Computer Imposed Countermeasures Driven by Malware Lineage
First Claim
1. A method of mitigating risk of a cyberattack on an information technology asset, comprising:
determining by a computer system a value of a plurality of characteristics of a malware software item, where the characteristics comprise at least two of a file path identified in the malware software item, a file name identified in the malware software item, a name of an author of the malware software item, an identity of a compiler used to compile the malware software item, a domain name identified in the malware software item, an internet protocol address identified in the malware software item, an email address identified in the software item, and an identity of a programming language used to create the malware software item;
determining by the computer system a plurality of hashes of the malware software item, wherein each of the hashes corresponds to separate blocks of the malware software item;
comparing the malware software item by the computer system to a plurality of malware families, wherein each of the characteristics of the malware software item is compared to a corresponding characteristic of each of the malware families and each of the hashes of the malware software item is compared to a corresponding hash associated with the malware families;
based on comparing the malware software item to the malware families, associating the malware software item to one of the malware families; and
based on the malware family to which the malware software item is associated, taking action to mitigate vulnerability of the information technology asset to the malware software item.
Abstract
A system to identify and counter computer malware. The system comprises a processor, a memory, a data store comprising information about known computer malware, wherein the information about known computer malware is partitioned into a plurality of malware families, and comprising a plurality of mappings, wherein each mapping associates one malware family with at least one countermeasure for mitigating a risk to an information technology asset posed by the known computer malware associated with the malware family, and an application stored in the memory. The application analyzes a software artifact, determines characteristics of the software artifact, and determines a plurality of metrics, each metric representing a degree of match between the software artifact and one of the plurality of malware families. Based on the plurality of metrics, the application further determines a malware family that best matches the software artifact.
20 Claims
1. (Independent claim; reproduced in full above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system to identify and counter computer malware, comprising:
a processor;
a memory;
a first data store comprising information about known computer malware, wherein the information about known computer malware is partitioned into a plurality of malware families, and comprising a plurality of mappings, wherein each mapping associates one malware family with at least one countermeasure for mitigating a risk to an information technology asset posed by the known computer malware associated with the malware family;
a second data store comprising historical information about at least one of known malware attacks, cybercrimes, espionage, hack attacks, hacktivism; and
an application stored in the memory that, when executed by the processor, analyzes a software artifact identified to be present in an information technology asset, based on the analysis of the software artifact determines a plurality of characteristics of the software artifact, determines a plurality of metrics, each metric representing a degree of match between the software artifact and one of the plurality of malware families based on the characteristics of the software artifact and on the characteristics of each of the plurality of malware families stored in the first data store, analyzes historical information accessed from the second data store, based on the plurality of metrics and based on the analysis of historical information, determines a malware family that best matches the software artifact, responsive to the metric associated with the best match malware family exceeding a pre-defined threshold, determines the software artifact to be computer malware, responsive to determining the software artifact to be computer malware, identifies at least one countermeasure based on the mapping for the best match malware family, and causes the at least one countermeasure to be activated on the information technology asset.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A method of mitigating vulnerability of an information technology asset to a computer malware, comprising:
determining a value of each of a plurality of characteristics of a software artifact by a computer system;
comparing the characteristics of the software artifact to the characteristics of a plurality of families of known computer malware by the computer system;
associating the software artifact by the computer system to one of the plurality of families of known computer malware based on comparing the software artifact to the families of known computer malware;
selecting a countermeasure by the computer system from among a plurality of countermeasures based on the family of known computer malware that the software artifact is associated to and based on at least one of the characteristics of the software artifact; and
commanding the selected countermeasure to execute on the information technology asset.
Dependent claims: 16, 17, 18, 19, 20.
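The pipeline the three independent claims describe (per-block hashing and characteristic extraction from claim 1, a per-family match metric with a threshold and a family-to-countermeasure mapping from claim 8, and countermeasure selection driven by both the family and the artifact's own characteristics from claim 15) can be sketched end to end in Python. The following is an added worked example, not the patent's code and not from any product of the assignee. Every artifact, family record, hash set and countermeasure string in it is constructed; the compiler, language and author values are assumed to arrive from an external analysis tool as a metadata dictionary; the equal weighting of the two sub-scores, the 16-byte block size and the 0.5 threshold are arbitrary choices made for the illustration.

```python
import hashlib
import re
from dataclasses import dataclass

BLOCK_SIZE = 16  # deliberately small so the constructed artifact yields several blocks

# The characteristic kinds listed in claim 1.
CHARACTERISTIC_KEYS = ("file_path", "file_name", "author", "compiler",
                       "domain", "ip_address", "email", "language")


@dataclass
class MalwareFamily:
    """One partition of the known-malware store plus its countermeasure mapping (claim 8)."""
    name: str
    characteristics: dict   # values shared by the family's known members
    block_hashes: set       # per-block hashes taken from known members
    countermeasures: dict   # "default" -> list of actions; characteristic key -> template


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Hash each fixed-size block separately (claim 1), so a variant that keeps part
    of a known member's bytes still shares hashes with the family."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


# Indicator patterns. The domain pattern only accepts reserved TLDs because this
# example never scans anything but constructed bytes.
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+(?:example|test|invalid)\b", re.IGNORECASE)
WINPATH_RE = re.compile(rb"[A-Za-z]:\\(?:[^\\\x00\s]+\\)*[^\\\x00\s]+")


def extract_characteristics(data: bytes, metadata: dict) -> dict:
    """Determine the claim-1 characteristic values. String indicators are pulled from
    the bytes; compiler, language and author come from `metadata`, which this example
    assumes an external analysis tool has already produced."""
    chars = {k: v.lower() for k, v in metadata.items()}
    for key, rx in (("email", EMAIL_RE), ("ip_address", IPV4_RE),
                    ("domain", DOMAIN_RE), ("file_path", WINPATH_RE)):
        m = rx.search(data)
        if m:
            chars[key] = m.group(0).decode("ascii", "replace").lower()
    if "file_path" in chars:
        chars["file_name"] = chars["file_path"].rsplit("\\", 1)[-1]
    return chars


def hash_overlap(hashes: list, family: MalwareFamily) -> int:
    """How many of the artifact's block hashes also occur in the family."""
    return sum(1 for h in hashes if h in family.block_hashes)


def match_score(chars: dict, hashes: list, family: MalwareFamily) -> float:
    """Degree-of-match metric (claim 8): mean of the fraction of compared
    characteristics that agree and the fraction of blocks the family shares."""
    compared = [k for k in CHARACTERISTIC_KEYS
                if k in chars and k in family.characteristics]
    char_part = (sum(chars[k] == family.characteristics[k] for k in compared)
                 / len(compared)) if compared else 0.0
    hash_part = hash_overlap(hashes, family) / len(hashes) if hashes else 0.0
    return 0.5 * char_part + 0.5 * hash_part


def best_family(chars: dict, hashes: list, families: list, threshold: float = 0.5):
    """Pick the best-matching family; below the threshold the artifact is not
    declared malware (claim 8) and None is returned for the family."""
    scored = {f.name: match_score(chars, hashes, f) for f in families}
    name = max(scored, key=scored.get)
    return (name if scored[name] >= threshold else None), scored


def select_countermeasures(family: MalwareFamily, chars: dict) -> list:
    """Claim 15: actions come from the family mapping and are specialised with the
    artifact's own characteristic value wherever the mapping asks for one."""
    actions = list(family.countermeasures.get("default", []))
    for key, template in family.countermeasures.items():
        if key != "default" and key in chars:
            actions.append(template.format(chars[key]))
    return actions


def respond(data: bytes, metadata: dict, families: list, threshold: float = 0.5):
    """Full pipeline: characteristics -> block hashes -> family -> countermeasures."""
    chars = extract_characteristics(data, metadata)
    hashes = block_hashes(data)
    name, scored = best_family(chars, hashes, families, threshold)
    if name is None:
        return None, [], scored
    family = next(f for f in families if f.name == name)
    return name, select_countermeasures(family, chars), scored


# ---- constructed data: not real malware, not taken from the patent -------------
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"C:\\Users\\Public\\loader.dll\x00"
          + b"http://c2.lineage-demo.example/\x00"
          + b"10.0.0.7\x00"
          + b"reports@c2.lineage-demo.example\x00").ljust(128, b"\x00")
SAMPLE_META = {"compiler": "msvc", "language": "c++", "author": "buildbot-7"}

# A known member of family-a shares the sample's first 80 bytes (5 of its 8 blocks).
KNOWN_A = SAMPLE[:80] + b"different tail in the sibling build\x00"
KNOWN_B = b"\x7fELF\x01\x01\x01" + b"mirror.lineage-demo.test\x00" + b"go1.x\x00"

FAMILIES = [
    MalwareFamily("family-a",
                  {"compiler": "msvc", "language": "c++", "author": "buildbot-7",
                   "domain": "c2.lineage-demo.example", "file_name": "loader.dll",
                   "ip_address": "10.0.0.9"},
                  set(block_hashes(KNOWN_A)),
                  {"default": ["quarantine-file"],
                   "domain": "block-domain:{}", "ip_address": "block-ip:{}"}),
    MalwareFamily("family-b",
                  {"compiler": "gcc", "language": "go", "author": "unknown",
                   "domain": "mirror.lineage-demo.test"},
                  set(block_hashes(KNOWN_B)),
                  {"default": ["quarantine-file", "kill-process"]}),
]

if __name__ == "__main__":
    print(respond(SAMPLE, SAMPLE_META, FAMILIES))
```

Running the block classifies the constructed sample as family-a (five of its eight block hashes and five of six compared characteristics agree), and emits a quarantine action plus domain and IP blocks filled in from the sample's own indicators rather than from the family record; an artifact whose best score stays below the threshold comes back as `(None, [], scores)`, which is the claim-8 case where no countermeasure is activated.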