or protecting...

Server-Side Malware Detection and Classification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

99 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Server-Side Malware Detection and Classification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links