System and method for attack and malware prevention

US 8,108,933 B2
Filed: 10/21/2008
Issued: 01/31/2012
Est. Priority Date: 10/21/2008
Status: Active Grant

First Claim

Patent Images

1. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:

providing data on the mobile communications device;

applying a hash function to the data to create a hash identifier for the data;

comparing by the known good component, the data hash identifier against a database of hash identifiers of known good data stored in the mobile communications device memory;

if the comparison by the known good component results in a positive match, then allowing the data to be processed by the mobile communications device;

if the comparison by the known good component does not result in a positive match, then comparing by the known bad component, the data hash identifier against a database stored in the mobile communications device memory containing hash identifiers of known bad data;

if the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device;

if the comparison by the known bad component does not result in a positive match, then using the decision component, performing an analysis on the data by the decision component to determine if the data is safe or malicious;

if the analysis determines that the data is safe, then allowing the data to be processed by the mobile communications device; and

if the analysis determines that the data is malicious, then rejecting the data from being processed by the mobile communications device.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as a cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of “known good,” “known bad,” and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device.

113 Citations

View as Search Results

11 Claims

1. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  applying a hash function to the data to create a hash identifier for the data;
  
  comparing by the known good component, the data hash identifier against a database of hash identifiers of known good data stored in the mobile communications device memory;
  
  if the comparison by the known good component results in a positive match, then allowing the data to be processed by the mobile communications device;
  
  if the comparison by the known good component does not result in a positive match, then comparing by the known bad component, the data hash identifier against a database stored in the mobile communications device memory containing hash identifiers of known bad data;
  
  if the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  if the comparison by the known bad component does not result in a positive match, then using the decision component, performing an analysis on the data by the decision component to determine if the data is safe or malicious;
  
  if the analysis determines that the data is safe, then allowing the data to be processed by the mobile communications device; and
  
  if the analysis determines that the data is malicious, then rejecting the data from being processed by the mobile communications device.

2. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  if the known good component logic determines that the data is safe, then allowing the data to be processed by the mobile communications device;
  
  if the known good component does not determine that the data is safe, then applying by the known bad component, logic on the data to determine if the data is malicious;
  
  if the known bad component logic determines that the data is malicious, then rejecting the data from being processed by the mobile communications deviceIf the known bad component does not determine that the data is malicious, using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the analysis by the decision component shows that the data is safe, then allowing the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component shows that the data is malicious, then rejecting the data from being processed by the mobile communications device.

3. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  if the known good component logic determines that the data is safe, then allowing the data to be processed by the mobile communications device;
  
  if the known good component logic does not determine that the data is safe, then applying by the known bad component logic on the data to determine if the data is malicious;
  
  if the known bad component logic determines that the data is malicious, then rejecting the data from being processed by the mobile communications device;
  
  if the known bad component does not determine that the data is malicious, then using the decision component, applying logic on the data for performing an analysis to determine if the data is safe or malicious;
  
  if the decision component determines that the data is safe, then allowing the data to be processed by the mobile communications device; and
  
  if the decision component determines that the data is malicious, then rejecting the data from being processed by the mobile communications device.

4. In a server connected through a telecommunications network to receive data from and send data to a mobile communications device, the server having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- by the server, receiving a hash identifier for the data to be analyzed from the mobile communications device;
  
  comparing, by the known good component, the data hash identifier against a database of hash identifiers of known good data stored in memory associated with the server;
  
  if the comparison by the known good component results in a positive match, then sending an instruction to the mobile communications device to allow the data to be processed by the mobile communications device;
  
  if the comparison by the known good component does not result in a positive match, then comparing by the known bad component the data hash identifier against a database stored in memory associated with the server containing hash identifiers of known bad data;
  
  if the comparison by the known bad component results in a positive match, then sending an instruction to the mobile communications to reject the data from being processed by the mobile communications device;
  
  if the comparison by the known bad component does not result in a positive match, then receiving the data from the mobile communications device;
  
  using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the decision component determines that the data is safe, then sending an instruction to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  if the decision component determines that the data is malicious, then sending an instruction to the mobile communications device to reject the data from being processed by the mobile communications device.

5. In a server connected through a telecommunications network to receive and send data, having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- receiving data at the server from the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  if the known good component logic determines that the data is safe, then allowing the data to be processed by the mobile communications device;
  
  if the known good component logic does not determine that the data is safe, then rejecting the data from being processed by the mobile communications device;
  
  if the known good component logic does not determine that the data is safe, then applying by the known bad component logic on the data to determine if the data is malicious;
  
  if the known bad component logic determines that the data is malicious, then rejecting the data from being processed by the mobile communications device;
  
  if the known bad component does not determine that the data is malicious, using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the decision component determines that the data is safe, then allowing the data to be processed by the mobile communications device; and
  
  if the decision component determines that the data is malicious, then rejecting the data from being processed by the mobile communications device.

6. A non-transitory computer readable storage medium for use with a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, the non-transitory computer readable storage medium containing computer readable instructions, which when executed by a processor cause the processor to perform the steps of a method comprising:
- applying a hash function to the data to create a hash identifier for the datacomparing by the known good component, the data hash identifier against a database of hash identifiers of known good data stored in the mobile communications device memory;
  
  if the comparison by the known good component results in a positive match, then allowing the data to be processed by the mobile communication device;
  
  if the comparison by the known good component does not result in a positive match, then using the known bad component, comparing the data hash identifier against a database stored in the mobile communications device memory containing hash identifiers of known bad data; and
  
  if the comparison by the known bad component does not result in appositive match, then using the decision component to determine if the data is safe or malicious;
  
  if the analysis by the decision component shows that the data is safe, then allowing the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component shows that the data is malicious, then rejecting the data from being processed by the mobile communications device.

7. A non-transitory computer readable storage medium for use with a server connected through a telecommunications network to receive and send data, having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, the non-transitory computer readable storage medium containing computer readable instructions which when executed by a processor cause the processor to perform the steps of a method comprising:
- applying a hash function to the data to create a hash identifier for the data;
  
  comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in memory associated with the server;
  
  if the comparison by the known good component results in appositive match, then allowing the data to be processed by the mobile communications device;
  
  if the comparison by the known good component does not result in appositive match, then comparing by the known bad component, the data hash identifier against a database stored in memory associated with the server containing hash identifiers of known bad dataif the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communication device;
  
  if the comparison by the known bad component does not result in a positive match, then using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the analysis by the decision component shows that the data is safe, then allowing the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component shows that the data is malicious, then rejecting the data from being processed by the mobile communications device.

8. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  comparing by the known good component, the data against a database of characteristics for known good data stored in the mobile communications device;
  
  if the comparison by the known good component does not result in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  if the comparison by the known good component results in a positive match, then comparing by the known bad component, the data against a database stored in the mobile communications device memory containing at least one of the data selected from the group consisting of characteristics for known bad data, known bad data signatures, and known bad data patterns;
  
  if the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  if the comparison by the known bad component does not result in a positive match, then using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the analysis by the decision component shows that the data is safe, then allowing the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component shows that the data is malicious, then rejecting the data from being processed by the mobile communications device.

9. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  applying a hash function to the data to create a hash identifier for the data;
  
  comparing by the known good component, the data hash identifier against a database of hash identifiers of known good data stored in the mobile communications device memory;
  
  if the comparison by the known good component does not result in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  if the comparison by the known good component results in a positive match, then comparing by the known bad component, the data hash identifier against a database stored in the mobile communications device memory containing hash identifiers for known bad data;
  
  if the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  if the comparison by the known bad component does not result in a positive match, then using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the analysis by the decision component shows that the data is safe, then allowing the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component shows that the data is malicious, then rejecting the data from being processed by the mobile communications device.

10. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is not safe;
  
  if the known good component logic determines that the data is not safe, then rejecting the data from being processed by the mobile communications device;
  
  if the known good component logic does not determine that the data is not safe, applying by the known bad component, logic on the data to determine if it is malicious;
  
  if the known bad component determines that the data is malicious, then rejecting the data from being processed by the mobile communications device;
  
  if the known bad component does not determine that the data is malicious, then using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the analysis by the decision component shows that the data is safe, then allowing the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component shows that the data is malicious, then rejecting the data from being processed by the mobile communications device.

11. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- after the mobile communications device receives data, and creates a hash identifier for the data, receiving the data hash identifier at the server;
  
  then, at the server, using a known bad component, comparing the received data hash identifier against a database stored in memory associated with the server containing hash identifiers of known bad data;
  
  if the data hash identifier comparison by the known bad component results in a positive match, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device;
  
  if the data hash identifier comparison at the server by the known bad component does not result in a positive match, then at the server, using a known good component, comparing the received data hash identifier against a database of identifiers of known good data stored in a memory associated with the server;
  
  at the server, if the comparison by the known good component results in a positive match, then sending an instruction by the server to the mobile communications device to allow the data to be processed by the mobile communication device;
  
  if the comparison by the known good component does not result in a positive match, then, at the server, using a decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  ,if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US12/255,621
Publication Number

US 20100100963A1
Time in Patent Office

1,197 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04W 12/08   Access security

System and method for attack and malware prevention

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for attack and malware prevention

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links