Mitigating malicious file propagation with progressive identifiers

US 8,353,037 B2
Filed: 12/03/2009
Issued: 01/08/2013
Est. Priority Date: 12/03/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of interdicting a propagation of a malicious file in a computer network, the method comprising the steps of:

a computer receiving and identifying multiple segments of a first file being transferred in a message to a first computer system via the network, the segments that represent earlier portions of the message being shorter than the segments that represent later portions of the message;

the computer determining multiple signatures that identify the multiple segments respectively of the first file;

the computer receiving and identifying another, final segment of the first file;

the computer determining a signature that identifies the final segment of the first file;

the computer determining a first match between the multiple signatures that identify the multiple segments of the first file and multiple signatures that identify multiple segments of the malicious file;

the computer determining a second match between the signature that identifies the final segment of the first file and a signature of a final segment of the malicious file;

responsive to the step of determining the first match and prior to the step of determining the second match, the computer transferring the multiple segments of the first file to the first computer system; and

responsive to the step of determining the second match after the step of determining the first match, the computer identifying the first file as being the malicious file and interdicting a transfer of the final segment of the first file to the first computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for mitigating a propagation of a file that includes malicious code. Segments of the file are determined by a series of sizes determined by a function ƒ. Signatures identifying segments of the file are determined by applying a hash function to each segment. A complete match between the file and a malicious file is determined by determining a first match between signature(s) identifying a first set of segment(s) of the file and signature(s) identifying corresponding segment(s) of the malicious file and by determining a second match between a signature identifying a final segment of the file and a signature identifying a last segment of the malicious file. Responsive to determining the complete match, the file is identified as the malicious file and a transfer of the final segment of the file is interdicted.

13 Citations

View as Search Results

20 Claims

1. A computer-implemented method of interdicting a propagation of a malicious file in a computer network, the method comprising the steps of:
- a computer receiving and identifying multiple segments of a first file being transferred in a message to a first computer system via the network, the segments that represent earlier portions of the message being shorter than the segments that represent later portions of the message;
  
  the computer determining multiple signatures that identify the multiple segments respectively of the first file;
  
  the computer receiving and identifying another, final segment of the first file;
  
  the computer determining a signature that identifies the final segment of the first file;
  
  the computer determining a first match between the multiple signatures that identify the multiple segments of the first file and multiple signatures that identify multiple segments of the malicious file;
  
  the computer determining a second match between the signature that identifies the final segment of the first file and a signature of a final segment of the malicious file;
  
  responsive to the step of determining the first match and prior to the step of determining the second match, the computer transferring the multiple segments of the first file to the first computer system; and
  
  responsive to the step of determining the second match after the step of determining the first match, the computer identifying the first file as being the malicious file and interdicting a transfer of the final segment of the first file to the first computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising the steps of:
    - prior to the step of determining the first match, the computer determining the multiple segments of the malicious file and the final segment of the malicious file by determining a series of sizes of segments defined by a function ƒ
      
      ;
      
      prior to the step of determining the first match, the computer determining the multiple signatures that identify the multiple segments of the malicious file by applying a hash function to each segment of the multiple segments of the malicious file;
      
      prior to the step of determining the second match, the computer determining the signature that identifies the final segment of the malicious file by applying the hash function to the final segment of the malicious file; and
      
      the computer storing in a blacklist a progressive identifier (pID) identifying the malicious file by including the multiple signatures that identify the multiple segments of the malicious file followed by the signature that identifies the final segment of the malicious file.
  - 3. The method of claim 2, wherein the step of determining the multiple segments of the malicious file and the final segment of the malicious file includes a step of determining a series of segments that includes the multiple segments of the malicious file followed by the final segment of the malicious file, and wherein the step of determining the first match includes determining the multiple segments of the malicious file do not include all segments of the malicious file.
  - 4. The method of claim 1, wherein the step of determining the second match includes determining the malicious file includes no segments other than the multiple segments of the malicious file and the final segment of the malicious file.
  - 5. The method of claim 1, further comprising the computer determining a series of sizes of segments defined by a function ƒ
    - by applying the function ƒ
      
      to the first file to determine a series of n segments of the first file, wherein a maximum value of n is indicated by a size of the first file and by the function ƒ
      
      , wherein the series of n segments of the first file includes the multiple segments of the first file and the final segment of the first file, wherein the function ƒ
      
      is a monotonically increasing function that indicates that ƒ
      
      (i+1)>
      
      ƒ
      
      (i), wherein i and n are positive integers, n>
      
      1, and i<
      
      n−
      
      1, wherein ƒ
      
      (i) is an i-th size in the series of sizes of segments and ƒ
      
      (i+1) is an (i+1)-th size in the series of sizes of segments, and wherein the i-th size is a size of an i-th segment in the series of n segments and the (i+1)-th size is a size of an (i+1)-th segment in the series of n segments.
  - 6. The method of claim 5, wherein step of applying the function ƒ
    - includes determining the series of n segments as a geometric sequence that includes ƒ
      
      (i) and ƒ
      
      (i+1), and wherein ƒ
      
      (i) is followed by ƒ
      
      (i+1) in the geometric sequence.
  - 7. The method of claim 1, further comprising the computer applying a hash function to each segment of the multiple segments of the first file and the final segment of the first file by applying a hash function algorithm having computationally efficient requirements that include a requirement for a number of cycles of a central processing unit and a requirement for an amount of memory, wherein the number of cycles is less than a first predefined threshold, and wherein the amount of memory is less than a second predefined threshold.
  - 8. The method of claim 1, further comprising the computer applying a hash function to each segment of the multiple segments of the first file and the final segment of the first file by applying a cyclic redundancy check (CRC) to each segment of a series of n segments defined by a function ƒ
    - , wherein the first file consists of the series of n segments.
  - 9. The method of claim 1, further comprising the steps of:
    - prior to the step of determining the second match, an integrated intrusion prevention system (IIPS) receiving a plurality of segments of the malicious file as the malicious file is transferred to a second computing system via the network, wherein the plurality of segments consists of the multiple segments of the malicious file and the final segment of the malicious file;
      
      the IIPS determining a set of signatures identifying the plurality of segments of the malicious file by applying a hash function to each segment of the multiple segments of the malicious file and by applying the hash function to the final segment of the malicious file, wherein the set of signatures includes the multiple signatures that identify the multiple segments of the malicious file and the signature that identifies the final segment of the malicious file;
      
      the IIPS monitoring a plurality of patterns of network traffic emanating from the second computing system via the network subsequent to a receipt of the malicious file by the second computing system;
      
      the IIPS detecting a presence of malicious code on the second computing system based on the plurality of patterns of network traffic emanating from the second computing system;
      
      the IIPS correlating the presence of the malicious code with a plurality of receipts of a plurality of files by the second computing system, wherein the plurality of files is received by the second computing system prior to the step of detecting the presence of the malicious code, and wherein the plurality of receipts includes the receipt of the malicious file;
      
      responsive to the step of correlating the presence of the malicious code, the IIPS determining the malicious file includes the malicious code; and
      
      responsive to the step of determining the malicious file includes the malicious code, the IIPS storing the set of signatures in a blacklist that includes one or more sets of signatures, wherein the one or more sets of signatures included in the blacklist identify one or more files that include one or more sets of malicious code, wherein the step of determining the first match includes retrieving from the blacklist the multiple signatures that identify the multiple segments of the malicious file, and wherein the step of determining the second match includes retrieving from the blacklist the signature that identifies the final segment of the malicious file.
  - 10. The method of claim 1, further comprising the steps of:
    - the computer populating a blacklist that identifies n malicious files that include n sets of malicious code;
      
      the computer determining 1st . . . (i−
      
      1)-th segments of a second computer file by determining 1st . . . (i−
      
      1)-th sizes in a series of sizes of segments determined by a function ƒ
      
      , wherein the second file is being transferred to a second computer system via the network;
      
      the computer receiving the 1st . . . (i−
      
      1)-th segments of the second file;
      
      the computer determining 1st . . . (i−
      
      1)-th signatures that identify the 1st . . . (i−
      
      1)-th segments of the second file by applying a hash function to each segment of the 1st . . . (i−
      
      1)-th segments of the second file;
      
      the computer determining 1st . . . (i−
      
      1)-th matches between the 1st . . . (i−
      
      1)-th signatures that identify the 1st . . . (i−
      
      1)-th segments of the second file and 1st . . . (i−
      
      1)-th signatures that identify 1st . . . (i−
      
      1)-th segments of one or more malicious files included in the n malicious files;
      
      the computer determining each malicious file of the one or more malicious files includes at least one segment other than the 1st . . . (i−
      
      1)-th segments of the one or more malicious files;
      
      responsive to the step of determining the 1st . . . (i−
      
      1)-th matches and the step of determining each malicious file includes the at least one segment other than the 1st . . . (i−
      
      1)-th segments of the one or more malicious files, the computer transferring the 1st . . . (i−
      
      1)-th sets of one or more data packets to the second computer system;
      
      the computer determining an i-th segment of the second file by determining an i-th size in the series of sizes of segments defined by the function ƒ
      
      ;
      
      the computer receiving the i-th segment of the second file;
      
      the computer determining an i-th signature that identifies the i-th segment of the second file by applying the hash function to the i-th segment of the second file;
      
      the computer determining one or more mismatches between the i-th signature that identifies the i-th segment of the second file and one or more i-th signatures that identify one or more i-th segments of the one or more malicious files;
      
      responsive to the step of determining the one or more mismatches, the computer determining the second file is not included in the n malicious files identified by the blacklist and transferring the i-th segment of the second file to the second computer system; and
      
      subsequent to the step of determining the second file is not included in the n malicious files, the computer receiving (i+1)-th . . . m-th segments of the second file and transferring the (i+1)-th . . . m-th segments of the second file to the second computer system without determining (i+1)-th . . . m-th signatures that identify the (i+1)-th . . . m-th segments of the second file by applying the hash function to the (i+1)-th . . . m-th segments of the second file, wherein 1<
      
      i<
      
      m.

11. A first computer system for interdicting a propagation of a malicious file in a computer network, the first computer system comprising:
- a central processing unit (CPU);
  
  a computer-readable memory;
  
  a computer-readable, tangible storage device;
  
  first program instructions to receive and identify multiple segments of the first file being transferred in a message to a first computer system via the network, the segments that represent earlier portions of the message being shorter than the segments that represent later portions of the message;
  
  second program instructions to determine multiple signatures that identify the multiple segments respectively of the first file;
  
  third program instructions to receive and identify another, final segment of the first file;
  
  fourth program instructions to determine a signature that identifies the final segment of the first file;
  
  fifth program instructions to determine a first match between the multiple signatures that identify the multiple segments of the first file and multiple signatures that identify multiple segments of the malicious file;
  
  sixth program instructions to determine a second match between the signature that identifies the final segment of the first file and a signature of a final segment of the malicious file;
  
  seventh program instructions to, responsive to determining the first match by the fifth program instructions and prior to determining the second match by the sixth program instructions, transfer the multiple segments of the first file to the second computer system; and
  
  eighth program instructions to, responsive to determining the second match by the sixth program instructions and after determining the first match by the fifth program instructions, identify the first file as being the malicious file and interdict a transfer of the final segment of the first file to the second computer system,wherein the first, second, third, fourth, fifth, sixth, seventh and eighth program instructions are stored on the computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The first computer system of claim 11, further comprising:
    - ninth program instructions to, prior to determining the first match by the fifth program instructions, determine the multiple segments of the malicious file and the final segment of the malicious file by determining a series of sizes of segments defined by a function ƒ
      
      ;
      
      tenth program instructions to, prior to determining the first match by the fifth program instructions, determine the multiple signatures that identify the multiple segments of the malicious file by applying a hash function to each segment of the multiple segments of the malicious file;
      
      eleventh program instructions to, prior to determining the second match by the sixth program instructions, determine the signature that identifies the final segment of the malicious file by applying the hash function to the final segment of the malicious file; and
      
      twelfth program instructions to store in a blacklist a progressive identifier (pID) identifying the malicious file by including the multiple signatures that identify the multiple segments of the malicious file followed by the signature that identifies the final segment of the malicious file,wherein the ninth, tenth, eleventh and twelfth program instructions are stored on the computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.
  - 13. The computer system of claim 12, wherein the ninth program instructions include thirteenth program instructions to determine the multiple segments of the malicious file and the final segment of the malicious file by determining a series of segments that includes the multiple segments of the malicious file followed by the final segment of the malicious file, wherein determining the first match by the fifth program instructions includes determining the multiple segments of the malicious file do not include all segments of the malicious file, and wherein the thirteenth program instructions are stored on the computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.
  - 14. The computer system of claim 11, wherein the sixth program instructions to determine the second match include ninth program instructions to determine the malicious file includes no segments other than the multiple segments of the malicious file and the final segment of the malicious file, and wherein the ninth program instructions are stored on the computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.
  - 15. The computer system of claim 11, further comprising ninth program instructions to determine a series of sizes of segments defined by a function ƒ
    - by performing a step of applying the function ƒ
      
      to the first file to determine a series of n segments of the first file, wherein a maximum value of n is indicated by a size of the first file and by the function ƒ
      
      , wherein the series of n segments of the first file includes the multiple segments of the first file and the final segment of the first file, wherein the function ƒ
      
      is a monotonically increasing function that indicates that ƒ
      
      (i+1)>
      
      ƒ
      
      (i), wherein i and n are positive integers, n>
      
      1, and i<
      
      n−
      
      1, wherein ƒ
      
      (i) is an i-th size in the series of sizes of segments and ƒ
      
      (i+1) is an (i+1)-th size in the series of sizes of segments, wherein the i-th size is a size of an i-th segment in the series of n segments and the (i+1)-th size is a size of an (i+1)-th segment in the series of n segments, and wherein the ninth program instructions are stored on the computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.
  - 16. The computer system of claim 15, wherein the step of applying the function ƒ
    - includes determining the series of n segments as a geometric sequence that includes ƒ
      
      (i) and ƒ
      
      (i+1), and wherein ƒ
      
      (i) is followed by ƒ
      
      (i+1) in the geometric sequence.

17. A computer program product for mitigating a propagation of a malicious file in a computer network, the computer program product comprising:
- computer-readable, tangible storage device(s); and
  
  computer-readable program instructions stored on the computer-readable, tangible storage device(s), the computer-readable program instructions when executed by a CPU;
  
  receive and identify multiple segments of a first file being transferred in a message to a first computer system via the network, the segments that represent earlier portions of the message being shorter than the segments that represent later portions of the message;
  
  determine multiple signatures that identify the multiple segments respectively of the first file;
  
  receive and identify another, final segment of the first file;
  
  determine a signature that identifies the final segment of the first file;
  
  determine a first match between the multiple signatures that identify the multiple segments of the first file and multiple signatures that identify multiple segments of the malicious file;
  
  determine a second match between the signature that identifies the final segment of the first file and a signature of a final segment of the malicious file;
  
  responsive to determining the first match and prior to determining the second match transfer the multiple segments of the first file to the first computer system; and
  
  responsive to determining the second match after determining the first match, identify the first file as being the malicious file and interdict a transfer of the final segment of the first file to the first computer system.
- View Dependent Claims (18, 19, 20)
- - 18. The program product of claim 17, wherein the computer-readable program instructions when executed by the CPU:
    - prior to determining the first match, determine the multiple segments of the malicious file and the final segment of the malicious file by determining a series of sizes of segments defined by a function ƒ
      
      ;
      
      prior to determining the first match, determine the multiple signatures that identify the multiple segments of the malicious file by applying a hash function to each segment of the multiple segments of the malicious file;
      
      prior to determining the second match, determine the signature that identifies the final segment of the malicious file by applying the hash function to the final segment of the malicious file; and
      
      in a blacklist a progressive identifier (pID) identifying the malicious file by including the multiple signatures that identify the multiple segments of the malicious file followed by the signature that identifies the final segment of the malicious file.
  - 19. The program product of claim 18, wherein the computer-readable program instructions when executed by the CPU determine the multiple segments of the malicious file and the final segment of the malicious file by determining a series of segments that includes the multiple segments of the malicious file followed by the final segment of the malicious file, wherein the computer-readable program instructions that determine the first match includes computer-readable program instructions when executed by the CPU determine the multiple segments of the malicious file does not include all segments of the malicious file.
  - 20. The program product of claim 17, wherein the computer-readable program instructions that determine the second match include computer-readable program instructions when executed by the CPU determine the malicious file includes no segments other than the multiple segments of the malicious file and the final segment of the malicious file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Franklin, Douglas North, Mays, Richard C.
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US12/629,941
Publication Number

US 20110138465A1
Time in Patent Office

1,132 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

H04L 63/145   the attack involving the pr...

H04L 9/08   Key distribution or managem...

Mitigating malicious file propagation with progressive identifiers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigating malicious file propagation with progressive identifiers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links