Streaming malware definition updates

US 8,234,709 B2
Filed: 06/20/2008
Issued: 07/31/2012
Est. Priority Date: 06/20/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

assembling a full signature definition file comprising a first received malware signature, upon receipt of the first received malware signature, whereinthe full signature definition file further comprises a first plurality of malware signatures received up to a specified time;

associating a version identifier with the full signature definition file;

publishing the full signature definition file after the specified time;

assembling a streaming signature definition file comprising the first received malware signature, upon the receipt of the first received malware signature, whereinthe streaming signature definition file further comprises a second plurality of malware signatures received over a first time period,the first time period occurs prior to the specified time, andthe first received malware signature is received during the first time period;

associating the version identifier with the streaming signature definition file; and

publishing the streaming signature definition file upon completion of the first time period.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and apparatus for assembling and publishing frequent malware signature definition updates through the use of additive or “streaming” definition packages is provided. Embodiments of the present invention provide such functionality by publishing not only full malware signature definition updates on a long periodicity but also streaming malware signature definition updates containing newly certified signature definitions on a short periodicity. As newly-certified malware signature definitions are received, those newly-certified signature definitions are incorporated not only in the full signature definition file but also in a streaming signature definition update that contains only newly-certified signature definitions received during a streaming update period. At the end of the streaming update period, a streaming signature definition file is made available by publication to anti-malware clients. A streaming signature definition file only contains those signature definitions received during the assembly period for that streaming definition file. Embodiments of the present invention replace a previous streaming signature definition file with a new streaming signature definition file at the time of publication of the new streaming signature definition file.

284 Citations

22 Claims

1. A method comprising:
- assembling a full signature definition file comprising a first received malware signature, upon receipt of the first received malware signature, whereinthe full signature definition file further comprises a first plurality of malware signatures received up to a specified time;
  
  associating a version identifier with the full signature definition file;
  
  publishing the full signature definition file after the specified time;
  
  assembling a streaming signature definition file comprising the first received malware signature, upon the receipt of the first received malware signature, whereinthe streaming signature definition file further comprises a second plurality of malware signatures received over a first time period,the first time period occurs prior to the specified time, andthe first received malware signature is received during the first time period;
  
  associating the version identifier with the streaming signature definition file; and
  
  publishing the streaming signature definition file upon completion of the first time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein said publishing the streaming signature definition file comprises:
    - transmitting the streaming signature definition file in response to a request from a first remote node; and
      
      the request from the first remote node is received during a second time period, wherein the second time period occurs after the first time period.
  - 3. The method of claim 2 further comprising:
    - using a previous full signature definition file and the streaming signature definition file for scanning the first remote node for instances of malware corresponding to one of the first received signature and the first plurality of malware signatures, whereinsaid scanning the first remote node is performed prior to the specified time.
  - 4. The method of claim 1 further comprising:
    - assembling a second streaming signature definition file comprising a third plurality of signatures received over a second time period, whereinthe second time period occurs after the first time period, andthe second time period occurs prior to the specified time;
      
      associating the version identifier with the second streaming signature definition file; and
      
      publishing the second streaming signature definition file upon completion of the second time period.
  - 5. The method of claim 4 wherein said publishing the second streaming signature definition file comprises:
    - replacing the streaming signature definition file with the second streaming signature definition file upon completion of the second time period.
  - 6. The method of claim 1 wherein the first received malware signature, the first plurality of malware signatures and the second plurality of malware signatures are received from one or more malware signature certification engines.
  - 7. The method of claim 1 wherein said assembling the streaming signature definition file comprises:
    - appending the first received malware signature to a list comprising one or more malware signatures of the second plurality of malware signatures.
  - 8. The method of claim 1 wherein said assembling the streaming signature definition file comprises:
    - appending a pointer corresponding to the first received malware signature to a list comprising one or more pointers to corresponding malware signatures of the second plurality of malware signatures, wherein the pointer corresponding to the first received malware signature comprises information regarding a location of the first received malware signature.
  - 9. The method of claim 4, further comprising:
    - producing a published full signature definition file by publishing the full signature definition file at a second specified time;
      
      downloading the published full signature definition file to a remote node after the second specified time;
      
      comparing a version identifier of the published full signature definition file to one or more version identifiers of one or more local streaming signature definition files, whereinthe one or more local streaming signature definition files were downloaded to the remote node before the published full signature definition file was downloaded; and
      
      removing ones of the local streaming signature definition files that comprise version identifiers that match the version identifier of the published full signature definition file.
  - 10. The method of claim 1, whereinthe assembling the full signature definition file comprisesincorporating the first received malware signature into the full signature definition file, whereinthe first received malware signature is incorporated into an optimized tree structure comprising the first plurality of malware signatures;
    - andverifying the integrity of the full signature definition file after the incorporating the first received malware signature.

11. An apparatus comprising:
- a processor;
  
  a network interface, coupled to the processor, and configured to receive a first malware signature, a first plurality of malware signatures, and a second plurality of malware signatures;
  
  a first storage volume, coupled to the processor, and configured to store a full signature definition file, wherein the full signature definition file comprises the first malware signature;
  
  a second storage volume, coupled to the processor, and configured to store a streaming signature definition file, wherein the streaming signature definition file comprises the first malware signature; and
  
  a memory, coupled to the processor, and storing instructions executable by the processor, the instructions configured toassemble the full signature definition file, upon receipt of the first received malware signature, whereinthe full signature definition file further comprises a first plurality of malware signatures received up to a specified time,associate a version identifier with the full signature definition file,publish the full signature definition file after the specified time,assemble the streaming signature definition file, upon the receipt of the first received malware signature, whereinthe streaming signature definition file further comprises a second plurality of malware signatures received over a first time period that occurs prior to the specified time, andthe first received malware signature is received during the first time period,associate the version identifier with the streaming signature definition file, andpublish the streaming signature definition file upon completion of the first time period.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11 further comprising:
    - a second network interface, coupled to the processor, and configured to transmit the streaming signature definition file; and
      
      the memory storing further instructions for publishing the streaming signature definition file, executable by the processor, and configured to transmit the streaming signature definition file, using the second network interface, in response to a request from a first remote node, whereinthe request from the first remote node is received during a second time period, andthe second time period occurs after the first end time.
  - 13. The apparatus of claim 11 further comprising:
    - the memory storing further instructions, executable by the processor, and configured toassemble a second streaming signature definition file comprising a third plurality of signatures received over a second time period, wherein the second time period occurs after the first time period and prior to the specified time,associate the version identifier with the second streaming signature definition file, andpublish the second streaming signature definition file upon completion of the second time period.
  - 14. The apparatus of claim 13 further comprising:
    - the memory storing further instructions for publishing the second streaming signature file, executable by the processor, and configured to replace the streaming signature definition file with the second streaming signature definition file upon completion of the second time period.
  - 15. The apparatus of claim 11 further comprising:
    - the memory storing further instructions for assembling the streaming signature definition file, executable by the processor, and configured to append the first malware signature to a list comprising one or more malware signatures of the second plurality of malware signatures.
  - 16. The apparatus of claim 11 further comprising:
    - the memory storing further instructions for assembling the streaming signature definition file, executable by the processor, and configured to append a pointer corresponding to the first malware signature to a list comprising one or more pointers to corresponding malware signatures of the second plurality of malware signatures, wherein the pointer corresponding to the first malware signature comprises information regarding a location of the first malware signature.

17. A system comprising:
- a signature update server comprising a processor and a memory coupled to the processor, the memory storing instructions executable by the processor, the instructions configured to implement;
  
  a signal processor module configured toreceive a first malware signature, andprovide the first malware signature to a full definition assembly module and a streaming definition assembly module;
  
  the full definition assembly module, coupled to the signal processor module, and configured toassemble a full signature definition file comprising the first malware signature upon receipt of the first received malware signature,associate a version identifier with the full signature definition file, andto store the full signature definition file in an associated first memory, whereinthe full signature definition file further comprises a first plurality of malware signatures received by the full definition assembly module up to a specified time;
  
  a full definition request module, coupled to the first memory, and configured to transmit all or part of the full signature definition file after the specified time;
  
  the streaming definition assembly module, coupled to the signal processor module, and configured toassemble a streaming signature definition file comprising the first malware signature upon the receipt of the first received malware signature,associate the version identifier with the streaming signature definition file, andstore the streaming signature definition file in an associated second memory, whereinthe streaming signature definition file further comprises a second plurality of malware signatures received over a first time period,the first time period occurs prior to the specified time; and
  
  the first received malware signature is received during the first time period; and
  
  a streaming definition request module, coupled to the second memory, and configured to transmit the streaming signature definition file upon completion of the first time period.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The system of claim 17 further comprising:
    - a remote node, coupled to the streaming definition request module by a network, and configured to request the streaming signature definition file, wherein the request is received during a second time period and the second time period occurs after the first time period; and
      
      the streaming definition request module is further configured to perform said transmitting the streaming signature definition file in response to the request from the remote node.
  - 19. The system of claim 17 further comprising:
    - the signal processor module is further configured to receive a third plurality of signatures over a second time period, whereinthe second time period occurs after the first time period, andthe second time period occurs prior to the specified time;
      
      the streaming definition assembly module is further configured to assemble a second streaming signature definition file comprising the third plurality of signatures and store the second streaming signature definition file in the associated second memory; and
      
      the streaming definition request module is further configured to transmit the second streaming definition file upon completion of the second time period.
  - 20. The system of claim 17 further comprising:
    - one or more malware signature certification engines, coupled to the signal processor module, and configured to provide the first received malware signature, the first plurality of malware signatures and the second plurality of malware signatures to the signal processor module.
  - 21. The system of claim 17 wherein the streaming signature definition assembly module is further configured to:
    - assemble the streaming signature definition file by appending the first malware signature to a list comprising one or more malware signatures of the second plurality of malware signatures.
  - 22. The system of claim 17 wherein the streaming signature definition assembly module is further configured to:
    - assemble the streaming signature definition file by appending a pointer corresponding to the first malware signature to a list comprising one or more pointers to corresponding malware signatures of the second plurality of malware signatures, wherein the pointer corresponding to the first malware signature comprises information regarding a location of the first malware signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Operating Corporation (NortonLifeLock Inc.)
Inventors
Viljoen, Petrus Johannes, Meggers, Jens
Primary Examiner(s)
Zee, Edward

Application Number

US12/142,905
Publication Number

US 20090320133A1
Time in Patent Office

1,502 Days
Field of Search

726/24, 717168-173
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/564 by virus signature recognition

Streaming malware definition updates

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

284 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Streaming malware definition updates

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

284 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links