Systems And Methods For Malware Detection And Mitigation

US 20150244732A1
Filed: 02/23/2015
Published: 08/27/2015
Est. Priority Date: 11/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring malware events in a computer networking environment, comprising the steps of:

identifying a plurality of suspect objects comprising data about network transactions or computer operations suspected of being linked to a security risk;

transmitting the suspect objects to an inspection service operating on one or more general purpose digital computers, wherein the inspection service inspects the suspect objects using a plurality of inspection methods to create digital information about the nature of the potential threat posed by the suspect objects;

transmitting said digital information to an analytical service operating on one or more general purpose digital computers, wherein the analytical service performs a plurality of analytical algorithms to categorize the suspect objects with one or more scores for each suspect object based on their security threat;

transmitting said one or more scores to a correlation facility which aggregates a plurality of scores, optionally with other information about each suspect objects, into the form of aggregate data representing one or more aggregate features of a plurality of suspect objects; and

generating an infection verification pack (IVP) comprising routines which, when run on an end-point machine within the computer networking environment, will mitigate a suspected security threat.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for monitoring malware events in a computer networking environment are described. The systems and methods including the steps of identifying a plurality of suspect objects comprising data about network transactions or computer operations suspected of being linked to a security risk; transmitting the suspect objects to an inspection service operating on one or more general purpose digital computers, wherein the inspection service inspects the suspect objects using a plurality of inspection methods to create digital information about the nature of the potential threat posed by the suspect objects; transmitting said digital information to an analytical service operating on one or more general purpose digital computers, wherein the analytical service performs a plurality of analytical algorithms to categorize the suspect objects with one or more scores for each suspect object based on their security threat; transmitting said one or more scores to a correlation facility which aggregates a plurality of scores, optionally with other information about each suspect objects, into the form of aggregate data representing one or more aggregate features of a plurality of suspect objects; and generating an infection verification pack (IVP) comprising routines which, when run on an end-point machine within the computer networking environment, will mitigate a suspected security threat.

180 Citations

7 Claims

1. A method for monitoring malware events in a computer networking environment, comprising the steps of:
- identifying a plurality of suspect objects comprising data about network transactions or computer operations suspected of being linked to a security risk;
  
  transmitting the suspect objects to an inspection service operating on one or more general purpose digital computers, wherein the inspection service inspects the suspect objects using a plurality of inspection methods to create digital information about the nature of the potential threat posed by the suspect objects;
  
  transmitting said digital information to an analytical service operating on one or more general purpose digital computers, wherein the analytical service performs a plurality of analytical algorithms to categorize the suspect objects with one or more scores for each suspect object based on their security threat;
  
  transmitting said one or more scores to a correlation facility which aggregates a plurality of scores, optionally with other information about each suspect objects, into the form of aggregate data representing one or more aggregate features of a plurality of suspect objects; and
  
  generating an infection verification pack (IVP) comprising routines which, when run on an end-point machine within the computer networking environment, will mitigate a suspected security threat.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising filtering the suspect objects based on reputation filtering, wherein the suspect objects are compared to a database of objects which have been previously scored by their reputation among a plurality of users of end-point machines who have used or executed the objects.
  - 3. The method of claim 1, wherein the inspection methods are selected from the group consisting of (a) instantiating and executing the suspect object within a sandboxed virtualized environment and inspecting its behavior;
    - (b) instantiating and executing the suspect object within an emulation environment and inspecting its behavior;
      
      (c) inspecting the suspect object statically to identify signatures of known malware; and
      
      (d) identification of command and control patterns in network communication;
  - 4. The method of claim 1, wherein the analytical algorithms comprises calculating a score representing probability that one or more of the suspect objects are malware based on a hierarchical Bayesian network.
  - 5. The method of claim 1, wherein the analytical algorithms comprises calculating a score representing probability that one or more of the suspect objects are malware based on a linear classifier based on a plurality of feature values, each feature value representing a characteristic of one or more suspect objects.
  - 6. The method of claim 1, wherein the analytical algorithms comprises classifying one or more suspect objects based on pre-defined heuristics.

7. A general purpose computer comprising:
- one or more processors, each comprising at least one arithmetic logic unit;
  
  a data receiver in connection with a networking environment;
  
  a digital memory;
  
  one or more interconnection busses configured to transmit data between the one or more processors, the data receiver, and the digital memory;
  
  wherein the digital memory is loaded with an executable application program comprising instructions to perform the steps of;
  
  identifying a plurality of suspect objects comprising data about network transactions or computer operations suspected of being linked to a security risk,transmitting the suspect objects to an inspection service operating on one or more general purpose digital computers, wherein the inspection service inspects the suspect objects using a plurality of inspection methods to create digital information about the nature of the potential threat posed by the suspect objects,transmitting said digital information to an analytical service operating on one or more general purpose digital computers, wherein the analytical service performs a plurality of analytical algorithms to categorize the suspect objects with one or more scores for each suspect object based on their security threat,transmitting said one or more scores to a correlation facility which aggregates a plurality of scores, optionally with other information about each suspect objects, into the form of aggregate data representing one or more aggregate features of a plurality of suspect objects, andgenerating an infection verification pack (IVP) comprising routines which, when run on an end-point machine within the computer networking environment, will mitigate a suspected security threat,wherein the step of transmitting the suspect objects to an inspection service comprises transmission to the data receiver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Original Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Inventors
Golshan, Ali, Gong, Fengmin, Jas, Frank, Bilogorskiy, Nick, Vu, Neal, Burt, Alexander, Lu, Chenghuai, Kenyan, Manikandan, Ting, Yucheng

Granted Patent

US 9,686,293 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/561   Virus type analysis

G06F 21/564   by virus signature recognition

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Systems And Methods For Malware Detection And Mitigation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

180 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Systems And Methods For Malware Detection And Mitigation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

180 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links