Using temporal attributes to detect malware

US 8,413,244 B1
Filed: 11/11/2010
Issued: 04/02/2013
Est. Priority Date: 11/11/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for classifying computer files, comprising:

identifying a plurality of client systems hosting a local instance of a target file;

for one or more of the identified plurality of client systems,identifying a plurality of files hosted on the client system, one or more of the plurality of files associated with a timestamp within a time range around a timestamp associated with the local instance of the target file hosted on the client system,identifying known malicious files in the plurality of files hosted on the client system,for one or more of the identified known malicious files, determining a score measuring a temporal proximity between the timestamp of the malicious file and the timestamp the local instance of the target file, anddetermining a local malicious temporal proximity score measuring an aggregation of the scores of the identified known malicious files;

determining a global malicious temporal proximity score measuring an aspect of the local malicious temporal proximity scores of the identified plurality of client systems; and

determining a classification of the target file based at least in part on the global malicious temporal proximity score.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for classifying unknown files taking into account temporal proximity between unknown files and files with known classifications are disclosed. In response to a classification request for a target file, client systems hosting (or hosted) instances of the target file are identified. For each system, files created around the time the target file was created on the system are identified. Within the identified files, files with known classifications are identified, and a score is determined for each such file to measure temporal proximity between the creation of the file and the creation of the target file. Local temporal proximity scores aggregate the scores for the client system. Global temporal proximity scores measures an aspect of the local temporal proximity scores for all identified client systems. The global temporal proximity scores are fed into a classifier to determine a classification, which is returned in response to the classification request.

Citations

18 Claims

1. A computer-implemented method for classifying computer files, comprising:
- identifying a plurality of client systems hosting a local instance of a target file;
  
  for one or more of the identified plurality of client systems,identifying a plurality of files hosted on the client system, one or more of the plurality of files associated with a timestamp within a time range around a timestamp associated with the local instance of the target file hosted on the client system,identifying known malicious files in the plurality of files hosted on the client system,for one or more of the identified known malicious files, determining a score measuring a temporal proximity between the timestamp of the malicious file and the timestamp the local instance of the target file, anddetermining a local malicious temporal proximity score measuring an aggregation of the scores of the identified known malicious files;
  
  determining a global malicious temporal proximity score measuring an aspect of the local malicious temporal proximity scores of the identified plurality of client systems; and
  
  determining a classification of the target file based at least in part on the global malicious temporal proximity score.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein identifying the plurality of client systems hosting the file further comprises identifying one or more client systems that hosted the file.
  - 3. The method of claim 1, wherein the aspect of the local malicious temporal proximity scores measured by the global malicious temporal proximity score comprises at least one of the following:
    - an average, a mean, a median, a maximum, and a minimum.
  - 4. The method of claim 1, wherein the timestamp of the target file comprises a creation timestamp of the target file.
  - 5. The method of claim 1, wherein the classification comprises malicious and legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.
  - 6. The method of claim 1, wherein the classification comprises a spectrum of classifications ranging from malicious to legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.

7. A computer-implemented method for classifying computer files, comprising:
- identifying a plurality of client systems hosting a local instance of a target file;
  
  for one or more of the identified plurality of client systems,identifying a plurality of files hosted on the client system, one or more of the plurality of files associated with a timestamp within a time range around a timestamp associated with the local instance of the target file hosted on the client system,identifying known legitimate files in the plurality of files hosted on the client system,for one or more of the identified known legitimate files, determining a score measuring a temporal proximity between the timestamp of the legitimate file and the timestamp the local instance of the target file, anddetermining a local legitimate temporal proximity score measuring an aggregation of the scores of the identified known legitimate files;
  
  determining a global legitimate temporal proximity score measuring an aspect of the local legitimate temporal proximity scores of the identified plurality of client systems; and
  
  determining a classification of the target file based at least in part on the global legitimate temporal proximity score.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein identifying the plurality of client systems hosting the file further comprises identifying one or more client systems that hosted the file.
  - 9. The method of claim 7, wherein the aspect of the local legitimate temporal proximity scores measured by the global legitimate temporal proximity score comprises at least one of the following:
    - an average, a mean, a median, a maximum, and a minimum.
  - 10. The method of claim 7, wherein the timestamp of the target file comprises a creation timestamp of the target file.
  - 11. The method of claim 7, wherein the classification comprises malicious and legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.
  - 12. The method of claim 7, wherein the classification comprises a spectrum of classifications ranging from malicious to legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.

13. A computer system for classifying computer files, comprising:
- a computer-readable storage medium comprising executable computer program code for;
  
  identifying a plurality of client systems hosting a local instance of a target file;
  
  for one or more of the identified plurality of client systems,identifying a plurality of files hosted on the client system, one or more of the plurality of files associated with a timestamp within a time range around a timestamp associated with the local instance of the target file hosted on the client system,identifying known malicious files in the plurality of files hosted on the client system,for one or more of the identified known malicious files, determining a score measuring a temporal proximity between the timestamp of the malicious file and the timestamp the local instance of the target file, anddetermining a local malicious temporal proximity score measuring an aggregation of the scores of the identified known malicious files;
  
  determining a global malicious temporal proximity score measuring an aspect of the local malicious temporal proximity scores of the identified plurality of client systems; and
  
  determining a classification of the target file based at least in part on the global malicious temporal proximity score.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer system of claim 13, wherein identifying the plurality of client systems hosting the file further comprises identifying one or more client systems that hosted the file.
  - 15. The computer system of claim 13, wherein the aspect of the local malicious temporal proximity scores measured by the global malicious temporal proximity score comprises at least one of the following:
    - an average, a mean, a median, a maximum, and a minimum.
  - 16. The computer system of claim 13, wherein the timestamp of the target file comprises a creation timestamp of the target file.
  - 17. The computer system of claim 13, wherein the classification comprises malicious and legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.
  - 18. The computer system of claim 13, wherein the classification comprises a spectrum of classifications ranging from malicious to legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S.
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
ULLAH, SHARIF E

Application Number

US12/944,121
Time in Patent Office

873 Days
Field of Search

726/23, 726/24, 726/26, 713/188, 713/502, 714/48
US Class Current

726/23
CPC Class Codes

G06F 21/565   by checking file integrity

G06F 2221/2151   Time stamp

H04L 63/145   the attack involving the pr...

Using temporal attributes to detect malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Using temporal attributes to detect malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links