System, method and computer program product for context-driven behavioral heuristics
First Claim
1. A security method for detecting unwanted data, comprising:
performing a scan for unwanted data to generate results of the scan;
identifying a context of the scan for the unwanted data utilizing a state machine; and
conditionally indicating the presence of the unwanted data based on both the results of the scan and the context of the scan;
wherein the context of the scan is identified utilizing a unique context identifier which is separate from the context of the scan and is capable of being used to identify the context of the scan during subsequent scans;
wherein the scan involves comparing a plurality of signatures with data;
wherein the signatures include heuristic signatures;
wherein the context of the scan is utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;
wherein a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.
Abstract
A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan.
1. A security method for detecting unwanted data (text as given under First Claim above). Dependent claims: 2 through 26 (not listed on this page).
27. A security computer program product embodied on a tangible computer readable medium, comprising:
computer code for performing a scan for unwanted data to generate results of the scan;
computer code for identifying a context of the scan for the unwanted data utilizing a state machine; and
computer code for conditionally indicating the presence of the unwanted data based on both the results of the scan and the context of the scan;
wherein the security computer program product is operable such that the context of the scan is identified utilizing a unique context identifier which is separate from the context of the scan and is capable of being used to identify the context of the scan during subsequent scans;
wherein the security computer program product is operable such that the scan involves comparing a plurality of signatures with data;
wherein the signatures include heuristic signatures;
wherein the security computer program product is operable such that the context of the scan is utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;
wherein the security computer program product is operable such that a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.
28. A security system including a tangible computer readable medium, comprising:
a scanner for performing a scan for unwanted data to generate results of the scan;
wherein the security system is operable such that a context of the scan for the unwanted data is identified for conditionally indicating the presence of the unwanted data based on both the results of the scan and the context of the scan;
wherein the security system is operable such that the context of the scan is identified utilizing a state machine and a unique context identifier which is separate from the context of the scan and is capable of being used to identify the context of the scan during subsequent scans;
wherein the security system is operable such that the scan involves comparing a plurality of signatures with data;
wherein the signatures include heuristic signatures;
wherein the security system is operable such that the context of the scan is utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;
wherein the security system is operable such that a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.
29. A security method for detecting unwanted data, comprising:
(a) monitoring a behavior of data, wherein a context is identified based on the monitoring;
(b) determining whether the data includes unwanted data based on the context;
(c) repeating (a)-(b), wherein additional determinations in operation (b) are based on a plurality of the contexts identified in operation (a);
wherein the context is identified utilizing a state machine and a unique context identifier which is separate from the context and is capable of being used to identify the context during a scan;
wherein the scan involves comparing a plurality of signatures with the data;
wherein the signatures include heuristic signatures;
wherein the context is utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;
wherein a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.
30. A security method for detecting unwanted data, comprising:
identifying access to data;
performing a first scan for unwanted data;
conditionally permitting access to the data based on the first scan;
monitoring a behavior of the data, wherein a first context of the first scan is determined based on the monitoring;
conditionally controlling the behavior of the data based on the monitoring;
identifying the first context of the first scan utilizing a state machine and a unique first context identifier;
performing a second scan for the unwanted data utilizing the unique first context identifier;
conditionally identifying the data as the unwanted data based on the second scan;
further monitoring the behavior of the data, wherein a second context of the second scan is determined based on the monitoring;
conditionally controlling the behavior of the data based on the further monitoring;
identifying the second context of the second scan utilizing a unique second context identifier;
performing a third scan for the unwanted data utilizing the unique first context identifier and the unique second context identifier; and
conditionally identifying the data as the unwanted data based on the third scan;
wherein the unique first context identifier and the unique second context identifier are separate from the first context of the first scan and the second context of the second scan and are capable of being used to identify the first context of the first scan and the second context of the second scan during subsequent scans;
wherein the first and the second scan involve comparing a plurality of signatures with the data;
wherein the signatures include heuristic signatures;
wherein the first context of the first scan and the second context of the second scan are utilized permitting a wider range of the heuristic signatures, without increasing instances of false detections;
wherein a sample of the unwanted data is sent to a virus signature service provider so that an exact signature can be generated.
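The mechanism claimed in claims 1 and 30, as an added illustration that is not the patent's own code: a small state machine turns monitored behaviours into opaque context identifiers, and each heuristic signature is gated on the context ids recorded so far, so broad heuristics can be loaded without reporting data that has shown no suspicious behaviour. The signature names, behaviour labels, transition table and sample bytes are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    contexts: frozenset = frozenset()  # empty = exact signature, fires in any context

# State machine: (current context id, monitored behaviour) -> next context id.
# Ids are opaque tokens separate from the behaviour they summarise (constructed).
TRANSITIONS = {
    ("CLEAN", "write_autorun_key"): "PERSIST",
    ("CLEAN", "open_socket"): "NETWORK",
    ("PERSIST", "open_socket"): "PERSIST_NET",
    ("NETWORK", "write_autorun_key"): "PERSIST_NET",
}

@dataclass
class ContextScanner:
    signatures: list
    state: str = "CLEAN"
    history: list = field(default_factory=list)  # unique context ids seen so far

    def monitor(self, behaviour: str) -> str:
        # Advance the state machine on one observed behaviour and record the id.
        self.state = TRANSITIONS.get((self.state, behaviour), self.state)
        if self.state not in self.history:
            self.history.append(self.state)
        return self.state

    def scan(self, data: bytes) -> list:
        """Report a signature only if its pattern matches AND its context gate is
        satisfied by a context id recorded by earlier monitoring."""
        seen = set(self.history)
        return [s.name for s in self.signatures
                if s.pattern in data and (not s.contexts or s.contexts & seen)]

def demo() -> tuple:
    """Three scans of one constructed sample, following the sequence in claim 30."""
    sigs = [
        Signature("Heur.DropLoop", b"\x90\x90\xeb\xfe", frozenset({"PERSIST", "PERSIST_NET"})),
        Signature("Heur.Beacon", b"GET /gate.php", frozenset({"NETWORK", "PERSIST_NET"})),
        Signature("Exact.KnownBad", b"KNOWNBAD"),
    ]
    sample = b"MZ...\x90\x90\xeb\xfe...GET /gate.php HTTP/1.1"  # constructed, not real malware
    sc = ContextScanner(sigs)
    first = sc.scan(sample)           # no context yet: heuristics stay quiet
    sc.monitor("write_autorun_key")   # -> PERSIST
    second = sc.scan(sample)          # drop-loop heuristic now permitted
    sc.monitor("open_socket")         # -> PERSIST_NET
    third = sc.scan(sample)           # both heuristics permitted
    return first, second, third
```

The same sample is scanned three times; only the accumulated context ids change between scans, which is what lets the second and third scans report heuristics that the first scan deliberately withheld.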