Using temporal attributes to detect malware
Abstract
Techniques for classifying unknown files that take into account the temporal proximity between the unknown files and files with known classifications are disclosed. In response to a classification request for a target file, the client systems that host (or have hosted) an instance of the target file are identified. For each such system, the files created around the time the target file was created on that system are identified. Among those files, the ones with known classifications are identified, and a score is determined for each of them measuring the temporal proximity between its creation and the creation of the target file. A local temporal proximity score aggregates those per-file scores for the client system. A global temporal proximity score measures an aspect (for example a mean or maximum) of the local temporal proximity scores across all identified client systems. The global temporal proximity scores are fed into a classifier to determine a classification, which is returned in response to the classification request.
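The abstract leaves the per-file score, the local and global aggregations and the classifier open. The following is an added worked example (not the patent's or any vendor's code) that instantiates each of those choices in the shape the abstract describes: a linear decay inside a fixed window as the per-file proximity score, a sum as the local aggregation, mean and maximum as the global aspect, and a threshold rule on the difference between the malicious and legitimate global means standing in for the classifier. The telemetry, hashes, window size and thresholds are all constructed assumptions. A practitioner's caveat is built in: creation timestamps come from the endpoint and can be timestomped by the malware itself, so the verdict requires a minimum number of hosting clients rather than trusting a single machine's clock.

```python
"""Temporal-proximity classification of an unknown file.

Added illustration of the scheme in the abstract above, not the patent's
reference implementation: the decay function, aggregations, window and
thresholds are assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MALICIOUS, LEGITIMATE, UNKNOWN = "malicious", "legitimate", "unknown"


@dataclass(frozen=True)
class FileRecord:
    sha256: str      # file identity; one hash may be hosted on many clients
    created: float   # creation time on that client, seconds since the epoch
    label: str       # MALICIOUS / LEGITIMATE from a reputation DB, else UNKNOWN


# Constructed telemetry (placeholder hashes, not real data): client -> files.
T0 = 1_700_000_000.0
TARGET = "sha256:target"
TELEMETRY: Dict[str, List[FileRecord]] = {
    "client-a": [
        FileRecord(TARGET, T0, UNKNOWN),
        FileRecord("sha256:dropper", T0 - 20, MALICIOUS),              # 20 s before
        FileRecord("sha256:loader", T0 + 90, MALICIOUS),               # 90 s after
        FileRecord("sha256:office-update", T0 - 86_400, LEGITIMATE),   # a day earlier
    ],
    "client-b": [
        FileRecord(TARGET, T0 + 3_600, UNKNOWN),
        FileRecord("sha256:dropper", T0 + 3_600 - 5, MALICIOUS),       # 5 s before
    ],
    "client-c": [
        FileRecord(TARGET, T0 + 7_200, UNKNOWN),
        FileRecord("sha256:browser-setup", T0 + 7_200 + 30, LEGITIMATE),  # 30 s after
    ],
    "client-d": [                                                      # does not host TARGET
        FileRecord("sha256:dropper", T0, MALICIOUS),
    ],
}


def proximity(delta_seconds: float, window: float) -> float:
    """Per-file score: 1.0 at the same instant, decaying linearly to 0.0 at
    the window edge, 0.0 outside the window. (Assumed decay; the abstract
    only requires a score that measures temporal proximity.)"""
    if window <= 0:
        return 0.0
    return max(0.0, 1.0 - abs(delta_seconds) / window)


def local_score(files: List[FileRecord], target_hash: str,
                window: float, label: str) -> Optional[float]:
    """Local <label> temporal proximity score for one client: the sum of the
    per-file scores of known-<label> files created within the window around
    the local instance of the target. None if the client does not host it."""
    target = next((f for f in files if f.sha256 == target_hash), None)
    if target is None:
        return None
    return sum(proximity(f.created - target.created, window)
               for f in files
               if f.sha256 != target_hash and f.label == label)


def global_score(telemetry: Dict[str, List[FileRecord]], target_hash: str,
                 window: float, label: str) -> Tuple[float, float, int]:
    """Global score over all clients hosting the target.
    Returns (mean of local scores, max of local scores, number of hosting clients)."""
    locals_ = [s for s in (local_score(files, target_hash, window, label)
                           for files in telemetry.values()) if s is not None]
    if not locals_:
        return 0.0, 0.0, 0
    return sum(locals_) / len(locals_), max(locals_), len(locals_)


def classify(telemetry: Dict[str, List[FileRecord]], target_hash: str,
             window: float = 300.0, min_clients: int = 2, margin: float = 0.5) -> str:
    """Stand-in for the classifier the global scores are fed into: a threshold
    on (malicious mean - legitimate mean). min_clients keeps one endpoint with
    a timestomped or skewed clock from deciding the verdict on its own."""
    mal_mean, _, n_hosting = global_score(telemetry, target_hash, window, MALICIOUS)
    leg_mean, _, _ = global_score(telemetry, target_hash, window, LEGITIMATE)
    if n_hosting < min_clients:
        return UNKNOWN
    if mal_mean - leg_mean >= margin:
        return MALICIOUS
    if leg_mean - mal_mean >= margin:
        return LEGITIMATE
    return UNKNOWN


if __name__ == "__main__":
    for label in (MALICIOUS, LEGITIMATE):
        mean, peak, n = global_score(TELEMETRY, TARGET, 300.0, label)
        print(f"global {label:10s} mean={mean:.3f} max={peak:.3f} clients={n}")
    print("verdict:", classify(TELEMETRY, TARGET))
```

With the constructed telemetry and a 300 s window, client-a contributes 0.933 + 0.700 for the two malicious neighbours, client-b 0.983, client-c 0.900 on the legitimate side, and client-d nothing because it never hosted the target; the malicious global mean (0.872) exceeds the legitimate one (0.300) by more than the margin, so the target is classified malicious. Raising min_clients above the number of hosting clients returns unknown instead of guessing.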
18 Claims

1. A computer-implemented method for classifying computer files, comprising:
    identifying a plurality of client systems hosting a local instance of a target file;
    for one or more of the identified plurality of client systems,
        identifying a plurality of files hosted on the client system, one or more of the plurality of files associated with a timestamp within a time range around a timestamp associated with the local instance of the target file hosted on the client system,
        identifying known malicious files in the plurality of files hosted on the client system,
        for one or more of the identified known malicious files, determining a score measuring a temporal proximity between the timestamp of the malicious file and the timestamp of the local instance of the target file, and
        determining a local malicious temporal proximity score measuring an aggregation of the scores of the identified known malicious files;
    determining a global malicious temporal proximity score measuring an aspect of the local malicious temporal proximity scores of the identified plurality of client systems; and
    determining a classification of the target file based at least in part on the global malicious temporal proximity score.
(Claims 2 to 6 depend on claim 1.)

7. A computer-implemented method for classifying computer files, comprising:
    identifying a plurality of client systems hosting a local instance of a target file;
    for one or more of the identified plurality of client systems,
        identifying a plurality of files hosted on the client system, one or more of the plurality of files associated with a timestamp within a time range around a timestamp associated with the local instance of the target file hosted on the client system,
        identifying known legitimate files in the plurality of files hosted on the client system,
        for one or more of the identified known legitimate files, determining a score measuring a temporal proximity between the timestamp of the legitimate file and the timestamp of the local instance of the target file, and
        determining a local legitimate temporal proximity score measuring an aggregation of the scores of the identified known legitimate files;
    determining a global legitimate temporal proximity score measuring an aspect of the local legitimate temporal proximity scores of the identified plurality of client systems; and
    determining a classification of the target file based at least in part on the global legitimate temporal proximity score.
(Claims 8 to 12 depend on claim 7.)

13. A computer system for classifying computer files, comprising:
    a computer-readable storage medium comprising executable computer program code for:
    identifying a plurality of client systems hosting a local instance of a target file;
    for one or more of the identified plurality of client systems,
        identifying a plurality of files hosted on the client system, one or more of the plurality of files associated with a timestamp within a time range around a timestamp associated with the local instance of the target file hosted on the client system,
        identifying known malicious files in the plurality of files hosted on the client system,
        for one or more of the identified known malicious files, determining a score measuring a temporal proximity between the timestamp of the malicious file and the timestamp of the local instance of the target file, and
        determining a local malicious temporal proximity score measuring an aggregation of the scores of the identified known malicious files;
    determining a global malicious temporal proximity score measuring an aspect of the local malicious temporal proximity scores of the identified plurality of client systems; and
    determining a classification of the target file based at least in part on the global malicious temporal proximity score.
(Claims 14 to 18 depend on claim 13.)