Computer Imposed Countermeasures Driven by Malware Lineage

US 20160323295A1
Filed: 04/28/2015
Published: 11/03/2016
Est. Priority Date: 04/28/2015
Status: Active Grant

First Claim

Patent Images

1. A method of mitigating risk of a cyberattack on an information technology asset, comprising:

determining by a computer system a value of a plurality of characteristics of a malware software item, where the characteristics comprise at least two of a file path identified in the malware software item, a file name identified in the malware software item, a name of an author of the malware software item, an identity of a compiler used to compile the malware software item, a domain name identified in the malware software item, an internet protocol address identified in the malware software item, an email address identified in the software item, and an identity of a programming language used to create the malware software item;

determining by the computer system a plurality of hashes of the malware software item, wherein each of the hashes corresponds to separate blocks of the malware software item;

comparing the malware software item by the computer system to a plurality of malware families, wherein each of the characteristics of the malware software item is compared to a corresponding characteristic of each of the malware families and each of the hashes of the malware software item is compared to a corresponding hash associated with the malware families;

based on comparing the malware software item to the malware families, associating the malware software item to one of the malware families; and

based on the malware family to which the malware software item is associated, taking action to mitigate vulnerability of the information technology asset to the malware software item.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system to identify and counter computer malware. The system comprises a processor, a memory, a data store comprising information about known computer malware, wherein the information about known computer malware is partitioned into a plurality of malware families, and comprising a plurality of mappings, wherein each mapping associates one malware family with at least one countermeasure for mitigating a risk to an information technology asset posed by the known computer malware associated with the malware family, and an application stored in the memory. The application analyzes a software artifact, determines characteristics of the software artifact, and determines a plurality of metrics, each metric representing a degree of match between the software artifact and one of the plurality of malware families. Based on the plurality of metrics, the application further determines a malware family that best matches the software artifact.

35 Citations

View as Search Results

20 Claims

1. A method of mitigating risk of a cyberattack on an information technology asset, comprising:
- determining by a computer system a value of a plurality of characteristics of a malware software item, where the characteristics comprise at least two of a file path identified in the malware software item, a file name identified in the malware software item, a name of an author of the malware software item, an identity of a compiler used to compile the malware software item, a domain name identified in the malware software item, an internet protocol address identified in the malware software item, an email address identified in the software item, and an identity of a programming language used to create the malware software item;
  
  determining by the computer system a plurality of hashes of the malware software item, wherein each of the hashes corresponds to separate blocks of the malware software item;
  
  comparing the malware software item by the computer system to a plurality of malware families, wherein each of the characteristics of the malware software item is compared to a corresponding characteristic of each of the malware families and each of the hashes of the malware software item is compared to a corresponding hash associated with the malware families;
  
  based on comparing the malware software item to the malware families, associating the malware software item to one of the malware families; and
  
  based on the malware family to which the malware software item is associated, taking action to mitigate vulnerability of the information technology asset to the malware software item.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein taking action to mitigate vulnerability of the information technology asset comprises moving the malware software item to a quarantine area of memory of the information technology asset.
  - 3. The method of claim 1, wherein taking action to mitigate vulnerability of the information technology asset comprises reducing the frequency of execution of the malware software item.
  - 4. The method of claim 1, wherein taking action to mitigate vulnerability of the information technology asset comprises blocking receiving data packets received from a source internet protocol address that is identified as a characteristic of the malware family to which the malware software is associated.
  - 5. The method of claim 1, wherein taking action to mitigate vulnerability of the information technology asset comprises blocking transmission of data packets to a destination internet protocol address that is identified as a characteristic of the malware family to which the malware software is associated.
  - 6. The method of claim 1, wherein taking action to mitigate vulnerability of the information technology asset comprises blocking reception of emails from an email address that is identified as a characteristic of the malware family to which the malware software is associated.
  - 7. The method of claim 1, wherein the information technology asset is one of an application server, a web server, a database, a data store, a domain name system (DNS) server, a router, or a content server.

8. A system to identify and counter computer malware, comprising:
- a processor;
  
  a memory;
  
  a first data store comprising information about known computer malware, wherein the information about known computer malware is partitioned into a plurality of malware families, and comprising a plurality of mappings, wherein each mapping associates one malware family with at least one countermeasure for mitigating a risk to an information technology asset posed by the known computer malware associated with the malware family;
  
  a second data store comprising historical information about at least one of known malware attacks, cybercrimes, espionage, hack attacks, hacktivism; and
  
  an application stored in the memory that, when executed by the processoranalyzes a software artifact identified to be present in an information technology asset,based on the analysis of the software artifact determines a plurality of characteristics of the software artifact,determines a plurality of metrics, each metric representing a degree of match between the software artifact and one of the plurality of malware families based on the characteristics of the software artifact and on the characteristics of each of the plurality of malware families stored in the first data store,analyzes historical information accessed from the second data store,based on the plurality of metrics and based on the analysis of historical information, determines a malware family that best matches the software artifact,responsive to the metric associated with the best match malware family exceeding a pre-defined threshold, determines the software artifact to be computer malware,responsive to determining the software artifact to be computer malware, identifies at least one countermeasure based on the mapping for the best match malware family, andcauses the at least one countermeasure to be activated on the information technology asset.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the characteristics of the software artifact comprise two or more of an internet protocol address embedded in the software artifact, a domain name embedded in the software artifact, a uniform resource locator embedded in the software artifact, and malware creation information.
  - 10. The system of claim 9, wherein the malware creation information comprises at least one of an author name, a compiler used to compile the malware, a malware name, a version identity, a process name, a file size, and file meta information.
  - 11. The system of claim 8, wherein the characteristics of the software artifact comprise two or more of a data directory name, a registry key, an identity of a communication protocol, and a function signature.
  - 12. The system of claim 8, wherein the characteristics of the software artifact comprise two or more of a header section, a code section, a data segment section, a stack segment section, a heap segment section, and a disassembly code for binaries.
  - 13. The system of claim 8, wherein the characteristics of the software artifact comprise two or more of a language used in plaintext embedded in the software artifact, a content string, a geographic location where the software artifact was found, and an information technology asset configurations.
  - 14. The system of claim 8, wherein the countermeasure is one of blocking communication relative to an internet protocol address embedded in the software artifact, blocking communication relative to a domain name embedded in the software artifact, moving the software artifact to a quarantined area of memory of the information technology asset, and blocking communication from an email address embedded in the software artifact.

15. A method of mitigating vulnerability of an information technology asset to a computer malware, comprising:
- determining a value of each of a plurality of characteristics of a software artifact by a computer system;
  
  comparing the characteristics of the software artifact to the characteristics of a plurality of families of known computer malware by the computer system;
  
  associating the software artifact by the computer system to one of the plurality of families of known computer malware by the computer system based on comparing the software artifact to the families of known computer malware;
  
  selecting a countermeasure by the computer system from among a plurality of countermeasures based on the family of known computer malware that the software artifact is associated to and based on at least one of the characteristics of the software artifact; and
  
  commanding the selected countermeasure to execute on the information technology asset.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein comparing the characteristics of the software artifact to the characteristics of the families of known computer malware comprises determining a sum of matching scores for each family of known computer malware, where each matching scores of each family that is used in calculating the sum associated with that family is a metric representing the similarity between the value of a characteristic of the software artifact and the value of a corresponding characteristic of the malware family.
  - 17. The method of claim 16, wherein each sum of matching scores is a sum of weighted matching scores, where the weights represent a relative importance among the different characteristics.
  - 18. The method of claim 17, wherein the weights are different for each different malware family.
  - 19. The method of claim 17, wherein the weights are uniform for all of the malware families.
  - 20. The method of claim 17, wherein the weights are determined by a curve fitting algorithm based on the scores of a plurality of malware members of each family of malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Isight Partners, Inc.
Inventors
Joram, Sharwan Kumar, Jha, Shyam Prakash, Hartley, William Matthew, Sonthalia, Madhav

Granted Patent

US 9,892,261 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/145   the attack involving the pr...

Computer Imposed Countermeasures Driven by Malware Lineage

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer Imposed Countermeasures Driven by Malware Lineage

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links