Mitigating malicious file propagation with progressive identifiers
First Claim

1. A computer-implemented method of interdicting a propagation of a malicious file in a computer network, the method comprising the steps of:
- a computer receiving and identifying multiple segments of a first file being transferred in a message to a first computer system via the network, the segments that represent earlier portions of the message being shorter than the segments that represent later portions of the message;
- the computer determining multiple signatures that identify the multiple segments respectively of the first file;
- the computer receiving and identifying another, final segment of the first file;
- the computer determining a signature that identifies the final segment of the first file;
- the computer determining a first match between the multiple signatures that identify the multiple segments of the first file and multiple signatures that identify multiple segments of the malicious file;
- the computer determining a second match between the signature that identifies the final segment of the first file and a signature of a final segment of the malicious file;
- responsive to the step of determining the first match and prior to the step of determining the second match, the computer transferring the multiple segments of the first file to the first computer system; and
- responsive to the step of determining the second match after the step of determining the first match, the computer identifying the first file as being the malicious file and interdicting a transfer of the final segment of the first file to the first computer system.
Abstract
A method and system for mitigating a propagation of a file that includes malicious code. Segments of the file are determined by a series of sizes determined by a function ƒ. Signatures identifying segments of the file are determined by applying a hash function to each segment. A complete match between the file and a malicious file is determined by determining a first match between signature(s) identifying a first set of segment(s) of the file and signature(s) identifying corresponding segment(s) of the malicious file and by determining a second match between a signature identifying a final segment of the file and a signature identifying a last segment of the malicious file. Responsive to determining the complete match, the file is identified as the malicious file and a transfer of the final segment of the file is interdicted.
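The segment-by-segment relay described in the abstract and claim 1, as an added illustration that is not code from the patent. It assumes a doubling growth function f(i) = base * 2**i for the segment sizes and SHA-256 as the per-segment hash; the page names neither. Non-final segments are forwarded as soon as they match the known malicious file's signatures, and only the final segment is withheld once the second match confirms the complete match; a file whose prefix diverges is forwarded without further hashing.

```python
import hashlib
from typing import Dict, List

def segment_sizes(total_len: int, base: int = 16) -> List[int]:
    """Sizes from an assumed growth function f(i) = base * 2**i: earlier
    segments are shorter than later ones; the final one takes the remainder."""
    sizes, consumed, i = [], 0, 0
    while consumed < total_len:
        size = min(base * 2 ** i, total_len - consumed)
        sizes.append(size)
        consumed += size
        i += 1
    return sizes

def segment_signatures(data: bytes, base: int = 16) -> List[str]:
    """Per-segment signatures: SHA-256 over each segment (hash choice assumed)."""
    sigs, offset = [], 0
    for size in segment_sizes(len(data), base):
        sigs.append(hashlib.sha256(data[offset:offset + size]).hexdigest())
        offset += size
    return sigs

def scan_transfer(data: bytes, malicious_sigs: List[str], base: int = 16) -> Dict[str, object]:
    """Relay one in-flight file against a known malicious file's segment signatures.
    Non-final segments are forwarded while the prefix still matches (first match);
    the final segment is withheld only if it also matches the malicious file's
    last segment (second match)."""
    sizes = segment_sizes(len(data), base)
    forwarded, offset = bytearray(), 0
    prefix_matches, hashed = True, 0
    for idx, size in enumerate(sizes):
        segment = data[offset:offset + size]
        offset += size
        is_final = idx == len(sizes) - 1
        if prefix_matches:  # once the prefix diverges, stop hashing entirely
            sig = hashlib.sha256(segment).hexdigest()
            hashed += 1
            if is_final:
                if sig == malicious_sigs[-1]:  # second match: complete match
                    return {"interdicted": True, "forwarded": bytes(forwarded),
                            "withheld": len(segment), "segments_hashed": hashed}
            else:
                prefix_matches = idx < len(malicious_sigs) - 1 and sig == malicious_sigs[idx]
        forwarded += segment  # forwarded before the final verdict is known
    return {"interdicted": False, "forwarded": bytes(forwarded),
            "withheld": 0, "segments_hashed": hashed}
```

Note the trade-off the claim accepts: every non-final segment of a malicious file reaches the destination, and only the last (largest) segment is blocked, so the receiver never obtains a complete copy.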
13 Citations
20 Claims
1. (Independent claim 1 is set out in full under First Claim above; dependent claims 2 to 10 depend from it.)

11. A first computer system for interdicting a propagation of a malicious file in a computer network, the first computer system comprising:
- a central processing unit (CPU);
- a computer-readable memory;
- a computer-readable, tangible storage device;
- first program instructions to receive and identify multiple segments of the first file being transferred in a message to a first computer system via the network, the segments that represent earlier portions of the message being shorter than the segments that represent later portions of the message;
- second program instructions to determine multiple signatures that identify the multiple segments respectively of the first file;
- third program instructions to receive and identify another, final segment of the first file;
- fourth program instructions to determine a signature that identifies the final segment of the first file;
- fifth program instructions to determine a first match between the multiple signatures that identify the multiple segments of the first file and multiple signatures that identify multiple segments of the malicious file;
- sixth program instructions to determine a second match between the signature that identifies the final segment of the first file and a signature of a final segment of the malicious file;
- seventh program instructions to, responsive to determining the first match by the fifth program instructions and prior to determining the second match by the sixth program instructions, transfer the multiple segments of the first file to the second computer system; and
- eighth program instructions to, responsive to determining the second match by the sixth program instructions and after determining the first match by the fifth program instructions, identify the first file as being the malicious file and interdict a transfer of the final segment of the first file to the second computer system,
wherein the first, second, third, fourth, fifth, sixth, seventh and eighth program instructions are stored on the computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.
(Dependent claims 12 to 16 depend from claim 11.)

17. A computer program product for mitigating a propagation of a malicious file in a computer network, the computer program product comprising:
- computer-readable, tangible storage device(s); and
- computer-readable program instructions stored on the computer-readable, tangible storage device(s), the computer-readable program instructions when executed by a CPU:
  - receive and identify multiple segments of a first file being transferred in a message to a first computer system via the network, the segments that represent earlier portions of the message being shorter than the segments that represent later portions of the message;
  - determine multiple signatures that identify the multiple segments respectively of the first file;
  - receive and identify another, final segment of the first file;
  - determine a signature that identifies the final segment of the first file;
  - determine a first match between the multiple signatures that identify the multiple segments of the first file and multiple signatures that identify multiple segments of the malicious file;
  - determine a second match between the signature that identifies the final segment of the first file and a signature of a final segment of the malicious file;
  - responsive to determining the first match and prior to determining the second match, transfer the multiple segments of the first file to the first computer system; and
  - responsive to determining the second match after determining the first match, identify the first file as being the malicious file and interdict a transfer of the final segment of the first file to the first computer system.
(Dependent claims 18 to 20 depend from claim 17.)