Rapid analysis of data stream for malware presence

US 8,042,184 B1
Filed: 10/18/2006
Issued: 10/18/2011
Est. Priority Date: 10/18/2006
Status: Active Grant

First Claim

Patent Images

1. A system for anti-malware processing of data stream, the system comprising:

a processor;

a memory coupled to the processor;

a plurality of elements stored in the memory and executed by the processor, the elements comprising;

dividing a primary data stream to form a plurality of logical data streams, wherein each logical data stream has a different data format;

a plurality of stream buffers, each stream buffer buffering data of a corresponding logical data stream;

a plurality of processing handlers separated from the stream buffers, each processing handler associated with one of the stream buffers and processing the data of the logical data stream buffered by its stream buffer,wherein;

each logical data stream is processed inside the processing handler associated with the stream buffer; and

each processing handler is associated with a particular data transmission mode and at least one of the processing handlers scans its logical data stream for malware presence, andwherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, andwherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for anti-malware processing of data stream that includes a plurality of logical data streams formed from a primary data stream; and a plurality of stream buffers, each buffering data of a corresponding logical data stream. A plurality of processing handlers each associated with one of the data streams, where the handlers are processing the data of the logical data stream buffered by its stream buffer. Each processing handler is associated with a particular functionality and at least one processing handler scans its logical data stream for malware presence. Each stream buffer has a configurable buffering policy. At least one of the processing handlers decompresses the data into one or more secondary streams. At least one of the processing handlers parses its logical data stream, creating one or more instances of secondary data streams. The scanning can be based on a signature search. At least one of the processing handlers parses its logical data stream to identify headers, wherein new secondary data streams are instantiated based on regions of interest in a future stream data at positions identified by the headers. The set of conditions is stored e.g., in a table, a list, and/or a registry.

257 Citations

29 Claims

1. A system for anti-malware processing of data stream, the system comprising:
- a processor;
  
  a memory coupled to the processor;
  
  a plurality of elements stored in the memory and executed by the processor, the elements comprising;
  
  dividing a primary data stream to form a plurality of logical data streams, wherein each logical data stream has a different data format;
  
  a plurality of stream buffers, each stream buffer buffering data of a corresponding logical data stream;
  
  a plurality of processing handlers separated from the stream buffers, each processing handler associated with one of the stream buffers and processing the data of the logical data stream buffered by its stream buffer,wherein;
  
  each logical data stream is processed inside the processing handler associated with the stream buffer; and
  
  each processing handler is associated with a particular data transmission mode and at least one of the processing handlers scans its logical data stream for malware presence, andwherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, andwherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein each stream buffer has configurable buffering policy that is defined when that instance of stream buffer is created.
  - 3. The system of claim 1, wherein each stream buffer has an individually configurable buffering policy that is defined at a time of its instantiation.
  - 4. The system of claim 3, where the buffering policy includes any of information about maximum buffer size, whether the data stream must be fully buffered, a size of a backtrack buffer, relative importance of buffered data for later processing and whether the buffered data can be dropped when available memory is low.
  - 5. The system of claim 1, wherein the corresponding processing handler identifies archived files in the logical data stream corresponding to an email, wherein the archived files represent attachments, and wherein the processing handler parses a body of the email to identify password information needed to unpack the archived files.
  - 6. The system of claim 1, wherein at least one of the processing handlers decompresses the data into one or more logical data streams.
  - 7. The system of claim 1, wherein at least one of the processing handlers parses its logical data stream, creating one or more instances of secondary data streams.
  - 8. The system of claim 7, wherein the logical data stream is transmitted using a transmission mode of any of hypertext (HTTP), mail protocols, including any of SMTP, POP, and IMAP, file transfer protocols, including any of SMB and FTP, and instant messaging protocols, including ICQ protocols.
  - 9. The system of claim 7, wherein the logical data stream uses a transmission mode of any of hypertext formats, including any of HTML and MIME, archive formats, including any of GZIP, ZIP, RAR, and ARJ formats, compound document formats, including OLE2 formats, executable file formats, including PE and ELF formats, dynamic content formats, including SWF formats, and media formats, including, GIF, JPEG, PNG, WAV, MPEG, MP3 and AVI formats.
  - 10. The system of claim 1, wherein the at least one processing handler performs malware scanning using a signature search.
  - 11. The system of claim 1, wherein at least one of the processing handlers uses hardware acceleration.
  - 12. The system of claim 1, where each stream buffer keeps track of an amount of data consumed by their corresponding associated processing handlers.
  - 13. The system of claim 1, wherein new instances of data streams are created based on logical data stream offset and action to be performed when the new instance of a logical data stream is created, is defined at time of creation of the logical data stream.
  - 14. The system of claim 1, wherein at least one of the processing handlers parses its logical data stream to identify headers and wherein new secondary stream buffers are instantiated based on regions of interest in a future data stream identified by the headers.
  - 15. The system of claim 1, further comprising a set of conditions for creation of new instances of stream buffers, wherein the set of conditions is stored in any of a table, a list, and a registry.

16. A method for anti-malware processing of data stream, the method being performed on a computer having a processor and a memory, the method comprising:
- generating a plurality of logical data streams by dividing a primary data stream, wherein each logical data stream has a different data format;
  
  instantiating a plurality of stream buffers, each stream buffer buffering data of a corresponding logical data stream;
  
  instantiating a plurality of processing handlers separated from the stream buffers, wherein each processing handler scans data of the logical data stream buffered by its stream buffer for malware presence;
  
  associating each processing handler with one of the logical data streams, wherein each logical data stream is processed inside the associated processing handler; and
  
  associating each processing handler with a particular data transmission mode, andwherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, andwherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The method of claim 16, further comprising configuring a buffering policy of each stream buffer upon an instantiation of each logical data stream.
  - 18. The method of claim 16, further comprising parsing at least one logical data stream to identify headers, and wherein new secondary data streams are instantiated based on regions of interest in a future data stream identified by the headers.
  - 19. The method of claim 16, further comprising identifying archived files in the logical data stream corresponding to an email, wherein the archived files represent attachments, and parsing a body of the email to identify password information needed to unpack the archived files.
  - 20. The method of claim 16, where the buffering policy includes any of information about maximum buffer size, whether a logical data stream must be fully buffered, a size of a backtrack buffer, relative importance of buffered data and whether portions of buffered data can be discarded when available memory is low.
  - 21. The method of claim 16, wherein at least one of the processing handlers decompresses the data into one or more secondary data streams.
  - 22. The method of claim 16, further comprising parsing at least one logical data stream using at least one processing handler, and instantiating one or more secondary stream buffers.
  - 23. The method of claim 16, wherein the scanning uses a signature search.
  - 24. The method of claim 16, further comprising instantiating new instances of data streams are created based on logical data stream offset and action that is to be performed when the new instance of a logical data stream is created is defined at time of creation of the logical data stream.
  - 25. The method of claim 16, further comprising storing a set of conditions for instantiating new stream buffers in any of a table, a list, and a registry.

26. A system for anti-malware processing of data stream, the system comprising:
- a processor;
  
  a memory coupled to the processor;
  
  a plurality of elements stored in the memory and executed by the processor, the elements comprising;
  
  a plurality of logical data streams separated out from a primary data stream based on a data format;
  
  a plurality of stream buffers, each stream buffer buffering data of a corresponding logical data stream; and
  
  a plurality of processing handlers separated from the stream buffers, each processing handler associated with a corresponding stream buffer and processing the logical data stream stored by its stream buffer, and each processing handler associated with a particular data transmission mode, wherein each processing handler scans its logical data stream for malware presence,wherein each logical data stream is processed inside the associated processing handler, wherein at least some of the processing handlers identify, using header information, location of regions of interest in future data in the primary data stream and instantiate new instances of stream buffers to buffer the data in the regions of interest,wherein at least one of the processing handlers is adapted to parse an email body for password information, andwherein at least one other processing handler is adapted to unpack archived files based on the password information, andwherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, andwherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.

27. A system for anti-malware processing of data stream, the system comprising:
- a processor;
  
  a memory coupled to the processor;
  
  a plurality of elements stored in the memory and executed by the processor, the elements comprising;
  
  a primary data stream that includes emails with archived password-protected attachments;
  
  a plurality of stream buffers, each stream buffer buffering data of a corresponding portion of the emails, wherein the portions include any of email body and the archived password-protected attachments; and
  
  a plurality of processing handlers separated from the stream buffers, each processing handler associated with a corresponding stream buffer and processing the portion of the email stored by its stream buffer,wherein each portion of the email is processed inside the associated processing handler;
  
  wherein each processing handler scans its portion of the email for malware,wherein at least some of the processing handlers identify, using header information, location of attachments in future data in the primary data stream and instantiate new instances of stream buffers to buffer the attachments, andwherein at least one of the processing handlers parses the email body for passwords for the attachments used to unpack the attachments, andwherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, andwherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.

28. A system for anti-malware processing of data stream, the system comprising:
- a processor;
  
  a memory coupled to the processor;
  
  a plurality of elements stored in the memory and executed by the processor, the elements comprising;
  
  a logical data stream receiving input data portion by portion from a primary data stream, wherein the logical data stream receives data of a particular format;
  
  a stream buffer, assigned to the logical data stream, buffering the last N bytes associated with the logical data stream;
  
  a plurality of processing handlers separated from the stream buffer assigned to the logical data stream, wherein a portion of buffered data is passed to all the assigned processing handlers and each processing handler is permitted to consume less data than the entire portion, and the remainder of the buffered data, that has not yet been consumed, is passed to one of the plurality of processing handlers together with the next portion of input data when the next portion becomes available in the stream buffer,wherein each portion of the buffered data is processed inside the assigned processing handler;
  
  wherein at least one of the processing handlers scans its associated data for malware presence,wherein the amount of data consumed by different processing handlers from the same portion of buffered data is not the same, andwherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, andwherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.

29. A non-transitory computer readable storage medium having computer executable program logic stored thereon, the computer executable program logic executing on a processor for anti-malware processing of data stream, the computer program logic comprising:
- computer program code means for generating a plurality of logical data streams by dividing a primary data stream, wherein each logical data stream has a different data format;
  
  computer program code means for instantiating a plurality of stream buffers, each stream buffer buffering data of a corresponding logical data stream;
  
  computer program code means for instantiating a plurality of processing handlers separated from the stream buffers, wherein each processing handler scans data of the logical data stream buffered by its stream buffer for malware presence;
  
  computer program code means for associating each processing handler with one of the logical data streams, wherein each logical data stream is processed inside the associated processing handler; and
  
  computer program code means for associating each processing handler with a particular data transmission mode, andwherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, andwherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Batenin, Vyacheslav A.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
HERZOG, MADHURI R

Application Number

US11/550,428
Time in Patent Office

1,826 Days
Field of Search

726 22- 25, 710/52, 710/56, 713/188, 711100-173
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/145 the attack involving the pr...

Rapid analysis of data stream for malware presence

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

257 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Rapid analysis of data stream for malware presence

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

257 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links