Systems and methods for classifying unknown files/spam based on a user actions, a file's prevalence within a user community, and a predetermined prevalence threshold

US 8,572,007 B1
Filed: 10/29/2010
Issued: 10/29/2013
Est. Priority Date: 10/29/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for classifying unknown files based on user actions, at least a portion of the method being performed by a server-side computing device comprising at least one processor, the method comprising:

identifying at least one file whose trustworthiness is unknown due at least in part to the file'"'"'s prevalence within a user community being below a predetermined prevalence threshold, wherein the predetermined prevalence threshold represents a minimum number of client devices within the user community that have encountered an instance of the file;

identifying a report received from at least one client device that identifies at least one action taken by a user within the user community after being informed by security software on the client device that the trustworthiness of the file is unknown;

determining that the action taken by the user indicates that the user believes the file is trustworthy even after being informed by the security software on the client device that the trustworthiness of the file is unknown;

classifying the file as trustworthy based at least in part on the action taken by the user;

providing the file'"'"'s classification to at least one computing device in order to enable the computing device to evaluate the trustworthiness of the file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented, server-side method for classifying unknown files based on user actions may include (1) identifying at least one file whose trustworthiness is unknown, (2) identifying a report received from at least one client device that identifies at least one action taken by a user within a user community when informed by security software on the client device that the trustworthiness of the file is unknown, (3) determining that the action taken by the user indicates that the user believes the file is trustworthy, (4) classifying the file as trustworthy based at least in part on the action taken by the user, and then (5) providing the file'"'"'s classification to at least one computing device in order to enable the computing device to evaluate the trustworthiness of the file. Corresponding systems, encoded computer-readable media, and client-side methods are also disclosed.

35 Citations

View as Search Results

20 Claims

1. A computer-implemented method for classifying unknown files based on user actions, at least a portion of the method being performed by a server-side computing device comprising at least one processor, the method comprising:
- identifying at least one file whose trustworthiness is unknown due at least in part to the file'"'"'s prevalence within a user community being below a predetermined prevalence threshold, wherein the predetermined prevalence threshold represents a minimum number of client devices within the user community that have encountered an instance of the file;
  
  identifying a report received from at least one client device that identifies at least one action taken by a user within the user community after being informed by security software on the client device that the trustworthiness of the file is unknown;
  
  determining that the action taken by the user indicates that the user believes the file is trustworthy even after being informed by the security software on the client device that the trustworthiness of the file is unknown;
  
  classifying the file as trustworthy based at least in part on the action taken by the user;
  
  providing the file'"'"'s classification to at least one computing device in order to enable the computing device to evaluate the trustworthiness of the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 19, 20)
- - 2. The method of claim 1, wherein identifying the file whose trustworthiness is unknown comprises:
    - identifying an initial trustworthiness classification assigned to the file;
      
      determining that a confidence score associated with the initial trustworthiness classification fails to satisfy a predetermined confidence threshold.
  - 3. The method of claim 2, wherein determining that the confidence score associated with the initial trustworthiness classification fails to satisfy the predetermined confidence threshold comprises determining that the file'"'"'s prevalence within the user community fails to satisfy the predetermined prevalence threshold.
  - 4. The method of claim 1, wherein the action taken by the user comprises installing the file.
  - 5. The method of claim 1, wherein identifying the report received from the client device comprises:
    - identifying a plurality of reports received from a plurality of client devices that identify actions taken by users within the user community after being informed by security software on the client devices that the trustworthiness of the file is unknown;
      
      determining that the actions taken by the users indicate that the users believe the file is trustworthy even after being informed by the security software on the client devices that the trustworthiness of the file is unknown.
  - 6. The method of claim 5, wherein determining that the actions taken by the users indicate that the users believe the file is trustworthy comprises:
    - analyzing the actions taken by the users to identify at least one of;
      
      the number of users within the user community that installed the file;
      
      the number of users within the user community that blocked the file;
      
      the number of users within the user community that quarantined the file;
      
      computing an install score that represents a function of the number of users within the user community that installed the file relative to the number of users within the user community that blocked or quarantined the file;
      
      computing a threshold that represents a minimum level of trustworthiness for the file;
      
      determining that the install score for the file satisfies the threshold.
  - 7. The method of claim 6, wherein computing the threshold comprises:
    - iterating over a set of values in order to identify a value that minimizes false positives and maximizes true positives;
      
      selecting the value as the threshold.
  - 8. The method of claim 6, further comprising, prior to computing the install score, assigning a weight to one or more of the actions taken by the users in order to increase or decrease the actions'"'"' influence in the computation of the install score.
  - 9. The method of claim 8, wherein the weight comprises at least one of:
    - a weight associated with a user reputation;
      
      a weight that represents a function of the number of users within the user community that installed the file relative to the number of users within the user community that encountered the file.
  - 10. The method of claim 1, further comprising:
    - including the file within a training corpus;
      
      using the training corpus to train, based at least in part on at least one attribute of the file, a classification heuristic capable of determining the trustworthiness of files;
      
      deploying the classification heuristic.
  - 11. The method of claim 10, wherein the attribute comprises at least one of:
    - the number of users within the user community that installed the file;
      
      an install score for the file;
      
      an install score weighted by at least one user reputation;
      
      an install score weighted by the number of users within the user community that installed the file relative to the number of users within the user community that encountered the file.
  - 12. The method of claim 1, wherein providing the file'"'"'s classification to the computing device comprises at least one of:
    - providing the file'"'"'s classification to the client device;
      
      providing the file'"'"'s classification to at least one additional client device.
  - 19. The method of claim 1, wherein:
    - determining that the action taken by the user indicates that the user believes the file is trustworthy comprises determining that the action taken by the user indicates that the user has a personal knowledge of the file'"'"'s legitimacy;
      
      classifying the file as trustworthy based at least in part on the action taken by the user comprises classifying the file as trustworthy due at least in part to the user'"'"'s personal knowledge of the file'"'"'s legitimacy.
  - 20. The method of claim 1, wherein the minimum number of client devices within the user community that have encountered an instance of the file comprises a minimum percentage of client devices within the user community that have encountered an instance of the file.

13. A computer-implemented method for identifying files that have been classified as trustworthy based on user actions, at least a portion of the method being performed by a client device comprising at least one processor, the method comprising:
- identifying a file;
  
  querying a server for a trustworthiness classification assigned to the file;
  
  receiving, from the server, a trustworthiness classification assigned to the file that indicates that the file is likely trustworthy, wherein;
  
  the trustworthiness classification assigned to the file by the server is based at least in part on at least one action taken by a user of at least one additional client device after being informed by security software on the additional client device that the trustworthiness of the file is unknown due at least in part to the file'"'"'s prevalence within a user community being below a predetermined prevalence threshold, wherein the predetermined prevalence threshold represents a minimum number of client devices within the user community that have encountered an instance of the file;
  
  the action taken by the user indicates that the user believes the file is trustworthy even after being informed by the security software on the client device that the trustworthiness of the file is unknown;
  
  allowing the file to install on the client device.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein the action taken by the user of the additional client device comprises installing the file on the additional client device.

15. A system for classifying unknown files based on user actions, the system comprising:
- an identification module programmed to;
  
  identify at least one file whose trustworthiness is unknown due at least in part to the file'"'"'s prevalence within a user community being below a predetermined prevalence threshold, wherein the predetermined prevalence threshold represents a minimum number of client devices within the user community that have encountered an instance of the file;
  
  identify a report received from at least one client device that identifies at least one action taken by a user within the user community after being informed by security software on the client device that the trustworthiness of the file is unknown;
  
  a classification module programmed to;
  
  determine that the action taken by the user indicates that the user believes the file is trustworthy even after being informed by the security software on the client device that the trustworthiness of the file is unknown;
  
  classify the file as trustworthy based at least in part on the action taken by the user;
  
  provide the file'"'"'s classification to at least one computing device in order to enable the computing device to evaluate the trustworthiness of the file;
  
  at least one processor configured to execute the identification module and the classification module.
- View Dependent Claims (16, 17, 18)
- - 16. The system of claim 15, wherein the identification module is further programmed to:
    - identify an initial trustworthiness classification assigned to the file;
      
      determine that a confidence score associated with the initial trustworthiness classification fails to satisfy a predetermined confidence threshold.
  - 17. The system of claim 15, wherein the identification module is further programmed to:
    - identify an initial trustworthiness classification assigned to the file;
      
      determine that the file'"'"'s prevalence within the user community fails to satisfy the predetermined prevalence threshold.
  - 18. The system of claim 15, wherein the action taken by the user comprises installing the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Griffin, Kent, Ramzan, Zulfikar, Manadhata, Pratyusa
Primary Examiner(s)
VINCENT, DAVID ROBERT

Application Number

US12/916,267
Time in Patent Office

1,096 Days
Field of Search

706/12, 706/47, 706/62, 717/174, 717/168, 717/189, 713/2, 726/13
US Class Current

706/12
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/567   using dedicated hardware

G06F 2221/2115   Third party

Systems and methods for classifying unknown files/spam based on a user actions, a file's prevalence within a user community, and a predetermined prevalence threshold

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for classifying unknown files/spam based on a user actions, a file's prevalence within a user community, and a predetermined prevalence threshold

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links