ANTI-MALWARE DEVICE, ANTI-MALWARE SYSTEM, ANTI-MALWARE METHOD, AND RECORDING MEDIUM IN WHICH ANTI-MALWARE PROGRAM IS STORED

US 20180004939A1
Filed: 01/21/2016
Published: 01/04/2018
Est. Priority Date: 01/29/2015
Status: Active Grant

First Claim

Patent Images

1. An anti-malware device comprising:

a storage unit configured to store risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device;

a subject attribution collection unit configured to collect the value indicating the attribution of the first information processing device from outside;

a object attribution collection unit configured to collect the value indicating the attribution of the software from outside; and

a determination unit configured to determine that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected by the subject attribution collection unit and the object attribution collection unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anti-malware device 50 includes: a risk information storage unit 51 in which risk information 510 is stored, in which there are associated a value indicating an attribution of an information processing device 60 for executing software 600, a value indicating an attribution of the software 600, and a value that indicates the degree of risk when the software 600 is executed; a subject attribution collection unit 53 for collecting the value indicating the attribution of the information processing device 60; an object attribution collection unit 54 for collecting the value indicating the attribution of the software 600; and a determination unit 55 for determining that the software 600 is malware when the value indicating the degree of risk obtained by comparing the risk information 510 and the values collected by the subject attribution collection unit 53 and object attribution collection unit 54 satisfies a criterion.

16 Citations

View as Search Results

21 Claims

1. An anti-malware device comprising:
- a storage unit configured to store risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device;
  
  a subject attribution collection unit configured to collect the value indicating the attribution of the first information processing device from outside;
  
  a object attribution collection unit configured to collect the value indicating the attribution of the software from outside; and
  
  a determination unit configured to determine that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected by the subject attribution collection unit and the object attribution collection unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The anti-malware device according to claim 1, further comprisinga transfer unit configured to transfer the software to a second information processing device when the determination unit determines that the software is malware, and then cause the second information processing device to execute the software.
  - 3. The anti-malware device according to claim 2, further comprisingan internal state collection unit configured to collect information indicating an internal state from the second information processing device after the transfer unit transfers the software to the second information processing device and before the second information processing device is caused to execute the software.
  - 4. The anti-malware device according to claim 3, whereinthe transfer unit transfers the software to the second information processing device being a virtual machine, andthe internal state collection unit collects a snapshot of the second information processing device before the second information processing device is caused to execute the software.
  - 5. The anti-malware device according to claim 3, whereinthe internal state collection unit-collects information indicating an operation of the software being executed by the second information processing device and stores the collected information into the storage unit as the risk information.
  - 6. The anti-malware device according to claim 5, whereinthe internal state collection unit collects at least one of an IP address of a communication destination device, a communication frequency, an argument of a system call, and a frequency of the system call, as the information indicating the operation of the software being executed by the second information processing device.
  - 7. The anti-malware device according to claim 1, further comprisinga risk information collection unit configured to collect the risk information from an accessible external device via a communication network connected in a communicable manner, and store the collected risk information into the storage unit.
  - 8. The anti-malware device according to claim 1, whereinthe subject attribution collection unit collects an IP address assigned to the first information processing device from the first information processing device.
  - 9. The anti-malware device according to claim 1, whereinthe object attribution collection unit collects a hash value obtained by inputting a binary code of the software to a hash function.
  - 10. The anti-malware device according to claim 8, whereinthe storage unit stores the risk information in which the IP address assigned to the first information processing device is associated with an identifier capable of identifying an organization which owns the first information processing device or in which the first information processing device is installed.
  - 11. The anti-malware device according to claim 9, whereinthe storage unit stores the risk information in which the hash value is associated with information relating to a development source which developed the software.
  - 12. The anti-malware device according to claim 1, whereinthe storage unit stores the risk information in which a content of a security policy applied to the first information processing device is associated with a value indicating the degree of risk when an operation that is non-conforming to the security policy is performed at a time when the first information processing device executes the software.
  - 13. The anti-malware device according to claim 1, whereinthe storage unit stores the risk information in which the value indicating the degree of risk is associated with information indicating a content of an event occurring when the first information processing device executes the software.
  - 14. The anti-malware device according to claim 10, whereinthe storage unit stores the risk information in which there are associated the identifier capable of identifying the organization which owns the first information processing device or by which the first information processing device is installed, information relating to the development source which developed the software, and the value indicating the degree of risk.

15. An anti-malware system comprising:
- an anti-malware device including;
  
  a storage unit configured to store risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device;
  
  a subject attribution collection unit configured to collect the value indicating the attribution of the first information processing device from outside;
  
  an object attribution collection unit configured to collect the value indicating the attribution of the software from outside; and
  
  a determination unit configured to determine that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected by the subject attribution collection unit and the object attribution collection unit; and
  
  the first information processing device and the second information processing device.

16. An anti-malware method comprising, when storage unit stores risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device:
- by a third information processing device,collecting the value indicating the attribution of the first information processing device from outside;
  
  collecting the value indicating the attribution of the software from outside; and
  
  determining that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected, indicating the attribution of the first information processing device and the attribution of the software.
- View Dependent Claims (17, 18)
- - 17. The anti-malware method according to claim 16, wherein,when it is determined that the software is malware, the software is transferred to a second information processing device and then the second information processing device is caused to execute the software.
  - 18. The anti-malware method according to claim 17, whereininformation indicating an internal state is collected from the second information processing device after the software is transferred to the second information processing device and before the second information processing device is caused to execute the software.

19. A non-transitory computer readable recording medium storing an anti-malware program for causing a computer accessible to storage unit for storing risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device, to execute:
- a subject attribution collection process of collecting the value indicating the attribution of the first information processing device from outside;
  
  an object attribution collection process of collecting the value indicating the attribution of the software from outside; and
  
  a determination process of determining that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected in the subject attribution collection process and the object attribution collection process.
- View Dependent Claims (20, 21)
- - 20. The non-transitory computer readable recording medium storing the anti-malware program according to claim 19, further causing the computer to executea transfer process of causing a second information processing device to execute the software after the software is transferred to the second information processing device, when it is determined in the determination process that the software is malware.
  - 21. The non-transitory computer readable recording medium storing the anti-malware program according to claim 20, further causing the computer to executean internal state collection process of collecting information indicating an internal state from the second information processing device after the software is transferred to the second information processing device in the transfer process and before the second information processing device is caused to execute the software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
KAWAKITA, Masaru

Granted Patent

US 10,482,240 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/57   Certifying or maintaining t...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

ANTI-MALWARE DEVICE, ANTI-MALWARE SYSTEM, ANTI-MALWARE METHOD, AND RECORDING MEDIUM IN WHICH ANTI-MALWARE PROGRAM IS STORED

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

ANTI-MALWARE DEVICE, ANTI-MALWARE SYSTEM, ANTI-MALWARE METHOD, AND RECORDING MEDIUM IN WHICH ANTI-MALWARE PROGRAM IS STORED

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links