Method and system for detection and prediction of computer virus-related epidemics
Abstract
A system, method and computer program product for detection of epidemics caused by malware programs or computer viruses. Detection of local and global epidemics is performed automatically. The source of an epidemic is calculated and analyzed based on collected statistics. The spread of the epidemic is predicted, and an accurate prognosis of the time frame and the geographical areas of the spread is made. The prognosis is based on a calculated value of a “connection strength” coefficient, which reflects the volume of information exchange (i.e., the number and quality of connection channels) between countries. An epidemic is detected in its infancy, and its spread is monitored over time and across different countries, so that effective security and protection measures can be invoked in a timely manner.
17 Claims
1. A method for detecting a malware epidemic, the method being performed on a computer having a processor and a memory, the method comprising:
(a) detecting a malware-related threat;
(b) calculating an activity value for this threat based on parameters of the threat;
(c) setting a threshold value for the threat activity burst based on known bursts of the threat activity;
(d) setting a threshold value for a threat activity epidemic based on the known epidemics;
(e) comparing the threat activity value against the threat activity burst threshold;
(f) comparing the threat activity value against the threat activity epidemic threshold, if the threat activity exceeds the threat activity burst threshold;
(g) monitoring the threat activity over a selected time period, if the threat activity exceeds the activity epidemic threshold; and
(h) detecting the malware epidemic, if the threat activity persistently exceeds the activity epidemic threshold over the pre-set time period.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method for generating a prognosis for a malware epidemic, the method being performed on a computer having a processor and a memory, the method comprising:
detecting an epidemic in a source geographic area;
calculating connection strength coefficients between the source geographic area and other connected geographic areas;
calculating a probability of the epidemic for each of the connected geographic areas based on the connection strength coefficients between the source geographic area and the connected geographic area; and
calculating an activity level of the epidemic in each of the connected geographic areas for pre-set time increments, wherein the activity level is calculated based on malware parameters.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A system for detection of a malware-related epidemic, the system comprising:
a processor and a memory in a computer configured to implement a malware detection system;
a real-time processing database coupled to the malware detection system;
a defense module;
a white list database accessible by the malware detection system;
an anti-virus (AV) record database coupled to the defense module and accessible by the malware detection system; and
a deferred analyses database coupled to the real-time processing database,
wherein:
raw data received from the defense module by the real-time processing database is compared against the white list database;
the detection system receives the data from the real-time processing database and runs the data against the AV database;
the defense module determines if the data contains malware, and if malware is detected, the defense module calculates an activity level for the malware;
the defense module determines a source of the malware;
the defense module determines if the malware causes an epidemic; and
if the epidemic is detected, the defense module generates a prognosis for spread of the epidemic.
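As an added illustration of the two-tier threshold logic in claim 1 (this is not the patent's own code), the following Python implements steps (b) through (h) over a constructed activity series; the choice of threat parameters and weights, the rule for deriving thresholds from known peaks, and all sample values are assumptions.

```python
from collections import deque
from statistics import median


def activity_value(detections, hosts, countries, weights=(1.0, 2.0, 5.0)):
    """Step (b): one activity score from threat parameters.
    Parameters and weights are assumed; the claim only says 'based on parameters'."""
    return weights[0] * detections + weights[1] * hosts + weights[2] * countries


def threshold_from_history(known_peaks, margin=0.9):
    """Steps (c)/(d): threshold from known burst or epidemic peaks.
    Assumed rule: a fraction of the median historical peak."""
    return margin * median(known_peaks)


class EpidemicDetector:
    """Steps (e)-(h): two-tier comparison plus persistence over a window."""

    def __init__(self, burst_threshold, epidemic_threshold, window):
        self.burst_threshold = burst_threshold
        self.epidemic_threshold = epidemic_threshold
        self.window = window                # pre-set monitoring period (samples)
        self.recent = deque(maxlen=window)  # holds only values above the epidemic threshold

    def observe(self, activity):
        if activity <= self.burst_threshold:      # (e) nothing to escalate
            self.recent.clear()
            return "normal"
        if activity <= self.epidemic_threshold:   # (f) burst, but not epidemic level
            self.recent.clear()
            return "burst"
        self.recent.append(activity)              # (g) keep monitoring over the window
        if len(self.recent) < self.window:
            return "monitoring"
        return "epidemic"                         # (h) persistent over the whole window


def classify_series(activities, detector):
    """Feed a time series of activity values and return one state per sample."""
    return [detector.observe(a) for a in activities]


# Constructed history and series (not real telemetry).
BURST_THRESHOLD = threshold_from_history([40, 50, 60])        # 45.0
EPIDEMIC_THRESHOLD = threshold_from_history([200, 260, 240])  # 216.0

if __name__ == "__main__":
    series = [10, 50, 100, 230, 250, 220, 300, 100, 240]
    det = EpidemicDetector(BURST_THRESHOLD, EPIDEMIC_THRESHOLD, window=3)
    print(list(zip(series, classify_series(series, det))))
```

A single drop below the epidemic threshold resets the window, so a brief spike is reported as a burst or as "monitoring" and never as an epidemic on its own.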
Specification