Discerning use of signatures by third party vendors

US 8,015,284 B1
Filed: 07/28/2009
Issued: 09/06/2011
Est. Priority Date: 07/28/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of detecting use of a security vendor'"'"'s signatures by third party security vendors, the method comprising:

anonymously providing a bait file to a third party security vendor for security detection, the bait file being a non-malware file;

providing a bait signature corresponding to the bait file that is included in a signature database of the security vendor which is made publicly available;

monitoring security detections made over a period of time by a security scanner operated by the third party security vendor, including monitoring before and after the bait signature is provided;

determining whether the scanner operated by the third party security vendor positively detected the bait file following the release of the bait signature for the bait file; and

responsive to a positive determination, detecting that the third party security vendor used the bait signature provided to detect the bait file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Bait files and signatures allow security software vendors to track both authorized and unauthorized usage of the security vendor'"'"'s signatures/products by third party security vendors. A bait file providing module anonymously provides a bait file to a third party security vendor for security detection, where the bait file is a non-malware file. A signature providing module provides a bait signature corresponding to the bait file that is included in a signature database which is made publicly available. A scanner monitoring module monitors security detections made over a period of time by a security scanner operated by the third party vendor. A determination module determines whether the scanner positively detected the bait file following the release of the bait signature for the bait file. A use detection module detects, in response to a positive determination, that the third party vendor used the bait signature provided to detect the bait file.

49 Citations

View as Search Results

20 Claims

1. A computer-implemented method of detecting use of a security vendor'"'"'s signatures by third party security vendors, the method comprising:
- anonymously providing a bait file to a third party security vendor for security detection, the bait file being a non-malware file;
  
  providing a bait signature corresponding to the bait file that is included in a signature database of the security vendor which is made publicly available;
  
  monitoring security detections made over a period of time by a security scanner operated by the third party security vendor, including monitoring before and after the bait signature is provided;
  
  determining whether the scanner operated by the third party security vendor positively detected the bait file following the release of the bait signature for the bait file; and
  
  responsive to a positive determination, detecting that the third party security vendor used the bait signature provided to detect the bait file.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the bait signature is a bait malware signature in a malware signature database of the security vendor, and wherein detecting that the third party security vendor used the bait malware signature further comprises detecting that the third party security vendor has performed an unauthorized use of the security vendor'"'"'s signatures to detect the bait file to be malware.
  - 3. The method of claim 1, wherein the bait signature is a bait non-malware signature in a non-malware signature database of the security vendor, and wherein detecting that the third party security vendor used the bait non-malware signature further comprises detecting that the third party security vendor has performed an unauthorized use of the security vendor'"'"'s signatures to detect the bait file to be non-malware.
  - 4. The method of claim 1, wherein the use of the bait signature by the third party vendor is an authorized use of the security vendor'"'"'s signatures with the security vendor'"'"'s security product, and wherein the method further comprises confirming that the third party security vendor is correctly using the security vendor'"'"'s security product by regularly updating the signatures of the security product with new signatures provided by the security vendor.
  - 5. The method of claim 1, wherein the bait signature is a bait malware signature, and wherein the method further comprises:
    - responsive to providing the bait file to the third party security vendor, monitoring the security scanner operated by the third party security vendor for detection of the bait file after providing the bait file to the third party security vendor but before providing the bait malware signature for the bait file; and
      
      determining whether the security scanner detects the bait file, wherein failure of the security scanner to detect the bait file before the providing of the bait malware signature followed by detection of the bait file after the providing of the bait malware signature further indicates that the third party entity is performing an unauthorized use of the bait malware signature.
  - 6. The method of claim 1, further comprising:
    - responsive to a negative determination, detecting that the third party security vendor did not use the bait signature in a security detection process performed by the third party security vendor regarding the bait file; and
      
      verifying that the third party security vendor is not using the security vendor'"'"'s signatures by repeating each of the method steps with a plurality of different bait files.
  - 7. The method of claim 1, further comprising verifying the positive determination by:
    - monitoring requests for the security vendor'"'"'s signatures over a period of time; and
      
      determining whether any of the requests originated from the third party security vendor to verify whether the third party security vendor is performing a potential unauthorized use of the security vendor'"'"'s signatures.

8. A non-transitory computer-readable storage medium storing executable computer program instructions for use of a security vendor'"'"'s signatures by third party security vendors, the computer program instructions comprising instructions for performing the steps comprising:
- anonymously providing a bait file to a third party security vendor for security detection, the bait file being a non-malware file;
  
  providing a bait signature corresponding to the bait file that is included in a signature database of the security vendor which is made publicly available;
  
  monitoring security detections made over a period of time by a security scanner operated by the third party security vendor, including monitoring before and after the bait signature is provided;
  
  determining whether the scanner operated by the third party security vendor positively detected the bait file following the release of the bait signature for the bait file; and
  
  responsive to a positive determination, detecting that the third party security vendor used the bait signature provided to detect the bait file.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, wherein the bait signature is a bait malware signature in a malware signature database of the security vendor, and wherein detecting that the third party security vendor used the bait malware signature further comprises detecting that the third party security vendor has performed an unauthorized use of the security vendor'"'"'s signatures to detect the bait file to be malware, wherein the third party security vendor could not have detected the bait file to be malware without using the bait malware signature.
  - 10. The computer-readable storage medium of claim 8, wherein the bait signature is a bait non-malware signature in a non-malware signature database of the security vendor, and wherein detecting that the third party security vendor used the bait non-malware signature further comprises detecting that the third party security vendor has performed an unauthorized use of the security vendor'"'"'s signatures to detect the bait file to be non-malware.
  - 11. The computer-readable storage medium of claim 8, wherein the use of the bait signature by the third party vendor is an authorized use of the security vendor'"'"'s signatures with the security vendor'"'"'s security product, and wherein the method further comprises confirming that the third party security vendor is correctly using the security vendor'"'"'s security product by regularly updating the signatures of the security product with new signatures provided by the security vendor.
  - 12. The computer-readable storage medium of claim 8, further comprising:
    - creating multiple different bait files;
      
      providing the multiple different bait files to the third party entity over a period of time;
      
      repeating the releasing step, the monitoring step, and the determining step for each of the multiple different bait files; and
      
      statistically verifying, based on the repeated steps, the use, by the third party security vendor, of the bait signatures that correspond to the multiple different bait files, wherein detection of the use of a threshold number of bait signatures indicates that the third party security vendor is performing unauthorized uses of the security vendor'"'"'s signatures.
  - 13. The computer-readable storage medium of claim 8, further comprising:
    - monitoring the security scanner operated by the third party security vendor for detection of the bait file after providing the bait file to the third party security vendor but before providing the bait signature for the bait file; and
      
      determining whether the security scanner detects the bait file, wherein failure of the security scanner to detect the bait file before the providing of the bait signature followed by detection of the bait file after the providing of the bait signature further indicates that the third party entity is performing a potential unauthorized use of the security vendor'"'"'s signatures.
  - 14. The computer-readable storage medium of claim 8, further comprising determining whether a given third party security vendor is suspected of possible use of the security vendor'"'"'s malware signatures by:
    - monitoring requests for the security vendor'"'"'s malware signatures over a period of time; and
      
      determining whether any of the requests originated from the given third party security vendor, a positive determination indicating that the third party security vendor is suspected of performing an unauthorized use of the security vendor'"'"'s malware signatures.

15. A computer system for detecting use of a security vendor'"'"'s signatures by third party security vendors, the system comprising:
- a non-transitory computer-readable storage medium storing executable software modules, comprising;
  
  a bait file providing module for anonymously providing a bait file to a third party security vendor for security detection, the bait file being a non-malware file;
  
  a signature providing module for providing a bait signature corresponding to the bait file that is included in a signature database of the security vendor which is made publicly available;
  
  a scanner monitoring module for monitoring security detections made over a period of time by a security scanner operated by the third party security vendor, including monitoring before and after the bait signature is provided;
  
  a determination module for determining whether the scanner operated by the third party security vendor positively detected the bait file following the release of the bait signature for the bait file;
  
  a use detection module for detecting that the third party security vendor used the bait signature provided to detect the bait file in response to a positive determination; and
  
  a processor configured to execute the software modules stored by the computer readable storage medium.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the bait signature is a bait malware signature in a malware signature database of the security vendor, and wherein detecting that the third party security vendor used the bait malware signature further comprises detecting that the third party security vendor has performed an unauthorized use of the security vendor'"'"'s signatures to detect the bait file to be malware, the bait malware signature being a proprietary signature of the security vendor.
  - 17. The system of claim 15, further comprising a verification module for verifying that the third party security vendor is using the security vendor'"'"'s signatures by repeating each of the method steps with a different bait file and by:
    - monitoring requests for the security vendor'"'"'s signatures over a period of time; and
      
      determining whether any of the requests originated from the third party security vendor to verify whether the third party security vendor is performing an unauthorized use of the security vendor'"'"'s signatures.
  - 18. The system of claim 15, further comprising:
    - a bait file creation module for creating multiple different bait files that are provided to the third party security vendor;
      
      a signature generation module for generating bait malware signatures for each of the multiple different bait files that are provided in the signature database of the security vendor; and
      
      a verification module for verifying the detection by the use detection module by verifying that the third party security vendor used the bait malware signatures provided to detect each of the corresponding bait files, wherein detection of the use of a threshold number of bait malware signatures indicates that the third party security vendor is performing unauthorized uses of the security vendor'"'"'s signatures.
  - 19. The system of claim 18, wherein the use detection module is further configured for detecting, in response to meeting the threshold number of uses of bait malware signatures, that the third party security vendor is utilizing a security scanner of the security vendor as its own security scanner to perform detections of malware.
  - 20. The system of claim 15, further comprising:
    - the scanner monitoring module for monitoring the security scanner operated by the third party security vendor for detection of the bait file after providing the bait file to the third party security vendor but before providing the bait signature for the bait file; and
      
      the use detection module for determining whether the security scanner detects the bait file, wherein failure of the security scanner to detect the bait file before the providing of the bait signature followed by detection of the bait file after the providing of the bait signature further indicates that the third party entity is performing an unauthorized use of the security vendor'"'"'s signatures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Isenberg, Henri, Kennedy, Mark
Primary Examiner(s)
Blair; Douglas B

Application Number

US12/510,967
Time in Patent Office

770 Days
Field of Search

709/224, 726/26, 726/32, 705/51, 705/52, 705/57
US Class Current

709/224
CPC Class Codes

G06F 21/51 at application loading time...

Discerning use of signatures by third party vendors

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Discerning use of signatures by third party vendors

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links