SYSTEMS AND METHODS FOR DETERMINING MALICIOUS-DOWNLOAD RISK BASED ON USER BEHAVIOR

US 20160366167A1
Filed: 06/15/2015
Published: 12/15/2016
Est. Priority Date: 06/15/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for determining malicious-download risk based on user behavior, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads;

determining a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users;

analyzing download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk;

categorizing the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for determining malicious-download risk based on user behavior may include (1) identifying a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads, (2) determining a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users, (3) analyzing download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk, and (4) categorizing the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior. Various other methods, systems, and computer-readable media are also disclosed. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for determining malicious-download risk based on user behavior, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads;
  
  determining a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users;
  
  analyzing download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk;
  
  categorizing the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, further comprising increasing a security posture of the high-risk user in order to reduce the risk of the high-risk user becoming infected with malware.
  - 3. The computer-implemented method of claim 1, further comprising collecting additional data about the high-risk user in order to at least one of:
    - improve the accuracy of the high-risk pattern of download behavior at predicting malware infections;
      
      improve the accuracy of additional malware-infection-prediction systems.
  - 4. The computer-implemented method of claim 1, further comprising increasing the security posture of an organization that includes the high-risk user in order to reduce the risk of computing devices used by the organization becoming infected with malware.
  - 5. The computer-implemented method of claim 1, wherein identifying the set of high-risk users and the set of low-risk users comprises:
    - monitoring download behavior of a set of unclassified users over a predefined download monitoring time period;
      
      classifying users whose computing devices became infected with malware during the predefined download monitoring time period as the set of high-risk users;
      
      classifying users whose computing devices did not become infected with malware during the predefined download monitoring time period as the set of low-risk users.
  - 6. The computer-implemented method of claim 1, wherein the high-risk pattern of download behavior comprises at least one of:
    - a total number of files on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one file on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      at least one file that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users;
      
      a timestamp of a download of at least one file on a computing device used by the high-risk user to download files;
      
      a category of at least one file on a computing device used by the high-risk user to download files.
  - 7. The computer-implemented method of claim 1, wherein the high-risk pattern of download behavior comprises at least one of:
    - a total number of distinct file names on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one distinct file name on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      at least one distinct file name that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users;
      
      a timestamp of a download of at least one distinct file name on a computing device used by the high-risk user to download files.
  - 8. The computer-implemented method of claim 1, wherein the high-risk pattern of download behavior comprises at least one of:
    - a total number of distinct file paths on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one distinct file path on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      at least one distinct file path that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users;
      
      a timestamp of a creation of at least one distinct file path on a computing device used by the high-risk user to download files.
  - 9. The computer-implemented method of claim 1, further comprising:
    - periodically analyzing additional download behavior of a previously categorized user with an assigned risk category over an additional predefined time period in order to categorize the download behavior as high-risk or low-risk;
      
      adjusting the assigned risk category of the previously categorized user in response to determining that the download behavior of the previously categorized has changed with respect to the high-risk pattern of download behavior.
  - 10. The computer-implemented method of claim 1, further comprising:
    - identifying a new set of users that are at high risk for malicious downloads;
      
      updating the high-risk pattern of download behavior in response to at least one change in download behavior between the set of high-risk users and the new set of high-risk users.

11. A system for determining malicious-download risk based on user behavior, the system comprising:
- an identification module, stored in memory, that identifies a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads;
  
  a determination module, stored in memory, that determines a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users;
  
  an analysis module, stored in memory, that analyzes download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk;
  
  a categorization module, stored in memory, that categorizes the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior;
  
  at least one physical processor configured to execute the identification module, the determination module, the analysis module, and the categorization module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, further comprising a security module, stored in memory, that increases a security posture of the high-risk user in order to reduce the risk of the high-risk user becoming infected with malware.
  - 13. The system of claim 11, further comprising a security module, stored in memory, that collects additional data about the high-risk user in order to at least one of:
    - improve the accuracy of the high-risk pattern of download behavior at predicting malware infections;
      
      improve the accuracy of additional malware-infection-prediction systems.
  - 14. The system of claim 11, further comprising a security module, stored in memory, that increases the security posture of an organization that includes the high-risk user in order to reduce the risk of computing devices used by the organization becoming infected with malware.
  - 15. The system of claim 11, wherein the identification module identifies the set of high-risk users and the set of low-risk users by:
    - monitoring download behavior of a set of unclassified users over a predefined download monitoring time period;
      
      classifying users whose computing devices became infected with malware during the predefined download monitoring time period as the set of high-risk users;
      
      classifying users whose computing devices did not become infected with malware during the predefined download monitoring time period as the set of low-risk users.
  - 16. The system of claim 11, wherein the high-risk pattern of download behavior comprises at least one of:
    - a total number of files on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one file on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      at least one file that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users;
      
      a timestamp of a download of at least one file on a computing device used by the high-risk user to download files;
      
      a category of at least one file on a computing device used by the high-risk user to download files.
  - 17. The system of claim 11, wherein the high-risk pattern of download behavior comprises at least one of:
    - a total number of distinct file names on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one distinct file name on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      at least one distinct file name that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users;
      
      a timestamp of a download of at least one distinct file name on a computing device used by the high-risk user to download files.
  - 18. The system of claim 11, wherein the high-risk pattern of download behavior comprises at least one of:
    - a total number of distinct file paths on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one distinct file path on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      at least one distinct file path that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users;
      
      a timestamp of a creation of at least one distinct file path on a computing device used by the high-risk user to download files.
  - 19. The system of claim 11, wherein:
    - the analysis module periodically analyzes additional download behavior of a previously categorized user with an assigned risk category over an additional predefined time period in order to categorize the download behavior as high-risk or low-risk;
      
      the categorization module adjusts the assigned risk category of the previously categorized user in response to determining that the download behavior of the previously categorized has changed with respect to the high-risk pattern of download behavior.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads;
  
  determine a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users;
  
  analyze download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk;
  
  categorize the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Yumer, Leylya

Granted Patent

US 9,813,437 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

SYSTEMS AND METHODS FOR DETERMINING MALICIOUS-DOWNLOAD RISK BASED ON USER BEHAVIOR

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DETERMINING MALICIOUS-DOWNLOAD RISK BASED ON USER BEHAVIOR

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links