Source independent file attribute tracking

US 7,739,278 B1
Filed: 08/22/2003
Issued: 06/15/2010
Est. Priority Date: 08/22/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method for gleaning file attributes independently of file format, the method comprising the steps of:

a non-application-specific file attribute manager receiving a plurality of files in a plurality of formats, the plurality of files including a plurality of copies of a selected file from the plurality of files;

the file attribute manager scanning the plurality of received files in the plurality of formats;

the file attribute manager gleaning file attributes from each of the plurality of scanned files based on a communications protocol used to receive each of the plurality of files, the file attribute manager gleaning different file attributes for different communications protocols;

the file attribute manager storing the file attributes gleaned from each of the plurality of scanned files as a plurality of records in a database;

the file attribute manager indexing specific file attributes gleaned from specific files according to contents of the specific files, the specific file attributes being stored as ones of the plurality of records in the database;

the file attribute manager storing a record for each of the plurality of copies of the selected file, each separate record indexed according to the contents of the selected file from the plurality of files, such that each separate record can be accessed by a single index;

examining one of the plurality of files;

retrieving from the plurality of records in the database a first record associated with the examined one of the plurality of files;

retrieving from the plurality of records in the database a second record associated with a malicious file;

analyzing the gleaned file attributes gleaned from the examined one of the plurality of files, the gleaned file attributes having been retrieved from the first record;

analyzing one or more attributes of the malicious file, the one or more attributes of the malicious file having been gleaned from the second record; and

determining whether a status of the examined one of the plurality of files is malicious, responsive to analyzing the gleaned file attributes and the one or more attributes of the malicious file.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A non-application specific file attribute manager (101) receives (201) a plurality of files (103) in a plurality of formats. The file attribute manager (101) scans (203) the plurality of received files (103), and gleans (205) attributes concerning each of the plurality of scanned files (103). The file attribute manager (101) stores (207) gleaned attributes concerning each of the scanned files (103) as records (105) in a database (107). The file attribute manager (101) indexes (209) the records (105) according to the contents of their associated files (103).

85 Citations

View as Search Results

20 Claims

1. A computer implemented method for gleaning file attributes independently of file format, the method comprising the steps of:
- a non-application-specific file attribute manager receiving a plurality of files in a plurality of formats, the plurality of files including a plurality of copies of a selected file from the plurality of files;
  
  the file attribute manager scanning the plurality of received files in the plurality of formats;
  
  the file attribute manager gleaning file attributes from each of the plurality of scanned files based on a communications protocol used to receive each of the plurality of files, the file attribute manager gleaning different file attributes for different communications protocols;
  
  the file attribute manager storing the file attributes gleaned from each of the plurality of scanned files as a plurality of records in a database;
  
  the file attribute manager indexing specific file attributes gleaned from specific files according to contents of the specific files, the specific file attributes being stored as ones of the plurality of records in the database;
  
  the file attribute manager storing a record for each of the plurality of copies of the selected file, each separate record indexed according to the contents of the selected file from the plurality of files, such that each separate record can be accessed by a single index;
  
  examining one of the plurality of files;
  
  retrieving from the plurality of records in the database a first record associated with the examined one of the plurality of files;
  
  retrieving from the plurality of records in the database a second record associated with a malicious file;
  
  analyzing the gleaned file attributes gleaned from the examined one of the plurality of files, the gleaned file attributes having been retrieved from the first record;
  
  analyzing one or more attributes of the malicious file, the one or more attributes of the malicious file having been gleaned from the second record; and
  
  determining whether a status of the examined one of the plurality of files is malicious, responsive to analyzing the gleaned file attributes and the one or more attributes of the malicious file.
- View Dependent Claims (2, 3, 4, 5, 6, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein:
    - specific types of file attributes are gleaned from a specific file as a function of a format of the specific file.
  - 3. The method of claim 1 wherein the file attribute manager indexing specific file attributes indexes according to a secure hash of the contents of each specific file.
  - 4. The method of claim 1 wherein the file attribute manager indexing specific file attributes indexes according to a cyclical redundancy check of the contents of each specific file.
  - 5. The method of claim 1 further comprising:
    - deleting records from the database after the records have been stored for a specific period of time.
  - 6. The method of claim 1 wherein the non-application-specific file attribute manager is incorporated into one selected from the group consisting of:
    - a firewall;
      
      an intrusion detection system;
      
      an intrusion detection system application proxy;
      
      a router;
      
      a switch;
      
      a standalone proxy;
      
      a server;
      
      a gateway;
      
      an anti-virus detection system; and
      
      a client.
  - 16. The method of claim 1 further comprising:
    - responsive to determining the status of the examined one of the plurality of files to be malicious, blocking the examined one of the plurality of files.
  - 17. The method of claim 1 further comprising:
    - responsive to determining the status of the examined one of the plurality of files to be legitimate, not blocking the examined one of the plurality of files.
  - 18. The method of claim 1 further comprising:
    - applying at least one rule specifying how to use the gleaned file attributes to process the examined one of the plurality of files.
  - 19. The method of claim 18 further comprising:
    - selecting the at least one rule from a plurality of rules to apply specifying how to use the gleaned file attributes to process the examined one of the plurality of files.
  - 20. The method of claim 1, wherein the plurality of files are received from a network connection.

7. A non-transitory computer-readable storage medium containing a computer program product for gleaning file attributes independently of file format, the computer program product comprising program code for:
- receiving a plurality of files in a plurality of formats, the plurality of files including a plurality of copies of a selected file from the plurality of files;
  
  scanning the plurality of received files in the plurality of formats;
  
  gleaning file attributes from each of the plurality of scanned files based on a communications protocol used to receive each of the plurality of files, the file attribute manager gleaning different file attributes for different communications protocols;
  
  storing the file attributes gleaned from each of the plurality of scanned files as a plurality of records in a database;
  
  indexing specific file attributes gleaned from specific files according to contents of the specific files, the specific file attributes being stored as ones of the plurality of records in the database;
  
  storing a record for each of the plurality of copies of the selected file, each separate record indexed according to the contents of the selected file from the plurality of files, such that each separate record can be accessed by a single index;
  
  examining one of the plurality of files;
  
  retrieving from the plurality of records in the database a first record associated with the one of the examined plurality of files;
  
  retrieving from the plurality of records in the database a second record associated with a malicious file;
  
  analyzing the gleaned file attributes gleaned from the examined one of the plurality of files, the gleaned file attributes having been retrieved from the first record;
  
  analyzing one or more attributes of the malicious file, the one or more attributes of the malicious file having been gleaned from the second record; and
  
  determining whether a status of the examined one of the plurality of files is malicious, responsive to analyzing the gleaned file attributes and the one or more attributes of the malicious file.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The computer program product of claim 7 further comprising:
    - program code for gleaning specific types of file attributes from a specific file as a function of a format of the specific file.
  - 9. The computer program product of claim 7 wherein the program code for indexing file attributes indexes according to a secure hash of the contents of each specific file.
  - 10. The computer program product of claim 7 wherein the program code for indexing file attributes indexes according to a cyclical redundancy check of the contents of each specific file.
  - 11. The computer program product of claim 7 further comprising:
    - program code for deleting records from the database after the records have been stored for a specific period of time.

12. A computer system for gleaning file attributes independently of file format, the computer system having a non-transitory computer readable storage medium storing computer-executable instructions, the computer-executable instructions comprising:
- a reception module, configured to receive a plurality of files in a plurality of formats, the plurality of files including a plurality of copies of a selected file from the plurality of files;
  
  a scanning module, configured to scan the plurality of received files in the plurality of formats, the scanning module communicatively coupled to the reception module;
  
  a gleaning module, configured to glean file attributes from each of the plurality of scanned files based on a communications protocol used to receive each of the plurality of files, the file attribute manager gleaning different file attributes for different communications protocols, the gleaning module communicatively coupled to the scanning module;
  
  a storage module, configured to store file attributes gleaned from each of the plurality of scanned files as a plurality of records in a database, the storage module communicatively coupled to the gleaning module;
  
  an indexing module, configured to index specific file attributes gleaned from specific files according to contents of the specific files, the specific file attributes being stored as ones of the plurality of records in the database, the indexing module communicatively coupled to the storage module;
  
  the storage module, further configured to store a record for each of the plurality of copies of the selected file, each separate record indexed according to the contents of the selected file from the plurality of files, such that each separate record can be accessed by a single index;
  
  an examining module, configured to examine one of the plurality of files, the examining module communicatively coupled to the storage module;
  
  a retrieval module, configured to retrieve from the plurality of records in the database a first record associated with the examined one of the plurality of files, the retrieval module communicatively coupled to the examining module and the storage module;
  
  the retrieval module, also configured to retrieve from the plurality of records in the database a second record associated with a malicious file;
  
  an analysis module, configured to analyze the gleaned file attributes gleaned from the examined one of the plurality of files, the gleaned file attributes having been retrieved from the first record;
  
  the analysis module communicatively coupled to the retrieval module;
  
  the analysis module, also configured to analyze one or more attributes of the malicious file, the one or more attributes of the malicious file having been gleaned from the second record; and
  
  a status module, configured to determine whether a status of the examined one of the plurality of files is malicious, responsive to analyzing the gleaned file attributes and the one or more attributes of the malicious file, the status module communicatively coupled to the analysis module.
- View Dependent Claims (13, 14, 15)
- - 13. The computer system of claim 12 wherein:
    - the gleaning module is further configured to glean specific types of file attributes from a specific file as a function of a format of the specific file.
  - 14. The computer system of claim 12 wherein the indexing module is further configured to index specific file attributes according to a secure hash of the contents of each specific file.
  - 15. The computer system of claim 12 wherein the indexing module is further configured to index specific file attributes according to a cyclical redundancy check of the contents of each specific file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E.
Primary Examiner(s)
Mahmoudi; Tony
Assistant Examiner(s)
Kim; Paul

Application Number

US10/645,989
Time in Patent Office

2,489 Days
Field of Search

707/3, 707/9, 707/10, 707/200, 707/104.1, 707/1, 709/205, 711/216, 726/24, 717/170
US Class Current

707/728
CPC Class Codes

G06F 16/10 File systems; File servers

Source independent file attribute tracking

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Source independent file attribute tracking

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links