Method and system for identifying icons

US 8,256,000 B1
Filed: 11/04/2009
Issued: 08/28/2012
Est. Priority Date: 11/04/2009
Status: Active Grant

First Claim

Patent Images

1. A computing system implemented process for identifying Icons comprising:

providing a known/clean file Icon database, the known/clean file Icon database including Icon image data associated with one or more Icons associated with one or more applications;

using one or more processors associated with one or more computing systems to monitor a given user computing system to detect and intercept all PE files being directed to the given user computing system;

using one or more processors associated with one or more computing systems to scan the resource section of all PE files being directed to the given user computing system to detect .ico files;

detecting a given .ico file in the resource section of a given PE file;

extracting the given .ico file from the resource section of a given PE file using one or more processors associated with one or more computing systems;

extracting relevant image data from the given .ico file;

obtaining known/clean Icon image data from the known/clean file Icon database;

defining a threshold matching level such that if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level, data indicating a status of the extracted .ico file and the given file, is transformed to data indicating a status of Icon match;

comparing the relevant image data from the given .ico file and clean/known Icon image data from the known/clean file Icon database; and

if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level, transforming data indicating a status of the extracted .ico file and the given PE file, to data indicating a status of Icon match.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for indentifying Icons whereby a known/clean file Icon database is created that includes Icon image data and/or .ico files associated with known icons of selected applications. The resource section of any file being transferred to, or through, a given user computing system is then stripped and scanned for .ico files and any .ico files identified are extracted. Then for each directory extracted from the identified .ico files, the relevant image data is extracted. The known/clean Icon image data is obtained from the known/clean file Icon database. The extracted relevant image data is then compared with known/clean Icon image data and, if the extracted relevant image data matches with the known/clean Icon image data to a desired level of accuracy, a status of the extracted .ico files, and/or given file, is transformed indicate a status of Icon match.

16 Citations

View as Search Results

20 Claims

1. A computing system implemented process for identifying Icons comprising:
- providing a known/clean file Icon database, the known/clean file Icon database including Icon image data associated with one or more Icons associated with one or more applications;
  
  using one or more processors associated with one or more computing systems to monitor a given user computing system to detect and intercept all PE files being directed to the given user computing system;
  
  using one or more processors associated with one or more computing systems to scan the resource section of all PE files being directed to the given user computing system to detect .ico files;
  
  detecting a given .ico file in the resource section of a given PE file;
  
  extracting the given .ico file from the resource section of a given PE file using one or more processors associated with one or more computing systems;
  
  extracting relevant image data from the given .ico file;
  
  obtaining known/clean Icon image data from the known/clean file Icon database;
  
  defining a threshold matching level such that if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level, data indicating a status of the extracted .ico file and the given file, is transformed to data indicating a status of Icon match;
  
  comparing the relevant image data from the given .ico file and clean/known Icon image data from the known/clean file Icon database; and
  
  if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level, transforming data indicating a status of the extracted .ico file and the given PE file, to data indicating a status of Icon match.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computing system implemented process for identifying Icons of claim 1, wherein:
    - at least one of the one or more Icons associated with one or more applications is selected from the group of Icons consisting of;
      
      the Microsoft Word word processing program;
      
      the Microsoft Excel spreadsheet program;
      
      the Microsoft Paint graphics program;
      
      the Microsoft PowerPoint display program;
      
      the Microsoft Visio graphics program;
      
      JPEG; and
      
      PDF.
  - 3. The computing system implemented process for identifying Icons of claim 1, wherein:
    - the threshold matching level is defined such that if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to a fifty percent match level, data indicating a status of the extracted .ico file and the given PE file, is transformed to data indicating a status of Icon match.
  - 4. The computing system implemented process for identifying Icons of claim 1, wherein:
    - comparing the relevant image data from the given .ico file and clean/known Icon image data from the known/clean file Icon database is performed on a byte-by-byte basis.
  - 5. The computing system implemented process for identifying Icons of claim 1, further comprising:
    - taking one or more actions to protect a user of the given user computing system if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level.
  - 6. The computing system implemented process for identifying Icons of claim 5, wherein:
    - at least one of the one or more actions taken to protect a user of the given user computing system is selected from the group of protective actions consisting of;
      
      quarantining the given PE file;
      
      performing further analysis of the given PE file;
      
      blocking the given PE file; and
      
      generating a warning to the user regarding the given PE file.

7. A system for identifying Icons comprising:
- a known/clean file Icon database, the known/clean file Icon database including Icon image data associated with one or more Icons associated with one or more applications;
  
  a given user computing system;
  
  a security system associated with the given user computing system;
  
  a security system provider computing system;
  
  one or more processors associated with the security system provider computing system, the one or more processors associated with the security system provider computing system executing at least part of a computing system implemented process for identifying Icons, the computing system implemented process for identifying Icons comprising;
  
  using the one or more processors associated with the security system provider computing system to monitor a given user computing system to detect and intercept all files being directed to the given user computing system;
  
  using the one or more processors associated with the security system provider computing system to scan the resource section of all files being directed to the given user computing system to detect .ico files;
  
  detecting a given .ico file in the resource section of a given file;
  
  extracting the given .ico file from the resource section of a given file using the one or more processors associated with the security system provider computing system;
  
  extracting relevant image data from the given .ico file using the one or more processors associated with the security system provider computing system;
  
  obtaining known/clean Icon image data from the known/clean file Icon database;
  
  defining a threshold matching level such that if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level, data indicating a status of the extracted .ico file and the given file, is transformed to data indicating a status of Icon match;
  
  comparing the relevant image data from the given .ico file and clean/known Icon image data from the known/clean file Icon database using the one or more processors associated with the security system provider computing system; and
  
  if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level, transforming data indicating a status of the extracted .ico file and the given file, to data indicating a status of Icon match using the one or more processors associated with the security system provider computing system.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system for identifying Icons of claim 7, wherein:
    - the given file is a PE file.
  - 9. The system for identifying Icons of claim 7, wherein:
    - at least one of the one or more Icons associated with one or more applications is selected from the group of Icons consisting of;
      
      the Microsoft Word word processing program;
      
      the Microsoft Excel spreadsheet program;
      
      the Microsoft Paint graphics program;
      
      the Microsoft PowerPoint display program;
      
      the Microsoft Visio graphics program;
      
      JPEG; and
      
      PDF.
  - 10. The system for identifying Icons of claim 7, wherein:
    - the threshold matching level is defined such that if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to a fifty percent match level, data indicating a status of the extracted .ico file and the given file, is transformed to data indicating a status of Icon match.
  - 11. The system for identifying Icons of claim 7, wherein:
    - comparing the relevant image data from the given .ico file and clean/known Icon image data from the known/clean file Icon database is performed on a byte-by-byte basis.
  - 12. The system for identifying Icons of claim 7, further comprising:
    - taking one or more actions to protect a user of the given user computing system if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level.
  - 13. The system for identifying Icons of claim 12, wherein:
    - at least one of the one or more actions taken to protect a user of the given user computing system is selected from the group of protective actions consisting of;
      
      quarantining the given file;
      
      performing further analysis of the given file;
      
      blocking the given file; and
      
      generating a warning to the user regarding the given file.

14. A system for identifying Icons comprising:
- a known/clean file Icon database, the known/clean file Icon database including Icon image data associated with one or more Icons associated with one or more applications;
  
  a given user computing system;
  
  a security system associated with the given user computing system;
  
  one or more processors associated with the given user computing system, the one or more processors associated with the given user computing system executing at least part of a computing system implemented process for identifying Icons, the computing system implemented process for identifying Icons comprising;
  
  using the one or more processors associated with the given user computing system to monitor the given user computing system to detect and intercept all files being directed to the given user computing system;
  
  using the one or more processors associated with the given user computing system to scan the resource section of all files being directed to the given user computing system to detect .ico files;
  
  detecting a given .ico file in the resource section of a given file;
  
  extracting the given .ico file from the resource section of a given file using the one or more processors associated with the given user computing system;
  
  extracting relevant image data from the given .ico file using the one or more processors associated with the given user computing system;
  
  obtaining clean/known Icon image data from the known/clean file Icon database;
  
  defining a threshold matching level such that if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level, data indicating a status of the extracted .ico file and the given file, is transformed to data indicating a status of Icon match;
  
  comparing the relevant image data from the given .ico file and clean/known Icon image data from the known/clean file Icon database using the one or more processors associated with the given user computing system; and
  
  if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level, transforming data indicating a status of the extracted .ico file and the given file, to data indicating a status of Icon match using the one or more processors associated with the given user computing system.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system for identifying Icons of claim 14, wherein:
    - the given file is a PE file.
  - 16. The system for identifying Icons of claim 14, wherein:
    - at least one of the one or more Icons associated with one or more applications is selected from the group of Icons consisting of;
      
      the Microsoft Word word processing program;
      
      the Microsoft Excel spreadsheet program;
      
      the Microsoft Paint graphics program;
      
      the Microsoft PowerPoint display program;
      
      the Microsoft Visio graphics program;
      
      JPEG; and
      
      PDF.
  - 17. The system for identifying Icons of claim 14, wherein:
    - the threshold matching level is defined such that if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to a fifty percent match level, data indicating a status of the extracted .ico file and the given file, is transformed to data indicating a status of Icon match.
  - 18. The system for identifying Icons of claim 14, wherein:
    - comparing the relevant image data from the given .ico file and clean/known Icon image data from the known/clean file Icon database is performed on a byte-by-byte basis.
  - 19. The system for identifying Icons of claim 14, further comprising:
    - taking one or more actions to protect a user of the given user computing system if the extracted relevant image data from the given .ico file matches with known/clean Icon image data obtained from the known/clean file Icon database to at least the defined threshold match level.
  - 20. The system for identifying Icons of claim 19, wherein:
    - at least one of the one or more actions taken to protect a user of the given user computing system is selected from the group of protective actions consisting of;
      
      quarantining the given file;
      
      performing further analysis of the given file;
      
      blocking the given file; and
      
      generating a warning to the user regarding the given file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Krishnappa, Bhaskar
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US12/612,550
Time in Patent Office

1,028 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

Method and system for identifying icons

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for identifying icons

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links