User-assisted security system

US 8,312,539 B1
Filed: 07/11/2008
Issued: 11/13/2012
Est. Priority Date: 07/11/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious code on a client, the method comprising:

detecting, using a computer, a pop-up displayed on the client by an executing source application;

determining, using the computer, a reputation associated with the source application;

when the reputation associated with the source application indicates that the source application is suspicious, prompting, using the computer, a user to provide feedback about the pop-up;

responsive to negative feedback about the pop-up, declaring, using the computer, the source application to be malicious software; and

after declaring the source application to be malicious software;

blocking, using the computer, a subsequent attempt by the executing source application to display a subsequent pop-up on the client;

tracking, using the computer, executable code produced by the executing source application to identify one or more new code modules on the client as originating from the source application; and

blocking, using the computer, attempts by the new code modules to display a new pop-up on the client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user-assisted security software program alerts a user when a new pop-up is displayed from a suspicious source application. If the source application may be suspicious if it has a low reputation. Displayed in connection with the pop-up, the alert prompts the user to indicate whether the source application that generated the pop-up should be trusted. If the user indicates that the source application is not trusted, the security software declares the source application to be malicious. The malicious code can then be dealt with, such as by removing it from the computing system, blocking it from generating new pop-ups, and preventing further network communications. The user'"'"'s feedback about the source application may also be used to adjust the application'"'"'s reputation.

97 Citations

View as Search Results

26 Claims

1. A computer-implemented method for detecting malicious code on a client, the method comprising:
- detecting, using a computer, a pop-up displayed on the client by an executing source application;
  
  determining, using the computer, a reputation associated with the source application;
  
  when the reputation associated with the source application indicates that the source application is suspicious, prompting, using the computer, a user to provide feedback about the pop-up;
  
  responsive to negative feedback about the pop-up, declaring, using the computer, the source application to be malicious software; and
  
  after declaring the source application to be malicious software;
  
  blocking, using the computer, a subsequent attempt by the executing source application to display a subsequent pop-up on the client;
  
  tracking, using the computer, executable code produced by the executing source application to identify one or more new code modules on the client as originating from the source application; and
  
  blocking, using the computer, attempts by the new code modules to display a new pop-up on the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 25, 26)
- - 2. The method of claim 1, wherein determining a reputation associated with the source application comprises querying a reputation server for a reputation score associated with the source application.
  - 3. The method of claim 2, wherein the reputation score is based at least in part on interactions of a plurality of client systems in a community with the source application.
  - 4. The method of claim 2, wherein the reputation score is based at least in part on hygiene scores of a plurality of client systems that use the source application, the hygiene scores indicating propensities of the clients using the source application for getting infected by malicious code.
  - 5. The method of claim 1, wherein prompting a user to provide feedback about the pop-up comprises displaying an alert window simultaneously with the pop-up, the alert window comprising an interface for a user to provide positive or negative feedback about the pop-up.
  - 6. The method of claim 1, further comprising:
    - after declaring the source application to be malicious software, removing the source application.
  - 7. The method of claim 1, further comprising:
    - after declaring the source application to be malicious software, preventing the source application from conducting network communications.
  - 8. The method of claim 1, further comprising:
    - adjusting the reputation of the source application in response to the feedback from the user.
  - 9. The method of claim 1, further comprising:
    - responsive to positive feedback about the pop-up, storing an indication that the source application is trusted software.
  - 25. The method of claim 1, wherein the pop-up comprises a window drawn on a display of the client that includes a message to the user.
  - 26. The method of claim 1, wherein the reputation is based on a number of other users who use the source application.

10. A computer-implemented method for detecting malicious code on a client, the method comprising:
- detecting, using a computer, an attempt by a source application executing on the client to cause the client to display a visual element on a display of the client;
  
  determining, using the computer, whether the source application is suspicious;
  
  when the source application is determined to be suspicious, displaying, using the computer, an alert to a user requesting a user input indicating whether to block the source application from displaying visual elements on the display of the client;
  
  responsive to the user input indicating whether to block the source application, storing, using the computer, a preference based on the user input in a storage medium coupled to the client; and
  
  responsive to the preference identifying the source application as a blocked application;
  
  blocking, using the computer, subsequent attempts by the executing source application to display subsequent visual elements on the display of the client;
  
  tracking, using the computer, executable code produced by the executing source application to identify one or more new code modules on the client as originating from the source application; and
  
  blocking, using the computer, attempts by the new code modules to display new visual elements on the display of the client.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, wherein blocking subsequent attempts by the executing source application to display subsequent visual elements on the display of the client comprises:
    - responsive to a subsequent attempt of the source application to cause the client to display a subsequent visual element on a display of the client, checking for the existence of a preference identifying the source application as a blocked application; and
      
      if the preference exists, preventing the display of the subsequent visual element.
  - 12. The method of claim 10, wherein the visual element is a pop-up.

13. A computer program product for detecting malicious code on a client, the computer program product comprising a non-transitory computer-readable storage medium comprising computer program code executable by a processor for:
- detecting a pop-up displayed on the client by an executing source application;
  
  determining a reputation associated with the source application;
  
  when the reputation associated with the source application indicates that the source application is suspicious, prompting a user to provide feedback about the pop-up; and
  
  responsive to negative feedback about the pop-up, declaring the source application to be malicious software; and
  
  after declaring the source application to be malicious software;
  
  blocking, using the computer, a subsequent attempt by the executing source application to display a subsequent pop-up on the client;
  
  tracking, using the computer, executable code produced by the executing source application to identify one or more new code modules on the client as originating from the source application; and
  
  blocking, using the computer, attempts by the new code modules to display a new pop-up on the client.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The computer program product of claim 13, wherein determining a reputation associated with the source application comprises querying a reputation server for a reputation score associated with the source application.
  - 15. The computer program product of claim 14, wherein the reputation score is based at least in part on interactions of a plurality of client systems in a community with the source application.
  - 16. The computer program product of claim 14, wherein the reputation score is based at least in part on hygiene scores of a plurality of client systems that use the source application, the hygiene scores indicating propensities of the clients using the source application for getting infected by malicious code.
  - 17. The computer program product of claim 13, wherein prompting a user to provide feedback about the pop-up comprises displaying an alert window simultaneously with the pop-up, the alert window comprising an interface for a user to provide positive or negative feedback about the pop-up.
  - 18. The computer program product of claim 13, wherein the medium further contains computer program code for:
    - after declaring the source application to be malicious software, removing the source application.
  - 19. The computer program product of claim 13, wherein the medium further contains computer program code for:
    - after declaring the source application to be malicious software, preventing the source application from conducting network communications.
  - 20. The computer program product of claim 13, wherein the medium further contains computer program code for:
    - adjusting the reputation of the source application in response to the feedback from the user.
  - 21. The computer program product of claim 13, wherein the medium further contains computer program code for:
    - responsive to positive feedback about the pop-up, storing an indication that the source application is trusted software.

22. A computer program product for detecting malicious code on a client, the computer program product comprising a non-transitory computer-readable storage medium containing computer program code executable by a processor for:
- detecting an attempt by a source application executing on the client to cause the client to display a visual element on a display of the client;
  
  determining whether the source application is suspicious;
  
  when the source application is determined to be suspicious, displaying an alert to a user requesting a user input indicating whether to block the source application from displaying visual elements on the display of the client;
  
  responsive to the user input indicating whether to block the source application, storing a preference in a storage medium coupled to the client, the preference identifying the source application as a blocked application; and
  
  responsive to the preference identifying the source application as a blocked application;
  
  blocking, using the computer, subsequent attempts by the executing application to display subsequent visual elements on the display of the client;
  
  tracking, using the computer, executable code produced by the executing source application to identify one or more new code modules on the client as originating from the source application; and
  
  blocking, using the computer, attempts by the new code modules to display new visual elements on the display of the client.
- View Dependent Claims (23, 24)
- - 23. The computer program product of claim 22, wherein blocking subsequent attempts by the executing source application to display subsequent visual elements on the display of the client comprises:
    - responsive to a subsequent attempt of the source application to cause the client to display a subsequent visual element on a display of the client, checking for the existence of a preference identifying the source application as a blocked application; and
      
      if the preference exists, preventing the display of the subsequent visual element.
  - 24. The computer program product of claim 22, wherein the visual element is a pop-up.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S., Trollope, Rowan
Primary Examiner(s)
Schwartz, Darren B

Application Number

US12/172,046
Time in Patent Office

1,586 Days
Field of Search

726/11, 726 22- 25, 713164-167, 713187-189, 715/808
US Class Current

726/22
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 21/566 Dynamic detection, i.e. det...

User-assisted security system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

User-assisted security system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links