Obtaining network origins of potential software threats

US 7,971,257 B2
Filed: 07/30/2007
Issued: 06/28/2011
Est. Priority Date: 08/03/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of obtaining a network origin of a downloaded entity of interest, the method including the steps of, in a processing system:

recording network locations of at least some files downloaded to the processing system;

recording physical locations of the at least some files stored in one or more storage devices of the processing system;

recording at least some events performed in the processing system by the at least some files downloaded to the processing system;

identifying an entity of interest in the processing system;

searching the recorded network locations and the recorded physical locations for a network location and a physical location of the entity of interest;

using the at least some recorded events to search the recorded network locations and the recorded physical locations for a network location and a physical location for a file downloaded to the processing system by the identified entity of interest; and

if the network location and the physical location of the entity of interest are identified, transmitting the network location and the physical location of the entity of interest and the network location and the physical location of the file downloaded to the processing system by the entity of interest to a remote processing system, wherein the remote processing system downloads the entity of interest and the file downloaded to the processing system directly from the transmitted network locations.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method/system/computer program for obtaining the network origin of a downloaded entity of interest (e.g. a threat or malicious software). The method includes recording the network locations of at least some files downloaded to a processing system and recording the physical locations of the at least some files stored in one or more storage devices of the processing system. Then, identifying an entity of interest in the processing system and searching the recorded network locations and the recorded physical locations for the network location and the physical location of the entity of interest. Then, if the network location and the physical location of the entity of interest is identified, transmitting the network location and the physical location of the entity of interest to a remote processing system.

46 Citations

View as Search Results

20 Claims

1. A method of obtaining a network origin of a downloaded entity of interest, the method including the steps of, in a processing system:
- recording network locations of at least some files downloaded to the processing system;
  
  recording physical locations of the at least some files stored in one or more storage devices of the processing system;
  
  recording at least some events performed in the processing system by the at least some files downloaded to the processing system;
  
  identifying an entity of interest in the processing system;
  
  searching the recorded network locations and the recorded physical locations for a network location and a physical location of the entity of interest;
  
  using the at least some recorded events to search the recorded network locations and the recorded physical locations for a network location and a physical location for a file downloaded to the processing system by the identified entity of interest; and
  
  if the network location and the physical location of the entity of interest are identified, transmitting the network location and the physical location of the entity of interest and the network location and the physical location of the file downloaded to the processing system by the entity of interest to a remote processing system, wherein the remote processing system downloads the entity of interest and the file downloaded to the processing system directly from the transmitted network locations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 20)
- - 2. The method as claimed in claim 1, further including the step of searching the recorded network locations and the recorded physical locations for the network location and the physical location of any files downloaded by the processing system.
  - 3. The method as claimed in claim 1, further including the step of searching the recorded network locations and the recorded physical locations for the network location and the physical location of a file which downloaded or created the entity of interest.
  - 4. The method as claimed in claim 1, wherein a network location is a Uniform Resource Locator (URL).
  - 5. The method as claimed in claim 1, wherein the network locations of all files downloaded to the processing system are recorded.
  - 6. The method as claimed in claim 1, wherein the network locations of files of at least one type downloaded to the processing system are recorded.
  - 7. The method as claimed in claim 6, wherein a type of file is from the group of an executable, an archive, a library, and data.
  - 8. The method as claimed in claim 1, further including recording a hash function of at least some files downloaded to the processing system, and transmitting a hash function of the entity of interest to the remote processing system.
  - 9. The method as claimed in claim 1, wherein an automatically generated sliding fit signature for the entity of interest is also transmitted to the remote processing system.
  - 10. The method as claimed in claim 1, further including obtaining the network location of an entity of interest by:
    - identifying when an entity is being downloaded to the processing system;
      
      storing the network location of the entity in a record, and storing one or more of a hash function for the entity, a size of the entity, a series of sections of the entity, and a filename for the entity;
      
      identifying when a new file is created in the processing system;
      
      comparing information in the record with one or more of a hash function for the new file, a size of the new file, a series of sections of the new file, and a filename for the new file; and
      
      ,if a match is found between the new file and the entity, storing at least the network location and the filename for the new file in a second record.
  - 20. The method as claims in claim 1, wherein the remote processing system automatically downloads the entity of interest directly from the network location.

11. A non-transitory computer program product for obtaining a network origin of a downloaded entity of interest, the computer program product executable in a processing system and configured to:
- record network locations of at least some files downloaded to the processing system;
  
  record physical locations of the at least some files stored in one or more storage devices of the processing system;
  
  record at least some events performed in the processing system by the at least some files downloaded to the processing system;
  
  identify an entity of interest in the processing system;
  
  search the recorded network locations and the recorded physical locations for a network location and a physical location of the entity of interest;
  
  use the at least some recorded events to search the recorded network locations and the recorded physical locations for a network location and a physical location for a file downloaded to the processing system by the identified entity of interest; and
  
  if the network location and the physical location of the entity of interest are identified, transmit the network location and the physical location of the entity of interest and the network location and the physical location of the file downloaded to the processing system by the entity of interest to a remote processing system, wherein the remote processing system downloads the entity of interest and the file downloaded to the processing system directly from the transmitted network locations.

12. A method of obtaining a network location of a downloaded file, the method including the steps of, in a processing system:
- identifying when an entity is being downloaded to the processing system;
  
  storing a network location of the entity in a record, and storing one or more of a hash function for the entity, a size of the entity, a series of sections of the entity, and a filename for the entity;
  
  identifying when a new file is created in the processing system;
  
  comparing information in the record with one or more of a hash function for the new file, a size of the new file, a series of sections of the new file, and a filename for the new file;
  
  if a match is found between the new file and the entity, storing at least the network location and the filename for the new file in a second record;
  
  recording at least some events performed in the processing system by the new file created in the processing system;
  
  using the at least some recorded events to search the stored network locations for a network location for a file downloaded to the processing system by the new file; and
  
  transmitting the network location of the new file and the network location of the file downloaded to the processing system by the new file to a remote processing system, wherein the remote processing system downloads the new file and the file downloaded to the processing system directly from the transmitted network locations.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method as claimed in claim 12, wherein the entity is an executable file or an archive containing an executable file.
  - 14. The method as claimed in claim 12, wherein the method is performed when the entity is in the process of downloading or has downloaded.
  - 15. The method as claimed in claim 12, wherein a network driver is used to intercept all network activity associated with the processing system.
  - 16. The method as claimed in claim 12, wherein the new file creation is identified using event hooking.
  - 17. The method as claimed in claim 16, wherein the event hooking includes one or more of API hooking, kernel mode driver, system callbacks, and polling all files.
  - 18. The method as claimed in claim 12, wherein the record is periodically deleted.

19. A non-transitory computer program product for obtaining a network location of a downloaded file, the computer program product executable in a processing system and configured to:
- identify when an entity is being downloaded to the processing system;
  
  store a network location of the entity in a record, and store one or more of a hash function for the entity, a size of the entity, a series of sections of the entity, and a filename for the entity;
  
  identify when a new file is created in the processing system;
  
  compare information in the record with one or more of a hash function for the new file, a size of the new file, a series of sections of the new file, and a filename for the new file;
  
  if a match is found between the new file and the entity, store at least the network location and the filename for the new file in a second record;
  
  record at least some events performed in the processing system by the new file created in the processing system;
  
  use the at least some recorded events to search the stored network locations for a network location for a file downloaded to the processing system by the new file; and
  
  transmit the network location of the new file and the network location of the file downloaded to the processing system by the new file to a remote processing system, wherein the remote processing system downloads the new file and the file downloaded to the processing system directly from the transmitted network locations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Younusov, Neil, Repasi, Rolf, Pereira, Ryan, Oliver, Ian
Primary Examiner(s)
Revak; Christopher A
Assistant Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US11/830,144
Publication Number

US 20080034434A1
Time in Patent Office

1,429 Days
Field of Search

726 22- 25, 709/245, 713/188
US Class Current

726/24
CPC Class Codes

H04L 67/06   specially adapted for file ...

H04L 67/52   specially adapted for the l...

H04W 4/02   Services making use of loca...

Obtaining network origins of potential software threats

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Obtaining network origins of potential software threats

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links