System, method and computer program product for context-driven behavioral heuristics

US 7,917,955 B1
Filed: 01/14/2005
Issued: 03/29/2011
Est. Priority Date: 01/14/2005
Status: Active Grant

First Claim

Patent Images

1. A security method for detecting unwanted data, comprising:

performing a scan for unwanted data to generate results of the scan;

identifying a context of the scan for the unwanted data utilizing a state machine; and

conditionally indicating the presence of the unwanted data based on both the results of the scan and the context of the scan;

wherein the context of the scan is identified utilizing a unique context identifier which is separate from the context of the scan and is capable of being used to identify the context of the scan during subsequent scans;

wherein the scan involves comparing a plurality of signatures with data;

wherein the signatures include heuristic signatures;

wherein the context of the scan is utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;

wherein a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan.

42 Citations

View as Search Results

30 Claims

1. A security method for detecting unwanted data, comprising:
- performing a scan for unwanted data to generate results of the scan;
  
  identifying a context of the scan for the unwanted data utilizing a state machine; and
  
  conditionally indicating the presence of the unwanted data based on both the results of the scan and the context of the scan;
  
  wherein the context of the scan is identified utilizing a unique context identifier which is separate from the context of the scan and is capable of being used to identify the context of the scan during subsequent scans;
  
  wherein the scan involves comparing a plurality of signatures with data;
  
  wherein the signatures include heuristic signatures;
  
  wherein the context of the scan is utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;
  
  wherein a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method as recited in claim 1, wherein the plurality of signatures are representative of the unwanted data, and wherein the results indicate whether a match is found.
  - 3. The method as recited in claim 1, wherein the results of the scan and the context of the scan are used in combination to improve a reliability of the detection of the unwanted data.
  - 4. The method as recited in claim 1, wherein the context of the scan reflects behavior over time.
  - 5. The method as recited in claim 1, wherein the context of the scan involves at least one file subject to the scan.
  - 6. The method as recited in claim 1, wherein the context of the scan involves at least one process subject to the scan.
  - 7. The method as recited in claim 1, wherein the context of the scan includes a registry change.
  - 8. The method as recited in claim 1, wherein the context of the scan includes network communication.
  - 9. The method as recited in claim 1, wherein the context of the scan includes user information.
  - 10. The method as recited in claim 1, wherein the context of the scan includes at least one change to at least one file.
  - 11. The method as recited in claim 1, wherein the context of the scan includes information on code execution.
  - 12. The method as recited in claim 1, wherein the context of the scan is used to determine a source of the unwanted data.
  - 13. The method as recited in claim 1, wherein the context of the scan is used to determine a persistence of the unwanted data.
  - 14. The method as recited in claim 1, wherein the context of the scan is used to determine a propagation of the unwanted data.
  - 15. The method as recited in claim 1, wherein the context of the scan is used to determine a stealth aspect of the unwanted data.
  - 16. The method as recited in claim 1, wherein the unwanted data includes potentially unwanted programs.
  - 17. The method as recited in claim 1, wherein the unwanted data includes spyware.
  - 18. The method as recited in claim 1, wherein the unwanted data includes malware.
  - 19. The method as recited in claim 1, wherein the method is utilized to counter terrorism by preventing infection of cyber-frameworks with malware initiated by terrorists.
  - 20. The method as recited in claim 1, wherein the unique context identifier includes a unique identification number.
  - 21. The method as recited in claim 1, wherein when an application writes data to a registry, a registry monitoring rule triggers, which blocks the data from being written to the registry and informs a scanner, where the scanner establishes the unique context identifier based on a current context.
  - 22. The method as recited in claim 1, wherein when an application attempts to open a port, a network monitoring rule triggers, which blocks the attempt to open the port and informs a scanner, where the scanner establishes the unique context identifier based on a current context.
  - 23. The method as recited in claim 1, wherein if the presence of the unwanted data is indicated based on both the results of the scan and the context of the scan, then a process associated with the unwanted data is terminated.
  - 24. The method as recited in claim 1, wherein the context of the scan includes a state related to the scan and the state machine includes anti-virus software.
  - 25. The method as recited in claim 1, wherein the unique context identifier is capable of being used to identify a previous context of at least one prior scan during the subsequent scans.
  - 26. The method as recited in claim 1, wherein the context of the scan includes a context of an entire scan for the unwanted data.

27. A security computer program product embodied on a tangible computer readable medium, comprising:
- computer code for performing a scan for unwanted data to generate results of the scan;
  
  computer code for identifying a context of the scan for the unwanted data utilizing a state machine; and
  
  computer code for conditionally indicating the presence of the unwanted data based on both the results of the scan and the context of the scan;
  
  wherein the security computer program product is operable such that the context of the scan is identified utilizing a unique context identifier which is separate from the context of the scan and is capable of being used to identify the context of the scan during subsequent scans;
  
  wherein the security computer program product is operable such that the scan involves comparing a plurality of signatures with data;
  
  wherein the signatures include heuristic signatures;
  
  wherein the security computer program product is operable such that the context of the scan is utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;
  
  wherein the security computer program product is operable such that a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.

28. A security system including a tangible computer readable medium, comprising:
- a scanner for performing a scan for unwanted data to generate results of the scan;
  
  wherein the security system is operable such that a context of the scan for the unwanted data is identified for conditionally indicating the presence of the unwanted data based on both the results of the scan and the context of the scan;
  
  wherein the security system is operable such that the context of the scan is identified utilizing a state machine and a unique context identifier which is separate from the context of the scan and is capable of being used to identify the context of the scan during subsequent scans;
  
  wherein the security system is operable such that the scan involves comparing a plurality of signatures with data;
  
  wherein the signatures include heuristic signatures;
  
  wherein the security system is operable such that the context of the scan is utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;
  
  wherein the security system is operable such that a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.

29. A security method for detecting unwanted data, comprising:
- (a) monitoring a behavior of data, wherein a context is identified based on the monitoring;
  
  (b) determining whether the data includes unwanted data based on the context;
  
  (c) repeating (a)-(b), wherein additional determinations in operation (b) are based on a plurality of the contexts identified in operation (a);
  
  wherein the context is identified utilizing a state machine and a unique context identifier which is separate from the context and is capable of being used to identify the context during a scan;
  
  wherein the scan involves comparing a plurality of signatures with the data;
  
  wherein the signatures include heuristic signatures;
  
  wherein the context is utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;
  
  wherein a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.

30. A security method for detecting unwanted data, comprising:
- identifying access to data;
  
  performing a first scan for unwanted data;
  
  conditionally permitting access to the data based on the first scan;
  
  monitoring a behavior of the data, wherein a first context of the first scan is determined based on the monitoring;
  
  conditionally controlling the behavior of the data based on the monitoring;
  
  identifying the first context of the first scan utilizing a state machine and a unique first context identifier;
  
  performing a second scan for the unwanted data utilizing the unique first context identifier;
  
  conditionally identifying the data as the unwanted data based on the second scan;
  
  further monitoring the behavior of the data, wherein a second context of the second scan is determined based on the monitoring;
  
  conditionally controlling the behavior of the data based on the further monitoring;
  
  identifying the second context of the second scan utilizing a unique second context identifier;
  
  performing a third scan for the unwanted data utilizing the unique first context identifier and the unique second context identifier; and
  
  conditionally identifying the data as the unwanted data based on the third scan;
  
  wherein the unique first context identifier and the unique second context identifier are separate from the first context of the first scan and the second context of the second scan and are capable of being used to identify the first context of the first scan and the second context of the second scan during subsequent scans;
  
  wherein the first and the second scan involve comparing a plurality of signatures with the data;
  
  wherein the signatures include heuristic signatures;
  
  wherein the first context of the first scan and the second context of the second scan are utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;
  
  wherein a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Spurlock, Joel Robert, Schmugar, Craig D., Howard, Fraser Peter
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US11/036,153
Time in Patent Office

2,265 Days
Field of Search

726/24, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 21/564 by virus signature recognition

System, method and computer program product for context-driven behavioral heuristics

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and computer program product for context-driven behavioral heuristics

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links