Reducing malware signature set size through server-side processing

US 8,239,944 B1
Filed: 03/28/2008
Issued: 08/07/2012
Est. Priority Date: 03/28/2008
Status: Active Grant

First Claim

Patent Images

1. A method of evaluating a signature detection event, comprising:

using a computer to perform steps comprising;

providing a reduced set of malware signatures to a client, the signatures in the reduced set of malware signatures generating a greater rate of false positive malware detections than signatures in a comprehensive set of malware signatures;

receiving from the client a signature detection event report indicating a detection of a malware signature in the reduced set of malware signatures in association with an entity, the signature detection event report comprising data describing the entity;

examining the data describing the entity using the comprehensive set of malware signatures to determine whether the signature detection event is a false positive signature detection event; and

reporting to the client whether the signature detection event is a false positive signature detection event.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server provides a reduced set of malware signatures to clients. The reduced set of malware signatures has the same scope of coverage as a comprehensive set of malware signatures stored on the server, but with a higher rate of false positive detections. The server receives signature detection event reports from the clients. A signature detection event report identifies the signature in the reduced set that was detected, and includes information describing the suspicious entity in which the signature was detected. Upon receiving a signature detection event report from a client, the server evaluates the information describing the suspicious entity using one or more signatures in the comprehensive set to determine whether the signature detection event is a false positive or a legitimate malware detection. The security server provides the result of the evaluation to the client from which the report was received.

Citations

16 Claims

1. A method of evaluating a signature detection event, comprising:
- using a computer to perform steps comprising;
  
  providing a reduced set of malware signatures to a client, the signatures in the reduced set of malware signatures generating a greater rate of false positive malware detections than signatures in a comprehensive set of malware signatures;
  
  receiving from the client a signature detection event report indicating a detection of a malware signature in the reduced set of malware signatures in association with an entity, the signature detection event report comprising data describing the entity;
  
  examining the data describing the entity using the comprehensive set of malware signatures to determine whether the signature detection event is a false positive signature detection event; and
  
  reporting to the client whether the signature detection event is a false positive signature detection event.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the reduced set of malware signatures provides for the same scope of malware detection as the comprehensive set of malware signatures.
  - 3. The method of claim 1, wherein the reporting comprises:
    - reporting to the client that the signature detection event is a false positive detection event responsive to the examination of the data using the comprehensive set of malware signatures not detecting signatures in the set in the data.
  - 4. The method of claim 1, wherein the reporting comprises:
    - reporting to the client that the signature detection event is not a false positive detection event responsive to the examination of the data using the comprehensive set of malware signatures detecting a signature in the set in the data.
  - 5. The method of claim 1, wherein the examining comprises:
    - identifying reputation data indicating a reputation associated with the entity; and
      
      evaluating whether the signature detection event is false positive signature detection event responsive to the reputation data.
  - 6. The method of claim 1, wherein the examining comprises:
    - identifying popularity data indicating a popularity of the entity; and
      
      evaluating whether the signature detection event is a false positive signature detection event responsive to the popularity data.

7. A non-transitory computer-readable storage medium having executable computer modules for evaluating a signature detection event, comprising:
- a reporting module configured to;
  
  provide a reduced set of malware signatures to a client, the signatures in the reduced set of malware signatures generating a greater rate of false positive malware detections than signatures in a comprehensive set of malware signatures;
  
  receive from the client a signature detection event report indicating a detection of a malware signature in the reduced set of malware signatures in association with an entity, the signature detection event report comprising data describing the entity, and configured to report to the client whether the signature detection event is a false positive signature detection event; and
  
  an evaluation module configured to examine the data describing the entity using the comprehensive set of malware signatures to determine whether the signature detection event is a false positive signature detection event.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable storage medium of claim 7, wherein the reduced set of malware signatures provides for the same scope of malware detection as the comprehensive set of malware signatures.
  - 9. The computer-readable storage medium of claim 7, wherein the reporting module is further configured to:
    - report to the client that the signature detection event is a false positive detection event responsive to the examination of the data using the comprehensive set of malware signatures not detecting signatures in the set in the data.
  - 10. The computer-readable storage medium of claim 7, wherein the reporting module is further configured to:
    - report to the client that the signature detection event is not a false positive detection event responsive to the examination of the data using the comprehensive set of malware signatures detecting a signature in the set in the data.
  - 11. The computer-readable storage medium of claim 7, wherein the reporting module is further configured to:
    - identify reputation data indicating a reputation associated with the entity; and
      
      evaluate whether the signature detection event is false positive signature detection event responsive to the reputation data.
  - 12. The computer-readable storage medium of claim 7, wherein the reporting module is further configured to:
    - identify popularity data indicating a popularity of the entity; and
      
      evaluate whether the signature detection event is a false positive signature detection event responsive to the popularity data.

13. A method of evaluating a signature detection event, comprising:
- using a computer to perform steps comprising;
  
  receiving a reduced set of malware signatures, the signatures in the reduced set of malware signatures generating a greater rate of false positive malware detections than signatures in a comprehensive set of malware signatures;
  
  generating a signature detection event report identifying a malware signature in the reduced set and including data describing a suspicious entity associated with the malware signature;
  
  receiving an evaluation of whether a signature detection event associated with the signature detection event report is a false positive signature detection event, wherein the evaluation is using the comprehensive set of malware signatures; and
  
  suppressing the signature detection event responsive to the evaluation indicating that the signature detection event is a false positive signature detection event.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, further comprising:
    - providing the signature detection event report to a server.
  - 15. The method of claim 13, wherein the reduced set of malware signatures provides for the same scope of malware detection as the comprehensive set of malware signatures.
  - 16. The method of claim 13, wherein the data describing the suspicious entity comprise at least a portion of a computer file in which the malware signature was detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S., Griffin, Kent E.
Primary Examiner(s)
Zia, Syed A.

Application Number

US12/058,427
Time in Patent Office

1,593 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 63/123 received data contents, e.g...

H04L 63/1416 Event detection, e.g. attac...

Reducing malware signature set size through server-side processing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Reducing malware signature set size through server-side processing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links