Method and system for detecting malware
First Claim
1. A method for protecting objects in a system comprising a backup including backup copies of the objects, the method comprising:
determining a pattern associated with an object by performing a size-based analysis, using at least one backup copy from the backup copies of the object, wherein performing the size-based analysis includes determining a first size of the object selected from a group comprising a current size of the object and a size of a backup copy of the object and, determining a second size of another backup copy of the object, wherein determining the pattern includes determining modification times of the backup copies of the object and, deriving a frequency of modification based on the modification times of the backup copies of the object;
detecting a deviation from the pattern to identify an anomaly indicating that the object is infected by malware, wherein detecting the deviation from the pattern includes comparing the first size to the second size based on a size change threshold for the object and, analyzing a binary pattern of the object if the first size is same as the second size, wherein detecting the deviation from the pattern includes identifying a change to a first portion of the object that is expected to remain the same, wherein detecting the deviation from the pattern includes identifying an absence of a change to a second portion of the object that is expected to change, wherein the first and second portions of the object are located at respective first and second offsets within the object;
determining a magnitude of the deviation from the pattern; and
comparing the magnitude of the deviation to a threshold, wherein the threshold is determined according to known object profiles.
9 Assignments
0 Petitions
Abstract
A method for protecting objects in a computer system against malware is disclosed. An object is analyzed to determine whether it is infected by malware, and if it is determined to be infected, a backup copy of the object is located in a backup of the objects. The infected object is replaced with the backup copy.
51 Citations
16 Claims
1. A method for protecting objects in a system comprising a backup including backup copies of the objects, the method comprising: [independent claim; full text reproduced above under First Claim]. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.
15. A computer program product for protecting objects in a system comprising a backup including backup copies of the objects, the computer program product being embodied in a non-transitory computer readable medium and comprising computer instructions for:
determining a pattern associated with an object by performing a size-based analysis, using at least one backup copy from the backup copies of the object, wherein performing the size-based analysis includes determining a first size of the object selected from a group comprising a current size of the object and a size of a backup copy of the object and, determining a second size of another backup copy of the object, wherein determining the pattern includes determining modification times of the backup copies of the object and, deriving a frequency of modification based on the modification times of the backup copies of the object;
detecting a deviation from the pattern to identify an anomaly indicating that the object is infected by malware, wherein detecting the deviation from the pattern includes comparing the first size to the second size based on a size change threshold for the object and, analyzing a binary pattern of the object if the first size is same as the second size, wherein detecting the deviation from the pattern includes identifying a change to a first portion of the object that is expected to remain the same, wherein detecting the deviation from the pattern includes identifying an absence of a change to a second portion of the object that is expected to change, wherein the first and second portions of the object are located at respective first and second offsets within the object;
determining a magnitude of the deviation from the pattern; and
comparing the magnitude of the deviation to a threshold, wherein the threshold is determined according to known object profiles.
16. A system for protecting objects, comprising a backup including copies of the objects, and a processor configured to:
determine a pattern associated with an object by performing a size-based analysis, using at least one backup copy from the backup copies of the object, wherein performing the size-based analysis includes determining a first size of the object selected from a group comprising a current size of the object and a size of a backup copy of the object and, determining a second size of another backup copy of the object, wherein determining the pattern includes determining modification times of the backup copies of the object and, deriving a frequency of modification based on the modification times of the backup copies of the object;
detect a deviation from the pattern to identify an anomaly indicating that the object is infected by malware, wherein detecting the deviation from the pattern includes comparing the first size to the second size based on a size change threshold for the object and, analyzing a binary pattern of the object if the first size is same as the second size, wherein detecting the deviation from the pattern includes identifying a change to a first portion of the object that is expected to remain the same, wherein detecting the deviation from the pattern includes identifying an absence of a change to a second portion of the object that is expected to change, wherein the first and second portions of the object are located at respective first and second offsets within the object;
determine a magnitude of the deviation from the pattern; and
compare the magnitude of the deviation to a threshold, wherein the threshold is determined according to known object profiles.
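The following Python sketch is an added worked example, not code from the patent or from its assignee. It implements the check recited in independent claims 1, 15 and 16 (size comparison against a backup copy, modification frequency from backup mtimes, binary-pattern analysis at a fixed offset and a volatile offset when sizes match, a deviation magnitude compared to a profile-derived threshold) and the restore step from the abstract. The BackupCopy and ObjectProfile types, the "LOGFILE1" header plus write-counter layout, the hourly backups, the tampered object and every threshold value are constructed for illustration; the patent does not say how a "known object profile" is obtained.

```python
"""Toy implementation of the backup-based malware check from claims 1/15/16 and
the replace-with-backup step from the abstract. All data here is constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class BackupCopy:
    mtime: int      # modification time in seconds (constructed values)
    data: bytes


@dataclass
class ObjectProfile:
    """Hypothetical 'known object profile': per-type thresholds plus the offsets of
    a region that must never change and one that must change on every legitimate write."""
    size_change_threshold: float   # fraction of the reference size treated as normal growth
    stable_offset: int
    stable_len: int
    volatile_offset: int
    volatile_len: int
    deviation_threshold: float     # magnitude at or above which the object is flagged


def modification_frequency(backups: List[BackupCopy]) -> float:
    """Modifications per hour derived from the backup copies' modification times."""
    times = sorted(b.mtime for b in backups)
    if len(times) < 2 or times[-1] == times[0]:
        return 0.0
    return (len(times) - 1) / ((times[-1] - times[0]) / 3600.0)


def size_deviation(first_size: int, second_size: int, profile: ObjectProfile) -> float:
    """Relative size change scaled by the profile threshold; >= 1.0 means beyond it."""
    reference = max(second_size, 1)
    return (abs(first_size - second_size) / reference) / profile.size_change_threshold


def binary_pattern_deviation(current: bytes, reference: bytes, profile: ObjectProfile) -> float:
    """One point for each anomaly named in the claim: the fixed region changed,
    or the volatile region failed to change."""
    s0, s1 = profile.stable_offset, profile.stable_offset + profile.stable_len
    v0, v1 = profile.volatile_offset, profile.volatile_offset + profile.volatile_len
    score = 0.0
    if current[s0:s1] != reference[s0:s1]:
        score += 1.0
    if current[v0:v1] == reference[v0:v1]:
        score += 1.0
    return score


def deviation_magnitude(current: bytes, backups: List[BackupCopy], profile: ObjectProfile) -> float:
    """Compare the current object with the newest backup copy; only when the two sizes
    are equal (the claim's condition) is the binary pattern analysed as well."""
    newest = max(backups, key=lambda b: b.mtime)
    magnitude = size_deviation(len(current), len(newest.data), profile)
    if len(current) == len(newest.data):
        magnitude += binary_pattern_deviation(current, newest.data, profile)
    return magnitude


def is_infected(current: bytes, backups: List[BackupCopy], profile: ObjectProfile) -> bool:
    return deviation_magnitude(current, backups, profile) >= profile.deviation_threshold


def restore_from_backup(current: bytes, backups: List[BackupCopy], profile: ObjectProfile) -> bytes:
    """Abstract: replace the infected object with a backup copy. Walk newest to oldest and
    return the first copy that itself passes the check against the copies older than it."""
    ordered = sorted(backups, key=lambda b: b.mtime, reverse=True)
    for i, candidate in enumerate(ordered):
        older = ordered[i + 1:]
        if not older or not is_infected(candidate.data, older, profile):
            return candidate.data
    return ordered[-1].data


# Constructed object layout: 8-byte fixed magic, 8-byte write counter, then log body.
def make_object(counter: int, body: bytes) -> bytes:
    return b"LOGFILE1" + counter.to_bytes(8, "little") + body


PROFILE = ObjectProfile(size_change_threshold=0.50, stable_offset=0, stable_len=8,
                        volatile_offset=8, volatile_len=8, deviation_threshold=1.0)

BACKUPS = [  # constructed hourly backups, each a legitimate append with the counter advanced
    BackupCopy(mtime=3600 * 1, data=make_object(1, b"entry-1\n")),
    BackupCopy(mtime=3600 * 2, data=make_object(2, b"entry-1\nentry-2\n")),
    BackupCopy(mtime=3600 * 3, data=make_object(3, b"entry-1\nentry-2\nentry-3\n")),
]

# Legitimate next version: grows by 8 bytes, counter advanced.
LEGIT = make_object(4, b"entry-1\nentry-2\nentry-3\nentry-4\n")
# Constructed tampered version: same size as the newest backup, magic overwritten,
# counter not advanced, which is exactly the case the size check alone would miss.
TAMPERED = b"EVILHDR1" + (3).to_bytes(8, "little") + b"entry-1\nentry-2\nentry-3\n"

if __name__ == "__main__":
    print("modifications/hour:", modification_frequency(BACKUPS))
    for label, obj in (("legit", LEGIT), ("tampered", TAMPERED)):
        print(label, deviation_magnitude(obj, BACKUPS, PROFILE), is_infected(obj, BACKUPS, PROFILE))
    print("restored header:", restore_from_backup(TAMPERED, BACKUPS, PROFILE)[:8])
```

The tampered object passes the size comparison and is caught only by the offset checks, which is why the claim falls through to binary analysis when sizes match. The weakness a practitioner should note is that the whole check hinges on the profile: an attacker who keeps the fixed region intact, advances the volatile field and stays within the size threshold is not flagged, so in practice the offsets and thresholds need to be learned from many clean copies and combined with other signals rather than hand-set as they are here.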
Specification