Reducing malware signature set size through server-side processing
First Claim
1. A method of evaluating a signature detection event, comprising:
using a computer to perform steps comprising:
- providing a reduced set of malware signatures to a client, the signatures in the reduced set of malware signatures generating a greater rate of false positive malware detections than signatures in a comprehensive set of malware signatures;
- receiving from the client a signature detection event report indicating a detection of a malware signature in the reduced set of malware signatures in association with an entity, the signature detection event report comprising data describing the entity;
- examining the data describing the entity using the comprehensive set of malware signatures to determine whether the signature detection event is a false positive signature detection event; and
- reporting to the client whether the signature detection event is a false positive signature detection event.
Abstract
A server provides a reduced set of malware signatures to clients. The reduced set of malware signatures has the same scope of coverage as a comprehensive set of malware signatures stored on the server, but with a higher rate of false positive detections. The server receives signature detection event reports from the clients. A signature detection event report identifies the signature in the reduced set that was detected, and includes information describing the suspicious entity in which the signature was detected. Upon receiving a signature detection event report from a client, the server evaluates the information describing the suspicious entity using one or more signatures in the comprehensive set to determine whether the signature detection event is a false positive or a legitimate malware detection. The security server provides the result of the evaluation to the client from which the report was received.
16 Claims
1. Independent claim 1 is set out above under First Claim. Dependent claims: 2, 3, 4, 5, 6.
7. A non-transitory computer-readable storage medium having executable computer modules for evaluating a signature detection event, comprising:
a reporting module configured to:
- provide a reduced set of malware signatures to a client, the signatures in the reduced set of malware signatures generating a greater rate of false positive malware detections than signatures in a comprehensive set of malware signatures;
- receive from the client a signature detection event report indicating a detection of a malware signature in the reduced set of malware signatures in association with an entity, the signature detection event report comprising data describing the entity; and
- report to the client whether the signature detection event is a false positive signature detection event; and
an evaluation module configured to examine the data describing the entity using the comprehensive set of malware signatures to determine whether the signature detection event is a false positive signature detection event.
Dependent claims: 8, 9, 10, 11, 12.
13. A method of evaluating a signature detection event, comprising:
using a computer to perform steps comprising:
- receiving a reduced set of malware signatures, the signatures in the reduced set of malware signatures generating a greater rate of false positive malware detections than signatures in a comprehensive set of malware signatures;
- generating a signature detection event report identifying a malware signature in the reduced set and including data describing a suspicious entity associated with the malware signature;
- receiving an evaluation of whether a signature detection event associated with the signature detection event report is a false positive signature detection event, wherein the evaluation is made using the comprehensive set of malware signatures; and
- suppressing the signature detection event responsive to the evaluation indicating that the signature detection event is a false positive signature detection event.
Dependent claims: 14, 15, 16.
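The client/server round trip described in the abstract and in claims 1, 7 and 13, written out as an added example in Python. This is illustration code, not the patent's own embodiment and not code from any product that practises it. The byte-pattern signatures, the rule that a reduced signature is the first few bytes of its comprehensive counterpart (which keeps coverage identical while matching more benign data), the report fields, and the names Client, Server, DetectionReport, derive_reduced, coverage_preserved and handle_entity are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample signatures (hypothetical; not from any real AV product).
# The comprehensive set holds full byte patterns. The reduced set handed to the
# client is a prefix of each pattern: anything the full pattern matches also
# matches the prefix (same coverage), but benign data matches the short prefix
# far more often (higher false-positive rate), which is exactly the trade-off
# the claims describe.
COMPREHENSIVE = {
    "SIG-001": b"\x4d\x5a\x90\x00evil-dropper-v2",   # hypothetical PE-based dropper
    "SIG-002": b"GET /wp-login.php?action=bruteforce",  # hypothetical HTTP pattern
}
REDUCED_PREFIX_LEN = 4  # assumption: client signatures are 4-byte prefixes


def derive_reduced(comprehensive, prefix_len=REDUCED_PREFIX_LEN):
    """Build the reduced (client-side) set by truncating each comprehensive signature."""
    return {sig_id: pat[:prefix_len] for sig_id, pat in comprehensive.items()}


def coverage_preserved(comprehensive, reduced):
    """True if every comprehensive pattern still contains its reduced counterpart,
    i.e. the reduced set cannot miss anything the comprehensive set would catch."""
    return all(reduced[sig_id] in pat for sig_id, pat in comprehensive.items())


@dataclass
class DetectionReport:
    signature_id: str      # which reduced signature fired on the client
    entity_sha256: str     # identifies the entity without resending it twice
    entity_data: bytes     # "data describing the entity"; here the bytes themselves


class Client:
    """Holds only the reduced set; cannot tell a true hit from a false positive."""

    def __init__(self, reduced):
        self.reduced = reduced

    def scan(self, entity):
        """Return a report for the first reduced signature found in entity, else None."""
        for sig_id, pat in self.reduced.items():
            if pat in entity:
                digest = hashlib.sha256(entity).hexdigest()
                return DetectionReport(sig_id, digest, entity)
        return None


class Server:
    """Holds the comprehensive set and adjudicates client reports."""

    def __init__(self, comprehensive):
        self.comprehensive = comprehensive

    def evaluate(self, report):
        # Treat the client's signature_id only as a hint: re-check the full pattern
        # for that id, then every other comprehensive pattern, so a wrong or
        # attacker-chosen id cannot turn a real detection into a "false positive".
        full = self.comprehensive.get(report.signature_id)
        if full is not None and full in report.entity_data:
            return {"false_positive": False, "matched": report.signature_id}
        for sig_id, pat in self.comprehensive.items():
            if pat in report.entity_data:
                return {"false_positive": False, "matched": sig_id}
        return {"false_positive": True, "matched": None}


def handle_entity(client, server, entity):
    """Run one entity through the whole exchange.
    Returns 'clean' (no reduced hit), 'suppressed' (server says false positive)
    or 'malware:<id>' (server confirmed a comprehensive-set match)."""
    report = client.scan(entity)
    if report is None:
        return "clean"
    verdict = server.evaluate(report)
    if verdict["false_positive"]:
        return "suppressed"          # claim 13: client suppresses the event
    return "malware:" + verdict["matched"]


if __name__ == "__main__":
    reduced = derive_reduced(COMPREHENSIVE)
    client, server = Client(reduced), Server(COMPREHENSIVE)
    # Constructed sample entities: a benign file that happens to start with the
    # same bytes as SIG-001, the real dropper pattern, and unrelated text.
    for entity in (b"\x4d\x5a\x90\x00\x03\x00\x00\x00hello",
                   b"\x4d\x5a\x90\x00evil-dropper-v2\x00",
                   b"hello world"):
        print(entity[:12], "->", handle_entity(client, server, entity))
```

The design point worth noticing is in Server.evaluate: the server does not simply look up the signature the client named. It re-scans the reported entity data against the comprehensive set, so the result depends only on what the server can verify, and a client that reports the wrong id (by bug or by design) still gets a correct verdict. The cost is the one the claims accept: data describing the entity leaves the host, so a deployment has to decide how much of the entity the report carries.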