SYSTEM AND METHOD FOR DETECTION OF MALICIOUS DATA ENCRYPTION PROGRAMS

US 20170093886A1
Filed: 11/25/2015
Published: 03/30/2017
Est. Priority Date: 09/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detection of malicious encryption programs, the method comprising:

intercepting, at a server, a file operation request from a client device on a file stored on the server;

creating and saving a backup copy of the file at the server;

collecting information about at least the client device, the requested file and the requested operation;

determining, by a hardware processor of the server, based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation;

when the file operation request came from an unknown encryption program, calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file;

calculating, by the hardware processor, a difference between the calculated entropies;

when the difference is below a threshold, allowing the requested operation on the file; and

when the difference is above the threshold, denying the requested operation on the file and restoring the backup copy of the file at the server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detection of malicious encryption programs, the method comprising: intercepting, at a server, a file operation request from a client on a file stored on the server; collecting information about at least the requested file and the requested operation; determining, by a hardware processor of the server, based on the collected information, whether the file operation request came from a known malicious encryption program; when the file operation request came from an unknown program, then calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file; and calculating, by the hardware processor, a difference between the calculated entropies; when the difference is below a threshold, allowing the requested operation on the file; and when the difference is above the threshold, denying the requested operation on the file.

43 Citations

View as Search Results

21 Claims

1. A method for detection of malicious encryption programs, the method comprising:
- intercepting, at a server, a file operation request from a client device on a file stored on the server;
  
  creating and saving a backup copy of the file at the server;
  
  collecting information about at least the client device, the requested file and the requested operation;
  
  determining, by a hardware processor of the server, based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation;
  
  when the file operation request came from an unknown encryption program, calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file;
  
  calculating, by the hardware processor, a difference between the calculated entropies;
  
  when the difference is below a threshold, allowing the requested operation on the file; and
  
  when the difference is above the threshold, denying the requested operation on the file and restoring the backup copy of the file at the server.
- View Dependent Claims (2, 3, 5, 6, 7)
- - 2. The method of claim 1, wherein intercepting a request to access a file stored on the server includes, intercepting the request by a file system driver filter.
  - 3. The method of claim 1, wherein intercepting a request to access a file stored on the server includes, intercepting a system function call and one or more parameters of the call.
  - 5. The method of claim 1, wherein collecting information about the requested file and the requested operation includes, collecting one or more of:
    - type of the requested file operation, and data buffers with original file contents and modified file contents.
  - 6. The method of claim 1, wherein, when the file operation request came from a known malicious encryption program, denying the requested operation on the file.
  - 7. The method of claim 1, wherein calculating entropies of at least a portion of the file includes, calculating entropies of at least portions of file headers before and after the execution of the requested operation on the file.

4. (canceled)

8. A system for detection of malicious encryption programs, the system comprising:
- a server having a hardware processor configured to;
  
  intercept a file operation request from a client device on a file stored on the server;
  
  create and save a backup copy of the file at the server;
  
  collect information about at least the client device, the requested file and the requested operation;
  
  determine based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation;
  
  when the file operation request came from an unknown encryption program, calculate entropies of at least a portion of the file before and after the execution of the requested operation on the file;
  
  calculate a difference between the calculated entropies;
  
  when the difference is below a threshold, allow the requested operation on the file; and
  
  when the difference is above the threshold, deny the requested operation on the file and restore the backup copy of the file at the server.
- View Dependent Claims (9, 10, 12, 13, 14)
- - 9. The system of claim 8, wherein, to intercept the request to access a file stored on the server, the processor is further configured to intercept the request by a file system driver filter.
  - 10. The system of claim 8, wherein, to intercept the request to access a file stored on the server, the processor is further configured to intercept a system function call and one or more parameters of the call.
  - 12. The system of claim 8, wherein, to collect the information about the requested file and the requested operation, the processor is further configured to collect one or more of:
    - type of the requested file operation, and data buffers with original file contents and modified file contents.
  - 13. The system of claim 8, wherein the processor is further configured to deny the requested operation on the file when the file operation request came from a known malicious encryption program.
  - 14. The system of claim 8, wherein, to calculate the entropies of at least a portion of the file, the processor is further configured to calculate entropies of at least portions of file headers before and after the execution of the requested operation on the file.

11. (canceled)

15. A non-transitory computer readable medium storing computer executable instructions for detection of malicious encryption programs, including instructions for:
- intercepting, at a server, a file operation request from a client device on a file stored on the server;
  
  creating and saving a backup copy of the file at the server;
  
  collecting information about at least the client device, the requested file and the requested operation;
  
  determining, based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation;
  
  when the file operation request came from an unknown encryption program, calculating entropies of at least a portion of the file before and after the execution of the requested operation on the file;
  
  calculating a difference between the calculated entropies;
  
  when the difference is below a threshold, allowing the requested operation on the file; and
  
  when the difference is above the threshold, denying the requested operation on the file and restoring the backup copy of the file at the server.
- View Dependent Claims (16, 17, 19, 20, 21)
- - 16. The non-transitory computer readable medium of claim 15, wherein intercepting a request to access a file stored on the server includes, intercepting the request by a file system driver filter.
  - 17. The non-transitory computer readable medium of claim 15, wherein intercepting a request to access a file stored on the server includes, intercepting a system function call and one or more parameters of the call.
  - 19. The non-transitory computer readable medium of claim 15, wherein collecting information about the requested file and the requested operation includes, collecting one or more of:
    - type of the requested file operation, and data buffers with original file contents and modified file contents.
  - 20. The non-transitory computer readable medium of claim 15, wherein, when the file operation request came from a known malicious encryption program, denying the requested operation on the file.
  - 21. The non-transitory computer readable medium of claim 15, wherein calculating entropies of at least a portion of the file includes, calculating entropies of at least portions of file headers before and after the execution of the requested operation on the file.

18. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Bykov, Oleg G., Ovcharik, Vladislav I.

Granted Patent

US 10,375,086 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 9/002   Countermeasures against att...

SYSTEM AND METHOD FOR DETECTION OF MALICIOUS DATA ENCRYPTION PROGRAMS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR DETECTION OF MALICIOUS DATA ENCRYPTION PROGRAMS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others