MALWARE DATA ITEM ANALYSIS

US 20180046801A1
Filed: 10/06/2017
Published: 02/15/2018
Est. Priority Date: 07/03/2014
Status: Abandoned Application

First Claim

Patent Images

1. A computer network comprising:

a database configured to store file data items; and

one or more hardware computer processors configured to execute computer executable instructions in order to;

receive a first data item including a suspected malware file;

store, in the database, the first data item in association with at least one of;

a date of submission of the first data item, oran identifier of the person who submitted the first data item;

initiate an internal analysis of the first data item to generate an internal analysis information item;

transmit the first data item to an external analysis provider outside of the computer system for external analysis;

receive, from the external analysis provider, an external analysis information item; and

generate a graphical user interface presenting analysis information items associated with the first data item, the graphical user interface including at least;

a first node representing the first data item, anda second node representing the internal analysis information item.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure relate to a data analysis system that may automatically analyze a suspected malware file, or group of files. Automatic analysis of the suspected malware file(s) may include one or more automatic analysis techniques. Automatic analysis of may include production and gathering of various items of information related to the suspected malware file(s) including, for example, calculated hashes, file properties, academic analysis information, file execution information, third-party analysis information, and/or the like. The analysis information may be automatically associated with the suspected malware file(s), and a user interface may be generated in which the various analysis information items are presented to a human analyst such that the analyst may quickly and efficiently evaluate the suspected malware file(s). For example, the analyst may quickly determine one or more characteristics of the suspected malware file(s), whether or not the file(s) is malware, and/or a threat level of the file(s).

60 Citations

View as Search Results

18 Claims

1. A computer network comprising:
- a database configured to store file data items; and
  
  one or more hardware computer processors configured to execute computer executable instructions in order to;
  
  receive a first data item including a suspected malware file;
  
  store, in the database, the first data item in association with at least one of;
  
  a date of submission of the first data item, oran identifier of the person who submitted the first data item;
  
  initiate an internal analysis of the first data item to generate an internal analysis information item;
  
  transmit the first data item to an external analysis provider outside of the computer system for external analysis;
  
  receive, from the external analysis provider, an external analysis information item; and
  
  generate a graphical user interface presenting analysis information items associated with the first data item, the graphical user interface including at least;
  
  a first node representing the first data item, anda second node representing the internal analysis information item.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer system of claim 1, wherein the graphical user interface further includes a third node representing the external analysis information item, wherein the first, second, and third nodes are linked by edges in a graph or web.
  - 3. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute computer executable instructions in order to:
    - search the database for previously submitted data items matching the first data item; and
      
      generate a displayable notification indicating that the first data item was previously submitted.
  - 4. The computer system of claim 3, wherein the displayable notification indicates the date that the first data item was previously submitted.
  - 5. The computer system of claim 3, wherein the displayable notification indicates an identifier of the person who submitted the first data item.
  - 6. The computer system of claim 1, wherein nodes in the graphical user interface are user selectable icons.
  - 7. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute computer executable instructions in order to:
    - receive a submission of a second data item representing a suspected malware file; and
      
      generate a fourth node in the graphical user interface, the fourth node indicating the submission of the second data item.
  - 8. The computer system of claim 7, wherein the one or more hardware computer processors are further configured to execute computer executable instructions in order to:
    - compare an analysis information item of the second data item to at least one of the internal analysis information item or the external analysis information item;
      
      determine that the second data item and the first data item match; and
      
      in response to determining that the second data item and the first data item match, associate a second submission event with the first data item.
  - 9. The computer system of claim 8, wherein comparing the analysis information item of the second data item to at least one of the internal analysis information item or the external analysis information item includes:
    - calculating a hash of the second data item; and
      
      comparing the calculated hash to a previously calculated hash of the first data item.
  - 10. The computer system of claim 7, the graphical user interface including at least:
    - the first node representing the first data item,the second node representing the internal analysis information item,a third node representing the submission of the first data item, anda fourth node representing a submission of the second data item.
  - 11. The computer system of claim 10, the graphical user interface further including at least:
    - a fifth node representing the external analysis information item.
  - 12. The computer system of claim 11, wherein the graphical visualization further includes edges linking the first node to the second, third, fourth, and fifth nodes.
  - 13. The computer system of claim 7, wherein the one or more hardware computer processors are further configured to execute computer executable instructions in order to:
    - receive a submission of a third data item, the third data item representing another suspected malware file;
      
      compare the third data item with at least one of the first data item or the second data item;
      
      determine that at the third data item and at least one of the first data item or the second data item match;
      
      generate a fifth node in the graphical user interface, the fifth node indicating the submission of the third data item and linked to at least one of the first or third node; and
      
      provide a notification that the third data item was previously received.
  - 14. The computer system of claim 1, wherein the internal analysis includes at least calculation of a hash of the data item.
  - 15. The computer system of claim 14, wherein the hash is at least one of an MD5 hash of the first data item, a SHA-1 hash of the first data item, a SHA-256 hash of the first data item, an SSDeep hash of the first data item, or a size of the first data item.
  - 16. The computer system of claim 15, the external analysis includes analysis performed by at least a second computer system, and wherein the external analysis includes execution of the first data item in a sandboxed environment and analysis of the first data item by a third-party malware analysis service.
  - 17. The computer system of claim 16, wherein any payload provided by the first data item after execution of the first data item in the sandboxed environment is indicated as a node in the graphical user interface.
  - 18. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute computer executable instructions in order to:
    - share the first data item and associated analysis information items with a second computer system via a third computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Falk, Matthew, Yousaf, Timothy, Staehle, Joseph, Lemanowicz, Lucas, Noury, Sebastien, Lim, Robin, Glazer, Michael

Application Number

US15/726,917
Publication Number

US 20180046801A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/034   Test or assess a computer o...

H04L 63/105   Multiple levels of security

MALWARE DATA ITEM ANALYSIS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

MALWARE DATA ITEM ANALYSIS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links