Method and system for detection and prediction of computer virus-related epidemics

US 7,743,419 B1
Filed: 12/06/2009
Issued: 06/22/2010
Est. Priority Date: 10/01/2009
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a malware epidemic, the method being performed on a computer having a processor and a memory, the method comprising:

(a) detecting a malware-related threat;

(b) calculating an activity value for this threat based on parameters of the threat;

(c) setting a threshold value for the threat activity burst based on known bursts of the threat activity;

(d) setting a threshold value for a threat activity epidemic based on the known epidemics;

(e) comparing the threat activity value against the threat activity burst threshold;

(f) comparing the threat activity value against the threat activity epidemic threshold, if the threat activity exceeds the threat activity burst threshold;

(g) monitoring the threat activity over a selected time period, if the threat activity exceeds the activity epidemic threshold; and

(e) detecting the malware epidemic, if the threat activity persistently exceeds the activity epidemic threshold over the pre-set time period.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for detection of epidemics caused by malware programs or computer viruses. Detection of local and global epidemics is performed automatically. A source of an epidemic is calculated and analyzed based on collected statistics. A spread of the epidemic is predicted and an accurate prognosis referring to the time frame and to geographical areas of the epidemic spread is made. The prognosis is made based on a calculated value of “connection strength” coefficient. The connection strength coefficient reflects a volume of information exchange (i.e., a number and a quality of connection channels) between the countries. An epidemic is detected in its infancy and its spread is monitored in time and propagation across different countries. Then, effective security and protection measures can be invoked in a timely manner.

65 Citations

View as Search Results

17 Claims

1. A method for detecting a malware epidemic, the method being performed on a computer having a processor and a memory, the method comprising:
- (a) detecting a malware-related threat;
  
  (b) calculating an activity value for this threat based on parameters of the threat;
  
  (c) setting a threshold value for the threat activity burst based on known bursts of the threat activity;
  
  (d) setting a threshold value for a threat activity epidemic based on the known epidemics;
  
  (e) comparing the threat activity value against the threat activity burst threshold;
  
  (f) comparing the threat activity value against the threat activity epidemic threshold, if the threat activity exceeds the threat activity burst threshold;
  
  (g) monitoring the threat activity over a selected time period, if the threat activity exceeds the activity epidemic threshold; and
  
  (e) detecting the malware epidemic, if the threat activity persistently exceeds the activity epidemic threshold over the pre-set time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the parameters of the threat are:
    - launches of applications;
      
      attacks on computer systems;
      
      attempts to exploit system security weaknesses; and
      
      file downloads.
  - 3. The method of claim 1, wherein the threat activity burst threshold is set according to the activity burst statistics of a geographic region where the malware-related threat is detected.
  - 4. The method of claim 1, wherein the threat activity epidemic threshold is set according to statistics of the epidemic activity of a geographic region where the malware-related threat is detected.
  - 5. The method of claim 1, wherein, if the threat activity value does not exceed the threat activity epidemic threshold, the activity is considered to be a burst of the threat activity.
  - 6. The method of claim 1, further comprising generating a prognosis for spreading of the epidemic.
  - 7. The method of claim 6, wherein the prognosis reflects a probability of the malware threat epidemic in another geographic area.
  - 8. The method of claim 6, wherein the prognosis reflects a level of activity of the malware threat epidemic once it spreads to another geographic area.

9. A method for generating a prognosis for malware epidemic, the method being performed on a computer having a processor and a memory, the method comprising:
- detecting an epidemic in a source geographic area;
  
  calculating connection strength coefficients between the source geographic area and other connected geographic areas;
  
  calculating a probability of the epidemic for each of the connected geographic areas based on the connection strength coefficients between the source geographic area and the connected geographic area; and
  
  calculating an activity level of the epidemic in each of the connected geographic areas for pre-set time increments,wherein the activity level is calculated based on malware parameters.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, further comprising determining a source of the epidemic by analyzing hash values of the malware files and distribution sources of the files.
  - 11. The method of claim 9, wherein the malware parameters are:
    - launches of applications;
      
      attacks on computer systems;
      
      attempts to exploit system security weaknesses; and
      
      file downloads.
  - 12. The method of claim 9, wherein the connection strength coefficients are calculated based on a number of connection channels between the geographic areas.
  - 13. The method of claim 9, wherein the connection strength coefficients are calculated based on volume of information exchange between the geographic areas.
  - 14. The method of claim 9, wherein the geographic areas are countries.
  - 15. The method of claim 9, wherein the geographic areas are regions within a country.
  - 16. The method of claim 9, wherein the prognosis is generated automatically upon detection of the epidemic.

17. A system for detection of a malware-related epidemic, the system comprising:
- a processor and a memory in a computer configured to implementa malware detection system;
  
  a real-time processing database coupled to the malware detection system;
  
  a defense module;
  
  a white list database accessible by the malware detection system;
  
  an anti-virus (AV) record database coupled to the defense module and accessible by the malware detection system; and
  
  a deferred analyses database coupled to the real-time processing database,wherein;
  
  raw data, received from the defense module by the real-time processing database is compared against the white list database;
  
  the detection system receives the data from the real-time processing database and runs the data against the AV data base;
  
  the defense module determines if the data contains malware; and
  
  if the malware is detected, the defense module calculates an activity level for the malware;
  
  the defense module determines a source of the malware;
  
  the defense module determines if the malware causes an epidemic; and
  
  if the epidemic is detected, the defense module generates a prognosis for spread of the epidemic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Namestnikov, Yury V., Zelensky, Pavel A., Mashevsky, Yury V., Denishchenko, Nikolay V.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US12/631,830
Time in Patent Office

198 Days
Field of Search

713/187, 713/188, 726/22, 726/23, 726/24, 726/25
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/562   Static detection

H04L 63/145   the attack involving the pr...

Method and system for detection and prediction of computer virus-related epidemics

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

65 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detection and prediction of computer virus-related epidemics

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links