Method and system for detecting malware

US 8,468,604 B2
Filed: 09/29/2006
Issued: 06/18/2013
Est. Priority Date: 08/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method for protecting objects in a system comprising a backup including backup copies of the objects, the method comprising:

determining a pattern associated with an object by performing a size-based analysis, using at least one backup copy from the backup copies of the object, wherein performing the size-based analysis includes determining a first size of the object selected from a group comprising a current size of the object and a size of a backup copy of the object and, determining a second size of another backup copy of the object, wherein determining the pattern includes determining modification times of the backup copies of the object and, deriving a frequency of modification based on the modification times of the backup copies of the object;

detecting a deviation from the pattern to identify an anomaly indicating that the object is infected by malware, wherein detecting the deviation from the pattern includes comparing the first size to the second size based on a size change threshold for the object and, analyzing a binary pattern of the object if the first size is same as the second size, wherein detecting the deviation from the pattern includes identifying a change to a first portion of the object that is expected to remain the same, wherein detecting the deviation from the pattern includes identifying an absence of a change to a second portion of the object that is expected to change, wherein the first and second portions of the object are located at respective first and second offsets within the object;

determining a magnitude of the deviation from the pattern; and

comparing the magnitude of the deviation to a threshold, wherein the threshold is determined according to known object profiles.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for protecting objects in a computer system against malware is disclosed. An object is analyzed to determine whether it is infected by malware, and if it is determined to be infected, a backup copy of the object is located in a backup of the objects. The infected object is replaced with the backup copy.

51 Citations

View as Search Results

16 Claims

1. A method for protecting objects in a system comprising a backup including backup copies of the objects, the method comprising:
- determining a pattern associated with an object by performing a size-based analysis, using at least one backup copy from the backup copies of the object, wherein performing the size-based analysis includes determining a first size of the object selected from a group comprising a current size of the object and a size of a backup copy of the object and, determining a second size of another backup copy of the object, wherein determining the pattern includes determining modification times of the backup copies of the object and, deriving a frequency of modification based on the modification times of the backup copies of the object;
  
  detecting a deviation from the pattern to identify an anomaly indicating that the object is infected by malware, wherein detecting the deviation from the pattern includes comparing the first size to the second size based on a size change threshold for the object and, analyzing a binary pattern of the object if the first size is same as the second size, wherein detecting the deviation from the pattern includes identifying a change to a first portion of the object that is expected to remain the same, wherein detecting the deviation from the pattern includes identifying an absence of a change to a second portion of the object that is expected to change, wherein the first and second portions of the object are located at respective first and second offsets within the object;
  
  determining a magnitude of the deviation from the pattern; and
  
  comparing the magnitude of the deviation to a threshold, wherein the threshold is determined according to known object profiles.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method as recited in claim 1, wherein detecting the deviation from the pattern to identify an anomaly includes returning a positive result if the first size is larger than the second size.
  - 3. The method as recited in claim 1, further comprising determining a size change threshold for the object, and wherein detecting the deviation from the pattern to identify an anomaly includes returning a positive result if the first size is larger than the second size by at least the size change threshold.
  - 4. The method as recited in claim 1, further comprising determining size change thresholds for a plurality of objects.
  - 5. The method as recited in claim 1, wherein determining the pattern includes determining sizes of backup copies of the object, and performing statistical analysis on the sizes of backup copies.
  - 6. The method as recited in claim 5, wherein detecting a deviation from the pattern to identify an anomaly includes analyzing a size of the object or a size of a backup copy of the object with respect to the sizes of the backup copies.
  - 7. The method as recited in claim 6, wherein detecting a deviation from the pattern to identify an anomaly further includes returning a positive result if the size of the object or a size of a backup copy of the object is larger than a size predicted by the statistical analysis.
  - 8. The method as recited in claim 1, wherein detecting a deviation from the pattern to identify an anomaly includes returning a positive result if a modification time of the object or a modification time of a backup copy of the object is inconsistent with the derived frequency.
  - 9. The method as recited in claim 1, wherein detecting a deviation from the pattern to identify an anomaly includes returning a positive result if a modification time of the object occurs earlier than a modification time predicted from the derived frequency.
  - 10. The method as recited in claim 1, wherein detecting a deviation from the pattern to identify an anomaly includes returning a positive result if a modification time of the object occurs later than a modification time predicted from the derived frequency.
  - 11. The method as recited in claim 1, further comprising determining an infection point in time when the object became infected by malware.
  - 12. The method as recited in claim 11, wherein the infection point is determined from a time of occurrence of the identified anomaly.
  - 13. The method as recited in claim 12, further comprising retrieving a backup copy made prior to the infection point.
  - 14. The method as recited in claim 13, further comprising replacing the object with the retrieved backup copy.

15. A computer program product for protecting objects in a system comprising a backup including backup copies of the objects, the computer program product being embodied in a non-transitory computer readable medium and comprising computer instructions for:
- determining a pattern associated with an object by performing a size-based analysis, using at least one backup copy from the backup copies of the object, wherein performing the size-based analysis includes determining a first size of the object selected from a group comprising a current size of the object and a size of a backup copy of the object and, determining a second size of another backup copy of the object, wherein determining the pattern includes determining modification times of the backup copies of the object and, deriving a frequency of modification based on the modification times of the backup copies of the object;
  
  detecting a deviation from the pattern to identify an anomaly indicating that the object is infected by malware, wherein detecting the deviation from the pattern includes comparing the first size to the second size based on a size change threshold for the object and, analyzing a binary pattern of the object if the first size is same as the second size, wherein detecting the deviation from the pattern includes identifying a change to a first portion of the object that is expected to remain the same, wherein detecting the deviation from the pattern includes identifying an absence of a change to a second portion of the object that is expected to change, wherein the first and second portions of the object are located at respective first and second offsets within the object;
  
  determining a magnitude of the deviation from the pattern; and
  
  comparing the magnitude of the deviation to a threshold, wherein the threshold is determined according to known object profiles.

16. A system for protecting objects, comprising a backup including copies of the objects, and a processor configured to:
- determine a pattern associated with an object by performing a size-based analysis, using at least one backup copy from the backup copies of the object, wherein performing the size-based analysis includes determining a first size of the object selected from a group comprising a current size of the object and a size of a backup copy of the object and, determining a second size of another backup copy of the object, wherein determining the pattern includes determining modification times of the backup copies of the object and, deriving a frequency of modification based on the modification times of the backup copies of the object;
  
  detect a deviation from the pattern to identify an anomaly indicating that the object is infected by malware, wherein detecting the deviation from the pattern includes comparing the first size to the second size based on a size change threshold for the object and, analyzing a binary pattern of the object if the first size is same as the second size, wherein detecting the deviation from the pattern includes identifying a change to a first portion of the object that is expected to remain the same, wherein detecting the deviation from the pattern includes identifying an absence of a change to a second portion of the object that is expected to change, wherein the first and second portions of the object are located at respective first and second offsets within the object;
  
  determine a magnitude of the deviation from the pattern; and
  
  compare the magnitude of the deviation to a threshold, wherein the threshold is determined according to known object profiles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Claudatos, Christopher Hercules, Baim, Jason A, Cobb, Daniel S
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US11/541,413
Publication Number

US 20080047013A1
Time in Patent Office

2,454 Days
Field of Search

726/22, 726/24, 726/5, 707/4, 707/201
US Class Current

726/24
CPC Class Codes

G06F 21/562 Static detection

G06F 21/568 eliminating virus, restorin...

Method and system for detecting malware

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting malware

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links